Hi all, I just tried a setup like
[UA] --> [pub][Firewall][priv] --> [priv][Kam] where the Firewall maps the public IP reachable by UAs to a private IP where Kamailio is listening. If I run sipsak on the Kamailio-machine, I can register fine, but as soon as the request goes via Firewall, authentication stops working. So how does the IP of Kamailio actually influence authentication? Do I have to set something special on Kamailio to make this work? Here's the Register after a 401 and the resulting 401 again, and it looks pretty well to me (1.2.3.4 is the public Firewall IP, which is configured as outbound proxy on the UA, 172.17.10.50 is the private Kamailio-IP and is also used as domain for user sipwise1, which is trying to register). Trace is taken on client-side, but looks the same on the Kamailio server (NAT seems to be handled fine): U 192.168.123.150:50600 -> 1.2.3.4:5060 REGISTER sip:1.2.3.4 SIP/2.0. Via: SIP/2.0/UDP 192.168.123.150:50600;rport;branch=z9hG4bK906580090. From: <sip:[email protected]>;tag=1631756043. To: <sip:[email protected]>. Call-ID: 1235449552. CSeq: 4 REGISTER. Contact: <sip:[email protected]:50600;line=e779ddd40d3251b>. Authorization: Digest username="sipwise1", realm="172.17.10.50", nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855", uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b", algorithm=MD5. Max-Forwards: 70. User-Agent: Linphone/2.1.1 (eXosip2/3.1.0). Expires: 900. Content-Length: 0. U 1.2.3.4:5060 -> 192.168.123.150:50600 SIP/2.0 401 Unauthorized. Via: SIP/2.0/UDP 192.168.123.150:50600;rport=50600;branch=z9hG4bK906580090;received=213.47.175.165. From: <sip:[email protected]>;tag=1631756043. To: <sip:[email protected]>;tag=a49efde55ae28efd11dc5969af09c5db.b607. Call-ID: 1235449552. CSeq: 4 REGISTER. WWW-Authenticate: Digest realm="172.17.10.50", nonce="4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269". Server: Sipwise registrar. Content-Length: 0. So the only thing referring to the public Firewall IP is in the R-Uri of the registration and in the Authorization-uri-token. Is this token also used to calculate the auth hashes somehow? Username looks fine in the Authorization header, and so does Realm. Any ideas? Andreas _______________________________________________ Kamailio (OpenSER) - Users mailing list [email protected] http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
