Hi,
I am trying to run the SER as an outbound proxy. Unfortunately I have some problems. I have used the nathelper/rtpproxy with a customized ser.conf and the result is that the clients behind NAT are making outbound calls with no problems. The audio is two-way and all seems best, but when I try to reach a client behind NAT I can not. It is registered in the SIP Proxy, but I can not dial it.
My scenario is: SER with MySQL authorization on the first PC and SER with nathelper/rtpproxy for outbound proxy on second PC.
Could someone give me some hint as I can not solve this problem. The Outbound Proxy SER version is:
version: ser 0.9.3 (i386/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
@(#) $Id: main.c,v 1.197 2004/12/03 19:09:31 andrei Exp $
main.c compiled on 20:51:59 Jun 28 2005 with gcc 3.3
The ser.cfg of the Outbound Proxy SER is:
#
# $Id: nathelper.cfg,v 1.1 2003/11/10 14:15:36 janakj Exp $
#
# simple quick-start config script including nathelper support
# This default script includes nathelper support. To make it work
# you will also have to install Maxim's RTP proxy. The proxy is enforced
# if one of the parties is behind a NAT.
#
# If you have an endpoint in the public internet which is known to
# support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
# then you don't have to force RTP proxy. If you don't want to enforce
# RTP proxy for some destinations then simply use t_relay() instead of
# route(1)
#
# Sections marked with !! Nathelper contain modifications for nathelper
#
# NOTE !! This config is EXPERIMENTAL !
#
# ----------- global configuration parameters ------------------------
debug=3 # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no # (cmd line: -E)
/* Uncomment these lines to enter debugging mode
fork=no
log_stderror=yes
*/
check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)
port=5082
children=4
fifo="/tmp/ser_fifo"
# ------------------ module loading ----------------------------------
# Uncomment this if you want to use SQL database
#loadmodule "/usr/local/lib/ser/modules/mysql.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/tm.so"
loadmodule "/usr/local/lib/ser/modules/rr.so"
loadmodule "/usr/local/lib/ser/modules/maxfwd.so"
loadmodule "/usr/local/lib/ser/modules/usrloc.so"
loadmodule "/usr/local/lib/ser/modules/registrar.so"
loadmodule "/usr/local/lib/ser/modules/textops.so"
# Uncomment this if you want digest authentication
# mysql.so must be loaded !
#loadmodule "/usr/local/lib/ser/modules/auth.so"
#loadmodule "/usr/local/lib/ser/modules/auth_db.so"
# !! Nathelper
loadmodule "/usr/local/lib/ser/modules/nathelper.so"
# ----------------- setting module-specific parameters ---------------
# -- usrloc params --
modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)
# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which is true in this config),
# uncomment also the following parameter
#
#modparam("auth_db", "password_column", "password")
# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)
# !! Nathelper
modparam("registrar", "nat_flag", 6)
modparam("nathelper", "natping_interval", 60) # Ping interval 60 s
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
# ------------------------- request routing logic -------------------
# main routing logic
route{
    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        break;
    };
    if (msg:len >= max_len ) {
        sl_send_reply("513", "Message too big");
        break;
    };
    # !! Nathelper
    # Special handling for NATed clients; first, NAT test is
    # executed: it looks for via!=received and RFC1918 addresses
    # in Contact (may fail if line-folding is used); also,
    # the received test should, if completed, check all
    # vias for presence of received
    if (nat_uac_test("3")) {
        # Allow RR-ed requests, as these may indicate that
        # a NAT-enabled proxy takes care of it; unless it is
        # a REGISTER
        if (method == "REGISTER" || ! search("^Record-Route:")) {
            log("LOG: Someone trying to register from private IP, rewriting\n");
            # This will work only for user agents that support symmetric
            # communication. We tested quite many of them and majority is
            # smart enough to be symmetric. In some phones it takes a configuration
            # option. With Cisco 7960, it is called NAT_Enable=Yes, with kphone it is
            # called "symmetric media" and "symmetric signalling".
            fix_nated_contact(); # Rewrite contact with source IP of signalling
            if (method == "INVITE") {
                fix_nated_sdp("1"); # Add direction=active to SDP
            };
            force_rport(); # Add rport parameter to topmost Via
            setflag(6); # Mark as NATed
        };
    };
    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER") record_route();
    # subsequent messages within a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
        break;
    };
    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        route(1);
        break;
    };
    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {
        if (method=="REGISTER") {
            save("location");
            break;
        };
        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
            break;
        };
        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            break;
        };
    };
    append_hf("P-hint: usrloc applied\r\n");
    route(1);
}
route[1]
{
    # !! Nathelper
    if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")){
        sl_send_reply("479", "We don't forward to private IP addresses");
        break;
    };
    # if client or server know to be behind a NAT, enable relay
    if (isflagset(6)) {
        force_rtp_proxy();
    };
    # NAT processing of replies; apply to all transactions (for example,
    # re-INVITEs from public to private UA are hard to identify as
    # NATed at the moment of request processing); look at replies
    t_on_reply("1");
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
}
# !! Nathelper
onreply_route[1] {
    # NATed transaction ?
    if (isflagset(6) && status =~ "(183)|2[0-9][0-9]") {
        fix_nated_contact();
        if (!search("^Content-Length:\ 0")) {
            force_rtp_proxy();
        };
    # otherwise, is it a transaction behind a NAT and we did not
    # know at time of request processing ? (RFC1918 contacts)
    } else if (nat_uac_test("1")) {
        fix_nated_contact();
    };
}
For some reason my SER isn't using the sip domain I specify (export SIP_DOMAIN="whatever.edu"). When my UA registers it will only register if I take out all of the digest authentication from my config file (I leave all of them blank instead of putting in a domain) and then use the host name of my server instead of a domain.
Any ideas what I am doing wrong?
Thanks,
George
hi
can u pls send me a sample configuration file so that i can configure a proxy server.
my requirement is simple..
i want to send request to a server through openser
regards
jyoti
Hi!
I've just posted a domainkeys module on the tracker on sourceforge:
http://sourceforge.net/tracker/index.php?func=detail&aid=1368417&group_id=1…
This is a "proof-of-concept" and at the moment not a module for real
usage. Further, this is something which is not standardized or documented
anywhere. It's just an experiment to use the domainkeys technology
(invented as anti-SPAM technology for emails) also with SIP.
Following some snippets from the README file.
If you would like to discuss this idea with me, you're welcome.
regards
klaus
Chapter 1. User's Guide
1.1. Overview
This module is a proof-of-concept. It tries to use the
domainkeys technology, for signing SIP messages. Domainkeys
were developed as an anti-SPAM technology for emails. But as
SIP is familiar with email, it might also be useful to use
domainkeys for signing SIP messages.
_________________________________________________________
1.1.1. Installation
Just copy the module into openser's module directory. This
module needs the libdomainkeys library and the libcrypto
library (from openssl). Thus make sure to have openssl
installed. If the domainkeys library is not installed in the
default directories, you have to modify the library path in
the Makefile to point to the location of the domainkeys module
and include this directory to /etc/ld.so.conf. Further you
have to adapt the include path of #include
"/home/darilion/libdomainkeys-0.68/domainkeys.h" in the file
domainkeys.c. Then compile and use the module as usual.
_________________________________________________________
1.1.2. Known Limitations
* The current version signs only the From: and To: header,
and the message body.
* This module is far from stable and seriously contains
several bugs.
* Signing and validation takes time. On a 2GHz Athlon CPU,
the signing of an INVITE message (From:, To: and body)
took ~8ms. The validation of this message took ~9ms.
Additionally, the validation takes time as at least one
DNS lookup is necessary to fetch the public key of the
signing domain. This can be reduced by a fast resolving
name server and long TTLs for the public key.
* This module uses the original received SIP message for
calculating the message signature. Thus, if you use
functions which modify the used headers (e.g. uac module)
or which modify the body (e.g. nathelper module), then the
added signature will be invalid.
1.3. Exported Parameters
1.3.1. privkey_file (string)
Path to the file containing the private key for the signing.
(The public key for the validation will be fetched from DNS)
Default value is "".
Example 1-1. privkey_file example
modparam("domainkeys", "privkey_file", "/etc/domainkeys/privkeys/2005")
_________________________________________________________
1.4. Exported Functions
1.4.1. domainkeys_validate
Signs the SIP message.
This function can be used from REQUEST_ROUTE.
Example 1-2. domainkeys_validate usage
...
if (is_method("INVITE")) {
if (domainkeys_sign()) {
xlog("L_INFO","domainkeys - signing: SUCCESS\n");
} else {
xlog("L_INFO","domainkeys - signing: FAILURE\n");
}
}
...
_________________________________________________________
1.4.2. domainkeys_validate
Validates the Domainkeys-Signature in the received SIP
message.
This function can be used from REQUEST_ROUTE.
Example 1-3. search_append usage
...
if (is_present_hf("Domainkey-Signature")) {
xlog("L_INFO","Domainkey-Signature found, start validating...\n");
if (domainkeys_validate()) {
xlog("L_INFO","domainkeys - validate: SUCCESS\n");
} else {
xlog("L_INFO","domainkeys - validate: FAILURE\n");
}
}
...
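The last limitation in the README above (a signature computed over the original message stops validating once another module rewrites a covered header or the body) can be reproduced with a small model. This is an added example, not code from the module or from libdomainkeys: HMAC-SHA1 with a constructed key stands in for the RSA signature, the canonicalization is simplified, and the function names, sample INVITE and addresses are all hypothetical.

```python
import hashlib
import hmac
import re

# Constructed sample INVITE from a client behind NAT (not from the original post).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
    "f: <sip:alice@example.com>;tag=1928\r\n"      # compact form of From
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
KEY = b"constructed-demo-key"        # assumption: stand-in for the key in privkey_file
COMPACT = {"f": "from", "t": "to"}   # SIP compact header names

def signed_input(msg):
    """Bytes covered by the signature: From, To and the body (as the README states)."""
    head, _, body = msg.partition("\r\n\r\n")
    found = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in ("from", "to") and name not in found:
            found[name] = value.strip()
    covered = "".join(f"{n}:{found.get(n, '')}\r\n" for n in ("from", "to"))
    return (covered + "\r\n" + body).encode()

def sign(msg):
    return hmac.new(KEY, signed_input(msg), hashlib.sha1).hexdigest()

def validate(msg, signature):
    return hmac.compare_digest(sign(msg), signature)

def rewrite_sdp_address(msg, public_ip):
    """Mimic a NAT helper replacing the private address in the SDP c= line."""
    head, sep, body = msg.partition("\r\n\r\n")
    body = re.sub(r"(?m)^(c=IN IP4 )\S+", lambda m: m.group(1) + public_ip, body)
    return head + sep + body

def add_via(msg, via):
    """Mimic a proxy adding its own Via, a header the signature does not cover."""
    first, _, rest = msg.partition("\r\n")
    return f"{first}\r\nVia: {via}\r\n{rest}"
```

Adding a Via leaves the signature valid, while the SDP rewrite breaks it, which is why a downstream validator would report FAILURE for calls that passed through a body-rewriting NAT helper after signing.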
Hi All,
I downloaded the latest version of SER, 0.9.4, but do not see anything about
TLS in ser.cfg file. Does SER support TLS?
If it does, how to configure and install SER with TLS feature ON?
Thanks,
Weihsin Chueh
HMP Function Test, Intel
1515 Route 10, Parsippany, NJ 07045
973-967-6243
mailto: weihsin.chueh(a)intel.com
Hello,
Would the nathelper module support RFC 3264 to provide
MOH?
Harry
All, I browsed around on google and saw no mention of this problem. When
compiling I get:
gcc -g -O9 -funroll-loops -Wcast-align -Wall -minline-all-stringops
-malign-double -falign-loops -mcpu=athlon -DNAME='"openser"'
-DVERSION='"1.0.0"' -DARCH='"i386"' -DOS='"linux"' -DCOMPILER='"gcc
3.3"' -D__CPU_i386 -D__OS_linux -DCFG_DIR='"/usr/local/etc/openser/"'
-DPKG_MALLOC -DSHM_MEM -DSHM_MMAP -DDNS_IP_HACK -DUSE_MCAST
-DDISABLE_NAGLE -DHAVE_RESOLV_RES -DF_MALLOC -DFAST_LOCK
-DADAPTIVE_WAIT -DADAPTIVE_WAIT_LOOPS=1024 -DHAVE_GETHOSTBYNAME2
-DHAVE_UNION_SEMUN -DHAVE_SCHED_YIELD -DHAVE_MSG_NOSIGNAL
-DHAVE_MSGHDR_MSG_CONTROL -DHAVE_ALLOCA_H -c msg_translator.c -o
msg_translator.o
msg_translator.c: In function `build_req_buf_from_sip_req':
msg_translator.c:1339: error: `id_buf' undeclared (first use in this
function)
msg_translator.c:1339: error: (Each undeclared identifier is reported
only once
msg_translator.c:1339: error: for each function it appears in.)
msg_translator.c:1340: error: `id_len' undeclared (first use in this
function)
make: *** [msg_translator.o] Error 1
Simple enough error, any suggestions? I am running:
Fedora Core 2 (yum updated of course)
gcc 3.3.3
Thanks!
I configured SER for authentication through RADIATOR to LDAP. I am kind of
stumped in regards to the User-Name attribute that is given to the Radius
server with the realm attached. Is there a way to send only the username
portion? I have included the output from debug. I would appreciate any
information.
Thanks,
Alan
--------------------------------------------------------------------------
Mon Nov 28 14:32:44 2005: DEBUG: Reading dictionary file
'/etc/radiator/dictionary'
Mon Nov 28 14:32:44 2005: DEBUG: Creating authentication port 0.0.0.0:1645
Mon Nov 28 14:32:44 2005: DEBUG: Creating accounting port 0.0.0.0:1646
Mon Nov 28 14:32:44 2005: NOTICE: Server started: Radiator 3.13 on sip
(LOCKED)
Mon Nov 28 14:32:51 2005: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 33032 ....
Code: Access-Request
Identifier: 247
Authentic: <210>E<8>@m<211>h<133><34><23><16><21><28><242><187><154>
Attributes:
User-Name = "alan(a)sip.domain.com"
Digest-Attributes = "<10><6>alan"
Digest-Attributes = "<1><19>sip.domain.com"
Digest-Attributes = "<2>*438b5c8fa0ca1bassjsjskakad74ec2c2bd0"
Digest-Attributes = "<4><23>sip:sip.domain.com"
Digest-Attributes = "<3><10>REGISTER"
Digest-Response = "c469a2464876sska898jkdsjs889"
Service-Type = Sip-Session
Sip-Uri-User = "alan"
NAS-IP-Address = UNKNOWN
NAS-Port = 5060
Mon Nov 28 14:32:51 2005: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Mon Nov 28 14:32:51 2005: DEBUG: Deleting session for alan(a)sip.domain.com,
UNKNOWN, 5060
Mon Nov 28 14:32:51 2005: DEBUG: Handling with Radius::AuthLDAP2:
Mon Nov 28 14:32:51 2005: INFO: Connecting to ldap.domain.com, port 389
Mon Nov 28 14:32:51 2005: INFO: Attempting to bind to LDAP server
ldap.domain.com:389
Mon Nov 28 14:32:51 2005: ERR: ldap search failed with error
LDAP_PARAM_ERROR.
Mon Nov 28 14:32:51 2005: ERR: LDAP_PARAM_ERROR
Mon Nov 28 14:32:51 2005: DEBUG: Radius::AuthLDAP2 looks for match with
alan(a)sip.domain.com
Mon Nov 28 14:32:51 2005: ERR: ldap search failed with error
LDAP_PARAM_ERROR.
Mon Nov 28 14:32:51 2005: ERR: LDAP_PARAM_ERROR
Mon Nov 28 14:32:51 2005: DEBUG: AuthBy LDAP2 result: REJECT, No such user
Mon Nov 28 14:32:51 2005: INFO: Access rejected for alan(a)sip.domain.com: No
such user
Mon Nov 28 14:32:51 2005: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 33032 ....
Code: Access-Reject
Identifier: 247
Authentic: <210>E<8>@m<211>h<133><34><23><16><21><28><242><187><154>
Attributes:
Reply-Message = "Request Denied"
Hi All,
Just checked on the list, found already some answers but still no luck.
I use the getting started files from Onsip.org.
Running Debian 2.6.12
ERROR: module modules/cpl/cpl.so not compiled
ERROR: module modules/cpl-c/cpl-c.so not compiled
ERROR: module modules/extcmd/extcmd.so not compiled
ERROR: module modules/jabber/jabber.so not compiled
ERROR: module modules/mysql/mysql.so not compiled
When I use make all; make install, this is the outcome of my SER
installation.
I also tried make module etc.
Is Debian the problem or do I need to make some changes to the Makefiles?
Any help is welcome.
Marcel