[OpenSIPS-Users] FW: Re: 401 Unauthorized after Authentication Digest

John Quick john.quick at smartvox.co.uk
Tue Jun 6 11:00:56 EDT 2017


David,

Have you read this:
https://wiki.asterisk.org/wiki/display/AST/Migrating+from+chan_sip+to+res_pjsip#Migratingfromchan_siptores_pjsip-Disablingres_pjsipandchan_pjsip

It looks like you can only have both active together if they are listening on different ports. Do you know which port each one is using and are you 100% sure that OpenSIPS is sending its INVITE request to the port assigned to chan_sip?

John Quick
Smartvox Limited


From: David Peláez [mailto:dvlux4 at gmail.com] 
Sent: 06 June 2017 13:39
To: John Q <john.quick at smartvox.co.uk>
Cc: users at lists.opensips.org
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Hi John.

I configured "secure=INVITE" but the same behaivor continue. Also the extensions on Asterisk server are pjsip and the trunk is chan_sip, could it be the problem why the calls aren't reching the SIPphone? Or some problem between the ports the servers are listen to?
I just have one peer defined which is the one I am sending the calls.

And now I have seen this error on Asterisk server:

[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - No matching endpoint found
[2017-06-06 10:58:20] NOTICE[3601] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"501" <mailto:sip%3A2000 at 192.168.1.12>' failed for 'http://192.168.1.12:5060' (callid: mailto:880692485-17367-10 at BJC.BGI.B.C) - Failed to authenticate

What does it means?

Best regards
David 


2017-06-02 12:20 GMT+02:00 John Quick <mailto:john.quick at smartvox.co.uk>:
Hi David,

In asterisk, "insecure=INVITE" should be sufficient to disable authentication, although I have only tried it using chan_sip, not pjsip.
Is it possible you have another sip peer defined where the address for "host=" is the same? It is very difficult to know which one Asterisk will use for incoming calls when there are two with the same address for host.
If you have parameters for username and secret in your sip peer, try commenting them out and see if that helps.

I would not advise disabling authentication of SIP phones. In fact you should make sure you always use strong passwords.
All makes of SIP phone will support username/password authentication and it is vital to keep it active if you don't want your phone system to be hacked.
However, you should add this line to opensips.cfg after the SIP phone authentication section (www_authorize) and before you send the call to Asterisk (t_relay):

consume_credentials();

This will remove the headers that OpenSIPS and the SIP phone exchanged for authentication. If you don't remove those headers, Asterisk is likely to get confused and may request authorisation.

The consume_credentials function is documented here:
http://www.opensips.org/html/docs/modules/2.2.x/auth.html#idp5543680

John Quick
Smartvox Limited


From: David Peláez [mailto:mailto:dvlux4 at gmail.com]
Sent: 02 June 2017 10:56
To: mailto:john.quick at smartvox.co.uk
Cc: mailto:users at lists.opensips.org
Subject: Re: FW: Re: [OpenSIPS-Users] 401 Unauthorized after Authentication Digest

Thanks a lot for your replay. I already change the option "insecure=INVITE" as you suggested but I am still having the same problem. Find attached the peer configuration maybe I am missing something else.
About opensips authenticating calls from SIPphones how do I disabled that behavior? because my opensips sends an 407 Proxy Authentication to the Sip phone before sending the INVITE to asterisk server.
Best regards
David






More information about the Users mailing list