So, what setup have you chosen? Then we can think
about problems.
regards
Klaus
On 25.02.2014 23:31, Alex Villacís Lasso wrote:
As part of a project, I have installed a CentOS 6
test system (a virtual
machine) with Asterisk 11.7.0 and Kamailio 4.1.1 downloaded from
http://download.opensuse.org/repositories/home:/kamailio:/telephony/CentOS_….
I am trying to setup a combination of Kamailio and Asterisk that will
route SIP calls between all the configured networks in the test setup,
in addition to being capable of using Asterisk in order to handle PSTN
and IAX2 calls.
I am using the following online guide to modify my kamailio.cfg:
http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
Based on this, I generated the attached patch for my Kamailio
configuration.
My test setup has the following network interfaces:
eth0: 10.1.0.3, on network 10.1.0.0/24
eth1: 192.168.5.18, on network 192.168.0.0/16
eth2: 10.0.0.2, on network 10.0.0.0/24
lo: 127.0.0.1, on network 127.0.0.0/8
I first configured Asterisk with SIP realtime support (with no
Kamailio), and tested that all configured accounts could register from
all interfaces, and that Asterisk could properly route media between any
two disjoint networks. After installing Kamailio, the guide called for
disabling Asterisk SIP authentication by setting passwords to NULL, and
moving Asterisk SIP to a different port (I chose 5080) so that Asterisk
and Kamailio could run on the same machine. At this point, the SIP
clients (one softphone and one VoIP phone) can now register at port 5080
without authentication.
In the process of changing my Kamailio configuration according to the
attached patch, the guide says that I should configure the IP of the
network interface as the value of asterisk.bindip and kamailio.bindip.
After performing all required changes, Kamailio does take over
authentication at the default port of 5060. Testing shows that for all
SIP clients with IPs belonging to the same network as the configured
asterisk.bindip, both registration and media exchange work correctly,
and that the SIP clients are still capable of calling into the Asterisk
dialplan, and therefore, routing into Asterisk resources.
For SIP clients in disjoint networks, the failure mode depends on
whether mhomed is enabled or disabled in kamailio.cfg.
For mhomed=0 (or unset), I have the following situation between the two
SIP clients (one at 10.1.0.1, the other at 10.0.0.3), as shown by "sip
show peers" in Asterisk (when asterisk.bindip is set to 192.168.5.18):
Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Name/username              Host           Dyn Forcerport ACL Port  Status       Description  Realtime
gatitoscomx64am_100/gatit  10.1.0.3       D   N          A   5060  OK (16 ms)                Cached RT
gatitoscomx64am_101/gatit  10.0.0.2       D   N          A   5060  OK (36 ms)                Cached RT
gatitoscomx64am_IM101      (Unspecified)  D   N          A   0     UNREACHABLE               Cached RT
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
If I try to call from one SIP client to an extension in the Asterisk
dialplan that does NOT map to a SIP client in a disjoint network, the
media exchange works (with negotiated media IP in the same network as
the SIP client), regardless of whether the calling client belongs in the
same network as asterisk.bindip. If I try to call from the same SIP
client to an extension that maps to a SIP client in a disjoint network,
the call fails, and I get the spoken message about the user at extension
such-and-such being unavailable. Additionally, I get the following error
message in the Asterisk logs:
[Feb 25 16:53:14] NOTICE[13807][C-00000003] chan_sip.c: Call from 'gatitoscomx64am_101' (10.0.0.2:5060) to extension 'gatitoscomx64am_101' rejected because extension not found in context 'gatitoscomx64am-from-internal'.
For mhomed=1, the output of "sip show peers" changes to the following
(when asterisk.bindip is set to 192.168.5.18):
Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Name/username              Host           Dyn Forcerport ACL Port  Status       Description  Realtime
gatitoscomx64am_100/gatit  192.168.5.18   D   N          A   5060  OK (19 ms)                Cached RT
gatitoscomx64am_101/gatit  192.168.5.18   D   N          A   5060  OK (34 ms)                Cached RT
gatitoscomx64am_IM101      (Unspecified)  D   N          A   0     UNREACHABLE               Cached RT
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
From wireshark sniffing, I can see that the SDP payload sent from the
client to Kamailio contains the IP address of the client, which is
accessible by both Kamailio and Asterisk. However, the SDP payload in
the OK response sent back to the client contains a media port with the
IP address of asterisk.bindip (the one that appears in the "Host" column
in the "sip show peers" report), not the IP address of the interface
that received the INVITE. This results in broken media negotiation for
all SIP clients belonging to networks other than the one that contains
asterisk.bindip.
In either case, I have to hardcode an IP address in kamailio.cfg, which
is not satisfactory. IPs assigned to interfaces can and do change,
especially if the interface is managed with DHCP. To escape this, I
tried setting asterisk.bindip to 127.0.0.1, but since apparently
localhost is also a disjoint network, all of the above described
problems apply.
Related to these issues, I am not satisfied with leaving Asterisk
running unauthenticated SIP at the nonstandard port. Somebody suggested
blocking the port with iptables, but I do not want to rely on this
alone. I tried setting bindaddr=127.0.0.1 so that only Kamailio gets to
talk to Asterisk, but this also has the side effect of restricting the
media negotiation to localhost only.
I am asking for help in building a Kamailio/Asterisk configuration that
will support all of the networks and route media between all of them,
just as if Asterisk were the only program running. Ideally, the
configuration should not encode the current IP of any interface (except,
maybe, localhost). What is the official name (if any) for the setup I am
describing above? Does it have a standard setup procedure? How is
Asterisk secured so that clients cannot bypass authentication using the
Asterisk SIP port directly?
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
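
Added example, not part of the original message or of the Kamailio or Asterisk code: a Python check for the SDP mismatch described in the message, which reads the c= lines of a SIP answer and reports media addresses that lie outside the calling client's network. The interface table is copied from the message; the sample 200 OK is constructed, and the function names and the rule that a client only reaches media on its own directly connected network are assumptions of this example.

```python
import ipaddress

# Interface table from the message above: name -> (address, network).
INTERFACES = {
    "eth0": ("10.1.0.3", "10.1.0.0/24"),
    "eth1": ("192.168.5.18", "192.168.0.0/16"),
    "eth2": ("10.0.0.2", "10.0.0.0/24"),
    "lo": ("127.0.0.1", "127.0.0.0/8"),
}

def sdp_media_addresses(sip_message):
    """Return the IPv4 addresses named in SDP c= lines (session and media level)."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    addrs = []
    for line in body.split("\n"):
        if line.startswith("c="):
            parts = line[2:].split()
            if len(parts) == 3 and parts[0] == "IN" and parts[1] == "IP4":
                addrs.append(parts[2].split("/")[0])  # drop a multicast TTL suffix
    return addrs

def network_of(ip):
    """Name of the local interface whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in INTERFACES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def check_answer(client_ip, sip_message):
    """List (media_ip, media_iface, client_iface) for c= addresses that are
    not in the client's own network (assumed unreachable for media)."""
    client_if = network_of(client_ip)
    problems = []
    for media_ip in sdp_media_addresses(sip_message):
        media_if = network_of(media_ip)
        if client_if is None or media_if != client_if:
            problems.append((media_ip, media_if, client_if))
    return problems

# Constructed 200 OK modelled on the behaviour described; not a real capture.
SAMPLE_OK = (
    "SIP/2.0 200 OK\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.5.18\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 192.168.5.18\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)
```

Calling check_answer("10.0.0.3", SAMPLE_OK) reports the eth1 address offered to a client on the eth2 network, which is the broken case from the message.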