401 Unauthorized when receiving calls from providers

Hello,
I’m new to Asterisk and SIP telephony in general, trying to build a web Softphone,
I setup asterisk and added my WebRTC endpoints, so that I can make Local calls between them.

Now I just got a provider SIP account (Username/Password and server address…), My account works fine in other Softphones.

When I try to call to receive calls, I can see that mys server is receiving the INVITE request from the provider but then it returns a 401 Unauthorized Tried many solutions but nothing seems to work, since I’m new to the domain so I’m not sure how can I fix this

Here is the Log

<--- Received SIP request (1282 bytes) from UDP:196.41.228.32:5060 --->
INVITE sip:213982420090@192.168.1.18:5060 SIP/2.0
Via: SIP/2.0/UDP 196.41.228.32:5060;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b;rport
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Max-Forwards: 69
Record-Route: <sip:196.41.228.32;lr;ep;pinhole=UDP:41.111.136.198:65476>
Contact: sip:196.41.228.115:5071
To: <sip:213982420090@196.41.228.32>
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
CSeq: 450 INVITE
Expires: 300
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS, UPDATE
Content-Disposition: session
Content-Type: application/sdp
User-Agent: PortaSIP
P-Asserted-Identity: <sip:0556382997@196.41.228.32>
Remote-Party-ID: <sip:0556382997@196.41.228.32>;party=calling
cisco-GUID: 3468086570-3909692268-1066052068-1066052068
h323-conf-id: 3468086570-3909692268-1066052068-1066052068
Content-Length: 310

v=0
o=PortaSIP 3299437597378171192 1 IN IP4 196.41.228.115
s=-
t=0 0
m=audio 60438 RTP/AVP 18 3 8 0 4 101
c=IN IP4 196.41.228.115
a=rtpmap:18 G729/8000/1
a=rtpmap:3 GSM/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:4 G723/8000/1
a=rtpmap:101 telephone-event/8000/1
a=fmtp:101 0-15

<--- Transmitting SIP response (733 bytes) to UDP:196.41.228.32:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 196.41.228.32:5060;rport=5060;received=196.41.228.32;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Record-Route: <sip:196.41.228.32;lr;ep;pinhole=UDP:41.111.136.198:65476>
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
To: <sip:213982420090@196.41.228.32>;tag=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
CSeq: 450 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1632322393/9bd16c297da55a8e6d03c87f5ad657d0",opaque="195c9a35060ce674",algorithm=md5,qop="auth"
Server: Asterisk PBX 18.4.0
Content-Length:  0


<--- Received SIP request (597 bytes) from UDP:196.41.228.32:5060 --->
ACK sip:213982420090@192.168.1.18:5060 SIP/2.0
Via: SIP/2.0/UDP 196.41.228.32:5060;branch=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b;rport
Via: SIP/2.0/UDP 196.41.228.115:5071;rport=5071;branch=z9hG4bK-ahbc4rmu3votu6zn
Max-Forwards: 69
To: <sip:213982420090@196.41.228.32>;tag=z9hG4bK-524287-1---5db72d61b26cbcb56f87d93ea811d67b
From: <sip:0556382997@196.41.228.32>;tag=UQJ44NLV6G2A3XRAM4RQ____.o
Call-ID: 3a64c388a15dac2@196.41.228.244~2o
CSeq: 450 ACK
Allow: INVITE, ACK, BYE, CANCEL, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
User-Agent: PortaSIP
Content-Length: 0

Thanks in advance.

You’d need to show the actual configuration you are using.

In particular, for chan_pjsip, which you should be using, you should only specify outbound authentication and for chan_sip, which you should be moving away from, you should use remotesecret, rather than secret (although you will see an older method, insecure=invite, in most examples on the internet, but those examples usually have lots of bad practice).

In general, service providers expect you to take them on trust, even though they will ask you to prove who you are.

Here is my config

pjsip.conf

;============================================
[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

[webrtc_client_1]
type=aor
max_contacts=2
remove_existing=yes

  
[webrtc_client_1]
type=auth
auth_type=userpass
username=webrtc_client_1
password=****
 
[webrtc_client_1]
type=endpoint
aors=webrtc_client_1
auth=webrtc_client_1
outbound_auth=icosnet
dtls_auto_generate_cert=yes
webrtc=yes
; Setting webrtc=yes is a shortcut for setting the following options:
; use_avpf=yes
; media_encryption=dtls
; dtls_verify=fingerprint
; dtls_setup=actpass
; ice_support=yes
; media_use_received_transport=yes
; rtcp_mux=yes
context=default
disallow=all
allow=opus,ulaw
direct_media=no


;==========================================  registration   ======================================================================

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0

 
[icosnet]
type=registration
transport=transport-udp-nat
outbound_auth=icosnet
server_uri=sip:196.41.228.32
client_uri=sip:213982420090@196.41.228.32
contact_user=213982420090
retry_interval=60
 
[icosnet]
type=auth
auth_type=userpass
password=*********
username=213982420090

 
[icosnet]
type=aor
max_contacts=2
contact=sip:213982420090@196.41.228.32
 
[icosnet]
type=identify
endpoint=webrtc_client_1
match=196.41.228.32

here is the extensions.conf file

[default]
include => local-extensions
exten => 5098,1,Dial(PJSIP/webrtc_client_1,30)

exten => 213982420090,1,Dial(PJSIP/webrtc_client_1,30)

You don’t have an endpoint [see Joshua’s response for why you are being challenged].

Incidentally, naming a transport as udp-nat, when it has no NAT settings, is confusing.

As I said, I’m a newbie to the domain tried setting up NAT, but I don’t really know how to do so,
I thought that if there is a network problem then I won’t receive any request,

Wrong NAT settings will generally cause calls to break some time into the call, e.g. you might have no or one way audio, and the call might drop at 30 seconds, when retransmissions of response or ACK time out.

Got you, any suggestion on what I’m doing wrong here; as you said you have no endpoint, I didn’t understand what you mean, since my endpoint is configured and logged in from the softphone.

In PJSIP an endpoint section defines the configuration to use when talking to something remote (like an ITSP). You don’t have one for the ITSP, you have an identify section which says to use the configuration of a WebRTC client for talking to your ITSP, and it also says to challenge them for authentication. That’s probably not what is needed. The wiki has an example for an ITSP endpoint[1].

[1] res_pjsip Configuration Examples - Asterisk Project - Asterisk Project Wiki

I got you, that was the issue, I needed an endpoint for the ITSP, the case is to close.