Control outgoing route or bind RTP listener to different interface

Hi everyone,

I have Asterisk and Kamailio running on one machine. Kamailio handles all registrations and proxies all messages (it is the external entrypoint) while Asterisk acts as a B2BUA re-originating calls. This allows us to fork calls on Asterisk with relatively complex logic and also facilitate calls like this: Client A <--sip;transport=tls--> Server <--sips--> Client B

Our topology is this (with RTP directly via Asterisk):

Clients <==>  [(sip/tls our.host.tld:5061) Kamailio (sip/tls 127.0.0.1:5062) <==> (sip/tls 0.0.0.0:5071) Asterisk]

Why SIP via TLS inside one host? To support sips: without violating standards.
Why bind Asterisk to 0.0.0.0:5071 instead of 127.0.0.1:5071? Now this is my issue. Because otherwise it does not handle RTP on the public interface, which I need it to do.

The issue with this setup is that it sometimes breaks when Asterisk, bound to 0.0.0.0, decides to use its local interface 10.x.x.x to send a message. This address is not in the certificate, so it is rejected.


Ideally, I would want to bind Asterisk’s PJSIP to 127.0.0.1:5071 and still listen for RTP on 0.0.0.0. Is this somehow possible?

If this is not possible, my next best approach would be to keep Asterisk’s PJSIP on 0.0.0.0:5071 and just firewall-off that port. But then I need a way to tell Asterisk to always send these messages to Kamailio via 127.0.0.1:5062. Is there a way to determine the default route for this?


This is an example of the issue manifesting:

== ... assume established call client_a <-> asterisk <-> client_b ...

== The called client_a sends a BYE to the server
<--- Received SIP request (600 bytes) from TLS:127.0.0.1:42471 --->
BYE sips:asterisk@127.0.0.1:5071;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 127.0.0.1:5062;branch=z9hG4bK0b35.04a473ed54b7fa2681c941bd6a05f9c2.0;i=e
Via: SIP/2.0/TLS CLIENTIP:64754;received=CLIENTIP;rport=64754;branch=z9hG4bKPj0133eaf253d84468b7b2f733eb7ff7a9;alias
Max-Forwards: 69
From: <sips:client_a@my.host.tld>;tag=6bdf042e782549cd9e8119a77c6f8fa0
To: "Test Device" <sip:client_b@my.host.tld>;tag=a5a850a3-6719-427a-bf88-37e877c72115
Call-ID: a3d497df-0560-4f65-aac2-9bb8bb646b68
CSeq: 8313 BYE
 
== Asterisk correctly acknowledges it
<--- Transmitting SIP response (581 bytes) to TLS:127.0.0.1:42471 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 127.0.0.1:5062;rport=42471;received=127.0.0.1;branch=z9hG4bK0b35.04a473ed54b7fa2681c941bd6a05f9c2.0;i=e
Via: SIP/2.0/TLS CLIENTIP:64754;rport=64754;received=CLIENTIP;branch=z9hG4bKPj0133eaf253d84468b7b2f733eb7ff7a9;alias
Call-ID: a3d497df-0560-4f65-aac2-9bb8bb646b68
From: <sips:client_a@my.host.tld>;tag=6bdf042e782549cd9e8119a77c6f8fa0
To: "Test Device" <sip:client_b@my.host.tld>;tag=a5a850a3-6719-427a-bf88-37e877c72115
CSeq: 8313 BYE

== Asterisk wants to send a BYE to the first call but sends it via its 10.x.x.x interface
<--- Transmitting SIP request (588 bytes) to TLS:my.external.ip:5061 --->
BYE sip:client_b@localip:8616;transport=TLS;ob SIP/2.0
Via: SIP/2.0/TLS 10.0.0.35:5071;rport;branch=z9hG4bKPj89f41e1a-8185-46f6-a23a-ca9183c5291b;alias
From: <sip:client_a@my.host.tld>;tag=eee45000-bdd0-492c-adf4-18e2f30b3ec1
To: "Test Device" <sip:client_b@my.host.tld>;tag=4b6f2890-2244-4006-ae21-93ff28b1e990
Call-ID: 1dc3d7b9-adf1-424d-9e1b-34cb9d5025f2
CSeq: 15601 BYE
Route: <sip:my.external.ip:5061;transport=tls;lr>
Reason: Q.850;cause=16
Max-Forwards: 70

My current Asterisk pjsip.conf:

[transport-tls-kamailio]
type=transport
protocol=tls
bind=0.0.0.0:5071
external_media_address=MY_PUBLIC_IP
cert_file=/etc/asterisk/sips/asterisk.crt
priv_key_file=/etc/asterisk/sips/asterisk.key
ca_list_file=/etc/asterisk/sips/trustedca.crt
verify_server=yes
verify_client=yes
method=sslv23

[kamailio-sip]
type=endpoint
transport=transport-tls-kamailio
context=from-kamailio
disallow=all
allow=h264,g722,ulaw,alaw,gsm,ilbc
aors=kamailio-sip
direct_media=no
rtp_symmetric=yes
from_domain=MY_DOMAIN

[kamailio-sip]
type=aor
contact=sip:127.0.0.1:5062
 
[kamailio-sip]
type=identify
endpoint=kamailio-sip
match=127.0.0.1

[kamailio-sips]
type=endpoint
transport=transport-tls-kamailio
context=from-kamailio
disallow=all
allow=h264,g722,ulaw,alaw,gsm,ilbc
aors=kamailio-sips
direct_media=no
rtp_symmetric=yes
from_domain=MY_DOMAIN

[kamailio-sips]
type=aor
contact=sips:127.0.0.1:5062
 
[kamailio-sips]
type=identify
endpoint=kamailio-sips
match=127.0.0.1
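
A way to spot the failure described in this post in a PJSIP trace, as an added example that is not part of the original post: it flags every transmitted request that is not sent to Kamailio at 127.0.0.1:5062 or whose top Via carries a non-loopback address. The function names and the sample log are constructed for illustration; the banner format and the proxy address are taken from the post.

```python
import ipaddress
import re

# Constructed sample in the trace format from the post (addresses are placeholders).
SAMPLE_LOG = """\
<--- Transmitting SIP response (581 bytes) to TLS:127.0.0.1:42471 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS 127.0.0.1:5062;rport=42471;received=127.0.0.1;branch=z9hG4bKaaa

<--- Transmitting SIP request (588 bytes) to TLS:198.51.100.7:5061 --->
BYE sip:client_b@192.0.2.10:8616;transport=TLS;ob SIP/2.0
Via: SIP/2.0/TLS 10.0.0.35:5071;rport;branch=z9hG4bKbbb;alias

<--- Transmitting SIP request (590 bytes) to TLS:127.0.0.1:5062 --->
BYE sips:client_a@my.host.tld SIP/2.0
Via: SIP/2.0/TLS 127.0.0.1:5071;rport;branch=z9hG4bKccc;alias
"""

BANNER = re.compile(r"^<--- Transmitting SIP request \(\d+ bytes\) to \w+:(\S+):(\d+) --->$")
VIA = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I)

def via_host(hostport):
    """Drop the optional :port; bracketed IPv6 literals keep their colons."""
    if hostport.startswith("["):
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0]

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an IP literal
        return host == "localhost"

def find_stray_requests(log, proxy=("127.0.0.1", 5062)):
    """Return (request line, destination, top Via host) for each transmitted
    request that bypasses the proxy or advertises a non-loopback Via."""
    findings, msg = [], None
    for line in map(str.strip, log.splitlines()):
        if line.startswith("<---"):  # any banner starts a new message
            m = BANNER.match(line)
            msg = {"dest": (m.group(1), int(m.group(2))), "start": None, "via": None} if m else None
        elif msg and line and msg["start"] is None:
            msg["start"] = line
        elif msg and msg["via"] is None and (v := VIA.match(line)):
            msg["via"] = via_host(v.group(1))
            if msg["dest"] != proxy or not is_loopback(msg["via"]):
                findings.append((msg["start"], msg["dest"], msg["via"]))
    return findings
```

Received messages and transmitted responses are skipped, since only requests that Asterisk originates can pick the wrong source interface.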
