Hello. I'm trying to set up Kamailio as an SBC for Teams using https://skalatan.de/en/blog/kamailio-sbc-teams. The setup is completely default (except for the things mentioned in the article), but I use a wildcard certificate for TLS. Well, I can't even pass the dispatcher:

kamcmd dispatcher.list | egrep "RI|FLAG"
URI: sip:sip.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 3
URI: sip:sip2.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 2
URI: sip:sip3.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 1

Where do I start to dig?
OK, spent some time around tls configuration. OpenSSL shows no error now, but dispatcher continues to show me IP or AX.

openssl s_client -showcerts -debug -connect servername.com:5061 -no_ssl2 -bugs -servername servername.com -CAfile /root/intermediate.crt
<goodgoodgoodnoerrors>

kamailio.cfg
....
####### Routing Logic ########

event_route[tm:local-request] {
    if(is_method("OPTIONS") && $ru =~ "pstnhub.microsoft.com") {
        append_hf("Contact: sip:servername.com:5061;transport=tls\r\n");
    }
    xlog("L_INFO", "Sent out tm request: $mb\n");
}

request_route {
    ...
    if (is_method("INVITE|SUBSCRIBE")) {
        record_route_preset("servername.com:5061;transport=tls", "my_ip:5060");
        #record_route();
    }
    ...
}

route[WITHINDLG] {
    if (!has_totag()) return;

    # sequential request within a dialog should
    # take the path determined by record-routing
    if (loose_route()) {
        route(DLGURI);
        if (is_method("BYE")) {
            setflag(FLT_ACC); # do accounting ...
            setflag(FLT_ACCFAILED); # ... even if the transaction fails
        } else if ( is_method("ACK") ) {
            # ACK is forwarded statelessly
            route(NATMANAGE);
        } else if ( is_method("NOTIFY") ) {
            # Add Record-Route for in-dialog NOTIFY as per RFC 6665.
            record_route_preset("servername.com:5061;transport=tls", "my_ip:5060");
            #record_route();
        }
        route(RELAY);
        exit;
    }

Teams web-interface shows inactive. Kamcmd's same as previous output. What do I do :(?
Tue, 7 Jul 2020 at 12:43, Роман С. highlandy@gmail.com:
Hello. I'm trying to set up Kamailio as an SBC for Teams using https://skalatan.de/en/blog/kamailio-sbc-teams. The setup is completely default (except for the things mentioned in the article), but I use a wildcard certificate for TLS. Well, I can't even pass the dispatcher:

kamcmd dispatcher.list | egrep "RI|FLAG"
URI: sip:sip.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 3
URI: sip:sip2.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 2
URI: sip:sip3.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 1

Where do I start to dig?
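
An added example (not from the thread or the Kamailio project) that decodes the FLAGS field discussed above: the first letter is the destination state (A active, I inactive, T trying, D disabled) and the second is P when probing is set for the destination, X when it is not. The input is a constructed sample based on the output quoted in the post; `sbc-peer.example.net`, the `AX` and `AP` rows and the verdict names are assumptions.

```sh
#!/bin/sh
# Decode the two-letter FLAGS field of `kamcmd dispatcher.list` and report
# destinations that are not confirmed reachable by probing.

# Constructed sample: shaped like the filtered output quoted in the post.
# The AX and AP rows and sbc-peer.example.net are made up for contrast.
sample_ds_list() {
cat <<'EOF'
URI: sip:sip.pstnhub.microsoft.com;transport=tls
FLAGS: IP
PRIORITY: 3
URI: sip:sip2.pstnhub.microsoft.com;transport=tls
FLAGS: AX
PRIORITY: 2
URI: sip:sbc-peer.example.net;transport=tls
FLAGS: AP
PRIORITY: 1
EOF
}

# ds_report: read URI:/FLAGS: pairs on stdin, print "<uri> <flags> <verdict>".
ds_report() {
    awk '
        $1 == "URI:"   { uri = $2 }
        $1 == "FLAGS:" {
            s = substr($2, 1, 1); p = substr($2, 2, 1)
            if (s == "A" && p == "P") v = "ok"          # active and probed
            else if (s == "A")        v = "unverified"  # active, but not being probed
            else if (s == "T")        v = "trying"      # probes started failing
            else if (s == "D")        v = "disabled"    # administratively off
            else                      v = "down"        # inactive: probes get no good reply
            print uri, $2, v
        }'
}

# ds_unhealthy: number of destinations whose verdict is not "ok".
ds_unhealthy() {
    ds_report | awk '$3 != "ok" { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample; on a live host the input would
# be: kamcmd dispatcher.list | egrep "RI|FLAG"
sample_ds_list | ds_report
```

An `AX` row only says the destination is assumed active without probing, so it is not evidence that the OPTIONS exchange over TLS works.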
Hello,
I can suggest that you run with debug=3 in kamailio.cfg and watch the logs printed by kamailio in syslog to see what happens.
If you need to look at the traffic sent over the tls connection, load sipdump module and enable it to write traffic in a file.
Cheers, Daniel
On 07.07.20 16:11, Роман С. wrote:
OK, spent some time around tls configuration. OpenSSL shows no error now, but dispatcher continues to show me IP or AX.
openssl s_client -showcerts -debug -connect servername.com:5061 -no_ssl2 -bugs -servername servername.com -CAfile /root/intermediate.crt
<goodgoodgoodnoerrors>
Teams web-interface shows inactive. Kamcmd's same as previous output. What do I do :(?
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi there,
My teams tls problems with wildcard certs are gone after I did a letsencrypt cert with an fqdn based cn.
Did you try that?
Cheers Karsten
Hm, letsencrypt is out of supported CA list :/ I will give it a try and roll over to sipdump if it fails. Thank you guys.
Tue, 7 Jul 2020 at 21:19, Karsten Horsmann khorsmann@gmail.com:
Hi there,
My teams tls problems with wildcard certs are gone after I did a letsencrypt cert with an fqdn based cn.
Did you try that?
Cheers Karsten
Hi,
Yeah they told you that. But I got it working with letsencrypt. It's an easy and harmless try before you bump your head on the desk in case of tls debugging.
BTW I remember that you can sniff ms teams ssl/tls handshake with ssldump.
And if teams is happy with their option pings to you the direct routing shows up as okay (AFAIK).
Роман С. highlandy@gmail.com wrote on Wed, 8 July 2020, 09:07:
Hm, letsencrypt is out of supported CA list :/ I will give it a try and roll over to sipdump if it fails. Thank you guys.
It becomes stranger. I've managed to put in letsencrypt cert. No better. After that I started sipdump. OK, pings to microsoft were using local IP of kamailio server. Added a few "listen" directives to config to fix it.
Well, now dispatcher still shows bad status. Teams admin center also shows inactive. But when someone makes a test call from Teams, I get the traffic! Like this:

||||||||||||||||||||
====================
tag: rcv
pid: 81575
process: 30
time: 1594204711.307233
date: Wed Jul 8 13:38:31 2020
proto: tls ipv4
srcip: 52.114.148.0
srcport: 10176
dstip:
dstport: 5061
~~~~~~~~~~~~~~~~~~~~
INVITE sip:+...@domain.com:5061;user=phone;transport=tls SIP/2.0
FROM: Sergey A. Smirnovsip:+...@sip.pstnhub.microsoft.com:5061;user=phone;tag=3c0c73c49b334dad885ed8383d9bfd02
TO: sip:+...@domain.com:5061;user=phone
CSEQ: 1 INVITE
CALL-ID: f90cfaf1cc465256a58910806c85e7e3
MAX-FORWARDS: 70
VIA: SIP/2.0/TLS 52.114.148.0:5061;branch=z9hG4bK38865678
RECORD-ROUTE: sip:sip-du-a-us.pstnhub.microsoft.com:5061;transport=tls;lr
CONTACT: sip:api-du-c-euno.pstnhub.microsoft.com:443;x-i=61bae769-d23e-498b-800d-f1e258214d96;x-c=f90cfaf1cc465256a58910806c85e7e3/d/10/bf778faf9b964e8cb1ff2ad03b4abd68
CONTENT-LENGTH: 1133
MIN-SE: 300
SUPPORTED: timer
USER-AGENT: Microsoft.PSTNHub.SIPProxy v.2020.7.1.9 i.USWE2.0
CONTENT-TYPE: application/sdp
ALLOW: INVITE,ACK,OPTIONS,CANCEL,BYE,NOTIFY
SESSION-EXPIRES: 3600

v=0
o=- 247300 0 IN IP4 127.0.0.1
s=session
c=IN IP4 52.113.47.185
b=CT:10000000
t=0 0
m=audio 51320 RTP/SAVP 104 117 9 103 111 18 0 8 97 101 13 118
c=IN IP4 52.113.47.185
a=rtcp:51321
a=ice-ufrag:V73X
a=ice-pwd:KGyenWsebt1f6QY6CiwAoQzA
a=rtcp-mux
a=candidate:1 1 UDP 2130706431 52.113.47.185 51320 typ srflx raddr 10.0.32.202 rport 51320
a=candidate:1 2 UDP 2130705918 52.113.47.185 51321 typ srflx raddr 10.0.32.202 rport 51321
a=candidate:2 1 tcp-act 2121006078 52.113.47.185 49152 typ srflx raddr 10.0.32.202 rport 49152
a=candidate:2 2 tcp-act 2121006078 52.113.47.185 49152 typ srflx raddr 10.0.32.202 rport 49152
a=label:main-audio
a=mid:1
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:vKSpeCodqNjmTXOlZUjJCgW1YXXGmmAzYg/RqziH|2^31
a=sendrecv
a=rtpmap:104 SILK/16000
a=rtpmap:117 G722/8000/2
a=rtpmap:9 G722/8000
a=rtpmap:103 SILK/8000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=ptime:20
||||||||||||||||||||
||||||||||||||||||||
====================
tag: snd
pid: 81575
process: 30
time: 1594204711.311578
date: Wed Jul 8 13:38:31 2020
proto: tls ipv4
srcip:
srcport: 5061
dstip: 52.114.148.0
dstport: 5061
~~~~~~~~~~~~~~~~~~~~
SIP/2.0 404 Not Found
FROM: Sergey A. Smirnovsip:+...@sip.pstnhub.microsoft.com:5061;user=phone;tag=3c0c73c49b334dad885ed8383d9bfd02
TO: sip:+...@domain.com:5061;user=phone;tag=e69338500f192915ee9e9b54c3e94a3c-e71d1853
CSEQ: 1 INVITE
CALL-ID: f90cfaf1cc465256a58910806c85e7e3
VIA: SIP/2.0/TLS 52.114.148.0:5061;branch=z9hG4bK38865678
Server: kamailio (5.3.5 (x86_64/linux))
Content-Length: 0

Well, I get that 404 is because I have no forward route to my pstn. But shouldn't I rely on dispatchers output? Also all these "inactive" make me worried.
Wed, 8 Jul 2020 at 10:32, Karsten Horsmann khorsmann@gmail.com:
Hi,
Yeah they told you that. But I got it working with letsencrypt. It's an easy and harmless try before you bump your head on the desk in case of tls debugging.
BTW I remember that you can sniff ms teams ssl/tls handshake with ssldump.
And if teams is happy with their option pings to you the direct routing shows up as okay (AFAIK).