SIP trunk over TLS not authenticated by IP

Hi, I have a problem with a SIP trunk of my provider configured on Asterisk 13.22 over chan_sip. I have configured the SIP trunk over IP with TLS; the outgoing calls work fine, but Asterisk refuses the call with a SIP/2.0 401 Unauthorized. The configuration of the SIP trunk:

[SBC]
disallow=all
type=peer
transport=tls
insecure=port,invite
qualify=yes
host=ip_oftrunk
encryption=yes
context=from-trunk
allow=alaw
nat=force_rport,comedia
port=5061
dtmfmode=auto

Here is a SIP trace of the INVITE; obviously I changed the private data (IPs, domains, etc.):

<--- SIP read from TLS:XXXXX:35780 --->
INVITE sip:91XXXXXX@pbx-corpXXX.com:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS X.X.X.X:5061;branch=z9hG4bKo6899u2068notcra7130.1
To: sip:9XXXX@pbx-corp.XXX.com
From: sip:91XXXXX@smtXXXXX;user=phone;tag=lm4q4zyj-23dhxr;correlation-id=55751636
Call-ID: 192.168.126.41_55959020_6526775462368711112
CSeq: 1 INVITE
Max-Forwards: 62
Content-Length: 382
Contact: sip:smtcXXXXs:5061;fid=fid_1;transport=tls
Content-Type: application/sdp
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, PRACK
Accept: application/sdp
Supported: histinfo, timer
P-Asserted-Identity: sip:9XXXXXX@smtcXXXX;user=phone
Min-SE: 180
Session-Expires: 1800; refresher=uac
P-Acme-Vsa: 200:c020.s20.icx.XXX.net
P-Early-Media: supported
X-CND: 5283349168674273844250

v=0
o=- 11849918 11849918 IN IP4 X.X.X.X
s=-
c=IN IP4 X.X.X.X
t=0 0
a=sendrecv
m=audio 22146 RTP/SAVP 8 18 96
c=IN IP4 X.X.X.X
b=RR:3000
b=RS:1000
b=AS:128
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=maxptime:40
a=ptime:20
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZDQ6OYPfcARbHk8+Pv01SBlFQjSgXUeNoHcX3xxJ
<------------->
--- (19 headers 18 lines) ---
Sending to X.X.X.X:35780 (NAT)
Sending to X.X.X.X:35780 (NAT)
Using INVITE request as basis request - 192.168.126.41_55959020_6526775462368711112
No matching peer for '916XXXXXX' from 'X.X:X.X:35780'

I think the problem is that the calls arrive with the origin port 35780, because if I change port=5061 to port=35780, Asterisk accepts the call…

By the way, when I changed the SIP trunk name from SBC to the calling number 91XXXXXX, Asterisk accepted the call. I'm confused because Asterisk should accept the call from any port with insecure=port,invite, and accept the call by the IP defined in host=X.X.X.X. Any ideas?
SBC X.X.X.X Yes Yes A 5061 OK (24 ms)

Thanks

XXXXX should be ip_oftrunk

Asterisk 13 is end of life.

chan_sip will not be in the version released next month, and is, effectively, unsupported.

Of course, XXXX is the IP. I know that Asterisk 13 and chan_sip are unsupported, but I have a client who cannot migrate now, and this should work on chan_sip. Any ideas?

If you obfuscate information we will assume that different obfuscated values represent different original values.

Entirely possible that version had a bug with TCP/TLS transports and matching. I vaguely recall such a thing.

I think the same…

I see this in the changelog of version 13.22.0
http://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-13.22.0

2017-12-04 05:27 +0000 [64942276d1] Alexander Traud pabstraud@compuserve.com

* chan_sip: Peers with distinct source ports don't match, regardless of transport.

  Previously, peers connected via TCP (or TLS) were matched by ignoring their
  source port. One cannot say anything when protocol:IP:port match, yes (see
  <http://stackoverflow.com/q/3329641>). However, when the ports do not match, the
  peers do not match as well.

  This change allows two peers connected to an Asterisk server via TCP (or TLS)
  behind a NAT (= same source IP address) to be differentiated via their port as
  well.

  ASTERISK-27457
  Reported by: Stephane Chazelas

  Change-Id: Id190428bf1d931f2dbfd4b293f53ff8f20d98efa

Seems to be the issue, resolved? It doesn't work for me…

Don't know then!