[Solved] No Authorization in REGISTER with PJSIP

docx · November 9, 2014, 12:52pm

I’m using Asterisk 13.0.0 and am migrating from chan_sip to pjsip.

But after hours of tries and work, I really can’t get pjsip to sent an Authorization header in the REGISTER request.

That’s what pjsip sends for outbound registration:

<--- Transmitting SIP request (576 bytes) to UDP:217.0.xxx.xxx:5060 ---> REGISTER sip:0711xxxxxxxx@tel.t-online.de SIP/2.0 Via: SIP/2.0/UDP 217.231.xxx.xxx:5060;rport;branch=z9hG4bKPja3bd7baa-7e71-42c4-98a0-229184d1b175 From: <sip:0711xxxxxxxx@tel.t-online.de>;tag=a05a01ae-da0c-486a-9472-4dd409ab46d9 To: <sip:0711xxxxxxxx@tel.t-online.de> Call-ID: 80094f89-e2b4-4557-ba36-93681849ba27 CSeq: 8869 REGISTER Contact: <sip:0711xxxxxxxx@217.231.xxx.xxx:5060> Expires: 480 Allow: OPTIONS, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, MESSAGE, REFER Max-Forwards: 70 User-Agent: Asterisk Content-Length: 0

This leads to a “Unauthorized” answer by the server, cause I am (and the server) expecting a header in the REGISTER request, something like:

My relevant pjsip.conf parts are:

[code][transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

;======== TRUNKS

[trunk-telekom-auth]
type=auth
auth_type=userpass
username=0711xxxxxxxx
password=XXXXXXXX
realm=tel.t-online.de

[trunk-telekom]
type=registration
transport=transport-udp
outbound_auth=trunk-telekom-auth
server_uri=sip:0711xxxxxxxx@tel.t-online.de
client_uri=sip:0711xxxxxxxx@tel.t-online.de
contact_user=0711xxxxxxxx
expiration=240
forbidden_retry_interval=60

[trunk-telekom]
type=aor
contact=sip:tel.t-online-de

[trunk-telekom]
type=endpoint
transport=transport-udp
outbound_auth=trunk-telekom-auth
aors=trunk-telekom
disallow=all
allow=alaw
allow=g726
allow=g722
allow=ulaw
allow=gsm
context=from-trunk-telekom

[trunk-telekom]
type=identify
endpoint=trunk-telekom
match=tel.t-online.de

;============ ENDPOINTS
[/code]

Any hint to get the authorization is highly appreciated!

Regards,
Marco

david55 · November 10, 2014, 10:35am

That is a correct, but incomplete, message sequence for a REGISTER. There is not enough information to provide cryptographic authorization data on the initial REGISTER.

Most likely the server has done something like breaking the call-ID, so the 401 appears to relate to a different call.

docx · November 13, 2014, 11:15am

David, thanx for your answer.
Problem turned out to be the identify section:

[trunk-telekom] type=identify endpoint=trunk-telekom match=tel.t-online.de
PJSIP tries to match the endpoint by IP, regardsless of the header.
In the case of the t-online provider, their returned IP doesn’t match tel.t-online.de. Removing this section, the outbound registration works.

For inbound calls I’m using the anonymous endpoint. Not nice, but working.

I’m wondering in chan_sip it’s possible to permit and deny IP RANGES for certain extensions, like

[3990]
:
deny=0.0.0.0/32
permit=192.168.0.0/16

so extension 3990 can only be reached from internal network - but regardless of the actual IP.
Is there anything similar in PJSIP?

david55 · November 13, 2014, 11:19am

You can use the Linux firewall, or a router a network firewall.