IP authentication with provider whose Invites originate from large IP range

My voice service provider (Vitelity) uses IP authentication and has provided me with the appropriate peer settings for the trunk including their host server address.

[vitel-inbound] 
type=friend 
dtmfmode=auto 
host=64.2.142.90 
context=from-trunk 
disallow=all
allow=ulaw,gsm
insecure=port,invite 
canreinvite=no

However they said that incoming Invites would be coming from a whole range of IP addresses.
I guess the way to accommodate that would be to set allowguests=yes, which I prefer not to do.
Or to create a peer for each possible host IP address but that is probably also not practical.

Is there a reasonable way to accomplish this without relaxing security with allowguests?

Create a SIP peer for every possible address Vitelity would use.

That would almost be impossible with the size of the IP address ranges that Vitelity told me signaling (and media) might come from.
It’s several /24 networks.

Is there another way with pjsip, or using permit/deny maybe?

The PJSIP identify section, which is used for IP based matching, allows multiple IP addresses or subnet masks to be configured.

2 Likes

https://wiki.asterisk.org/wiki/display/AST/PJSIP+Configuration+Sections+and+Relationships
;[mytrunk]
;type=identify
;endpoint=mytrunk
;match=198.51.100.1
;match=198.51.100.2

1 Like

Would I configure subnets like this?

;[mytrunk]
;type=identify
;endpoint=mytrunk
;match=198.51.100.1/24
;match=198.51.101.2/24

It uses the same core support as “permit” and “deny” so the way you specify for them will also work for it, including what you’ve done. You would need to uncomment all of that section though.

1 Like
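
A pre-deployment check for the identify section discussed above, added here as an example that is not part of any post in the thread: it reads the `match=` lines and reports which endpoint a given source address would be matched to, and how many addresses the section covers in total. The parser, the function names and the test addresses are assumptions made for illustration; only IP and CIDR values of `match=` are handled.

```python
import ipaddress

# Constructed sample: the identify section from the thread, uncommented.
# The endpoint name and the 198.51.100.x / 198.51.101.x ranges are the
# thread's placeholders, not the provider's real ranges.
SAMPLE_CONF = """\
[mytrunk]
type=identify
endpoint=mytrunk
match=198.51.100.1/24
match=198.51.101.2/24
;match=203.0.113.7
"""

def parse_identify(conf_text):
    """Return {endpoint: [networks]} for every type=identify section."""
    sections, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # text after ';' is a comment
        if line.startswith("["):
            current = {}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    rules = {}
    for sec in sections:
        if sec.get("type") != ["identify"]:
            continue
        for endpoint in sec.get("endpoint", []):
            # strict=False accepts host bits, so 198.51.100.1/24 is read
            # as the whole network 198.51.100.0/24 (assumed CIDR semantics).
            nets = [ipaddress.ip_network(m, strict=False) for m in sec.get("match", [])]
            rules.setdefault(endpoint, []).extend(nets)
    return rules

def endpoint_for(source_ip, rules):
    """Endpoint whose match= ranges contain source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    for endpoint, networks in rules.items():
        if any(addr in net for net in networks):
            return endpoint
    return None

def trusted_address_count(rules, endpoint):
    """How many source addresses are accepted as this endpoint."""
    return sum(net.num_addresses for net in rules.get(endpoint, []))

if __name__ == "__main__":
    rules = parse_identify(SAMPLE_CONF)
    for ip in ("198.51.100.200", "198.51.101.2", "198.51.102.9", "203.0.113.7"):
        print(ip, "->", endpoint_for(ip, rules) or "no identify match")
    print("addresses matched to mytrunk:", trusted_address_count(rules, "mytrunk"))
```

Running it against the ranges a provider actually publishes shows, before the trunk goes live, whether every signaling address is covered and how many addresses end up trusted as that endpoint.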