Hi.
I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs).
I have almost got the VoLTE service running, but a 401 unauthorized error in SIP and an auth-pending error in fhoss have occurred.
How can I fix this problem?
I will share the discussion note in which I tried to solve some problems, including the above one: https://github.com/herlesupreeth/docker_open5gs/issues/55
Many thanks, Taekkyung Oh.
Hi.
401 is normal response for sip auth.
It is also normal response for IMS service.
Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change.
I believe you did not check further request processing.
On Mon, 23 Aug 2021, 18:19 오택경, ohtk@kaist.ac.kr wrote:
Hi.
I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs).
I have almost got the VoLTE service running, but a 401 unauthorized error in SIP and an auth-pending error in fhoss have occurred.
How can I fix this problem?
I will share the discussion note in which I tried to solve some problems, including the above one: https://github.com/herlesupreeth/docker_open5gs/issues/55
Many thanks, Taekkyung Oh.
Thank you for your help!
I looked into the UE's IMS register request as you told me. (The content of the request is shown below.)
I think my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.
But fhoss cannot support the above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).
What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?
Many thanks, Taekkyung Oh.
<IMS register request from the UE>
Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) on interface 0
Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: 02:42:ac:16:00:06 (02:42:ac:16:00:06)
Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6
User Datagram Protocol, Src Port: 2152, Dst Port: 2152
GPRS Tunneling Protocol
Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21
Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, Ack: 1, Len: 750
[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]
Session Initiation Protocol (REGISTER)
    Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0
        Method: REGISTER
        Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org
            Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org
        [Resent Packet: False]
    Message Header
        To: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>
            SIP to address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org
                SIP to address User Part: 001010000031094
                SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org
        From: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ
            SIP from address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org
                SIP from address User Part: 001010000031094
                SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org
            SIP from tag: qyecbkJ
        Contact: <sip:001010000031094@192.168.101.3:5060>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"
            Contact URI: sip:001010000031094@192.168.101.3:5060
                Contact URI User Part: 001010000031094
                Contact URI Host Part: 192.168.101.3
                Contact URI Host Port: 5060
            Contact parameter: +sip.instance="<urn:gsma:imei:86355804-632692-0>"
            Contact parameter: +g.3gpp.accesstype="cellular2"
            Contact parameter: audio
            Contact parameter: video
            Contact parameter: +g.3gpp.smsip
            Contact parameter: +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n
        Expires: 600000
        P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01
            access-type: 3GPP-E-UTRAN-FDD
            utran-cell-id-3gpp: 0010100010019B01
        Supported: path,sec-agree
        Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER
        Require: sec-agree
        Proxy-Require: sec-agree
        [truncated]Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: des-ede3-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: aes-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: null
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: des-ede3-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: aes-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: null
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
        Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""
            Authentication Scheme: Digest
            Username: "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"
            Realm: "ims.mnc001.mcc001.3gppnetwork.org"
            Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"
            Nonce Value: ""
            Digest Authentication Response: ""
        Call-ID: txecbknlk@192.168.101.3
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Max-Forwards: 70
        Via: SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport
            Transport: TCP
            Sent-by Address: 192.168.101.3
            Sent-by port: 5060
            Branch: z9hG4bKrzecbkJzsat7Xk6daqm5
            RPort: rport
        User-Agent: IM-client/OMA1.0 HW-Rto/V1.0
        Content-Length: 0
-----Original Message-----
From: "Yuriy Gorlichenko" <ovoshlook@gmail.com>
To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Sent: 2021-08-24 (Tue) 05:55:26 (UTC+09:00)
Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error
Hi.
401 is normal response for sip auth.
It is also normal response for IMS service.
Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change.
I believe you did not check further request processing.
I do not remember, to be honest, if IMS supports basic md5 auth algorithms. You need to go through specs about algo supported. Also try to look into docs of kamailio ims modules which algorithms it implements. If you find one which satisfies your device for negotiation then just use it. If no - try to update your client to have support of one of the proper algorithms.
On Tue, 24 Aug 2021, 10:45 오택경, ohtk@kaist.ac.kr wrote:
Thank you for your help!
I looked into the UE's IMS register request as you told me. (The content of the request is shown below.)
I think my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.
But fhoss cannot support the above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).
What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?
Many thanks, Taekkyung Oh.
I tried to use all of the algorithms which fhoss can support, but they did not work.
Fortunately, I found that my UE did not send the digest response for the received nonce to the server after 401 unauthorized. (digest response content is empty in the 2nd register packet.)
I think this is the cause of the authentication problem. So I changed to another smartphone, but the same problem has occurred.
-----Original Message-----
From: "Yuriy Gorlichenko" <ovoshlook@gmail.com>
To: "오택경" <ohtk@kaist.ac.kr>
Cc: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Sent: 2021-08-24 (Tue) 21:37:36 (UTC+09:00)
Subject: Re: Re: [SR-Users] [VoLTE] 401 unauthorized error
I do not remember, to be honest, if IMS supports basic md5 auth algorithms. You need to go through specs about algo supported. Also try to look into docs of kamailio ims modules which algorithms it implements. If you find one which satisfies your device for negotiation then just use it. If no - try to update your client to have support of one of the proper algorithms.
I succeeded in IMS registration!
I submitted both op and opc values in fhoss, and the UE was able to send the digest auth response!
Thank you for your help!
-----Original Message-----
From: "오택경" <ohtk@kaist.ac.kr>
To: "Yuriy Gorlichenko" <ovoshlook@gmail.com>
Cc: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>
Sent: 2021-08-25 (Wed) 01:04:07 (UTC+09:00)
Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error
I tried to use all of the algorithms which fhoss can support, but they did not work.
Fortunately, I found that my UE did not send the digest response for the received nonce to the server after 401 unauthorized. (digest response content is empty in the 2nd register packet.)
I think this is the cause of the authentication problem. So I changed to another smartphone, but the same problem has occurred.
-----Original Message-----
From: "Yuriy Gorlichenko" <ovoshlook@gmail.com>
To: "오택경" <ohtk@kaist.ac.kr>;
Cc: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>;
Sent: 2021-08-24 (Tue) 21:37:36 (UTC+09:00)
Subject: Re: Re: [SR-Users] [VoLTE] 401 unauthorized error
I do not remember, to be honest, if IMS supports basic md5 auth algorithms. You need to go through specs about algo supported. Also try to look into docs of kamailio ims modules which algorithms it implements. If you find one which satisfies your device for negotiation then just use it. If no - try to update your client to have support of one of the proper algorithms.
On Tue, 24 Aug 2021, 10:45 오택경, <ohtk@kaist.ac.kr> wrote:
Thank you for your help!
I looked into the UE's IMS register request as you told me. (the content of request is shown below)
As I understand it, my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.
But fhoss cannot support the above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).
What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?
Many thanks, Taekkyung Oh.
<IMS register request from the UE>
Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) on interface 0
Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: 02:42:ac:16:00:06 (02:42:ac:16:00:06)
Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6
User Datagram Protocol, Src Port: 2152, Dst Port: 2152
GPRS Tunneling Protocol
Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21
Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, Ack: 1, Len: 750
[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]
Session Initiation Protocol (REGISTER)
    Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0
        Method: REGISTER
        Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org
            Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org
        [Resent Packet: False]
    Message Header
        To: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>
            SIP to address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org
                SIP to address User Part: 001010000031094
                SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org
        From: <sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ
            SIP from address: sip:001010000031094@ims.mnc001.mcc001.3gppnetwork.org
                SIP from address User Part: 001010000031094
                SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org
            SIP from tag: qyecbkJ
        Contact: <sip:001010000031094@192.168.101.3:5060>;+sip.instance="<urn:gsm...
            Contact URI: sip:001010000031094@192.168.101.3:5060
                Contact URI User Part: 001010000031094
                Contact URI Host Part: 192.168.101.3
                Contact URI Host Port: 5060
            Contact parameter: +sip.instance="<urn:gsma:imei:86355804-632692-0>"
            Contact parameter: +g.3gpp.accesstype="cellular2"
            Contact parameter: audio
            Contact parameter: video
            Contact parameter: +g.3gpp.smsip
            Contact parameter: +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n
        Expires: 600000
        P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01
            access-type: 3GPP-E-UTRAN-FDD
            utran-cell-id-3gpp: 0010100010019B01
        Supported: path,sec-agree
        Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER
        Require: sec-agree
        Proxy-Require: sec-agree
        [truncated]Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: des-ede3-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: aes-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-sha-1-96
                prot: esp
                mod=trans
                ealg: null
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: des-ede3-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: aes-cbc
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
            [Security-mechanism]: ipsec-3gpp
                alg: hmac-md5-96
                prot: esp
                mod=trans
                ealg: null
                spi-c: 10559690 (0x00a120ca)
                spi-s: 65664952 (0x03e9f7b8)
                port-c: 31112
                port-s: 31803
        Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""
            Authentication Scheme: Digest
            Username: "001010000031094@ims.mnc001.mcc001.3gppnetwork.org"
            Realm: "ims.mnc001.mcc001.3gppnetwork.org"
            Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"
            Nonce Value: ""
            Digest Authentication Response: ""
        Call-ID: txecbknlk@192.168.101.3
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Max-Forwards: 70
        Via: SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport
            Transport: TCP
            Sent-by Address: 192.168.101.3
            Sent-by port: 5060
            Branch: z9hG4bKrzecbkJzsat7Xk6daqm5
            RPort: rport
        User-Agent: IM-client/OMA1.0 HW-Rto/V1.0
        Content-Length: 0
Probably the 401 didn’t make it to the client and what you are seeing are retransmissions.
-ovidiu
On Tue, Aug 24, 2021 at 11:54 오택경 ohtk@kaist.ac.kr wrote:
I tried to use all of the algorithms which fhoss can support, but they did not work.
Fortunately, I found that my UE did not send the digest response for the received nonce to the server after 401 unauthorized. (digest response content is empty in the 2nd register packet.)
I think this is the cause of the authentication problem. So I changed to another smartphone, but the same problem has occurred.
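An added example, not code from the thread or from Kamailio or FHoSS: a Python check over the REGISTER headers quoted in this thread. It separates the IPsec algorithms offered in Security-Client (the `alg`/`ealg` values negotiated by sec-agree) from the digest algorithm carried in Authorization, and reports whether the UE actually answered a 401 challenge. Both sample messages are constructed; the nonce and response in the second one are placeholders.

```python
import re

# Constructed sample: headers taken from the UE REGISTER quoted in the thread,
# with Security-Client shortened to two of the six offered mechanisms.
FIRST_REGISTER = (
    "REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0\r\n"
    "Supported: path,sec-agree\r\n"
    "Require: sec-agree\r\n"
    "Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;"
    "ealg=aes-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,"
    "ipsec-3gpp;alg=hmac-md5-96;prot=esp;mod=trans;ealg=null;"
    "spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803\r\n"
    'Authorization: Digest username="001010000031094@ims.mnc001.mcc001.3gppnetwork.org",'
    'realm="ims.mnc001.mcc001.3gppnetwork.org",'
    'uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""\r\n'
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same request answering a 401 challenge. The nonce,
# response and CSeq values are placeholders, not data from the thread.
ANSWERED_REGISTER = FIRST_REGISTER.replace(
    'nonce="",response=""',
    'nonce="Q09OU1RSVUNURUQ=",algorithm=AKAv1-MD5,'
    'response="0123456789abcdef0123456789abcdef"',
).replace("CSeq: 1", "CSeq: 2")


def headers(raw):
    """Return {lowercased-name: value}; header folding and repeats are not handled."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def parse_security_client(value):
    """Split an RFC 3329 Security-Client value into one dict per mechanism."""
    mechs = []
    for item in filter(None, (m.strip() for m in value.split(","))):
        name, *params = [p.strip() for p in item.split(";")]
        mech = {"mechanism": name}
        for param in params:
            key, _, val = param.partition("=")
            mech[key] = val
        mechs.append(mech)
    return mechs


def parse_digest(value):
    """Parse 'Digest k="v",k2=v2' into a dict; None if the scheme is not Digest."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}


def diagnose_register(raw):
    h = headers(raw)
    mechs = parse_security_client(h.get("security-client", ""))
    auth = parse_digest(h.get("authorization", "")) or {}
    return {
        "cseq": h.get("cseq"),
        # Integrity/encryption algorithms for the IPsec ESP association with the proxy.
        "ipsec_integrity_algs": sorted({m["alg"] for m in mechs if "alg" in m}),
        "ipsec_encryption_algs": sorted({m["ealg"] for m in mechs if "ealg" in m}),
        # The digest algorithm is a separate parameter of the Authorization header.
        "digest_algorithm": auth.get("algorithm"),
        # Empty nonce/response: the header carries the identity only, no credentials.
        "challenge_answered": bool(auth.get("nonce")) and bool(auth.get("response")),
    }


if __name__ == "__main__":
    for msg in (FIRST_REGISTER, ANSWERED_REGISTER):
        print(diagnose_register(msg))
```

Run against each REGISTER in a capture, a request that follows the 401 and still reports `challenge_answered: False` shows that the UE did not compute a response to the challenge.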