Route incoming asterisk sip calls – fake auth rejected

asterisk, sip, telephony, voip

We are trying to handle incoming SIP calls on our Asterisk server, but somehow we always end up getting either 403 or 603 (which should be the same?).

what should happen if it works:

user calls service number
-> remote asterisk accepts call from pstn and forwards to our asterisk -> our asterisk accepts incoming sip call -> depending on the DDI/DID according to the dialplan our server starts an external call to "whatever_target"(could be an internal ip phone or external pstn number)

what works so far:

If we configure the primary caller phone as an extension, it works properly, as our Asterisk correctly accepts it and forwards.

the big problem with this:

We obviously cannot configure incoming extensions, as it is a service line random people will call.

the error log:

492212XXXXXXXX – being a real phone number behind the service number

43650XXXXXXX – customer phone that is calling the service number

<--- SIP read from UDP:remote-server-ip:5060 --->
INVITE sip:492212XXXXXXXX6@our-server-ip:5060 SIP/2.0
Via: SIP/2.0/UDP remote-server-ip:5060;rport;branch=z9hG4bK-6d70-1406058084-1272-462
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 INVITE
Max-Forwards: 70
To: <sip:492212XXXXXXXX6@our-server-ip:5060>
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
User-Agent: Dialogic-SIP/10.5.3.372 inCGN2 2
Contact: <sip:43650XXXXXXX@remote-server-ip:5060>
Allow: INVITE, BYE, REGISTER, ACK, OPTIONS, CANCEL, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE
Supported: path, replaces, timer, tdialog
Session-Expires: 1800
Expires: 300
Organization: Dialogic
Authorization: Digest username="", realm="asterisk", nonce="10ecaeef", response="69597a5b260ecf8c217193b054463175", algorithm=MD5, uri="sip:our-server-ip"
Content-Type: application/sdp
Content-Length: 434

v=0
o=Dialogic_SDP 1919001 0 IN IP4 remote-server-ip
s=Dialogic-SIP
c=IN IP4 83.125.45.83
t=0 0
m=audio 8228 RTP/AVP 0 8 18 4 96 97 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=yes
a=rtpmap:4 G723/8000
a=fmtp:4 bitrate=6.3
a=rtpmap:96 iLBC/8000
a=fmtp:96 mode=30
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=20
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
<------------->
--- (17 headers 19 lines) ---
Sending to remote-server-ip:5060 (no NAT)
Using INVITE request as basis request - 64d6-439-6222014194124-inCGN2-2-remote-server-ip
No matching peer for '43650XXXXXXX' from 'remote-server-ip:5060'
[Jul 22 19:41:24] NOTICE[30280]: chan_sip.c:22518 handle_request_invite: Sending fake auth rejection for device "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476

<--- Transmitting (no NAT) to remote-server-ip:5060 --->
SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP remote-server-ip:5060;branch=z9hG4bK-6d70-1406058084-1272-462;received=remote-server-ip;rport=5060
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
To: <sip:492212XXXXXXXX6@our-server-ip:5060>;tag=as52e8819e
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 INVITE
Server: Asterisk PBX 1.8.10.1~dfsg-1ubuntu1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0


<------------>
Scheduling destruction of SIP dialog '64d6-439-6222014194124-inCGN2-2-remote-server-ip' in 32000 ms (Method: INVITE)

<--- SIP read from UDP:remote-server-ip:5060 --->
ACK sip:492212XXXXXXXX6@our-server-ip:5060 SIP/2.0
Via: SIP/2.0/UDP remote-server-ip:5060;rport;branch=z9hG4bK-6d70-1406058084-1272-462
Call-ID: 64d6-439-6222014194124-inCGN2-2-remote-server-ip
CSeq: 2 ACK
Max-Forwards: 70
To: <sip:492212XXXXXXXX6@our-server-ip:5060>;tag=as52e8819e
From: "43650XXXXXXX"<sip:43650XXXXXXX@remote-server-ip>;tag=95ffcd055e0f78f7d5d397020e89288df0ec4476
User-Agent: Dialogic-SIP/10.5.3.372 inCGN2 2
Content-Length: 0

sip.conf for incoming calls

name: incoming
defaultuser: 492212XXXXXX
regexten: null
secret: null
context: home
canreinvite: yes
host: remote-server-ip
ipaddr: null
insecure: invite
port: 5060
disallow: all
allow: g729;ilbc;gsm;ulaw;alaw
dtmfmode: rfc2833
fromdomain: our-server-ip (we also tested with remote server ip)
nat: yes
qualify: yes
type: friend
outboundproxy: our-server-ip (we also tested with remote server ip)
allowguest: yes (in the hopes it would allow all calls, it didn't)

extensions configuration:

'297', 'home', '492212XXXXXX', '1', 'Dial', 'SIP/101'
'298', 'home', '492212XXXXXX101', '1', 'Dial', 'SIP/101'
'296', 'home', '_43ZX.', '1', 'Dial', 'SIP/101'

What would be the correct way to implement a general whitelist for calls incoming on "remote-server-ip"?

Do you see any cpt. obvious flaws in the above configuration? I have to admit I increasingly become blind to seeing errors in this, as I tried to switch all the parameters around to find a solution.

Can I somehow append a method of authentication to be appended to incoming calls via the remotesecret/proxy settings?

I have to admit that my previous Asterisk experience was mostly about configuring a few in-house IP phones and that's it ^^

Best Answer

From what I can see, you're missing a peer definition for your "43650XXXXXXX" peer in your sip.conf

I also note that your "dial" commands are using "101" and not "43650XXXXXXX". Your "dial" command should be referencing your SIP peer to which you want to direct the call.

So, you're getting 403 because there is no match at all for the attempted SIP connection.

Recommended Reading:

http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/DeviceConfig_id216341.html
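
The rejections in the trace above can be summarised per sending host. This is an added example, not part of the original question or answer: it pairs each "Sending fake auth rejection" NOTICE with the preceding "No matching peer ... from 'host:port'" debug line, so the network source is kept apart from the caller-controlled From header. The function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

NO_PEER = re.compile(r"No matching peer for '([^']*)' from '([^':]+):(\d+)'")
FAKE_AUTH = re.compile(
    r"^\[([^\]]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_invite: "
    r"Sending fake auth rejection for device .*?<sip:([^@>]+)@([^>;:]+)"
)

def parse_rejections(log_text):
    """Pair each fake-auth NOTICE with the preceding 'No matching peer' line."""
    last_source = {}  # From user -> (host, port) the packet really came from
    events = []
    for line in log_text.splitlines():
        m = NO_PEER.search(line)
        if m:
            last_source[m.group(1)] = (m.group(2), int(m.group(3)))
            continue
        m = FAKE_AUTH.match(line.strip())
        if m:
            when, user, claimed = m.groups()
            host, port = last_source.pop(user, (None, None))
            events.append({"time": when, "from_user": user,
                           "claimed_host": claimed,  # taken from the From header
                           "source_host": host, "source_port": port})
    return events

def callers_by_source(events):
    """Map each sending host to the distinct From users it was rejected for."""
    grouped = defaultdict(set)
    for ev in events:
        grouped[ev["source_host"]].add(ev["from_user"])
    return {host: sorted(users) for host, users in grouped.items()}

# Constructed sample (documentation IPs, made-up numbers) in the trace's line shapes.
SAMPLE_LOG = """\
No matching peer for '4365000000001' from '192.0.2.10:5060'
[Jul 22 19:41:24] NOTICE[30280]: chan_sip.c:22518 handle_request_invite: Sending fake auth rejection for device "4365000000001"<sip:4365000000001@192.0.2.10>;tag=aaa1
No matching peer for '4366400000002' from '192.0.2.10:5060'
[Jul 22 19:43:02] NOTICE[30280]: chan_sip.c:22518 handle_request_invite: Sending fake auth rejection for device "4366400000002"<sip:4366400000002@192.0.2.10>;tag=aaa2
No matching peer for '100' from '198.51.100.7:5071'
[Jul 22 19:50:11] NOTICE[30281]: chan_sip.c:22518 handle_request_invite: Sending fake auth rejection for device "100"<sip:100@203.0.113.5>;tag=bbb1
"""

if __name__ == "__main__":
    for host, users in callers_by_source(parse_rejections(SAMPLE_LOG)).items():
        print(host, users)
```

One host rejected for many different From users is the pattern the question describes (a gateway relaying arbitrary callers), while a source_host that differs from claimed_host shows the From header alone does not identify the sender.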