Re: [SR-Users] [VoLTE] 401 unauthorized error

Thank you for your help!

I looked into the UE's  IMS register request as you told me. (the content of request is shown below)

As my thinking, my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.

But fhoss cannot support above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).

What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?

Very thanks, Taekkyung Oh.

<IMS register request from the UE> Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) on interface 0 Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: 02:42:ac:16:00:06 (02:42:ac:16:00:06) Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6 User Datagram Protocol, Src Port: 2152, Dst Port: 2152 GPRS Tunneling Protocol Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21 Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, Ack: 1, Len: 750 [2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)] Session Initiation Protocol (REGISTER)     Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0         Method: REGISTER         Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org             Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org         [Resent Packet: False]     Message Header         To: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>             SIP to address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org                 SIP to address User Part: 001010000031094                 SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org         From: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ             SIP from address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org                 SIP from address User Part: 001010000031094                 SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org             SIP from tag: qyecbkJ         Contact: <sip:001010000031094@192.168.101.3:5060>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"             Contact URI: sip:001010000031094@192.168.101.3:5060                 Contact URI User Part: 001010000031094                 Contact URI Host Part: 192.168.101.3                 Contact URI Host Port: 5060             Contact parameter: +sip.instance="<urn:gsma:imei:86355804-632692-0>"             Contact parameter: +g.3gpp.accesstype="cellular2"             Contact parameter: audio             Contact parameter: video             Contact parameter: +g.3gpp.smsip             Contact parameter: +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r

        Expires: 600000         P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01             access-type: 3GPP-E-UTRAN-FDD             utran-cell-id-3gpp: 0010100010019B01         Supported: path,sec-agree         Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER         Require: sec-agree         Proxy-Require: sec-agree          [truncated]Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664             [Security-mechanism]: ipsec-3gpp             alg: hmac-sha-1-96             prot: esp             mod=trans             ealg: des-ede3-cbc             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803             [Security-mechanism]: ipsec-3gpp             alg: hmac-sha-1-96             prot: esp             mod=trans             ealg: aes-cbc             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803             [Security-mechanism]: ipsec-3gpp             alg: hmac-sha-1-96             prot: esp             mod=trans             ealg: null             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803             [Security-mechanism]: ipsec-3gpp             alg: hmac-md5-96             prot: esp             mod=trans             ealg: des-ede3-cbc             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803             [Security-mechanism]: ipsec-3gpp             alg: hmac-md5-96             prot: esp             mod=trans             ealg: aes-cbc             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803             [Security-mechanism]: ipsec-3gpp             alg: hmac-md5-96             prot: esp             mod=trans             ealg: null             spi-c: 10559690 (0x00a120ca)             spi-s: 65664952 (0x03e9f7b8)             port-c: 31112             port-s: 31803         Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""             Authentication Scheme: Digest             Username: "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"             Realm: "ims.mnc001.mcc001.3gppnetwork.org"             Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"             Nonce Value: ""             Digest Authentication Response: ""         Call-ID: txecbknlk@192.168.101.3         CSeq: 1 REGISTER             Sequence Number: 1             Method: REGISTER         Max-Forwards: 70         Via: SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport             Transport: TCP             Sent-by Address: 192.168.101.3             Sent-by port: 5060             Branch: z9hG4bKrzecbkJzsat7Xk6daqm5             RPort: rport         User-Agent: IM-client/OMA1.0 HW-Rto/V1.0         Content-Length: 0

-----Original Message----- From: "Yuriy Gorlichenko" <ovoshlook@gmail.com> To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>; Cc: Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00) Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error

Hi  401 is normal response for sip authIt is also normal response for IMS service Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change  I believe you did not check further request processing.On Mon, 23 Aug 2021, 18:19 오택경, <ohtk@kaist.ac.kr mailto:ohtk@kaist.ac.kr> wrote: Hi.

I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs https://github.com/herlesupreeth/docker_open5gs).

I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.

How can I fix this problem?

I will share the discussion note in which I tried to solve some problems including the above one. : https://github.com/herlesupreeth/docker_open5gs/issues/55 https://github.com/herlesupreeth/docker_open5gs/issues/55

Very thanks, Taekkyung Oh. __________________________________________________________Kamailio - Users Mailing List - Non Commercial Discussions  * sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.orgImportant: keep the mailing list in the recipients, do not reply only to the sender!Edit mailing list options or unsubscribe:  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-----Original Message----- From: "Yuriy Gorlichenko" <ovoshlook@gmail.com> To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>; Cc: Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00) Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error

Hi  401 is normal response for sip authIt is also normal response for IMS service Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change  I believe you did not check further request processing.On Mon, 23 Aug 2021, 18:19 오택경, <ohtk@kaist.ac.kr mailto:ohtk@kaist.ac.kr> wrote: Hi.

I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs https://github.com/herlesupreeth/docker_open5gs).

I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.

How can I fix this problem?

I will share the discussion note in which I tried to solve some problems including the above one. : https://github.com/herlesupreeth/docker_open5gs/issues/55 https://github.com/herlesupreeth/docker_open5gs/issues/55

Very thanks, Taekkyung Oh. __________________________________________________________Kamailio - Users Mailing List - Non Commercial Discussions  * sr-users@lists.kamailio.org mailto:sr-users@lists.kamailio.orgImportant: keep the mailing list in the recipients, do not reply only to the sender!Edit mailing list options or unsubscribe:  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users