Okay, Scott, I think we are on the wrong path. Maybe I'm wrong though. I will briefly summarize the problems again:

The peer IP address can be different from the IP address of incoming INVITEs.

After a re-register, the REGISTER is sent to the new SIP server and answered with OK. But the peer IP address is still the old one (sip show peers). If an INVITE now arrives, the request is answered with 401 Unauthorized.

That’s why I would say the problem is not the port or a needed authentication. My Asterisk works behind a NAT without port forwarding and nat=no, and I have qualify=yes so that it does not come to a NAT timeout.

Here is an example. The peer IP address was at this time 217.0.23.100, the INVITE came from 217.0.23.68 and was rejected with 401 Unauthorized:

INVITE sip:[email protected]:45061 SIP/2.0
Max-Forwards: 58
Via: SIP/2.0/UDP 217.0.23.68:5060;branch=z9hG4bKg3Zqkv7ib7h2smv8whryjnos88srot1i7
To: <sip:[email protected]>
From: <sip:[email protected];user=phone>;tag=h7g4Esbg_44c62525
Call-ID: [email protected]
CSeq: 3950540 INVITE
Contact: <sip:[email protected];transport=udp>
Record-Route: <sip:217.0.23.68;transport=udp;lr>
Min-Se: 900
P-Asserted-Identity: <sip:[email protected];user=phone>
Session-Expires: 3600
Supported: histinfo
Supported: timer
Supported: norefersub
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 204
Allow: ACK, BYE, CANCEL, INFO, INVITE, OPTIONS, PRACK, REFER, REGISTER, UPDATE

v=0
o=- 0 0 IN IP4 217.0.23.68
s=-
c=IN IP4 217.0.4.134
t=0 0
m=audio 36480 RTP/AVP 9 8 102
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:102 telephone-event/8000
a=maxptime:20
a=ptime:20

> On 02.04.2015 at 22:00, Scott Griepentrog <[email protected]> wrote:
>
> Actually, the IP address is still used to identify the incoming invite. With
> the insecure=port option set, Asterisk will presume the invite to still match
> the trunk account even if the NAT router has mangled (changed) the port
> number. My suspicion is that when the new register goes out, it's creating a
> new state in the firewall, resulting in a new port number, which is why you
> would have to allow anonymous calls to then accept it without insecure=port.
> The other possibility is that you have a port forward in the router set,
> which is similarly mangling the port number.
> With a valid registration being held, and assuming the router does not drop
> UDP states faster than 30 minutes, and also assuming that the provider is
> sending you invites on the registered port rather than always on 5060, there
> should not be a need for an inbound port forward to Asterisk, and you should
> not need insecure=port.
>
> The invite option disables authentication - which means only that Asterisk
> will not force a check of the password on the other end. Where the IP
> address is well known and trusted, the extra overhead and delay of
> authenticating incoming INVITEs is not needed.
>
> On Thu, Apr 2, 2015 at 2:28 PM, Daniel Heckl <[email protected]> wrote:
> Scott, I have changed the configuration as you said and will test it. I’m
> curious.
>
> Can you briefly explain what insecure=invite,port does?
>
> ;insecure=port          ; Allow matching of peer by IP address without
>                         ; matching port number
> ;insecure=invite        ; Do not require authentication of incoming INVITEs
> ;insecure=port,invite   ; (both)
>
> Do I understand correctly that in this mode the IP address is not checked and
> no authentication is required?
>
>> On 02.04.2015 at 20:11, Scott Griepentrog <[email protected]> wrote:
>>
>> I'd be curious if setting
>>
>> insecure=invite,port
>>
>> makes any difference either (without allowguest on).
>>
>> On Thu, Apr 2, 2015 at 9:03 AM, Daniel Heckl <[email protected]> wrote:
>> Ok, I have tested dnsmgr. This is not a solution, the situation has not
>> changed. With dnsmgr I can not place outbound calls. I do not know why and
>> what dnsmgr really does.
>>
>> My current solution is as follows:
>>
>> Say allowguest=yes, configure the default context so that no outbound calls
>> can be placed. Use iptables to DROP all at your SIP port and allow
>> only your local phones and the SIP trunk IP range.
>> I think srvlookup must be set to yes to place outbound calls if there is
>> an IP address change.
>>
>> I think with the restriction of the firewall that should be a secure
>> solution.
>>
>> > On 01.04.2015 at 19:23, Sebastian Kemper <[email protected]> wrote:
>> >
>> > On Wed, Apr 01, 2015 at 11:00:56AM -0400, Andres wrote:
>> >> On 4/1/15 10:48 AM, Daniel Heckl wrote:
>> >>> John,
>> >>>
>> >>> thank you for your answer. I think you have misunderstood the
>> >>> problem. It’s about an IP address change of the SIP trunk, not of my
>> >>> Asterisk server.
>> >> You would probably benefit by enabling the DNS Manager to allow for
>> >> dynamic IP changes:
>> >>
>> >> # cat dnsmgr.conf
>> >> [general]
>> >> enable=yes             ; enable creation of managed DNS lookups
>> >>                        ; default is 'no'
>> >> refreshinterval=180    ; refresh managed DNS lookups every <n> seconds
>> >>                        ; default is 300 (5 minutes)
>> >
>> > Hello Andres,
>> >
>> > I read that same suggestion elsewhere in connection with Deutsche
>> > Telekom, so it seems there's some benefit in it.
>> >
>> > Daniel, did you try it out already?
>> >
>> > Kind regards,
>> > Sebastian
>> >
>> > --
>> > _____________________________________________________________________
>> > -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> > New to Asterisk? Join us for a live introductory webinar every Thurs:
>> >     http://www.asterisk.org/hello
>> >
>> > asterisk-users mailing list
>> > To UNSUBSCRIBE or update options visit:
>> >     http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>> --
>> Scott Griepentrog
>> Digium, Inc · Software Developer
>> 445 Jan Davis Drive NW · Huntsville, AL 35806 · US
>> direct/fax: +1 256 428 6239 · mobile: +1 256 580 6090
>> Check us out at: http://digium.com · http://asterisk.org
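
A simplified model of the behaviour discussed in this thread, added here as an example (it is not code from the thread or from Asterisk): a trunk peer is matched by source address, insecure=port relaxes only the port check, and the allowguest-plus-iptables workaround limits who can reach the default context. The two addresses are the ones quoted above; the peer port, both CIDR ranges and all function names are assumptions, and insecure=invite is not modelled.

```python
import ipaddress

# Constructed inputs. The two addresses are the ones quoted in the thread;
# the port, the trunk range and the LAN range are assumptions.
PEER_ADDR = ("217.0.23.100", 5060)   # address "sip show peers" still lists
TRUNK_RANGE = "217.0.23.0/24"        # hypothetical provider range
LAN_RANGE = "192.168.1.0/24"         # hypothetical local phones


def firewall_allows(src_ip, ranges=(TRUNK_RANGE, LAN_RANGE)):
    """Allowlist as in the iptables workaround: drop everything else."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def matches_peer(src_ip, src_port, insecure_port):
    """Peer match by source address; insecure=port only relaxes the port."""
    same_ip = ipaddress.ip_address(src_ip) == ipaddress.ip_address(PEER_ADDR[0])
    return same_ip and (insecure_port or src_port == PEER_ADDR[1])


def handle_invite(src_ip, src_port, insecure_port=False,
                  allowguest=False, firewall=False):
    """Return the outcome for one incoming INVITE under the given settings."""
    if firewall and not firewall_allows(src_ip):
        return "dropped"
    if matches_peer(src_ip, src_port, insecure_port):
        return "trunk peer"
    # No peer matched the source address: guest call or rejection.
    return "guest (default context)" if allowguest else "401 Unauthorized"


if __name__ == "__main__":
    cases = [
        ("217.0.23.100", 5060, dict()),
        ("217.0.23.68", 5060, dict(insecure_port=True)),
        ("217.0.23.68", 5060, dict(allowguest=True, firewall=True)),
        ("203.0.113.7", 5060, dict(allowguest=True, firewall=True)),
    ]
    for ip, port, opts in cases:
        print(ip, port, opts, "->", handle_invite(ip, port, **opts))
```

With allowguest=yes every address the firewall lets through lands in the default context, so that context and the allowlist together carry the whole access decision.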
