Asterisk How to connect to Metaswitch

The Grand Unified Theory of Connecting Asterisk to a Metaswitch



Got Asterisk? Want to connect to a Metaswitch switch at your ISP?



Here's how we did it.

Features:


  • Asterisk behind a firewall
  • Asterisk server at fixed IP
  • 6 call appearances (in my case).
  • A (local) phone number people can dial.
  • Authenticated on outgoing dial.
  • unauthenticated on incoming call, but the IP of the ISP's server is fixed, which hopefully will be secure.
  • Full CallerID (name+num) from incoming callers passed thru INVITE.



Metaswitch side:


We're doing Configured SIP bindings to Asterisk.

On the Metaswitch side, use the Default SIP MG, and set the domain of
the binding to the name of the Metaswitch or SBC. Set Use DN for
identification on, or much of this config will be wrong. I have
configured and tested authentication on the SIP binding and seems to
work.

Transport protocol should be UDP. Lastly, don't set the maximum call
appearances to 1. The rest is pretty much default.


Conventions used in this Guide


We'll use as an example the number 397-333-4444.
For the sake of example, the password set in the metaswitch is "WeirdPassword".


Let's also, for the sake of further discussion, assume that my Asterisk fixed site IP
is "1.2,3.4", and the ISP's metaswitch is accessible via IP "5.6.7.8".


Asterisk Side:


According to instructions from other Metaswitch users, DO NOT REGISTER to the metaswitch.
They say it does no good, and I tend to agree from my own experiments.



sip.conf entries:



[general]

externip=.1.2.3.4
localnet = 192.168.134.0/24         ; Internal NETWORK address
nat=yes
canreinvite=no


;; The above two entries tell Asterisk what IP address to use, and
;; what addresses are local vs. out on the internet. You can move them down into the
;; the context entries below, if they do not form good defaults for the other entries
;; in your sip.conf file.


[voipisp]
type=friend
insecure=very     ;; turns off authentication for incoming calls. the host IP restriction should hopefully suffice!
context=voipworkline
host=voip.isp.net
; according to the http header in the SIP invite, the realm is vopi, not voip
realm=vopi..isp.net
username=3973334444
~np~;; this md5secret is derived from:  echo -n "3973334444:vopi.isp.net:WeirdPassword" | md5sum~/np~
~np~;; how to get this information, I will explain later in this document~/np~
md5secret=301cca75b46a09daceb8c9b8a840c796


For users of Asterisk 1.4:

If you are able to get incoming calls, but cannot make outgoing calls, then I found that the md5secret not
the way to go. Just define:
secret=WeirdPassword
and removed the md5secret line. A quick check (via sip set debug ) will show that md5 authentification is
still being done between Asterisk and the ISP, but you no longer have to worry about building the md5secret.

For users of Asterisk 1.6:

Starting with Asterisk 1.6, extra checks are done in the SIP and SDP streams to ensure validity. One side effect of this is this is that "hairpin" calls may, that is a call from the Metaswitch, through Asterisk, and back out through the same Metaswitch, may fail. The message on my console was:

[Nov 20 03:34:39] WARNING[20072]: chan_sip.c:16944 handle_response_invite: Re-invite to non-existing call leg on other UA. SIP dialog '000032c00000122e00001c920000214f@192.168.1.1'. Giving up.


While the Metaswitch seems to conform well to Asterisk 1.6 in most cases, in this specific case the SDP owner version number is not incremented, causing Asterisk 1.6.0 (and later versions) to reject the updated SDP information. This in turn causes asterisk to send a BYE prior to sending the two re-INVITES to bridge the channels. The result is the error message above.

To fix this problem, add the following line to your peer definition in your sip.conf:

ignoresdpversion=yes

This has been tested with Asterisk 1.6.1.10 and Asterisk 1.6.0.18.



How to get the authentication information:


1. realm: plug in fake data into your sip.conf, and set up your dialplan to make calls
thru the metaswitch. On the asterisk console, enter the command:

sip debug

and then place your call-- outgoing, thru the metaswitch.

