On 26/02/14 11:39, Alex Villacís Lasso wrote:
On 26/02/14 05:25, Klaus Darilion wrote:
Puh, too many questions in one email.

I am sorry about that. I wanted to provide as much useful information as possible in my email, including what I had observed, and what I have already tried. After all the exposition, I just want to 1) have a setup that routes media between several disjoint networks, 2) while being secure by default even if the firewall gets misconfigured, 3) without having to hardcode a particular IP address in the configuration file.
First, you should describe what you want to achieve. E.g. is there routing between the networks done by the server? E.g. can a client on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for Kamailio/Asterisk to listen on multiple interfaces.

No, the server is not supposed to route ordinary traffic between networks.
If there is no routing, you need to have a media relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no" to avoid media offloading.

The asterisk instance was supposed to be already configured with directmedia=no the whole time. This was set both in the configuration file and in each of the realtime peers. The full sip.conf file is attached. The #include'd files at the end are currently empty. You can see the commented-out attempt to listen on localhost only.

I fail to see why rtpproxy would be required in this setup, since asterisk already opens RTP ports on all interfaces. In the (already tested) asterisk-only scenario, media is routed between the test networks through asterisk when it does all of the SIP negotiation itself.

Regarding security, I think rtpproxy can help me. I have configured asterisk to listen for SIP traffic on localhost only. Of course, this means asterisk will send the media to localhost only, but now I can be sure there is no way to bypass kamailio authentication from the outside.

My test setup resembles a typical NAT traversal. However, instead of a single private interface and a single outgoing interface, I need to route between localhost (which behaves here as the private network) and multiple external interfaces (similar to the "public" network). A partially-working patch to kamailio.cfg is attached to this email. The known problems with the patch are:

- Incoming calls (external->kamailio->asterisk) are handled and media is correctly routed with multiple rtpproxy instances. However, calls generated from Asterisk itself (asterisk->kamailio->external) do not have their media routed correctly. This is because I need to choose which rtpproxy set to use in order to route the media, and I do not know which field to use at the required point for an outgoing INVITE. For incoming INVITEs, I am using $Ri, and for OK replies to those INVITEs, I am using $(hdr(Record-Route)[1]) (I believe this is not optimal and that a better solution must exist).
- I am forced to hardcode IPs to the various defined interfaces. As explained before, IPs can and do change, and removing the need to hardcode the IPs will make configuration and maintenance easier.

I must add that I want to build a generic solution that can be minimally modified for several deployments.

Is this setup recognizable as an already-solved problem (minus the localhost trick)? How is it done correctly?
--- kamailio.cfg.orig	2014-02-19 17:22:25.040166479 -0500
+++ kamailio.cfg	2014-02-27 17:02:26.599259984 -0500
@@ -1,4 +1,12 @@
 #!KAMAILIO
+ 
+#!define WITH_ODBC
+#!define WITH_AUTH
+#!define WITH_USRLOCDB
+#!define WITH_ASTERISK
+#!define WITH_PRESENCE
+#!define WITH_NAT
+ 
 #
 # Kamailio (OpenSER) SIP Server v4.1 - default configuration script
 #     - web: http://www.kamailio.org
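Review bot: style point for this hunk: the two separator lines added around the `#!define` block are `+ ` (a single trailing space) rather than empty lines, and the same pattern recurs in later hunks; make them blank so the file does not accumulate trailing whitespace. Since these six `#!define` toggles are what a deployment changes, keeping them grouped here at the very top, before the header comment, is the right place for them.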
@@ -105,6 +113,14 @@
 ####### Defined Values #########
 
 # *** Value defines - IDs used later in config
+#!ifdef WITH_ODBC
+#!ifndef DBURL
+#!define DBURL "unixodbc:///kamailio-connector"
+#!endif
+#!ifdef WITH_ASTERISK
+#!define DBASTURL "unixodbc:///elxpbx-connector"
+#!endif
+#!endif
 #!ifdef WITH_MYSQL
 # - database URL - used to connect to database server by modules such
 #       as: auth_db, acc, usrloc, a.s.o.
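Review bot: DBASTURL is only defined inside `#!ifdef WITH_ODBC`, but it is referenced later by `modparam("auth_db", "db_url", DBASTURL)` under `#!ifdef WITH_ASTERISK` alone; building with WITH_ASTERISK and WITH_MYSQL (no WITH_ODBC) leaves that symbol undefined. Either define DBASTURL in the WITH_MYSQL branch as well, or guard the Asterisk auth_db block with both conditions.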
@@ -203,6 +219,16 @@
 voicemail.srv_port = "5060" desc "VoiceMail Port"
 #!endif
 
+ 
+#!ifdef WITH_ASTERISK
+asterisk.bindip = "127.0.0.1" desc "Asterisk IP Address"
+asterisk.bindport = "5080" desc "Asterisk Port"
+kamailio.bindip = "127.0.0.1" desc "Kamailio IP Address"
+kamailio.bindport = "5060" desc "Kamailio Port"
+#!endif
+
+mhomed = 1
+ 
 ####### Modules Section ########
 
 # set paths to location of modules (to sources or installation folders)
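Review bot: `mhomed = 1` is added with no comment and outside the `WITH_ASTERISK` guard; add a one-line comment stating that it makes Kamailio select the outgoing socket per destination, which is what the multi-interface setup relies on, so the next reader does not remove it as stray. Binding `asterisk.bindip` and `kamailio.bindip` to 127.0.0.1 matches the stated goal of exposing Asterisk's SIP only on loopback; the localhost values are the intended design here, not leftovers.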
@@ -216,6 +242,10 @@
 loadmodule "db_mysql.so"
 #!endif
 
+#!ifdef WITH_ODBC
+loadmodule "db_unixodbc.so"
+#!endif
+
 loadmodule "mi_fifo.so"
 loadmodule "kex.so"
 loadmodule "corex.so"
@@ -283,6 +313,10 @@
 loadmodule "debugger.so"
 #!endif
 
+#!ifdef WITH_ASTERISK
+loadmodule "uac.so"
+#!endif
+ 
 # ----------------- setting module-specific parameters ---------------
 
 
@@ -303,8 +337,11 @@
 # add value to ;lr param to cope with most of the UAs
 modparam("rr", "enable_full_lr", 1)
 # do not append from tag to the RR (no need for this script)
+#!ifdef WITH_ASTERISK
+modparam("rr", "append_fromtag", 1)
+#!else
 modparam("rr", "append_fromtag", 0)
-
+#!endif
 
 # ----- registrar params -----
 modparam("registrar", "method_filtering", 1)
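Review bot: the comment "do not append from tag to the RR (no need for this script)" now sits directly above a branch that sets `append_fromtag` to 1 for WITH_ASTERISK, so it contradicts half of what follows. Update the comment to say the from-tag is appended only when Asterisk is in the path (needed for the Record-Route matching done in route[NATMANAGE]) and left off otherwise.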
@@ -356,11 +393,19 @@
 
 # ----- auth_db params -----
 #!ifdef WITH_AUTH
-modparam("auth_db", "db_url", DBURL)
 modparam("auth_db", "calculate_ha1", yes)
-modparam("auth_db", "password_column", "password")
 modparam("auth_db", "load_credentials", "")
+ 
+#!ifdef WITH_ASTERISK
+modparam("auth_db", "user_column", "name")
+modparam("auth_db", "password_column", "sippasswd")
+modparam("auth_db", "db_url", DBASTURL)
+modparam("auth_db", "version_table", 0)
+#!else
+modparam("auth_db", "db_url", DBURL)
+modparam("auth_db", "password_column", "password")
 modparam("auth_db", "use_domain", MULTIDOMAIN)
+#!endif
 
 # ----- permissions params -----
 #!ifdef WITH_IPAUTH
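Review bot: the WITH_ASTERISK branch drops `modparam("auth_db", "use_domain", MULTIDOMAIN)`, so in that build the MULTIDOMAIN define has no effect on authentication; if that is intentional because the Asterisk `sip` table's `name` column carries no domain, say so in a comment, otherwise move the `use_domain` line out of the `#!else` so both branches set it. Note also that `calculate_ha1` stays `yes` for both branches, so the `sippasswd` column is expected to hold the cleartext secret Asterisk already stores; that is consistent with the realtime peers described in the mail.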
@@ -405,7 +450,10 @@
 
 #!ifdef WITH_NAT
 # ----- rtpproxy params -----
-modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")
+#modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")
+modparam("rtpproxy", "rtpproxy_sock", "1 == udp:127.0.0.1:7722")
+modparam("rtpproxy", "rtpproxy_sock", "2 == udp:127.0.0.1:7723")
+modparam("rtpproxy", "rtpproxy_sock", "3 == udp:127.0.0.1:7724")
 
 # ----- nathelper params -----
 modparam("nathelper", "natping_interval", 30)
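Review bot: the three `rtpproxy_sock` sets are numbered 1, 2 and 3, but which interface address each set serves is only knowable by reading route[NATMANAGE] further down; add a comment next to each set naming the interface (or the cfg variable) it belongs to, so the two places stay in sync when an address changes. Drop the commented-out single-socket line instead of leaving it above the new ones; the diff already records it.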
@@ -629,6 +677,10 @@
 		if (!save("location"))
 			sl_reply_error();
 
+#!ifdef WITH_ASTERISK
+		route(REGFWD);
+#!endif
+
 		exit;
 	}
 }
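Review bot: `route(REGFWD)` runs even when `save("location")` failed, because `sl_reply_error()` does not leave the route; the REGISTER is then forwarded to Asterisk although the client received an error. Add an `exit;` after `sl_reply_error();` (or wrap the forward in the success branch) so only registrations that were actually saved are replicated to Asterisk.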
@@ -649,6 +701,16 @@
 		route(SIPOUT);
 #!endif
 
+#!ifdef WITH_ASTERISK
+	if(is_method("INVITE") && (!route(FROMASTERISK))) {
+		# if new call from out there - send to Asterisk
+		# - non-INVITE request are routed directly by Kamailio
+		# - traffic from Asterisk is routed also directy by Kamailio
+		route(TOASTERISK);
+		exit;
+	}
+#!endif
+ 
 	$avp(oexten) = $rU;
 	if (!lookup("location")) {
 		$var(rc) = $rc;
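Review bot: the `exit;` after `route(TOASTERISK);` is unreachable, since route[TOASTERISK] itself ends with `exit;` (see the last hunk); keep one of the two, preferably the one here, so TOASTERISK can be reused from other places without terminating the script. Also fix the typos in the added comments ("non-INVITE request are" should read "requests are", "directy" should read "directly").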
@@ -718,6 +780,12 @@
 route[AUTH] {
 #!ifdef WITH_AUTH
 
+#!ifdef WITH_ASTERISK
+	# do not auth traffic from Asterisk - trusted!
+	if(route(FROMASTERISK))
+		return;
+#!endif
+ 
 #!ifdef WITH_IPAUTH
 	if((!is_method("REGISTER")) && allow_source_address())
 	{
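Review bot: the early `return` for `route(FROMASTERISK)` trusts any request whose source is exactly `asterisk.bindip`:`asterisk.bindport`, i.e. 127.0.0.1:5080, and skips both the IP-based and the digest checks that follow. With Asterisk bound to loopback this can only be spoofed by a process on the same host, which is acceptable for the "secure even if the firewall is wrong" goal, but state that assumption in the comment ("trusted!") so nobody later changes `asterisk.bindip` to an external address without revisiting this branch.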
@@ -729,7 +797,11 @@
 	if (is_method("REGISTER") || from_uri==myself)
 	{
 		# authenticate requests
+#!ifdef WITH_ASTERISK
+		if (!auth_check("$fd", "sip", "1")) {
+#!else
 		if (!auth_check("$fd", "subscriber", "1")) {
+#!endif
 			auth_challenge("$fd", "0");
 			exit;
 		}
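Review bot: splitting the `if (!auth_check(...)) {` line across `#!ifdef`/`#!else` duplicates a compound statement just to change the table name, which is easy to get out of step (an edit to one branch's flags "1" and not the other would go unnoticed). Put the table name in a define, e.g. `#!define AUTHTABLE "sip"` under WITH_ASTERISK and `"subscriber"` otherwise, and keep a single `if (!auth_check("$fd", AUTHTABLE, "1")) {` here.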
@@ -779,7 +851,19 @@
 	if (!(isflagset(FLT_NATS) || isbflagset(FLB_NATB)))
 		return;
 
-	rtpproxy_manage("co");
+	#rtpproxy_manage("co");
+	if ($Ri=="10.1.0.3" || $(hdr(Record-Route)[1]) =~ "10.1.0.3") {
+		set_rtp_proxy_set("1");
+		rtpproxy_manage("co", "10.1.0.3");
+	} else if ($Ri=="192.168.5.18" || $(hdr(Record-Route)[1]) =~ "192.168.5.18") {
+		set_rtp_proxy_set("2");
+		rtpproxy_manage("co", "192.168.5.18");
+	} else if ($Ri=="10.0.0.2" || $(hdr(Record-Route)[1]) =~ "10.0.0.2") {
+		set_rtp_proxy_set("3");
+		rtpproxy_manage("co", "10.0.0.2");
+	} else {
+		xlog("L_ALERT", "ALERT: no matching set: Ri=$Ri $(hdr(Record-Route)[0])  $(hdr(Record-Route)[1])\n");
+	}
 
 	if (is_request()) {
 		if (!has_totag()) {
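Review bot: the `=~ "10.1.0.3"` comparisons are unanchored regular expressions with unescaped dots, so `10.1.0.3` also matches `10.1.0.30` or `10.1.0.3` followed by further digits, and any character matches in the dot positions; either escape and anchor the pattern or compare with `==` against the specific URI field you need. The three literal addresses are exactly the hardcoding the mail complains about, and the patch already has a mechanism to avoid it: define them as cfg variables the way `asterisk.bindip` is defined and reference them with `$sel(cfg_get....)`, so a changed interface address is edited in one place. Finally, the `else` branch only logs and then lets the request or reply continue with untouched SDP; decide explicitly whether an unmatched interface should fail the call rather than silently proceed.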
@@ -939,3 +1023,42 @@
 	}
 #!endif
 }
+ 
+#!ifdef WITH_ASTERISK
+# Test if coming from Asterisk
+route[FROMASTERISK] {
+	if($si==$sel(cfg_get.asterisk.bindip)
+			&& $sp==$sel(cfg_get.asterisk.bindport))
+		return 1;
+	return -1;
+}
+ 
+# Send to Asterisk
+route[TOASTERISK] {
+	$du = "sip:" + $sel(cfg_get.asterisk.bindip) + ":"
+			+ $sel(cfg_get.asterisk.bindport);
+	route(RELAY);
+	exit;
+}
+ 
+# Forward REGISTER to Asterisk
+route[REGFWD] {
+	if(!is_method("REGISTER"))
+	{
+		return;
+	}
+	$var(rip) = $sel(cfg_get.asterisk.bindip);
+	$uac_req(method)="REGISTER";
+	$uac_req(ruri)="sip:" + $var(rip) + ":" + $sel(cfg_get.asterisk.bindport);
+	$uac_req(furi)="sip:" + $au + "@" + $var(rip) + ":5060";
+	$uac_req(turi)="sip:" + $au + "@" + $var(rip) + ":5060";
+	$uac_req(hdrs)="Contact: <sip:" + $au + "@"
+				+ $sel(cfg_get.kamailio.bindip)
+				+ ":" + $sel(cfg_get.kamailio.bindport) + ">\r\n";
+	if($sel(contact.expires) != $null)
+		$uac_req(hdrs)= $uac_req(hdrs) + "Expires: " + $sel(contact.expires) + "\r\n";
+	else
+		$uac_req(hdrs)= $uac_req(hdrs) + "Expires: " + $hdr(Expires) + "\r\n";
+	uac_req_send();
+}
+#!endif
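Review bot: in route[REGFWD] the From and To URIs are built with a literal `":5060"` while the Request-URI uses `$sel(cfg_get.asterisk.bindport)`, which this patch sets to "5080"; use the cfg variable in all three so the replicated REGISTER is consistent and does not break when the port is changed in one place. The `is_method("REGISTER")` guard at the top of REGFWD is redundant given the only caller is inside the REGISTER handling block, but it is cheap and makes the route safe to call from elsewhere, so it can stay.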
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users