Username mismatch, have <2010>, digest has <2020>

Hello everyone,

I am having a problem with my recent installation of Asterisk 11.2.1
I have connected the system to Internet.
Basically the connection is Asterisk on LAN -> Router (with PAT) -> Internet.
I can connect from outside using 3G on my mobile phone and make and receive calls; that works fine. The problem happens with calls that I try to make from telephones connected to my LAN.

In my local network, I have 3 smartphones registered to my Asterisk (one of which is my mobile phone). All the phones point at my public DNS name so I don't have to change anything when I move out of my LAN.
When I look at the output of sip show peers, I can see all of them registered with the same IP (the LAN IP of my router) and different port numbers. I assume I see the same IP because of the hairpinned connection.

The problem arises when I try to make a call…
I hear a fast busy, get a 403 Forbidden on my phone, and see the following error in the Asterisk console:

[2013-02-17 14:53:56] WARNING[16743][C-0000004a]: chan_sip.c:16266 check_auth: username mismatch, have <2010>, digest has <2020>
[2013-02-17 14:53:56] NOTICE[16743][C-0000004a]: chan_sip.c:25084 handle_request_invite: Failed to authenticate device "2020" sip:2020@mydomain.net;tag=TYpnQpdzWJBLeCWnVUizRMf15s9JY7

If I register only one of the three phones (any one of them), I can make calls without any problem.
Also, if I set up type=friend I can register the 3 phones and make calls, but I don't like that option because it is less secure than type=peer.
I would really appreciate any help solving this issue.

The following is part of my sip.conf:

[general]
tcpenable=yes
tcpbindaddr=172.16.5.1
externhost=Edited my public domain
localnet=172.16.5.0/255.255.255.0
videosupport=yes
allowguest=no
alwaysauthreject=yes

; template section (the brackets and template marker were lost in the forum rendering)
[Advanced](!)
type=peer
context=phones
host=dynamic
disallow=all
allow=speex
allow=alaw
dtmfmode=rfc2833
canreinvite=no
qualify=yes

; each phone inherits the template above
[2010](Advanced)
secret=Edited
transport=tcp,udp
nat=force_rport,comedia

[2020](Advanced)
secret=Edited
transport=tcp,udp
nat=force_rport,comedia

Thanks in advance.

Asterisk cannot tell them apart, because they have the same IP address. It uses the first matching peer; unfortunately the authentication data is different.

The best solution is to direct them to the internal address, so that Asterisk doesn't see NATed addresses for them.

Alternatively, this could be a rare case where type=user is appropriate.
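As an added example (not from the thread, and not the poster's or the Asterisk project's own configuration), this is what the type=user alternative looks like in sip.conf for phones that share one NAT address. A type=user entry is matched by the username the phone sends in the request rather than by source address, so two phones arriving from the same public IP cannot be mapped to the wrong entry. The caveat that makes it the rare case: a user entry cannot register, so Asterisk has no address to send calls to it; it only fits phones that originate calls. The template name Advanced is taken from the posted config for comparison; the branch-user template name and extensions 3010/3020 are hypothetical.

```ini
; sip.conf fragment (added example, not from the original post)
; Branch phones behind one NAT: match on username, not source address.

[branch-user](!)
type=user                 ; matched by the username in the request, never by IP
context=phones
disallow=all
allow=speex
allow=alaw
dtmfmode=rfc2833
canreinvite=no
nat=force_rport,comedia
; no host=dynamic and no qualify=yes: a user entry does not register,
; so Asterisk has no address to reach it and cannot call it

[3010](branch-user)       ; hypothetical branch extension
secret=CHANGEME-long-random-secret

[3020](branch-user)       ; hypothetical branch extension
secret=CHANGEME-long-random-secret

; LAN phones that must also receive calls stay as peers, as in the posted
; config, and are pointed at the internal address so their source IPs differ.
[2010](Advanced)
secret=CHANGEME-long-random-secret
transport=tcp,udp
nat=force_rport,comedia
```

After a sip reload, the check is that the branch entries appear under sip show users and not under sip show peers: if a phone that needs to receive calls only shows up as a user, it has no registration address and inbound calls to it will fail.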

[quote=“david55”]
The best solution is to direct them to the internal address, so that Asterisk doesn't see NATed addresses for them.
Alternatively, this could be a rare case where type=user is appropriate.[/quote]

Ok David, thanks for your answer!

Another question... The idea of directing my users to the internal address is good, but next week I am going to create some extensions that will be in a branch behind NAT, so I believe that for those extensions I will have to use type=peer, because again Asterisk will see them as coming from the public IP address of the branch router. With that in mind, could you give me some advice in terms of security? How can I protect the system from being hacked? I know there is no easy answer to that question.
Also, all my ip addresses are dynamic and because of that I can’t apply any filter based on ip address.
Among the security measures I have taken are:

  • Strong passwords
  • Fail2ban

Again, I would like to thank you a lot, you are really helping me.

The best security approach, in this case, is to use a VPN.

Thanks again David.
I have a router configured as a vpn server in the site where asterisk resides, but let’s forget that for a second.
Could an alternative be to set up TLS and force all call signaling to be encrypted? I have a private certificate authority and it would be easy for me to install the root CA certificate on every softphone. In that case, I think (maybe I am wrong) that setting up type=user for the branch users would be "safe". Sorry, I am brainstorming with myself, and I am aware I could be thinking the wrong way...
Why don't I want to set up a VPN? There are too many reasons... The first: bandwidth overhead; my links are very bad and I don't have a way to upgrade them. The second: I don't have another box in the branch to set up a VPN tunnel to the central site, so I would have to use the VPN client on the branch users' smartphones, but they would have to set up the VPN manually and I am looking for a solution that is transparent to the users.

Thanks again.
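For the TLS question raised above, here is an added example (not from the thread, and not the poster's or the Asterisk project's own configuration) of enabling TLS signaling in chan_sip on Asterisk 11 with a private CA. The certificate paths, the template name Advanced and the extension numbers are assumptions. Two caveats a practitioner would want: TLS encrypts the signaling and lets the phone verify the server against the private CA, but the phone still authenticates to Asterisk with its digest secret, and TLS does not change how chan_sip chooses the peer for an incoming request (source address first, digest username only afterwards), so it is not by itself a fix for the username mismatch above. Media is separate from signaling and needs SRTP (encryption=yes, which requires res_srtp) to be protected.

```ini
; sip.conf fragment (added example, not from the original post)

[general]
tlsenable=yes                                   ; independent of tcpenable
tlsbindaddr=0.0.0.0:5061                        ; forward 5061/tcp on the router
tlscertfile=/etc/asterisk/keys/asterisk.pem     ; assumed path: server certificate
tlsprivatekey=/etc/asterisk/keys/asterisk.key   ; assumed path: key, if not in the cert file
tlscafile=/etc/asterisk/keys/private-ca.crt     ; assumed path: the private CA that signed it
tlsclientmethod=tlsv1                           ; method for outbound TLS connections
tlsdontverifyserver=no                          ; verify remote servers we connect to
allowguest=no
alwaysauthreject=yes

[Advanced](!)
type=peer
context=phones
host=dynamic
disallow=all
allow=speex
allow=alaw
dtmfmode=rfc2833
canreinvite=no
qualify=yes

[2010](Advanced)
secret=CHANGEME-long-random-secret
transport=tls             ; only TLS for this phone; tcp/udp are no longer offered
encryption=yes            ; offer and require SRTP for media (needs res_srtp loaded)
nat=force_rport,comedia
```

The phone side must trust the private CA and register to the server name that matches the certificate on port 5061 with transport TLS; a phone that connects in the clear will be refused once its transport line allows only tls. This protects the secret and the signaling on the bad links, but the collision between two phones behind one NAT still has to be solved by the internal address or type=user as described in the answers above.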