Migrate from sip to pjsip

Daft_Dutch · August 5, 2022, 10:29pm

I followed how to’s on the web to get my asterisk environment running. and resulted in a sip configuration.

I was told in some other post that that is outdated. and now when i moved on to home assistant i found a nice asterisk integration that uses the web socket to connect. that requires pjsip.

So I installed an asterisk home assistant instance with a clean autoconfigured pjsip configuration.

I have some questions. I need to rewrite the sip connections in sip.conf and users.conf to the new pjsip configuration right? and can keep the extentions.conf file.
But how is NAT arranged? I cant find anything on that.

ps.
I found a tool called sip_to_pjsip.py but that has failing dependencies.

david551 · August 5, 2022, 10:51pm

NAT is arranged in your router, as was the case for chan_sip.

The options for compensating for your being inside NAT are the four starting here:

github.com

asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L1068


      
                          ; (default: "")
          ;cipher=        ; Preferred cryptography cipher names TLS ONLY (default: "")
          ;method=        ; Method of SSL transport TLS ONLY (default: "")
          ;priv_key_file= ; Private key file TLS ONLY (default: "")
          ;verify_client= ; Require verification of client certificate TLS ONLY (default:
                          ; "")
          ;verify_server= ; Require verification of server certificate TLS ONLY (default:
                          ; "")
          ;require_client_cert=   ; Require client certificate TLS ONLY (default: "")
          ;domain=        ; Domain the transport comes from (default: "")
          ;external_media_address=        ; External IP address to use in RTP handling
                                          ; (default: "")
          ;external_signaling_address=    ; External address for SIP signalling (default:
                                          ; "")
          ;external_signaling_port=0      ; External port for SIP signalling (default:
                                          ; "0")
          ;local_net=     ; Network to consider local used for NAT purposes (default: "")
          ;password=      ; Password required for transport (default: "")
          ;protocol=udp   ; Protocol to use for SIP traffic (default: "udp")
          ;type=  ; Must be of type transport (default: "")
          ;tos=0  ; Enable TOS for the signalling sent over this transport (default: "0")

The options that you might need to compensate for the failure of the other side to correctly compensate for NAT are the three starting here:

github.com

asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L391


      
          ;
          ;[6002]
          ;type=endpoint
          ;transport=transport-udp
          ;context=from-internal
          ;disallow=all
          ;allow=ulaw
          ;auth=6002
          ;aors=6002
          ;direct_media=no
          ;rtp_symmetric=yes
          ;force_rport=yes
          ;rewrite_contact=yes  ; necessary if endpoint does not know/register public ip:port
          ;ice_support=yes   ;This is specific to clients that support NAT traversal
                             ;for media via ICE,STUN,TURN. See the wiki at:
                             ;https://wiki.asterisk.org/wiki/x/D4FHAQ
                             ;for a deeper explanation of this topic.
          
          
;[6002]
          ;type=auth
          ;auth_type=userpass

Note that the nat= option in chan_sip confuses many people; it isn’t there for Asterisk behind NAT, but rather for the peer being behind NAT and failing to compensate for that.

This:

github.com

asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L394


      
          ;transport=transport-udp
          ;context=from-internal
          ;disallow=all
          ;allow=ulaw
          ;auth=6002
          ;aors=6002
          ;direct_media=no
          ;rtp_symmetric=yes
          ;force_rport=yes
          ;rewrite_contact=yes  ; necessary if endpoint does not know/register public ip:port
          ;ice_support=yes   ;This is specific to clients that support NAT traversal
                             ;for media via ICE,STUN,TURN. See the wiki at:
                             ;https://wiki.asterisk.org/wiki/x/D4FHAQ
                             ;for a deeper explanation of this topic.
          
          
;[6002]
          ;type=auth
          ;auth_type=userpass
          ;password=6002
          ;username=6002

also provides support for NAT for media with suitable clients, and corresponds to:

github.com

asterisk/asterisk/blob/master/configs/samples/sip.conf.sample#L1009


      
          ; res_stun_monitor is configured.  If res_stun_monitor is enabled and you wish to not
          ; generate all outbound registrations on a network change, use the option below to disable
          ; this feature.
          ;
          ; subscribe_network_change_event = yes ; on by default
          ;
          ; ICE/STUN/TURN usage can be enabled globally or on a per-peer basis using the icesupport
          ; configuration option. When set to yes ICE support is enabled. When set to no it is disabled.
          ; It is disabled by default.
          ;
          ; icesupport = yes
          
