[Freeswitch-users] Authenticate external calls problem

Jose Miguel Sucasas Mejuto jmsucasas at me.com
Sat Apr 14 05:11:30 MSD 2012


Hello,

I have installed FreeSWITCH 1.1beta from the git repository (FreeSWITCH-mod_sofia/1.1.beta1-git-d2edcad 2012-03-31 23-42-27 +0000). My SIP provider (Netelip) is defined in conf/directory/default/example.conf.xml:

<include>
  <user id="$${default_provider}">
    <gateways>
      <gateway name="$${default_provider}">
        <param name="username" value="$${default_provider_username}"/>
        <param name="password" value="$${default_provider_password}"/>
        <param name="from-user" value="$${default_provider_username}"/>
        <param name="from-domain" value="$${default_provider_from_domain}"/>
        <param name="expire-seconds" value="600"/>
        <param name="register" value="$${default_provider_register}"/>
        <param name="retry-seconds" value="30"/>
        <param name="extension" value="$${default_provider_contact}"/>
        <param name="auth-calls" value="false"/>
        <!--<param name="contact-params" value="domain_name=$${domain}"/>-->
        <param name="context" value="public"/>
      </gateway>
    </gateways>
    <params>
      <param name="password" value="$${default_provider_password}"/>
    </params>
  </user>
</include>

and doesn't authenticate inbound calls (insecure=invite in Asterisk language). When I receive an inbound call, I receive the following error:

freeswitch@internal> 
recv 1000 bytes from udp/[194.140.135.80]:5060 at 23:23:10.163377:
   ------------------------------------------------------------------------
   INVITE sip:34810101189@sukmad.dyndns-home.com SIP/2.0
   Via: SIP/2.0/UDP 194.140.135.80:5060;branch=z9hG4bK6bb16a10;rport
   From: "916495242" <sip:916495242@194.140.135.80>;tag=as7a2a97e5
   To: <sip:34810101189@sukmad.dyndns-home.com>
   Contact: <sip:916495242@194.140.135.80>
   Call-ID: 6c47a4064ef8d0641da415d2121e3226@194.140.135.80
   CSeq: 102 INVITE
   User-Agent: Netelip
   Max-Forwards: 70
   Date: Fri, 13 Apr 2012 23:23:51 GMT
   Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
   Supported: replaces
   Content-Type: application/sdp
   Content-Length: 425
   
   v=0
   o=root 1249 1249 IN IP4 194.140.135.80
   s=session
   c=IN IP4 194.140.135.80
   t=0 0
   m=audio 16474 RTP/AVP 8 0 97 3 18 4 101
   a=rtpmap:8 PCMA/8000
   a=rtpmap:0 PCMU/8000
   a=rtpmap:97 iLBC/8000
   a=fmtp:97 mode=30
   a=rtpmap:3 GSM/8000
   a=rtpmap:18 G729/8000
   a=fmtp:18 annexb=no
   a=rtpmap:4 G723/8000
   a=fmtp:4 annexa=no
   a=rtpmap:101 telephone-event/8000
   a=fmtp:101 0-16
   a=silenceSupp:off - - - -
   a=ptime:20
   a=sendrecv
   ------------------------------------------------------------------------
send 382 bytes to udp/[194.140.135.80]:5060 at 23:23:10.164409:
   ------------------------------------------------------------------------
   SIP/2.0 100 Trying
   Via: SIP/2.0/UDP 194.140.135.80:5060;branch=z9hG4bK6bb16a10;rport=5060
   From: "916495242" <sip:916495242@194.140.135.80>;tag=as7a2a97e5
   To: <sip:34810101189@sukmad.dyndns-home.com>
   Call-ID: 6c47a4064ef8d0641da415d2121e3226@194.140.135.80
   CSeq: 102 INVITE
   User-Agent: FreeSWITCH-mod_sofia/1.1.beta1-git-d2edcad 2012-03-31 23-42-27 +0000
   Content-Length: 0
   
   ------------------------------------------------------------------------
2012-04-14 01:23:10.162331 [DEBUG] sofia.c:7598 IP 194.140.135.80 Rejected by acl "domains". Falling back to Digest auth.
send 871 bytes to udp/[194.140.135.80]:5060 at 23:23:10.166026:
   ------------------------------------------------------------------------
   SIP/2.0 407 Proxy Authentication Required
   Via: SIP/2.0/UDP 194.140.135.80:5060;branch=z9hG4bK6bb16a10;rport=5060
   From: "916495242" <sip:916495242@194.140.135.80>;tag=as7a2a97e5
   To: <sip:34810101189@sukmad.dyndns-home.com>;tag=SaBHcvmm7evNF
   Call-ID: 6c47a4064ef8d0641da415d2121e3226@194.140.135.80
   CSeq: 102 INVITE
   User-Agent: FreeSWITCH-mod_sofia/1.1.beta1-git-d2edcad 2012-03-31 23-42-27 +0000
   Accept: application/sdp
   Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
   Supported: timer, precondition, path, replaces
   Allow-Events: talk, hold, presence, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
   Proxy-Authenticate: Digest realm="194.140.135.80", nonce="bc1571d4-0957-4609-a887-7c3359b9ae9c", algorithm=MD5, qop="auth"
   Content-Length: 0

	I have read in forums that the solution to this problem is to add the IP to the acl.conf.xml, like this:

    <list name="domains" default="deny">
      <!-- domain= is special it scans the domain from the directory to build the ACL -->
      <node type="allow" domain="$${domain}"/>
      <!-- use cidr= if you wish to allow ip ranges to this domains acl. -->
      <node type="allow" cidr="194.140.135.80/24"/> 
    </list>

	But my SIP provider has a dynamic IP, and it's behind a NAT. If my SIP provider will use any IP, where can I do this without enabling all IPs to enter calls in my system?


Thanks in advance,

Regards.
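
Added example (not part of the original post, and not FreeSWITCH code): a Python model of the "domains" list proposed above, checking which source addresses it would admit without falling back to digest authentication. The longest-prefix evaluation rule and the test address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# "domains" list as proposed in the post. The domain= node is omitted: it is
# filled from the user directory at load time and is not modeled here.
ACL_XML = """<list name="domains" default="deny">
  <node type="allow" cidr="194.140.135.80/24"/>
</list>"""

# Debug line copied from the trace in the post.
LOG_LINE = ('2012-04-14 01:23:10.162331 [DEBUG] sofia.c:7598 IP 194.140.135.80 '
            'Rejected by acl "domains". Falling back to Digest auth.')
REJECT_RE = re.compile(r'IP (\S+) Rejected by acl "([^"]+)"')

def load_acl(xml_text):
    """Return (name, default_allow, [(network, allow), ...]) for one <list>."""
    root = ET.fromstring(xml_text)
    nodes = []
    for node in root.findall("node"):
        if node.get("cidr"):
            # strict=False masks host bits: 194.140.135.80/24 -> 194.140.135.0/24
            net = ipaddress.ip_network(node.get("cidr"), strict=False)
            nodes.append((net, node.get("type") == "allow"))
    return root.get("name"), root.get("default") == "allow", nodes

def is_allowed(ip, default_allow, nodes):
    """Assumed model: the most specific matching node decides, else the default."""
    addr = ipaddress.ip_address(ip)
    verdict, best = default_allow, -1
    for net, allow in nodes:
        if addr in net and net.prefixlen > best:
            verdict, best = allow, net.prefixlen
    return verdict

def rejected_source(line):
    """Return (ip, acl_name) from a 'Rejected by acl' debug line, or None."""
    m = REJECT_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def exposure(nodes):
    """Addresses that skip digest auth (overlapping nodes would count twice)."""
    return sum(net.num_addresses for net, allow in nodes if allow)

if __name__ == "__main__":
    name, default_allow, nodes = load_acl(ACL_XML)
    ip, acl = rejected_source(LOG_LINE)
    print(ip, acl, is_allowed(ip, default_allow, nodes))
    print("addresses admitted without digest auth:", exposure(nodes))
```

The /24 entry admits the whole 194.140.135.0/24 block, not only the address seen in the trace; every other source still gets the 407 challenge.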