Issue connecting 2 Asterisk instances

Hi, I’m trying to set up 2 instances of Asterisk (version 20.5.0), with SIP trunking and calling/call transfers between the instances, but I can’t get calls or transfers to work.

Both instances are behind NAT (since we can’t have nice things can we?), but there is a WireGuard bridge between the 2;

Server A: 10.0.0.1
Server B: 10.0.0.2

Server A
pjsip.conf (could only get TLSv1.2 to work, but that’s a different issue);

[global]
type=global

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0:5060
allow_reload=no

[transport-tls-nat]
type=transport
protocol=tls
method=tlsv1_2
ca_list_file=/etc/ssl/certs/ca-certificates.crt
bind=0.0.0.0:5061
external_media_address=<public ip>
external_signaling_address=<public ip>
allow_reload=no

pjsip_wizard.conf

[bridge]
type = wizard
transport=transport-udp-nat
accepts_auth = yes
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
accepts_registrations = yes
endpoint/context = peer_context
endpoint/context = from-bridge
remote_hosts = 10.0.0.2:5060
inbound_auth/username = bridge
inbound_auth/password = <pass>
aor/qualify_frequency = 30
registration/expiration = 1800
aor/max_contacts = 1
aor/remove_existing = yes
aor/minimum_expiration = 30
endpoint/rewrite_contact=yes

[user_defaults](!)
type = wizard
accepts_registrations = yes
sends_registrations = no
accepts_auth = yes
endpoint/context = from-internal
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
endpoint/dtmf_mode = rfc4733
endpoint/rewrite_contact = yes
endpoint/force_rport = yes
aor/max_contacts = 1
aor/remove_existing = yes
aor/minimum_expiration = 30
type = identify

[1001](user_defaults)
hint_exten = 1001
endpoint/callerid = <CID>
inbound_auth/username = 1001
inbound_auth/password = <pass> 

extensions.conf;

[from-bridge]
exten => _X.,1,Answer()
 same => n,Wait(1)
 same => n,Playback(hello-world)
 same => n,Hangup()

Server B:
pjsip.conf:

[global]
type=global

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=<public ip>
external_signaling_address=<public ip>
allow_reload=no

[transport-tls-nat]
type=transport
protocol=tls
method=tlsv1_2
ca_list_file=/etc/ssl/certs/ca-certificates.crt
bind=0.0.0.0:5061
external_media_address=<public ip>
external_signaling_address=<public ip>
allow_reload=no

pjsip_wizard.conf:

[bridge]
type = wizard
transport = transport-udp-nat
sends_auth = yes
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
sends_registrations = yes
endpoint/context = peer_context
remote_hosts = 10.0.0.1:5060
outbound_auth/username = bridge
outbound_auth/password = <pass>
endpoint/rewrite_contact=yes
aor/qualify_frequency = 30
registration/expiration = 1800
aor/max_contacts = 1
aor/remove_existing = yes
aor/minimum_expiration = 30

[user_defaults](!)
type = wizard
accepts_registrations = yes
sends_registrations = no
accepts_auth = yes
endpoint/context = from-internal
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
endpoint/dtmf_mode = rfc4733
endpoint/rewrite_contact = yes
endpoint/force_rport = yes
endpoint/callerid = <CID>
aor/max_contacts = 1
aor/remove_existing = yes
aor/minimum_expiration = 30
type = identify

[2001](user_defaults)
hint_exten = 2001
inbound_auth/username = 2001
inbound_auth/password = <pass>

extensions.conf;

[from-internal]
exten => _1XXX,1,Dial(PJSIP/${EXTEN}@bridge,20,T)
 same => n,HangUp()

Server A endpoint;

 Endpoint:  bridge                                              Not in use    0 of inf
     InAuth:  bridge-iauth/bridge
        Aor:   bridge                                             1
      Contact:   bridge/sip:s@10.0.0.2:5060;x-ast-orig- d2b28213a8 Avail         5.523
      Contact:   bridge/sip:10.0.0.2:5060               0d148ccb25 Avail         5.772
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060

Server B endpoint;

Endpoint:  bridge                                               Not in use    0 of inf
    OutAuth:  bridge-oauth/bridge
        Aor:  bridge                                             1
      Contact:  bridge/sip:10.0.0.1:5060               de2c6b4f89 Avail        11.640
  Transport:  transport-udp-nat         udp      0      0  0.0.0.0:5060
   Identify:  bridge-identify/bridge
        Match: 10.0.0.1:5060/32

Whenever I call 1001 (on server A) from SIP account 2001 from server B;

WARNING[133712]: res_pjsip_outbound_authenticator_digest.c:554 digest_create_request_with_auth: Endpoint: 'bridge': Authentication credentials not accepted by server.

Server A;

NOTICE[6721]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:<outbound CID>@<NAT IP of server B>>' failed for '10.0.0.2:5060' (callid: <ID>) - No matching endpoint found
NOTICE[6721]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:<outbound CID>@<NAT IP of server B>>' failed for '10.0.0.2:5060' (callid: <ID>) - Failed to authenticate

SIP logs on server A;

<--- Received SIP request (1066 bytes) from UDP:10.0.0.2:5060 --->
INVITE sip:1001@10.0.0.1:5060 SIP/2.0
Via: SIP/2.0/UDP <public IP>:5060;rport;branch=z9hG4bKPjfc50637f-1c98-40cc-a6f0-ff4715d41d02
From: <sip:<outbound CID>@<NAT IP>>;tag=0c015b9e-f0df-4d9b-a82b-da3047cb6820
To: <sip:1001@10.0.0.1>
Contact: <sip:asterisk@<public ip>:5060>
Call-ID: afd41058-4493-433a-b708-b7f56bf362db
CSeq: 3551 INVITE
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub, histinfo
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 20.5.0
Content-Type: application/sdp
Content-Length:   395

v=0
o=- 1462217399 1462217399 IN IP4 <public IP>
s=Asterisk
c=IN IP4 <public ip>
t=0 0
m=audio 11228 RTP/AVP 0 8 18 107 9 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:107 opus/48000/2
a=fmtp:107 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:20
a=sendrecv

NOTICE[6920]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:<outbind CID>@<NAT IP>' failed for '10.0.0.2:5060' (callid: afd41058-4493-433a-b708-b7f56bf362db) - No matching endpoint found
<--- Transmitting SIP response (571 bytes) to UDP:10.0.0.2:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP <public IP>:5060;rport=5060;received=10.0.0.2;branch=z9hG4bKPjfc50637f-1c98-40cc-a6f0-ff4715d41d02
Call-ID: afd41058-4493-433a-b708-b7f56bf362db
From: <sip:<outgoing CID>@<NAT IP>>;tag=0c015b9e-f0df-4d9b-a82b-da3047cb6820
To: <sip:1001@10.0.0.1>;tag=z9hG4bKPjfc50637f-1c98-40cc-a6f0-ff4715d41d02
CSeq: 3551 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1699424820/51d558412d33aac3cd39db1d1455bfe4",opaque="5605b8c460cd7592",algorithm=MD5,qop="auth"
Server: Asterisk PBX 20.5.0
Content-Length:  0

Would anyone be so kind as to point out what I’m missing?

Endpoint 1001 does indeed exist, but does the IP in the request need to match the expected too?

Thanks.

Most of the issue seems to be how pjsip_wizard doesn’t seem to be actually documented.

Is there any better documentation than this? res_pjsip_config_wizard: Module that provides simple configuration wizard capabilities. - Asterisk Documentation

Figured it out myself.

So people can find the answer via a search engine, I’ll document my config;

Server A pjsip_wizard.conf;

[trunk_defaults](!)
type = wizard
transport = transport-udp-nat
endpoint/allow_subscribe = no
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
;route calls asterisk --> wireguard --> asterisk, rather than trying to send them directly since NAT
endpoint/direct_media = no
aor/qualify_frequency = 30
registration/expiration = 1800

;no need for auth as is only reachable via wireguard and only internal calls are allowed
[trunk](trunk_defaults)
endpoint/context = from-B
remote_hosts = 10.0.0.2:5060
sends_registrations = no
accepts_registrations = no
sends_auth = no
accepts_auth = no

;account config here

Server B pjsip_wizard.conf;

[trunk_defaults](!)
type = wizard
transport = transport-udp-nat
endpoint/allow_subscribe = no
endpoint/allow = !all,ulaw,alaw,G729,G722,opus
;route calls asterisk --> wireguard --> asterisk, rather than trying to send them directly since NAT
endpoint/direct_media = no
aor/qualify_frequency = 30
registration/expiration = 1800

;no need for auth as is only reachable via wireguard and only internal calls are allowed
[trunk](trunk_defaults)
endpoint/context = from-A
remote_hosts = 10.0.0.1:5060
sends_registrations = no
accepts_registrations = no
sends_auth = no
accepts_auth = no

;account config here

Server B extensions.conf;

[from-internal]
exten => _2XXX,1,Dial(PJSIP/${EXTEN}@trunk,30,T)
 same => n,Hangup()

[from-A]
exten => _1XXX,1,Dial(PJSIP/${EXTEN},30)
 same => n,Hangup()

Server A extensions.conf;

[from-B]
exten => _2XXX,1,Dial(PJSIP/${EXTEN},60)
 same => n,HangUp()

[from-internal]
exten => _1XXX,1,Dial(PJSIP/${EXTEN}@trunk,20,T)
 same => n,HangUp()
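
The final configuration turns authentication off on the trunk, so the only gate on an incoming INVITE is the source-address match generated from remote_hosts (the Identify/Match lines in the Server B endpoint listing earlier in the thread). The following is an added example, not part of the original posts: it checks a pjsip_wizard.conf for unauthenticated wizard sections whose remote_hosts fall outside the tunnel. The 10.0.0.0/24 subnet, the function names and the sample text are assumptions.

```python
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed WireGuard subnet
# Constructed sample: the trunk from the post plus one deliberately bad entry.
SAMPLE = """\
[trunk_defaults](!)
type = wizard
accepts_auth = no
[trunk](trunk_defaults)
remote_hosts = 10.0.0.2:5060
[stray](trunk_defaults)
remote_hosts = 203.0.113.7:5060
"""

def parse_wizard(text):
    """Return {section: options}, templates resolved and then dropped."""
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ; comments
        if line.startswith("["):
            name, _, rest = line[1:].partition("]")
            current = sections[name] = {}
            for parent in rest.strip("() ").split(","):
                if parent.strip() == "!":
                    templates.add(name)  # [name](!) is a template only
                else:
                    current.update(sections.get(parent.strip(), {}))
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return {n: o for n, o in sections.items() if n not in templates}

def audit(text, net=TUNNEL_NET):
    """Return (section, problem) pairs; an absent accepts_auth counts as no."""
    findings = []
    for name, opts in parse_wizard(text).items():
        if opts.get("type") != "wizard" or opts.get("accepts_auth", "no") != "no":
            continue
        hosts = [h.strip() for h in opts.get("remote_hosts", "").split(",") if h.strip()]
        if not hosts:
            findings.append((name, "no auth and no remote_hosts"))
        for host in hosts:
            try:  # IPv4 host[:port] only; hostnames cannot be pinned to the tunnel
                inside = ipaddress.ip_address(host.rsplit(":", 1)[0]) in net
            except ValueError:
                inside = False
            if not inside:
                findings.append((name, f"{host} outside {net}"))
    return findings
```

Because both transports bind 0.0.0.0:5060, an empty result from audit() only shows that the trunk is pinned to tunnel addresses; whether port 5060 is reachable from outside the tunnel is a separate firewall check.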