[contribteam] [Bug 12496] Bind address 0.0.0.0 causes SIP authorization failures

[bugzilla-daemon--- via contribteam]

https://bugs.koozali.org/show_bug.cgi?id=12496

            Bug ID: 12496
           Summary: Bind address 0.0.0.0 causes SIP authorization failures
    Classification: Contribs
           Product: SME Contribs
           Version: 10.0
          Hardware: ---
                OS: ---
            Status: CONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-freepbx
          Assignee: te...@pialasse.com
          Reporter: jcr...@safeandsoundit.co.uk
        QA Contact: contribteam@lists.contribs.org
                CC: jcr...@safeandsoundit.co.uk
  Target Milestone: ---

I was attempting to run a Grandstream SIP phone over OpenVPN routed. All my
phones can only connect to the SIP server over VPNs. There is no 'public'
access.

The OpenVPN client was a Mikrotik Hex S (RB760iGS).

This was sitting behind a ISP router which was CGNat'd so had no public IP
address of its own.

The VPN used certificates and it came up without issues.

I had to add a route in the open vpn file and a ccd file for the particular
device so SME/OpenVPN knew where to route.

I could ssh to the VOIP /OpneVPN server and then ssh to the Mikrotik AND ssh to
the ISP phone behind the Mikrtotik

I could also ssh port forward with ssh -=L via the SME server.

Dwspite all this I the SIP phone was unable to register.

I could see the SIP packets on the Asterisk server with tcpdump, but they
received SIP/2.0 401 Unauthorized

Sample transaction:

16:38:58.725587 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 708)
    192.168.29.2.34399 > 192.168.98.1.5060: SIP, length: 680
        REGISTER sip:192.168.98.1 SIP/2.0
        Via: SIP/2.0/UDP 192.168.88.254:34399;branch=z9hG4bK789144097;rport
        Route: <sip:192.168.98.1:5060;lr>
        From: <sip:8105@192.168.98.1>;tag=1563189881
        To: <sip:8105@192.168.98.1>
        Call-ID: 886844672-2647...@bjc.bgi.ii.cfe
        CSeq: 2049 REGISTER
        Contact:
<sip:8105@192.168.88.254:34399>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-C074AD6CBFEA>"
        X-Grandstream-PBX: true
        Max-Forwards: 70
        User-Agent: Grandstream GXP2170 1.0.11.79
        Supported: path
        Expires: 3600
        X-switch-info: mac=78:9a:18:e2:9d:ce,port=bridge/ether2
        Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO,
REFER, UPDATE, MESSAGE
        Content-Length: 0

16:38:58.725740 IP (tos 0x60, ttl 64, id 40643, offset 0, flags [none], proto
UDP (17), length 555)
    192.168.29.1.5060 > 192.168.29.2.34399: SIP, length: 527
        SIP/2.0 401 Unauthorized
        Via: SIP/2.0/UDP
192.168.88.254:34399;branch=z9hG4bK789144097;received=192.168.29.2;rport=34399
        From: <sip:8105@192.168.98.1>;tag=1563189881
        To: <sip:8105@192.168.98.1>;tag=as5c69cc5b
        Call-ID: 886844672-2647...@bjc.bgi.ii.cfe
        CSeq: 2049 REGISTER
        Server: FPBX-15.0.37.4(16.30.1)
        Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
INFO, PUBLISH, MESSAGE
        Supported: replaces, timer
        WWW-Authenticate: Digest algorithm=MD5, realm="asterisk",
nonce="4a045f86"
        Content-Length: 0

It looks like the Unauthorized packet was sending to To:
<sip:8105@192.168.98.1> but it should have gone to To:
<sip:8105@192.168.88.254>

After a lot of reading I stumbled across this article whicxh described my
issue:

https://serverfault.com/questions/392979/asterisk-sip-2-0-401-unauthorized

"Despite Asterisk offering the ability to deal with more than one address by
specifying 0.0.0.0 as your listen address, the box on which Asterisk was
present was sending invites from other aliased IPs on the server instead of the
one intended. Binding Asterisk to one IP, and connecting to that one IP,
resolves this issue entirely."

I set the bindaddr to 192.168.98.1 which is the server (dummy) internal address
and the adderss that all clients connect to, and the phone instantly
authorized.

I then had one follow up issue.

I have two trunks. One is my main trunk and was already running chan_pjsip. The
other is a backup and was using chan_sip.

It appeared that after setting the bind address the backup trunk on chan_sip
failed to register. I swapped that to chan_pjsip and it registered.

I have done some basic tests trying the SIP phones on chan_pjsip but they do
not seem happy with that, possibly due to the change of the bind address but I
can't confirm definitively right now.

(We should consider the fact that chan_sip is deprecated)

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail contribteam-unsubscr...@lists.contribs.org
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/