If all goes well, you will get a nonsense recording about
"All circuits busy", and the log messages will appear on the console. Go the beginning
of the output (which should also appear in the /var/log/asterisk/messages file), and
look for a packet that looks like this:

<-- SIP read from 5.6.7.8:5060:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 1.2.3.4:5060;received=1.2.3.4;branch=z9hG4bK2eddd092;rport=5060
From: "Steves Exten" <sip:3973334444@1.2.3.4>;tag=as58a98f0d
To: <sip:5878001@voip.tctwest.net>;tag=SDdd1if99-voip.isp.net+1+2abc0f+1120c1c5
Call-ID: 278b591334a4fb0b0757d6904fbdf488@1.2.3.4
CSeq: 102 INVITE
WWW-Authenticate: Digest realm="vopi.isp.net",nonce="f6e09090494e09df4df77f9eeb3bd30a",stale=false,algorithm=MD5,qop="auth"
Server: DC-SIP/2.0
Supported: 100rel
Content-Length: 0

This packet is a "challenge" packet. It's the metaswitch telling you, "What's your password?".
The key line is the WWW-Authenticate: header. The realm it provides, is the one you need
to enter in your sip.conf file, in the "voipisp" context (or whatever you decide to call it).

To generate the md5secret, go to the command line and enter:

echo -n "<acct number>:<realm>:<password>" | md5sum

which, in this particular case would be:


echo -n "3973334444:vopi.isp.net:WeirdPassword" | md5sum

which results in:

301cca75b46a09daceb8c9b8a840c796 -

the string of hex digits that results is what you use for the md5secret= line in the
sip.config file. It should be 32 hex digits long.


The extensions.conf file:



;; the most important points to remember is that you use the context you
;; defined in the sip.conf file for the peer, to dial out.
;; and the metaswitch seems to love full dialing numbers like "12025551212", especially
;; if the number to dial isn't local!
;; Set up the callerID to your account number, and then dial the number.

;; Fixed extension, dial fixed number:
exten => 798,1,Set,CALLERID(num)=3973334444
exten => 798,2,Dial(SIP/12025551212@voipisp|20)
exten => 798,3,Congestion

;; so, extensions with this in their context, can pick up a phone and dial 798,
;; and you'll get directory assistance in area code 202, via your ISP.

;; NOTE!  on older versions of Asterisk, the SetCallerID() application can be used
;; instead of the Set(CALLERID(num)=xxx) used above. Just remember that it's
;; deprecated, and at some point when you update things, you'll have to change
;; the dialplan!

;; Dial a variable number, with "84" as a prefix:

exten => _84.,1,Set,CALLERID(num)=3973334444
exten => _84.,2,Dial(SIP/${EXTEN:2}@voipisp,60,r)
exten => _84.,3,Congestion

;; so, you can pick up an extension, and dial 8412025551212, and get directory assistance
;; in area code 202.


;;; INCOMING CALLS

[voipworkline]
exten => 3973334444,1,Answer   ;; it is a good practice to Answer a line before doing anything else!!!
exten => 3973334444,2,TrySystem(/usr/local/bin/who-is-it ${CALLERIDNUM} "${CALLERIDNAME}"&)  ;; a little script to announce the caller over speakers
exten => 3973334444,3,;;;.... here it is... present a menu, set up extensions to dial, etc. etc


!!!!;;; INCOMING CALLS FOR MORE THAN ONE DID

The above works well for one number, but after a lot of research and a few tests, below is the code for multiple DID's:

[voipworkline]
exten => 3973334444,1,Answer
exten => 3973334444,2,Goto(voipworkline-dids,${SIP_HEADER(To):5:10},1)
exten => 3973334444,3,Hangup

[voipworkline-dids]
exten => 3973334444,1,Macro(didextendial,${EX-111},${VM-111}) ; insert your Macro Dial command here...
exten => 3973334445,1,Macro(didextendial,${EX-112},${VM-112})
exten => 3973334446,1,Macro(didextendial,${EX-113},${VM-113})
exten => 3973334447,1,Macro(didextendial,${EX-114},${VM-114})

etc


Created: Thu 15 of Dec, 2005 (06:39 UTC)
Updated: Thu 2 of Mar, 2006
Hits: 37913




The Grand Unified Theory of Connecting Asterisk to a Metaswitch



Got Asterisk? Want to connect to a Metaswitch switch at your ISP?



Here's how we did it.

Features:


  • Asterisk behind a firewall
  • Asterisk server at fixed IP
  • 6 call appearances (in my case).
  • A (local) phone number people can dial.
  • Authenticated on outgoing dial.
  • unauthenticated on incoming call, but the IP of the ISP's server is fixed, which hopefully will be secure.
  • Full CallerID (name+num) from incoming callers passed thru INVITE.