          
; ---------------------------------- MEDIA HANDLING --------------------------------
          ; By default, Asterisk tries to re-invite media streams to an optimal path. If there's
          ; no reason for Asterisk to stay in the media path, the media will be redirected.
          ; This does not really work well in the case where Asterisk is outside and the
          ; clients are on the inside of a NAT. In that case, you want to set directmedia=nonat.
          ;
          ;directmedia=yes                ; Asterisk by default tries to redirect the
                                          ; RTP media stream to go directly from
                                          ; the caller to the callee.  Some devices do not

I believe it is particularly important for webrtc and therefore websockets, but I haven’t personally researched it.

I didn’t think many serious users use users.conf, so I don’t know about that. You will need to change the technology name in dialstrings and there are differences in the possible resource parts, in extensions.conf and other places that use them.

Functions for accessing low level information relating to SIP are different, and the one that particularly catches people out is that adding and reading headers is done differently.

InterLinked · August 6, 2022, 10:30am

I found a tool called sip_to_pjsip.py but that has failing dependencies.

Careful! I actually recommend you not use this, or if you do use it, be very careful, because this is an incomplete tool that will generate false, nonsensical data. It’s a helpful start, but you can’t convert your sip.conf in one step and be done. You’ll have a lot of cleanup work to sort through.

It may be better to start fresh with PSJIP config and not use that script, because it may just confuse you and set things back further. (I used that tool and it took about 6 months to sort through all the aftermath fully).

david551 · August 6, 2022, 10:58am

Generally doing anything except starting from first principles and understanding how things work will produce bad configurations. Most of the chan_sip configurations I’ve seen here are based on ones provided by service provides who don’t really seem to understand how things work. You are almost certainly trying to convert something that was badly designed in the first place. In particular lax security can appear to make things work.

Daft_Dutch · August 8, 2022, 12:02am

Oke i could work on my asterisk system. I Migrated from sip to jpsip. Only two issues. I cant connect to TLS with my softphone. But cant write about it because im back to SIP due to issue two.

My Grandstream FXO does not hang up the call when i hang up the phone.
I went back to SIP to verify and that works fine.

Some one has a solution?

david551 · August 8, 2022, 10:15am

Please provide the “pjsip set logger on” type logging.

(This sounds like a bad contact header, which is generally NAT related.)

BlazeStudios · August 8, 2022, 1:30pm

Show us the pjsip configurations for the endpoint(s) and all their sections. What model is the Grandstream?

Daft_Dutch · August 8, 2022, 6:25pm

pjsip set logger on gives to much information from bots trying to make a call. I dont know where im looking for,

[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0
local_net=192.168.5.0/24
local_net=192.168.2.0/24
local_net=10.8.0.0/24
local_net=127.0.0.1/32
external_media_address=my.h-o-s-t.name
external_signaling_address=my.h-o-s-t.name


[fxo]
type=endpoint
context=pstn-incoming
disallow=all
allow=alaw
callerid=fxo
transport=transport-udp-nat
auth=fxo
aors=fxo

[fxo]
type=auth
auth_type=userpass
password=1234
username=fxo

[fxo]
type=aor
max_contacts=1

david551 · August 8, 2022, 7:32pm

Without the logging for a failed call, I’d need very detailed information about your network topology. I generally find that the logging is a much more reliable source, and most people seem to be able to extract the call.

You probably need much better firewalling if the logs are overwhelmed with toll fraud attempts.

Daft_Dutch · August 8, 2022, 8:13pm

I have fail2ban enabled. I could use a other port.

I have now reanabled the sip config for the grandstream on a diffrent port.

The grandstream is connected with the wan port to my local lan. With a virtual bridge to my asterisk virtual machine.

sedwards · August 9, 2022, 2:02am

Whitelisting is your friend.

Whitelist your SIP provider, drop everything else.

Daft_Dutch · August 9, 2022, 7:52am

Whitelist. My mobile phone. That can be connected from anywhere?

sedwards · August 9, 2022, 2:02pm

Probably not everywhere.

Maybe block off certain countries that are problematic for you. Like China, Russia, Iran, etc.

Maybe collecting a days worth of hostile IP addresses and looking up the netblocks on Arin.net would reduce the problem to more manageable levels.

Many find ‘fail2ban’ is also a help.

system · September 8, 2022, 2:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.