PJSIP-chan_sip trunk with authentication

Hi,

I’m trying to connect two Asterisk servers in the same LAN: one is v. 16 and the other is v. 1.4.
I am progressively moving the user extensions/endpoints from 1.4 to 16, but I need a SIP trunk between the two servers so that calls are made both ways (i.e. I want extensions in 1.4 to be able to call extensions in 16 and vice versa).

I tried setting up a “friend” trunk without authentication, but it didn’t work out.

So I tried the following configuration which works for users calling from 16 to 1.4.

This is on the v. 16 server:

pjsip_wizard.conf

[trunk_defaults](!)
type = wizard
transport = transport-udp
endpoint/allow_subscribe = no
endpoint/allow = !all,alaw,ulaw,opus,gsm,vp8,h264
aor/qualify_frequency = 30
registration/expiration = 1800

[meetbox](trunk_defaults)
sends_auth = yes
accepts_auth = yes
sends_registrations = yes
accepts_registrations = yes
remote_hosts = 10.215.147.115
endpoint/context = custom-newsystem
endpoint/from_user = meetbox
outbound_auth/username = meetbox
outbound_auth/password = xxxx
inbound_auth/username = meetbox
inbound_auth/password = xxxx

This is on the v. 1.4 server:

[meetbox]
disallow=all
type=friend
host=10.215.144.92
username=meetbox
secret=xxxx
qualify=yes
insecure=invite
allow=alaw
allow=ulaw
allow=gsm
allow=opus
allow=vp8
allow=h264
context=custom-newsystem
videosupport=yes

However, if users from v. 1.4 try to call anything in v. 16, I get several of these in the CLI of v. 16:

NOTICE[12221]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"My Test" <sip:313537021@10.215.147.115>' failed for '10.215.147.115:5060' (callid: 184c185945f61d755f5b888154bb6e6e@10.215.147.115) - No matching endpoint found
NOTICE[12221]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"My Test" <sip:313537021@10.215.147.115>' failed for '10.215.147.115:5060' (callid: 184c185945f61d755f5b888154bb6e6e@10.215.147.115) - Failed to authenticate

Any suggestions?

What does “No matching endpoint found” mean? When this happened the SIP user in v. 1.4 was trying to call sip:4053@10.215.144.92 where “4053” exists as a PJSIP endpoint in v. 16.
Does “endpoint” in this case refer to ‘313537021’, and is Asterisk trying to find it in v. 16? Why? (I mean, why does a “caller” have to exist there?)

In these cases is it necessary to add a line such as the following in sip.conf?
register=meetbox:xxxx@10.215.144.92
It doesn’t seem to be.
If I do, here is what I see on v. 16 after adding ‘aor/max_contacts = 1000’ in pjsip_wizard:

 Endpoint:  meetbox                                              Not in use    0 of inf
    OutAuth:  meetbox-oauth/meetbox
     InAuth:  meetbox-iauth/meetbox
        Aor:  meetbox                                         1000
      Contact:  meetbox/sip:10.215.147.115                 92e3d71c31 Avail         2.584
  Transport:  transport-udp             udp      0      0  0.0.0.0:5060

Still, I’m getting the same behavior for “incoming” calls on v. 16 (No matching endpoint found).

Regards,

Vieri

Asterisk will normally match endpoints by source address, or by From header user. Where possible, it is best to identify by source address, which for chan_sip means you should use type=peer, not type=friend (which will use From user and fall back to address).

I’m even less familiar with the wizard mode in pjsip than with the full form, but in the full form you would probably need a type=identify section to say how to match the other system.

You shouldn’t be sending or accepting registrations in this usage, as you have static addresses on both sides. This is the key problem as “If accepts_registrations is no, an identify object is also created with a match line for each remote host”, but you have specified yes, so no identify section is generated. (The type of identify generated is equivalent to type=peer on chan_sip.)

As type=wizard generates the implied sections, I’m not entirely convinced that it is processed late enough for templates to work.
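
The rule quoted in the reply above (an identify object is only generated when accepts_registrations is no), as an added example that is not part of the original posts and is not Asterisk's own parser. It reads a pjsip_wizard.conf-style text, resolves the template inheritance, and reports for each wizard which remote hosts get a source-address match and whether inbound digest auth is required. The sample is constructed from the first configuration in the thread plus a hypothetical variant named meetbox_static; the defaults of "no" and the simplified boolean parsing are assumptions.

```python
import re

# Constructed sample: the thread's first wizard section plus a variant
# (hypothetical name meetbox_static) with registrations switched off.
SAMPLE = """\
[trunk_defaults](!)
type = wizard
[meetbox](trunk_defaults)
accepts_auth = yes
accepts_registrations = yes
remote_hosts = 10.215.147.115
[meetbox_static](trunk_defaults)
accepts_auth = no
accepts_registrations = no
remote_hosts = 10.215.147.115
"""
HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def truthy(value):
    # Simplified stand-in for Asterisk's boolean parsing (assumption).
    return value.strip().lower() in ("yes", "true", "on", "1")

def parse_wizards(text):
    """Return {name: options} for non-template type=wizard sections."""
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        m = HEADER.match(line)
        if m:
            name, parents = m.group(1), (m.group(2) or "").split(",")
            current = sections[name] = {}
            for parent in (p.strip() for p in parents):
                if parent == "!":  # (!) marks the section as a template
                    templates.add(name)
                elif parent:  # inherit options from an earlier template
                    current.update(sections.get(parent, {}))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return {n: o for n, o in sections.items()
            if n not in templates and o.get("type") == "wizard"}

def audit(text=SAMPLE):
    """Per wizard: hosts that get an identify match, and whether inbound auth is on."""
    report = {}
    for name, opts in parse_wizards(text).items():
        hosts = [h.strip() for h in opts.get("remote_hosts", "").split(",") if h.strip()]
        by_ip = not truthy(opts.get("accepts_registrations", "no"))
        report[name] = {"identify_hosts": hosts if by_ip else [],
                        "inbound_auth": truthy(opts.get("accepts_auth", "no"))}
    return report
```

A wizard that reports identify hosts with inbound_auth false accepts requests on the strength of the source address alone, so the listed hosts should be exactly the peers meant to reach that context.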

This appears to be a continuation of another thread.

This is not exactly a continuation of the other thread I started earlier as I wasn’t able to make a “trusted” SIP trunk with no authentication between PJSIP and chan_sip.
At least in this new thread I can successfully call from an endpoint in Asterisk 16 to another one in Asterisk 1.4 or any other extension in that dialplan context.

I’d prefer to go the simplest way – set up a trusted SIP trunk with no authentication at all, just “host” restrictions since both are in the same LAN. Not that I mind adding username/password to the trunk as I’ve already done so with IAX2, but SIP seems to be more complicated – or maybe pjsip and chan_sip don’t get along too well.

So, I’ll take a shot at it one more time…
I just want to make sure I fully understand what you’re saying.

  1. on the Asterisk 1.4 side with chan_sip, I should define the sip trunk as:
[meetbox]
disallow=all
type=peer
host=asterisk16.domain.org
insecure=invite
allow=alaw
allow=ulaw
allow=gsm
allow=opus
allow=vp8
allow=h264
context=custom-newsystem
videosupport=yes

Notice that I’ve removed the username, password and moved to type “peer”. Is that what you’re suggesting?
I’ve also removed the “register=” line.

  2. on the Asterisk 16 side with PJSIP Wizard, I should do this (taken from https://wiki.asterisk.org/wiki/display/AST/PJSIP+Configuration+Wizard):
[trunk_defaults](!)
type = wizard
transport = transport-udp
endpoint/allow_subscribe = no
endpoint/allow = !all,alaw,ulaw,opus,gsm,vp8,h264
aor/qualify_frequency = 30
registration/expiration = 1800

[meetbox](trunk_defaults)
sends_auth = no
accepts_auth = no
sends_registrations = no
accepts_registrations = no
remote_hosts = asterisk1point4.domain.org
endpoint/context = custom-newsystem

Note that instead of asterisk16.domain.org and asterisk1point4.domain.org I use IP addresses instead. I use names here just for clarity.

However, placing a call from Ast 16 to Ast 1.4 yields this error:

    -- Called PJSIP/meetbox/sip:7000@asterisk1point4.domain.org
[Sep 28 11:22:34] WARNING[16361]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Endpoint: 'meetbox': Unable to create request with auth. No auth credentials for realm(s) 'asterisk' in challenge.
  == Everyone is busy/congested at this time (1:0/0/1)

There is no SIP/7000 friend or peer in asterisk1point4.domain.org. The dialplan extension 7000 in asterisk1point4.domain.org should lead to an IVR.

Placing a call from Ast 16 to a SIP “friend” in Ast 1.4 yields this error:

    -- Called PJSIP/meetbox/sip:4053@asterisk1point4.domain.org
[Sep 28 11:31:22] WARNING[19295]: res_pjsip_outbound_authenticator_digest.c:178 digest_create_request_with_auth: Endpoint: 'meetbox': Unable to create request with auth. No auth credentials for realm(s) 'asterisk' in challenge.
  == Everyone is busy/congested at this time (1:0/0/1)

So I changed the SIP “friend” in Ast 1.4 to “peer” and tried again. That worked.
BTW I have hundreds of SIP softphones and hardphones configured as “friend” in asterisk1point4.domain.org. What are the gotchas of moving all of them from “friend” to “peer”?

On the other hand, placing a call from Ast 1.4 to a SIP endpoint on Ast 16 seems to work now.

Also, I finally found out why the call to ‘7000’ on asterisk1point4.domain.org failed.
It was because my custom-newsystem context did not properly include the ‘7000’ dialplan extension.
What really puzzles me is why my IAX2 trunk actually did allow reaching ‘7000’ as it also uses the same custom-newsystem context.
Anyway, I won’t dwell too much on that now if the SIP trunk is finally working as the reason for which I wanted to switch from IAX2 to SIP is because some video calls fail under IAX2 and work fine with SIP.

Thanks

PS: I guess now it really is a continuation of the other thread. I’ll try to link the two, in case it helps anyone.

vieridipaola,

I am attempting to do the same with Asterisk-16 to Asterisk-13. Would you paste your complete configurations of chan_sip and res_sip, please?

Thank You,
Dave

Hi,

Note that my chan_sip side is on a very old Asterisk 1.4. No res_sip in my case, and the only thing I have on that system with respect to this issue is what I’ve already posted above:

[meetbox]
disallow=all
type=peer
host=asterisk16.domain.org
insecure=invite
allow=alaw
allow=ulaw
allow=gsm
allow=opus
allow=vp8
allow=h264
context=custom-newsystem
videosupport=yes

My custom-newsystem context includes local peers (must be of type peer, not friend). It looks like this:

[custom-newsystem]
include => dids
include => internals
include => outbounds

Can you paste PJSIP config, too, please?

Thank you very much,
Dave

Asterisk 16 with PJSIP Wizard:

# cat /etc/asterisk/pjsip.conf
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,
; webrtc (transport)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0
; All other transport parameters are ignored for wss transports.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,
; SIP users (transport)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

/etc/asterisk/pjsip_wizard.conf contains:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,
; SIP trunk (wizard template)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,

[trunk_defaults](!)
type = wizard
transport = transport-udp
endpoint/allow_subscribe = no
endpoint/allow = !all,alaw,ulaw,opus,gsm,vp8,h264
aor/qualify_frequency = 30
registration/expiration = 1800
aor/max_contacts = 1000

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,
; custom SIP trunk (old / new systems)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;,

[meetbox](trunk_defaults)
sends_auth = no
accepts_auth = no
sends_registrations = no
accepts_registrations = no
remote_hosts = 10.215.147.115
endpoint/context = custom-newsystem

Actually, I believe the aor/max_contacts = 1000 line can be removed.
