[OpenSIPS-Users] 401 Unauthorized after Authentication Digest

John Quick john.quick at smartvox.co.uk
Tue Jun 6 10:30:09 EDT 2017


Hello David,

I'm not familiar with the pjsip implementation on Asterisk so cannot really help. Are you sure you can mix chan_sip with pjsip? How does Asterisk know which one to use when it receives a SIP request?
If you are getting "no matching endpoint" warnings it suggests to me that you need to define the sip peer somewhere else or that you are not giving the correct IP address in your sip peer definition, but this is only a guess. 
Perhaps there is an Asterisk forum where you could get help. The underlying problem seems to be that Asterisk is demanding authentication when you don't want it to - in which case your problem is with Asterisk, not with OpenSIPS.

John Quick
Smartvox Limited


From: David Peláez [mailto:dvlux4 at gmail.com] 
Sent: 06 June 2017 13:39
To: John Q <john.quick at smartvox.co.uk>
Cc: users at lists.opensips.org
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Hi John.

I configured "secure=INVITE" but the same behaivor continue. Also the extensions on Asterisk server are pjsip and the trunk is chan_sip, could it be the problem why the calls aren't reching the SIPphone? Or some problem between the ports the servers are listen to?
I just have one peer defined which is the one I am sending the calls.

And now I have seen this error on Asterisk server:

[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - Failed to authenticate

What does it means?

Best regards
David 


2017-06-02 12:20 GMT+02:00 John Quick <mailto:john.quick at smartvox.co.uk>:
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:mailto:dvlux4 at gmail.com]
Sent: 02 June 2017 10:56
To: mailto:john.quick at smartvox.co.uk
Cc: mailto:users at lists.opensips.org
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David






More information about the Users mailing list