Since anybody have been able to fully answer my question on OpenSER-Users, I would be very grateful if you can help my to understand how is it possible to use the module... I would like to handle SIP/PSTN gateway directly with OpenSER, without Asterisk. But my gateway need to be registered, so the forward of INVITE request cannot work without previous registration.. I already have radius AAA working, NAT traversal using STUN and CDRTool to generate tickets
I used the http://www.voice-system.ro/docs/uac/ar01s06.html#ex_auth tutorial and my problem is that INVITE request are forward without a previous REGISTER one, so I get a 403 forbidden answer... Thank you for your answers... Best Regards Here is my openser.cfg file: # # $Id: openser.cfg 1827 2007-03-12 15:22:53Z bogdan_iancu $ # # simple quick-start config script # Please refer to the Core CookBook at http://www.openser.org/dokuwiki/doku.php # for a explanation of possible statements, functions and parameters. # # ----------- global configuration parameters ------------------------ debug=7 # debug level (cmd line: -dddddddddd) fork=no log_stderror=yes # (cmd line: -E) children=4 listen=192.168.95.248 alias=sip.wifirst.fr port=5060 # uncomment the following lines for TLS support #disable_tls = 0 #listen = tls:192.168.95.248:5061 #alias=sip.wifirst.fr #tls_verify_server = 1 #tls_verify_client = 1 #tls_require_client_certificate = 0 #tls_method = TLSv1 #tls_certificate = "/etc/openser/tls/user/user-cert.pem" #tls_private_key = "/etc/openser/tls/user/user-privkey.pem" #tls_ca_list = "/etc/openser/tls/user/user-calist.pem" #server_signature=yes #tos=IPTOS_LOWDELAY avp_aliases="day=i:101;time=i:102;can_uri=i:800;s_ip=i:801;billing_party=i:802;from_header=i:803;sip_proxy_ip=i:804" #;pstnuser=i:805;pstnpassword=i:806:pstnrealm=i:807" # ------------------ module loading ---------------------------------- #set module path mpath="/usr/lib/openser/modules/" # Uncomment this if you want to use SQL database loadmodule "mysql.so" loadmodule "sl.so" # Stateless Module loadmodule "tm.so" # Transaction Module loadmodule "rr.so" # Record-Route and Route Module loadmodule "maxfwd.so" # Max-Forward processor Module loadmodule "usrloc.so" # User Location Implementation Module loadmodule "registrar.so" # SIP Registrat Implementation Module loadmodule "textops.so" # Text Operation Module loadmodule "mi_fifo.so" # FIFO transport layer implementation for Management Interface loadmodule "acc.so" # Accounting Module loadmodule "avpops.so" # AVP Operation Module (user preference) loadmodule "uri.so" # Generic URI operation Module loadmodule "auth.so" # Authentification Module #loadmodule "auth_db.so" # Database-backend Authentication mMdule loadmodule "auth_radius.so" # RADIUS-backend Authentication Module loadmodule "group_radius.so" # User-groups Module with RADIUS-backend #loadmodule "avp_radius.so" # RADIUS-backend for AVP loading Module #loadmodule "presence.so" # Presence server Module #loadmodule "pua.so" # Common API for presence user agent client loadmodule "options.so" # OPTIONS server replier Module loadmodule "xlog.so" # Advanced Logger Module #loadmodule "nathelper.so" # NAT Traversal Helper Module #loadmodule "dispatcher.so" # Dispatcher (load-balancer) Module loadmodule "uac.so" # User Agent Client loadmodule "siptrace.so" # SipTrace module (storage of SIP requests) #loadmodule "exec.so" # Allows to start an external command from a OpenSER script # ----------------- setting module-specific parameters --------------- # -- exec params -- #modparam("exec", "setvars", 1) # Turn off to disable setting environment variables for executed commands #modparam("exec", "time_to_kill", 20) # longest time a program is allowed to execute # -- maxfwd params -- modparam("maxfwd", "max_limit", 10) # Default is 256 | 10 in the functions # -- sl params -- #modparam("sl", "enable_stats", 1) # -- mi_fifo params -- modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo") # -- usrloc params -- # Uncomment this if you want to use SQL database modparam("usrloc", "db_mode", 1) # Write instantaneously in the DB modparam("usrloc", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") modparam("usrloc", "timer_interval", 