Andreas Granig wrote:
Hi all,
I just tried a setup like
[UA] --> [pub][Firewall][priv] --> [priv][Kam]
where the Firewall maps the public IP reachable by UAs to a private IP where Kamailio is listening. If I run sipsak on the Kamailio-machine, I can register fine, but as soon as the request goes via Firewall, authentication stops working.
So how does the IP of Kamailio actually influence authentication? Do I have to set something special on Kamailio to make this work?
Here's the Register after a 401 and the resulting 401 again, and it looks pretty good to me (1.2.3.4 is the public Firewall IP, which is configured as outbound proxy on the UA, 172.17.10.50 is the private Kamailio-IP and is also used as domain for user sipwise1, which is trying to register). The trace is taken on the client side, but looks the same on the Kamailio server (NAT seems to be handled fine):
U 192.168.123.150:50600 -> 1.2.3.4:5060
REGISTER sip:1.2.3.4 SIP/2.0.
Via: SIP/2.0/UDP 192.168.123.150:50600;rport;branch=z9hG4bK906580090.
From: sip:sipwise1@172.17.10.50;tag=1631756043.
To: sip:sipwise1@172.17.10.50.
Call-ID: 1235449552.
CSeq: 4 REGISTER.
Contact: sip:sipwise1@192.168.123.150:50600;line=e779ddd40d3251b.
Authorization: Digest username="sipwise1", realm="172.17.10.50", nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855", uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b", algorithm=MD5.
Max-Forwards: 70.
User-Agent: Linphone/2.1.1 (eXosip2/3.1.0).
Expires: 900.
Content-Length: 0.

U 1.2.3.4:5060 -> 192.168.123.150:50600
SIP/2.0 401 Unauthorized.
Via: SIP/2.0/UDP 192.168.123.150:50600;rport=50600;branch=z9hG4bK906580090;received=213.47.175.165.
From: sip:sipwise1@172.17.10.50;tag=1631756043.
To: sip:sipwise1@172.17.10.50;tag=a49efde55ae28efd11dc5969af09c5db.b607.
Call-ID: 1235449552.
CSeq: 4 REGISTER.
WWW-Authenticate: Digest realm="172.17.10.50", nonce="4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269".
Server: Sipwise registrar.
Content-Length: 0.
So the only thing referring to the public Firewall IP is in the R-Uri of the registration and in the Authorization-uri-token. Is this token also used to calculate the auth hashes somehow?
Yes, the uri="" parameter is also used for calculation of the response. So, if this gets changed then there will be a problem.
Further, the proxy should compare the RURI with the uri="" parameter to detect man-in-the-middle attacks. AFAIK this is not done in the code, but needs to be done in the config.
regards klaus
Username looks fine in the Authorization header, and so does Realm. Any ideas?
Andreas
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
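To make Klaus's two points concrete (the uri="" parameter feeds the Digest response, and a registrar should compare it against the Request-URI it actually received), here is an added Python example that is not from the thread and not Kamailio's own code. It parses the Authorization header from Andreas's REGISTER above, recomputes the RFC 3261 / RFC 2617 Digest response, and verifies a request. The password "secret", the nonce used in the demo, and the function names are constructed assumptions; the real password of sipwise1 is not on the page, so the trace's response value cannot be reproduced here.

```python
import hashlib
import re

# Authorization header as seen in the REGISTER trace in the thread.
AUTH_HEADER = ('Digest username="sipwise1", realm="172.17.10.50", '
               'nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855", '
               'uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b", '
               'algorithm=MD5')

# Constructed values for the demo (not from the page).
DEMO_PASSWORD = 'secret'
DEMO_NONCE = '4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269'

# Matches k="quoted value" or k=bare-token inside a Digest header.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """Split 'Digest k=v, k="v", ...' into a dict of parameters."""
    scheme, _, params = header.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest header')
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response as used by SIP: the uri="" value is hashed into HA2,
    so any change to it (e.g. a rewritten Request-URI) changes the result."""
    ha1 = _md5(f'{username}:{realm}:{password}')
    ha2 = _md5(f'{method}:{uri}')
    if qop is None:                      # the trace above uses no qop
        return _md5(f'{ha1}:{nonce}:{ha2}')
    return _md5(f'{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}')


def build_auth_header(username, realm, password, method, uri, nonce):
    """What a UA would send after a 401 (no qop, algorithm=MD5)."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def check_register(method, request_uri, auth_header, password):
    """Registrar-side check returning (ok, reason).

    Besides recomputing the hash, it requires the uri="" parameter to equal
    the Request-URI the registrar received, which is the comparison Klaus
    says has to be done in the config to catch a man-in-the-middle."""
    p = parse_digest(auth_header)
    if p.get('uri') != request_uri:
        return False, 'uri parameter does not match Request-URI'
    expected = digest_response(p['username'], p['realm'], password, method,
                               p['uri'], p['nonce'],
                               p.get('qop'), p.get('nc'), p.get('cnonce'))
    if expected != p['response'].lower():
        return False, 'bad credentials'
    return True, 'ok'


if __name__ == '__main__':
    hdr = build_auth_header('sipwise1', '172.17.10.50', DEMO_PASSWORD,
                            'REGISTER', 'sip:1.2.3.4', DEMO_NONCE)
    # Request-URI arrives unchanged: credentials verify.
    print(check_register('REGISTER', 'sip:1.2.3.4', hdr, DEMO_PASSWORD))
    # A firewall rewrote the Request-URI to the private address: detected.
    print(check_register('REGISTER', 'sip:172.17.10.50', hdr, DEMO_PASSWORD))
```

The second call shows the failure mode from the thread: once the Request-URI no longer matches the uri="" value the UA signed, either the hash no longer verifies (if the registrar hashes its own R-URI) or the mismatch check rejects the request outright. In Kamailio this is the kind of comparison Klaus refers to doing in the routing script rather than in the auth module itself.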