Routing incoming Asterisk SIP calls - fake auth rejection

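We are trying to handle incoming sip_calls on an Asterisk server, but somehow we always end up with a 403 or 603 (should be the same?)

What should happen if it worked:

User calls the service number -> remote Asterisk accepts the call from the PSTN and forwards it to our Asterisk -> our Asterisk accepts the incoming SIP call -> depending on the DDI/DID in the dialplan, our server starts an outgoing call to "whatever_target" (which can be an internal IP phone or an external PSTN number)

What currently works:

If we configure the primary caller's phone as an extension, it works, because our Asterisk then accepts and forwards it properly

The big problem:

We obviously cannot configure the incoming extensions, since this is a service line that random people will call

Error log:

492212XXXXXXXX - is the real phone number behind the service number

43650XXXXXXX - the customer's phone calling the service number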

<--- SIP read from UDP:remote-server-ip:5060 --->
INVITE sip:492212XXXXXXXX6@our-server-ip:5060 SIP/2.0
Via: SIP/2.0/UDP remote-server-ip:5060;rport;branch=z9hG4bK-6d70-1406058084-1272-462
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 INVITE
Max-Forwards: 70
To: <sip:492212XXXXXXXX6@our-server-ip:5060>
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
User-Agent: Dialogic-SIP/10.5.3.372 inCGN2 2
Contact: <sip:43650XXXXXXX@remote-server-ip:5060>
Allow: INVITE, BYE, REGISTER, ACK, OPTIONS, CANCEL, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE
Supported: path, replaces, timer, tdialog
Session-Expires: 1800
Expires: 300
Organization: Dialogic
Authorization: Digest username="", realm="asterisk", nonce="10ecaeef", response="69597a5b260ecf8c217193b054463175", algorithm=MD5, uri="sip:our-server-ip"
Content-Type: application/sdp
Content-Length: 434

v=0
o=Dialogic_SDP 1919001 0 IN IP4 remote-server-ip
s=Dialogic-SIP
c=IN IP4 83.125.45.83
t=0 0
m=audio 8228 RTP/AVP 0 8 18 4 96 97 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:4 G723/8000
a=fmtp:4 bitrate=6.3
a=rtpmap:96 iLBC/8000
a=fmtp:96 mode=30
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
<------------->
--- (17 headers 19 lines) ---
Sending to remote-server-ip:5060 (no NAT)
Using INVITE request as basis request - 64d6-439-6222014194124-inCGN2-2-remote-server-ip
No matching peer for '43650XXXXXXX' from 'remote-server-ip:5060'
[Jul 22 19:41:24] NOTICE[30280]: chan_sip.c:22518 handle_request_invite: Sending fake auth rejection for device "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476

<--- Transmitting (no NAT) to remote-server-ip:5060 --->
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP remote-server-ip:5060;branch=z9hG4bK-6d70-1406058084-1272-462;received=remote-server-ip;rport=5060
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
To: <sip:492212XXXXXXXX6@our-server-ip:5060>;tag=as52e8819e
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 INVITE
Server: Asterisk PBX 1.8.10.1~dfsg-1ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '64d6-439-6222014194124-inCGN2-2-remote-server-ip' in 32000 ms (Method: INVITE)

<--- SIP read from UDP:remote-server-ip:5060 --->
ACK sip:492212XXXXXXXX6@our-server-ip:5060 SIP/2.0
Via: SIP/2.0/UDP remote-server-ip:5060;rport;branch=z9hG4bK-6d70-1406058084-1272-462
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 ACK
Max-Forwards: 70
To: <sip:492212XXXXXXXX6@our-server-ip:5060>;tag=as52e8819e
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
User-Agent: Dialogic-SIP/10.5.3.372 inCGN2 2
Content-Length: 0

sip.conf for incoming calls

name: incoming
defaultuser: 492212XXXXXX
regexten: null
secret: null
context: home
canreinvite: yes
host: remote-server-ip
ipaddr: null
insecure: invite
port: 5060
disallow: all
allow: g729;ilbc;gsm;ulaw;alaw
dtmfmode: rfc2833
fromdomain: our-server-ip (we also tested with remote server ip)
nat: yes
qualify: yes
type: friend
outboundproxy: our-server-ip (we also tested with remote server ip)
allowguest: yes (in the hopes it would allow all calls, it didn't)

Extension configuration:

'297', 'home', '492212XXXXXX', '1', 'Dial', 'SIP/101'
'298', 'home', '492212XXXXXX101', '1', 'Dial', 'SIP/101'
'296', 'home', '_43ZX.', '1', 'Dial', 'SIP/101'

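What is the correct way to implement a general whitelist for incoming calls from "remote-server-ip"?

Do you see any obvious flaws in the configuration above? I have to admit that, as I try switching all the parameters around to find a solution, I am increasingly unable to see the error.

Can I somehow attach an authentication method to the incoming calls via the remotesecret/proxy settings?

I must admit that my previous Asterisk experience mostly consisted of configuring a few internal IP phones, and that's it ^^

Answer 1

As far as I can see, your sip.conf is missing a definition for the "43650XXXXXXX" peer

I also noticed that your "Dial" command uses "101" instead of "43650XXXXXXX". Your "Dial" command should reference the SIP peer you want to direct the call to.

So you are getting the 403 because there is simply no match for the attempted SIP connection.

Recommended reading: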

http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/DeviceConfig_id216341.html
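
For the whitelist question above, one common chan_sip arrangement is to define the upstream gateway as a trunk that is matched by source IP address and confined to its own context. This is an added example, not configuration from the question or the answer; the section name pstn-gateway and the context from-pstn are assumed names, and remote-server-ip stands for the gateway's real address as in the post.

```ini
; ---- sip.conf (chan_sip) : constructed example ----
[general]
allowguest=no             ; an INVITE that matches no peer is rejected, not routed as a guest
alwaysauthreject=yes      ; known and unknown usernames get the same rejection (no enumeration)

; Trunk entry for the upstream gateway. "pstn-gateway" is an assumed name.
[pstn-gateway]
type=peer                 ; incoming INVITEs are matched to this entry by source IP,
                          ; so the caller ID in From: does not need its own peer
host=remote-server-ip     ; placeholder: the gateway's real IP address
insecure=port,invite      ; match on IP whatever the source port, and do not challenge
                          ; INVITEs from this IP with a digest request
deny=0.0.0.0/0.0.0.0      ; ACL: refuse every source address ...
permit=remote-server-ip/255.255.255.255   ; ... except the gateway (placeholder address)
context=from-pstn         ; trunk calls land only in this context (assumed name)
disallow=all
allow=alaw
allow=ulaw
dtmfmode=rfc2833

; ---- extensions.conf : constructed example ----
[from-pstn]
; Only the DIDs that should be reachable from the trunk are listed here.
; 492212XXXXXX is the masked DID from the post, 101 the internal phone.
exten => 492212XXXXXX,1,Dial(SIP/101)
```

Because insecure=invite removes digest authentication for this peer, the permit/deny pair and the dedicated context are what limit who can place calls and what those calls can reach. After `sip reload` and `dialplan reload`, `sip show peer pstn-gateway` in the Asterisk CLI shows the resolved address and ACL.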