10) #modparam("usrloc", "use_domain", 1) # Not working for now... modparam("usrloc", "cseq_delay", 5) # Delay before authorizing others retransmissions #modparam("usrloc", "matching_mode", 1) # 1 - CONTACT and CALLID based matching algorithm #modparam("usrloc", "nat_bflag" , 3) # -- rr params -- modparam("rr", "enable_full_lr", 1) # add value to ;lr param to make some broken UAs happy #modparam("rr", "add_username", 1) # username is added to the record-route # -- siptrace params -- modparam("siptrace", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") modparam("siptrace", "table", "sip_trace") # Default value "sip_trace" modparam("siptrace", "trace_on", 1) # -- avpops params -- #modparam("avpops", "avp_aliases", "day=i:101;time=i:102") # Deprecated # -- presence params -- #modparam("presence", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") #modparam("presence", "max_expires", 3600) #modparam("presence", "force_active", 1) #modparam("presence", "server_address", "sip:sip.wifirst.fr:5060" ) # -- pua params -- #modparam("pua", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") # -- options params -- #modparam("options", "accept", "*/*") #modparam("options", "accept", "*/sdp") #modparam("options", "accept_encoding", "") # gzip non supporte #modparam("options", "accept_language", "en") # -- registrar params -- modparam("registrar", "default_expires", 1800) #modparam("registrar", "nat_flag", 6) #modparam("registrar", "min_expires", 60) #modparam("registrar", "max_expires", 0) #modparam("registrar", "retry_after", 30) #modparam("registrar", "received_avp", "$avp(i:42)") # -- nathelper params -- #modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:22222") #modparam("nathelper", "natping_interval", 10) #modparam("nathelper", "ping_nated_only", 1) #modparam("nathelper", "sipping_bflag", 7) ##modparam("nathelper", "sipping_method", "OPTIONS") #modparam("nathelper", "received_avp", "$avp(i:42)") # Same Value as the registrar module #modparam("nathelper", "sipping_from", "sip:[EMAIL PROTECTED]") # -- dispatcher params -- #modparam("dispatcher", "list_file", "/etc/openser/dispatcher.list") #modparam("dispatcher", "force_dst", 1) # Force overwriting of the destination #modparam("dispatcher", "flags", 3) #modparam("dispatcher", "use_default", 1) #modparam("dispatcher", "dst_avp", "$avp(i:271)") #modparam("dispatcher", "grp_avp", "$avp(i:272)") #modparam("dispatcher", "cnt_avp", "$avp(i:273)") # -- uac params -- #modparam("uac", "credential", "1401:saturne.alsion.com:7hR") modparam("uac", "credential", "0824:sip.plugandtel.net:635xyM") #modparam("uac", "auth_username_avp", "$avp(i:901)") # #modparam("uac", "auth_password_avp", "$avp(i:902)") # #modparam("uac", "auth_realm_avp", "$avp(i:903)") # modparam("uac","from_restore_mode","auto") # sequential requests and replies will be automatically updated based on stored original URI modparam("uac","from_passwd","UGKZ7DIGIVyfgugdygièè§!yF7TR67") # String password to be used to encrypt the RR storing paramter. # -- auth_db params -- # Uncomment if you are using auth module #modparam("auth_db", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") #modparam("auth_db", "calculate_ha1", yes) #modparam("auth_db", "password_column", "password") # -- auth params -- #modparam("auth", "secret", "johndoessecretphrase") # Default is random => don't set it #modparam("auth", "nonce_expire", 300) # Time before nounce expiration modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf") # -- group_radius params -- modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf") modparam("group_radius", "use_domain", 1) # [EMAIL PROTECTED] will be used for lookup # -- avp_radius parameter -- #modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf") # -- acc params (with radius )-- modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf") modparam("acc", "radius_flag", 1) modparam("acc", "radius_missed_flag", 2) modparam("acc", "early_media", 1) modparam("acc", "report_cancels", 1) #modparam("acc", "report_ack", 0) modparam("acc", "detect_direction", 1) #modparam("acc", "log_flag", 1) # number of the flag which will be used to mark