[Users] Proxy authentication message to wrong port
M D
md1979md at googlemail.com
Mon Aug 7 10:26:20 CEST 2006
Hi
I have an OpenSER 1.1 box on a public IP running a config taken more-or-less
verbatim from the iptel.org getting started examples. I have a UA behind a
PIX which is translating port 5060 on the phone to port 8907 on the
firewall. OpenSER is ignoring this and sending replies to INVITEs to port
5060 on the firewall.
If it's likely to make any difference, the PATed IP and the IP of the
OpenSER box are on the same network.
31 61.574505 193.x.x.15 -> 193.x.x.5 SIP/SDP Request: INVITE
sip:5551212 at 193.x.x.5;user=phone, with session description
32 61.575998 193.x.x.5 -> 193.x.x.15 SIP Status: 407 Proxy Authentication
Required
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: SIP Request:
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: method: <INVITE>
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: uri: <
sip:5551212 at 193.x.x.5;user=phone>
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: version: <SIP/2.0>
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=2
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: Found param type 232,
<branch> = <z9hG4bK4ae31c203ab6ceb>; state=16
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: end of header reached,
state=5
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: Via found,
flags=2
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: this is the
first via
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: After parse_msg...
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: preparing to run routing
scripts...
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=100
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of header
reached, state=10
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to: display={},
ruri={sip:5551212 at 193.x.x.5;user=phone}
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_field: <To>
[39]; uri=[ sip:5551212 at 193.x.x.5;user=phone]
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: to body [<
sip:5551212 at 193.x.x.5;user=phone>^M ]
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: get_hdr_field: cseq <CSeq>:
<1> <INVITE>
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_body :
content_length=284
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: found end of header
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: is_maxfwd_present:
max_forwards header not found!
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: add_param:
tag=3783260355
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of header
reached, state=29
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to: display={},
ruri={sip:84410001 at 193.x.x.5;user=phone}
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=200
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: find_first_route: No Route
headers found
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: loose_route: There is no
Route HF
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking if
host==us: 12==12 && [ 193.x.x.5] == [193.x.x.5]
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking if
port 5060 matches port 5060
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler: start
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=10000
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: pre_auth(): Credentials with
given realm not found
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler:
proxy_authorize failed
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: build_auth_hf():
'Proxy-Authenticate: Digest realm=" 193.x.x.5",
nonce="44d3636e40c00e3f51456a587f994d0f285325af"^M '
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers:
flags=ffffffffffffffff
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: check_via_address( 193.x.x.15,
10.200.100.46, 0)
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:destroy_avp_list:
destroying list (nil)
Aug 4 16:05:38 sip3 /usr/sbin/openser[22195]: receive_msg: cleaning up
How can I force proxy_challenge() to send its challenge to port 8907?
Cheers,
Mark
Config:
debug=8
fork=yes
log_stderror=no
listen=193.82.139.5
port=5060
children=4
dns=no
rev_dns=no
fifo="/tmp/ser_fifo"
fifo_db_url="mysql://openserro:openserro@localhost/openser"
loadmodule "/usr/lib/openser/modules/mysql.so"
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/rr.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"
loadmodule "/usr/lib/openser/modules/auth.so"
loadmodule "/usr/lib/openser/modules/auth_db.so"
loadmodule "/usr/lib/openser/modules/uri.so"
loadmodule "/usr/lib/openser/modules/uri_db.so"
loadmodule "/usr/lib/openser/modules/nathelper.so"
loadmodule "/usr/lib/openser/modules/textops.so"
modparam("auth_db|uri_db|usrloc", "db_url", "
mysql://openserro:openserro@localhost/openser")
modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "password_column", "password")
modparam("nathelper", "natping_interval", 30)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
modparam("usrloc", "db_mode", 2)
modparam("registrar", "nat_flag", 6)
modparam("rr", "enable_full_lr", 1)
route {
# -----------------------------------------------------------------
# Sanity Check Section
# -----------------------------------------------------------------
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483", "Too Many Hops");
return;
};
if (msg:len > max_len) {
sl_send_reply("513", "Message Overflow");
return;
};
# -----------------------------------------------------------------
# Record Route Section
# -----------------------------------------------------------------
if (method!="REGISTER") {
record_route();
};
if (method=="BYE" || method=="CANCEL") {
unforce_rtp_proxy();
}
# -----------------------------------------------------------------
# Loose Route Section
# -----------------------------------------------------------------
if (loose_route()) {
if ((method=="INVITE" || method=="REFER") && !has_totag()) {
sl_send_reply("403", "Forbidden");
return;
};
if (method=="INVITE") {
if (!proxy_authorize("","subscriber")) {
proxy_challenge("","0");
return;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
return;
};
consume_credentials();
if (nat_uac_test("19")) {
setflag(6);
force_rport();
fix_nated_contact();
};
force_rtp_proxy("l");
};
route(1);
return;
};
# -----------------------------------------------------------------
# Call Type Processing Section
# -----------------------------------------------------------------
if (uri!=myself) {
route(4);
route(1);
return;
};
if (method=="ACK") {
route(1);
return;
} else if (method=="CANCEL") {
route(1);
return;
} else if (method=="INVITE") {
route(3);
return;
} else if (method=="REGISTER") {
route(2);
return;
};
lookup("aliases");
if (uri!=myself) {
route(4);
route(1);
return;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
return;
};
route(1);
}
route[1] {
log("XXX default handler: start");
# -----------------------------------------------------------------
# Default Message Handler
# -----------------------------------------------------------------
t_on_reply("1");
if (!t_relay()) {
if (method=="INVITE" && isflagset(6)) {
unforce_rtp_proxy();
};
sl_reply_error();
};
}
route[2] {
log("XXX REGISTER handler: start");
# -----------------------------------------------------------------
# REGISTER Message Handler
# ----------------------------------------------------------------
if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
log("XXX REGISTER handler: valid contact and
nat_uac_test(19) true");
setflag(6);
fix_nated_register();
force_rport();
};
log("XXX REGISTER handler: 100 trying");
sl_send_reply("100", "Trying");
if (!www_authorize("","subscriber")) {
log("XXX REGISTER handler: www_authorize failed");
www_challenge("","0");
return;
};
if (!check_to()) {
sl_send_reply("401", "Unauthorized");
return;
};
consume_credentials();
if (!save("location")) {
sl_reply_error();
};
log("XXX REGISTER handler: location saved");
}
route[3] {
log("XXX INVITE handler: start");
# -----------------------------------------------------------------
# INVITE Message Handler
# -----------------------------------------------------------------
if (!proxy_authorize("","subscriber")) {
log("XXX INVITE handler: proxy_authorize failed");
proxy_challenge("","0");
return;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
return;
};
consume_credentials();
if (nat_uac_test("19")) {
setflag(6);
}
lookup("aliases");
if (uri!=myself) {
route(4);
route(1);
return;
};
if (!lookup("location")) {
sl_send_reply("404", "User Not Found");
return;
};
route(4);
route(1);
}
route[4] {
log("XXX NAT traversal: start");
# -----------------------------------------------------------------
# NAT Traversal Section
# -----------------------------------------------------------------
if (isflagset(6)) {
force_rport();
fix_nated_contact();
force_rtp_proxy();
}
}
onreply_route[1] {
log("XXX onreply_route: start");
if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
if (!search("^Content-Length:[ ]*0")) {
force_rtp_proxy();
};
};
if (nat_uac_test("1")) {
log("XXX onreply_route: nat_uac_test(1) true");
fix_nated_contact();
};
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kamailio.org/pipermail/users/attachments/20060807/d39712ae/attachment.htm
More information about the Users
mailing list