On Wed, 2010-11-24 at 15:47 -0600, Sherwood McGowan wrote:
> On Wed, Nov 24, 2010 at 3:08 PM, Hans Witvliet <h...@a-domani.nl> wrote:
> > On Wed, 2010-11-24 at 08:29 -0500, Ryan Bullock wrote:
> >> On Asterisk 1.8 when a SIP peer registers or unregisters it generates
> >> a PeerStatus event. I don't know if this is in 1.4/1.6 as well, but
> >> should be easy enough to test.
> >>
> >> Here is an example of what I see on the manager interface during a
> >> register/unregister:
> >>
> >> Event: PeerStatus
> >> Privilege: system,all
> >> ChannelType: SIP
> >> Peer: SIP/twinkle
> >> PeerStatus: Registered
> >> Address: 192.168.56.1:5068
> >>
> >> Event: PeerStatus
> >> Privilege: system,all
> >> ChannelType: SIP
> >> Peer: SIP/twinkle
> >> PeerStatus: Unregistered
> >>
> >> I think that should work for whatever you need to do.
> >>
> >
> > I'm doing a fresh install, so 1.8 is what I'm going to use.
> >
> > What I want to check is whether the person who is doing a register is
> > really the person at the other end of a VPN tunnel.
> > With openvpn I'm absolutely sure which person is at a certain
> > vpn-ip-address. I must check if the registering is faked or not.
> >
> > As long as linphone (or for that matter any other softphone) does not
> > have a possibility for using the libraries from opensc, there is no
> > other way...
> >
> > So next couple of weeks I'll start exploring AMI,
> >
> > Thanks!
> >
>
> Well, if that's all you need (restricting registrations for a SIP
> endpoint to a specific IP address), try one of the following
> methods...
>
> Method 1:
> In the endpoint definition, set the host to the vpn ip address, rather
> than setting it to dynamic. This disallows registrations. Then, use
> qualify=yes so Asterisk "knows" when the endpoint is available
> (responding to OPTIONS requests).
>
> Method 2:
> Use the permit, deny, and mask settings to define what ip address
> and/or network the endpoint should be at, thereby locking out use from
> another address.
> (http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask)
>
> Either of those should resolve your needs

No, don't think so (unless mistaken).
Everybody got a dynamic address from openvpn, something in 10.225.0.0/16.
You never know what you will get, so it has got to be dynamic.
Anybody within that range is a valid user (otherwise he could not set up
the vpn-tunnel).
But any rogue co-worker should not be able to register as another
co-worker, so method-2 won't do either.

sip/tls might have been a solution, but private keys are locked on a
card, and can only be reached with the pkcs11-libs from opensc.

Hans
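The check discussed in this thread (does a registering peer's address belong to that same user's VPN tunnel?) can be sketched as follows. This is an added example, not code from any poster: it assumes each SIP peer name equals the OpenVPN certificate common name and that the server writes a version 1 status file; the function names and all sample data are constructed.

```python
# Constructed ROUTING TABLE excerpt of an OpenVPN status file (version 1).
SAMPLE_STATUS = """ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.225.0.6,alice,198.51.100.7:40112,Wed Nov 24 21:59:00 2010
10.225.0.10,bob,198.51.100.9:51822,Wed Nov 24 21:58:00 2010
GLOBAL STATS
"""

# Constructed AMI events in the PeerStatus layout quoted in the thread.
SAMPLE_EVENTS = (
    "Event: PeerStatus\r\nPeer: SIP/alice\r\nPeerStatus: Registered\r\n"
    "Address: 10.225.0.6:5060\r\n\r\n"
    "Event: PeerStatus\r\nPeer: SIP/alice\r\nPeerStatus: Registered\r\n"
    "Address: 10.225.0.10:5060\r\n\r\n"
    "Event: PeerStatus\r\nPeer: SIP/bob\r\nPeerStatus: Unregistered\r\n\r\n"
)

def vpn_owners(status_text):
    """Map tunnel IP -> certificate common name from the ROUTING TABLE."""
    owners, in_table = {}, False
    for line in status_text.splitlines():
        if line in ("ROUTING TABLE", "GLOBAL STATS"):
            in_table = line == "ROUTING TABLE"
        elif in_table and not line.startswith("Virtual Address"):
            vaddr, cn = line.split(",")[:2]
            owners[vaddr] = cn
    return owners

def parse_events(raw):
    """Yield one dict per AMI event; events end with a blank line."""
    for block in raw.replace("\r\n", "\n").split("\n\n"):
        ev = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if ev:
            yield ev

def check(ev, owners):
    """Return (peer, verdict) for a registration, None for other events."""
    if ev.get("Event") != "PeerStatus" or ev.get("PeerStatus") != "Registered":
        return None
    peer = ev.get("Peer", "").rpartition("/")[2]   # "SIP/alice" -> "alice"
    ip = ev.get("Address", "").rsplit(":", 1)[0]   # strip the SIP port
    if ip not in owners:
        return peer, "no-tunnel"                   # address is not a live VPN client
    return peer, "ok" if owners[ip] == peer else "mismatch"

def audit(raw_events, status_text):
    """Verdicts for every registration event in an AMI capture."""
    owners = vpn_owners(status_text)
    return [r for ev in parse_events(raw_events) if (r := check(ev, owners))]
```

A "mismatch" verdict is the case Hans describes: a valid VPN user registering under a co-worker's SIP identity.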