SIP phone does not register to Asterisk via IPsec VPN

Hi all,
I'd appreciate anyone helping me with this trouble/configuration.
I have Asterisk 11 installed in the central office and a phone in the remote office; the sites are linked via an IPsec VPN. The IPsec VPN works fine, and I can ping the SIP phone from Asterisk, so ICMP travels within ESP.
The problem is with registration:

  • the SIP phone (at the remote site) sends a REGISTER message to Asterisk, which is then protected by the local security gateway with ESP
  • at the central site the security gateway receives the SIP REGISTER inside ESP, then extracts the REGISTER message and sends it to the Asterisk PBX in clear.
  • the REGISTER message carries a Via header with the IP address of the remote SIP phone, as expected
  • Asterisk receives the REGISTER with the correct Via, but sends 401 Unauthorized to its local security gateway instead of the remote SIP phone. With Wireshark I can see the 401 SIP message sent to a destination address that is the security gateway at the central site instead of the remote SIP phone.

This is the Asterisk sip debug output:

REGISTER from extension 301 (the phone's IP address is 192.168.1.101):

<--- SIP read from UDP:192.168.2.99:49162 --->
REGISTER sip:192.168.2.82 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.101:5060;branch=z9hG4bKc404f33c
From: sip:301@192.168.2.82;tag=001c58f99a1d01f4e952ed84-af00148c
To: sip:301@192.168.2.82
Call-ID: 001c58f9-9a1d0003-301da3d3-4fc0bf03@192.168.1.101
Max-Forwards: 70
Date: Wed, 06 May 2009 17:34:55 GMT
CSeq: 599 REGISTER
User-Agent: Cisco-CP7911G/8.5.2
Contact: sip:301@192.168.1.101:5060;transport=udp;+sip.instance="urn:uuid:00000000-0000-0000-0000-001c58f99a1d";+u.sip!model.ccm.cisco.com="307"
Supported: (null),X-cisco-xsi-7.0.1
Content-Length: 0
Reason: SIP;cause=200;text="cisco-alarm:20 Name=SEP001561F59AAD Load=SIP11.8-5-2S Last=phone-keypad"
Expires: 3600

<------------->
--- (14 headers 0 lines) ---
Sending to 192.168.2.99:5060 (no NAT)

Asterisk is sending the response to 192.168.2.99, which is the security gateway at the central site:

<--- Transmitting (no NAT) to 192.168.2.99:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.101:5060;branch=z9hG4bKc404f33c;received=192.168.2.99
From: sip:301@192.168.2.82;tag=001c58f99a1d01f4e952ed84-af00148c
To: sip:301@192.168.2.82;tag=as3351bdf3
Call-ID: 001c58f9-9a1d0003-301da3d3-4fc0bf03@192.168.1.101
CSeq: 599 REGISTER
Server: Asterisk PBX 11.22.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="6e763983"
Content-Length: 0

As per RFC 3261, I understand that the Via header in requests is used to send responses back to the SIP entity that generated the request.

I'm new to Asterisk, so please lead me to the correct configuration of sip.conf, if the problem is related to the .conf:

[general]
nat=no
localnet=192.168.2.0/255.255.255.0 --> it's the network at the central site, where Asterisk resides

[301]
type=friend
secret=12345
qualify=no
port=5060
permit=0.0.0.0/0.0.0.0
host=dynamic
dtmfmode=rfc2833
dial=SIP/301
nat=no
context=tutorial
canreinvite=nonat
localnet=192.168.1.0/255.255.255.0 --> it's the local network where the remote SIP phone resides
call-limit=50

regards
marco

localnet can't be used in a peer/friend/user; it is only applicable to the general section and is from the perspective of Asterisk: "What is local to me".

As for your issue: since the Cisco does not support rport and you have "nat" set to no, the response will be sent using the Via header. If you'd like it to go to the source IP address and port, you can enable the nat option and it will force it.
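To make the rule jcolp describes concrete (and to show why the 401 in the trace above went to 192.168.2.99:5060 rather than to the address in the Via), here is an added Python example; it is not part of this thread and is not Asterisk's code. It parses the top Via of a request and applies the response-routing rules of RFC 3261 sections 18.2.1 and 18.2.2 together with RFC 3581 (rport): when the sent-by host differs from the packet's source address a received= parameter is recorded and the response goes to that address on the Via port; if rport was offered it also goes to the source port; the "symmetric" mode mirrors what nat=yes does and replies to the source IP and port unconditionally. The REGISTER and the source address 192.168.2.99:49162 are constructed from the trace in the thread, reduced to the headers that matter. Routing a response to the unverified Via host instead, as the thread asks for, would let whoever wrote the request choose where the reply lands, which is why the RFC ties the response to the observed source.

```python
from typing import Dict, Optional, Tuple

# Constructed sample input: the REGISTER from the thread, reduced to the headers
# that matter for response routing. The central-site IPsec gateway handed it to
# Asterisk from 192.168.2.99:49162, while the phone's Via names 192.168.1.101:5060.
SAMPLE_REGISTER = (
    "REGISTER sip:192.168.2.82 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.101:5060;branch=z9hG4bKc404f33c\r\n"
    "From: <sip:301@192.168.2.82>;tag=001c58f99a1d01f4e952ed84-af00148c\r\n"
    "To: <sip:301@192.168.2.82>\r\n"
    "Call-ID: 001c58f9-9a1d0003-301da3d3-4fc0bf03@192.168.1.101\r\n"
    "CSeq: 599 REGISTER\r\n"
    "Contact: <sip:301@192.168.1.101:5060;transport=udp>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# UDP source as seen by Asterisk (constructed from the "SIP read from" line of the trace).
SAMPLE_SOURCE = ("192.168.2.99", 49162)


def top_via(message: str) -> Dict[str, object]:
    """Parse the topmost Via header: transport, sent-by host and port, and parameters.
    Assumes an IPv4 address or hostname in sent-by (bracketed IPv6 is not handled)."""
    for line in message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            break
    else:
        raise ValueError("request has no Via header")
    protocol, _, rest = value.strip().partition(" ")
    sent_by, *raw_params = [part.strip() for part in rest.split(";")]
    host, _, port = sent_by.partition(":")
    params: Dict[str, Optional[str]] = {}
    for param in raw_params:
        key, _, val = param.partition("=")
        params[key.lower()] = val or None  # a bare "rport" is stored as None
    return {"protocol": protocol, "host": host,
            "port": int(port) if port else 5060, "params": params}


def response_destination(message: str, source: Tuple[str, int],
                         symmetric: bool = False) -> Tuple[str, int, Dict[str, Optional[str]]]:
    """Decide where the server sends the response to this request.

    symmetric=False follows RFC 3261 18.2.1/18.2.2 plus RFC 3581 (the nat=no case in
    the thread): record received=<source IP> when the Via host differs from the packet
    source, fill rport if it was offered, then reply to received (or the Via host) on
    the rport port if present, otherwise on the Via sent-by port.
    symmetric=True mirrors what nat=yes does: reply to the packet's source IP and port.
    Returns (destination IP, destination port, Via parameters as they would be echoed).
    """
    via = top_via(message)
    src_ip, src_port = source
    params = dict(via["params"])
    if via["host"] != src_ip:
        params["received"] = src_ip          # 18.2.1: record the real source address
    if "rport" in params:
        params["rport"] = str(src_port)      # RFC 3581: echo the real source port
    if symmetric:
        return src_ip, src_port, params
    dest_ip = params.get("received") or via["host"]
    dest_port = src_port if "rport" in params else via["port"]
    return dest_ip, dest_port, params


if __name__ == "__main__":
    # Replays the thread's situation: with nat=no the 401 is routed to the gateway
    # address on port 5060, exactly as the "Transmitting (no NAT)" line shows.
    print("nat=no  :", response_destination(SAMPLE_REGISTER, SAMPLE_SOURCE)[:2])
    print("nat=yes :", response_destination(SAMPLE_REGISTER, SAMPLE_SOURCE, symmetric=True)[:2])
    with_rport = SAMPLE_REGISTER.replace("branch=z9hG4bKc404f33c", "branch=z9hG4bKc404f33c;rport")
    print("rport   :", response_destination(with_rport, SAMPLE_SOURCE)[:2])
```

Run as a script it prints the three outcomes: nat=no routes to the gateway on 5060 (the thread's trace), nat=yes routes to the gateway on the ephemeral port 49162, and a phone that did offer rport would also get 49162 under nat=no. The only way the reply reaches 192.168.1.101 directly is for the gateway to stop rewriting the source address, so that the Via host and the observed source agree and no received= parameter is needed.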

Hi jcolp,

I modified sip.conf, but nat=no was already at the correct value as per your suggestion; with this configuration I still get the 401 sent to the wrong IP destination. I want Asterisk to send the 401 to the IP address reported in the Via header of the REGISTER message. Did I understand your reply, or am I still forgetting something else? I rebooted Asterisk but the behaviour is the same.

[general]
nat=no
localnet=192.168.2.0/255.255.255.0

[301]
type=friend
secret=12345
qualify=yes
port=5060
permit=0.0.0.0/0.0.0.0
host=dynamic
dtmfmode=rfc2833
dial=SIP/301
nat=no
context=tutorial
canreinvite=yes
call-limit=50

nat=yes will cause Asterisk to send the response to the source IP address and port.

I want Asterisk to send the 401 to the IP phone, not the local security gateway; as you can see from my sip.conf, nat=no.

Maybe I did not explain clearly. I want Asterisk to build a 401 and send it to the remote IP phone; I don't want Asterisk to use the source IP of the REGISTER.

I don't understand how Asterisk would know where to send it then... and it certainly sounds like it's off RFC. You're supposed to always send it to the source IP address and port of the request, but we don't enforce that and allow it to be configurable.

I have Asterisk with a default gateway set, so every packet sent out of its subnet goes to the security gateway first for ESP encapsulation.
This is what happens at the central site:

From the Internet, ESP is sent to the central security gateway --> it extracts the REGISTER and sends it to the destination IP of Asterisk --> Asterisk generates a 401 with dest IP addr == IP of the central security gateway.

Is it possible to have this behaviour changed? --> Asterisk generates a 401 with dest IP addr == remote IP phone

How would it know where to send it though? Is it contained within the request? If not then I don't see how... and regardless it would require code modifications.

Yes, in the REGISTER message the Via and Contact headers contain the IP of the remote phone, which is 192.168.1.101.

You would need to modify the code to ignore certain things. I don't know what else it would break, as it's sort of going against the RFC, and I'm not sure what would be required as I haven't touched that code.