messages for accounting #modparam("acc", "log_level", 1) # Set the reporting log level #modparam("acc", "log_missed_flag", 2) # #modparam("acc", "failed_transaction_flag", 2) modparam("acc", "service_type", 15) # Radius service type used for accounting : 15 = (SIP) #modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp") # ATTENTION: DO NOT PUT ; at the end of the radius_extra attribute modparam("acc", "radius_extra", "Sip-Src-IP=$si; Sip-Src-Port=$sp; Canonical-URI=$avp(can_uri); Billing-Party=$avp(billing_party); SIP-Proxy-IP=$avp(sip_proxy_ip); User-Agent=$ua ") #Billing-Party=$avp(billing_party) #From-Header=$hdr(from); #User-Name=$fU; #From-Header=$avp(from_header); #Digest-Realm=$fd #Sip-From-Tag=$avp(from_header); #SIP-Method=$rm; ######## Pseudo Variables ####### # http://openser.org/dokuwiki/doku.php/pseudovariables:1.2.x #modparam("acc", "radius_extra", "Sip-RPid=$avp(s:rpid); \ # Source-IP=$si; \ # Source-Port=$sp; \ # Canonical-URI=$avp(can_uri); \ # Billing-Party=$avp(billing_party); \ # Divert-Reason=$avp(s:divert_reason); \ # X-RTP-Stat=$avp(s:rtp_statistics); \ # From-Header=$hdr(from); \ # User-Agent=$hdr(user-agent); \ # Contact=$hdr(contact); \ # Event=$hdr(event); \ # SIP-Proxy-IP=$avp(s:sip_proxy_ip)") # -- acc params (with mysql) -- #modparam("acc", "db_url", "mysql://openser:[EMAIL PROTECTED]/openser") #modparam("acc", "db_flag", 1) #modparam("acc", "db_missed_flag", 2) #modparam("acc", "log_flag", 1) #modparam("acc", "log_missed_flag", 2) # -- xlog param -- #modparam("xlog", "force_color", 1) # ------------------------- request routing logic ------------------- # main routing logic route{ # initial sanity checks -- messages with # max_forwards==0, or excessively long requests if (!mf_process_maxfwd_header("10")) { sl_send_reply("483","Too Many Hops"); exit; }; if (msg:len >= 2048 ) { sl_send_reply("513", "Message too big"); exit; }; # check if user is suspended # if(is_method("REGISTER|INVITE|MESSAGE|OPTIONS|SUBSCRIBE")){ # if (radius_is_user_in("From", "suspended")) { # sl_send_reply("403", "Forbidden - suspended"); # exit; # }; # }; # if(is_method("INVITE")) { # if (!radius_is_user_in("From","voip")) { # xlog("L_DBG","NOT IN THE voip GROUP \r\n"); # sl_send_reply("403", "Forbidden - Not in the voip group"); # } else { # xlog("L_DBG","IN THE voip GROUP\r\n"); # }; # }; # we record-route all messages -- to make sure that # subsequent messages will go through our proxy; that's # particularly good if upstream and downstream entities # use different transport protocol if (!method=="REGISTER") { record_route(); }; # subsequent messages withing a dialog should take the # path determined by record-routing if (loose_route()) { # mark routing logic in request append_hf("P-hint: rr-enforced\r\n"); if(is_method("BYE")) { # log it all the time acc_rad_request("200 ok"); acc_log_request("200 ok"); } route(1); }; #if (!uri==myself) { # mark routing logic in request # append_hf("P-hint: outbound\r\n"); # if you have some interdomain connections via TLS #if(uri=~"@tls_domain1.net") { # t_relay("tls:domain1.net"); # exit; #} else if(uri=~"@tls_domain2.net") { # t_relay("tls:domain2.net"); # exit; #} #route(1); #}; ################ SECTION USED TO ANSWER ping OPTIONS requests ################# if (uri==myself) { if (method==OPTIONS){ if (uri=~"sip:[EMAIL PROTECTED]") { rewriteuri("sip:sip.wifirst.fr"); #rewriteuri("sip:$dd"); xlog("URI AFTER rewriteuri() = $ru \r\n"); options_reply(); exit; }; if (! uri=~"sip:[EMAIL PROTECTED]") { xlog("URI USED FOR PING = $ru \r\n"); options_reply(); }; }; }; ################################################################################ #################### REDIRECT PSTN PHONE CALLS################################## # set failure route for authentication t_on_failure("3"); # reset flag to mark no authentication yet performed resetflag(7); if (method==INVITE && uri=~"sip:[EMAIL PROTECTED]") { # #append_time(); # Should add time # insert_hf("Mon-Premier-Test: [EMAIL PROTECTED]", "Call-ID"); # Add a new field to SDP # #rewritehost("10.10.10.1"); # Rewrite network address # consume_credentials(); # $avp(i:901) = "084"; # $avp(i:902) = "63yM"; # $avp(i:903) = "sip.plugandtel.net"; # rewritehostport("saturne.alsion.com"); rewritehostport("sip.plugandtel.net"); #uac_replace_from("sip:[EMAIL PROTECTED]"); # forward to PSTN #t_relay("udp:saturne.alsion.com:5060"); t_relay("udp:sip.plugandtel.net:5060"); exit; }; ################################################################################ # Set the acc flags if(is_method("INVITE") && !has_totag()) { xlog("L_INFO", "I AM SETTING THE FLAGS FOR RADIUS \r\n"); $avp(can_uri) = $ru; # SIP Request's URI $avp(billing_party) = $fu; # From URI $avp(from_header) = $fU; # From URI username $avp(sip_proxy_ip) = $Ri; # Received IP address setflag(1); # radius_flag setflag(2); # radius_missed_flag }; # Functions when calling other domains if (!uri==myself) { # check if user is allowed to do voip calls to other domains if(is_method("INVITE|MESSAGE")) { if (radius_is_user_in("From", "voip")) { sl_send_reply("403", "Forbidden VoIP"); exit; }; }; # mark routing logic in request append_hf("P-hint: outbound\r\n"); route(1); }; # if the request is for other domain use UsrLoc # (in case, it does not work, use the following command # with proper names and addresses in it) if (uri==myself) { if (method=="REGISTER") { sip_trace(); xlog("L_INFO", "$si IS TRYING TO REGISTER \r\n"); # Uncomment this if you want to use digest authentication # if (!www_authorize("sip.wifirst.fr", "subscriber")) { # www_challenge("sip.wifirst.fr", "1"); # qop set to 1 # xlog("L_INFO", "WWW_CHALLENGE of $si FAILED \r\n"); # exit; # }; if (!radius_www_authorize("sip.wifirst.fr")) { www_challenge("sip.wifirst.fr", "0"); # qop set to 1 xlog("L_INFO", "WWW_CHALLENGE of $si FAILED \r\n"); exit; }; # check the src ip address #if(!avp_check("$avp(i:2)", "eq/$src_ip/ig")) { # sl_send_reply("403", "Forbidden IP"); # exit; #}; save("location"); xlog("L_INFO", "SAVE LOCATION OF $si \r\n"); exit; }; # # calls to pstn # if(uri=~"sip:[0-9]*+@") { # if(is_method("INVITE") && !has_totag()) { # if (!radius_is_user_in("From", "pstn")) { # sl_send_reply("403", "Forbidden PSTN"); # exit; # }; # }; # # set gateway address # rewritehostport("sip.wifirst.fr:5090"); # route(1); # }; # load callee's avps # if(avp_load_radius("callee")) { # # check if user has time filter enabled # if(avp_check("$avp(i:3)", "eq/i:1")) { # # print time in an avp # avp_printf("$avp(i:100)", "$Tf"); # # extract day # avp_subst("$avp(i:100)/$avp(i:101)", "/(.{3}) .+/*\1*/"); # #if(!avp_check("$avp(i:6)", "fm/$avp($day)")) { # if(!avp_check("$avp(i:6)", "fm/$avp(day)")) { # sl_send_reply("403", "Forbidden - day"); # exit; # }; # # extract 'hours:minutes' # avp_subst("$avp(i:100)/$avp(i:102)", "/(.{10}) (.{5}):.+/\2/"); # if((is_avp_set("$avp(i:4)") && avp_check("$avp(i:4)", "gt/$avp(time)")) # || (is_avp_set("$avp(i:5)") && avp_check("$avp(i:5)", "lt/$avp(time)"))) { # sl_send_reply("403", "Forbidden - time"); # exit; # }; # }; # lookup("aliases"); # if (!uri==myself) { # append_hf("P-hint: outbound alias\r\n"); # route(1); # }; # native SIP destinations are handled using our USRLOC DB if (!lookup("location")) { # log to acc as missed call acc_rad_request("404 Not Found"); acc_log_request("404 Not Found"); xlog("L_DBG", "ACC RADIUS: 404 NOT FOUND FOR $si \r\n"); sl_send_reply("404", "Not Found"); exit; }; append_hf("P-hint: usrloc applied\r\n"); }; #if ($scr_ip != 192.168.95.248) { # ds_select_dst("1", "0"); # forward(); #}; route(1); } # Generic Forward route[1] { sip_trace(); # send it out now; use stateful forwarding as it works reliably # even for UDP2TCP if (!t_relay()) { sl_reply_error(); }; exit; } failure_route[3] { # authentication reply received? xlog("FAILURE ROUTE 3 STARTED /r/n"); xlog("AUTHENTICATION REPLY RECEIVED /r/n"); if ( t_check_status("401|407") ) { # have we already tried to authenticate? if (isflagset(7)) { t_reply("503","Authentication failed"); exit; } if (uac_auth()) { # mark that auth was performed setflag(7); # trigger again the failure route t_on_failure("3"); # repeat the request with auth response this time append_branch(); t_relay(); } } } _______________________________________________ Devel mailing list [email protected] http://openser.org/cgi-bin/mailman/listinfo/devel