Metaswitch side:


We're doing Configured SIP bindings to Asterisk.

On the Metaswitch side, use the Default SIP MG, and set the domain of
the binding to the name of the Metaswitch or SBC. Set Use DN for
identification on, or much of this config will be wrong. I have
configured and tested authentication on the SIP binding and seems to
work.

Transport protocol should be UDP. Lastly, don't set the maximum call
appearances to 1. The rest is pretty much default.


Conventions used in this Guide


We'll use as an example the number 397-333-4444.
For the sake of example, the password set in the metaswitch is "WeirdPassword".


Let's also, for the sake of further discussion, assume that my Asterisk fixed site IP
is "1.2,3.4", and the ISP's metaswitch is accessible via IP "5.6.7.8".


Asterisk Side:


According to instructions from other Metaswitch users, DO NOT REGISTER to the metaswitch.
They say it does no good, and I tend to agree from my own experiments.



sip.conf entries:



[general]

externip=.1.2.3.4
localnet = 192.168.134.0/24         ; Internal NETWORK address
nat=yes
canreinvite=no


;; The above two entries tell Asterisk what IP address to use, and
;; what addresses are local vs. out on the internet. You can move them down into the
;; the context entries below, if they do not form good defaults for the other entries
;; in your sip.conf file.


[voipisp]
type=friend
insecure=very     ;; turns off authentication for incoming calls. the host IP restriction should hopefully suffice!
context=voipworkline
host=voip.isp.net
; according to the http header in the SIP invite, the realm is vopi, not voip
realm=vopi..isp.net
username=3973334444
~np~;; this md5secret is derived from:  echo -n "3973334444:vopi.isp.net:WeirdPassword" | md5sum~/np~
~np~;; how to get this information, I will explain later in this document~/np~
md5secret=301cca75b46a09daceb8c9b8a840c796


For users of Asterisk 1.4:

If you are able to get incoming calls, but cannot make outgoing calls, then I found that the md5secret not
the way to go. Just define:
secret=WeirdPassword
and removed the md5secret line. A quick check (via sip set debug ) will show that md5 authentification is
still being done between Asterisk and the ISP, but you no longer have to worry about building the md5secret.

For users of Asterisk 1.6:

Starting with Asterisk 1.6, extra checks are done in the SIP and SDP streams to ensure validity. One side effect of this is this is that "hairpin" calls may, that is a call from the Metaswitch, through Asterisk, and back out through the same Metaswitch, may fail. The message on my console was:

[Nov 20 03:34:39] WARNING[20072]: chan_sip.c:16944 handle_response_invite: Re-invite to non-existing call leg on other UA. SIP dialog '000032c00000122e00001c920000214f@192.168.1.1'. Giving up.


While the Metaswitch seems to conform well to Asterisk 1.6 in most cases, in this specific case the SDP owner version number is not incremented, causing Asterisk 1.6.0 (and later versions) to reject the updated SDP information. This in turn causes asterisk to send a BYE prior to sending the two re-INVITES to bridge the channels. The result is the error message above.

To fix this problem, add the following line to your peer definition in your sip.conf:

ignoresdpversion=yes

This has been tested with Asterisk 1.6.1.10 and Asterisk 1.6.0.18.



How to get the authentication information:


1. realm: plug in fake data into your sip.conf, and set up your dialplan to make calls
thru the metaswitch. On the asterisk console, enter the command:

sip debug

and then place your call-- outgoing, thru the metaswitch.

If all goes well, you will get a nonsense recording about
"All circuits busy", and the log messages will appear on the console. Go the beginning
of the output (which should also appear in the /var/log/asterisk/messages file), and
look for a packet that looks like this:

<-- SIP read from 5.6.7.8:5060:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 1.2.3.4:5060;received=1.2.3.4;branch=z9hG4bK2eddd092;rport=5060
From: "Steves Exten" <sip:3973334444@1.2.3.4>;tag=as58a98f0d
To: <sip:5878001@voip.tctwest.net>;tag=SDdd1if99-voip.isp.net+1+2abc0f+1120c1c5
Call-ID: 278b591334a4fb0b0757d6904fbdf488@1.2.3.4
CSeq: 102 INVITE
WWW-Authenticate: Digest realm="vopi.isp.net",nonce="f6e09090494e09df4df77f9eeb3bd30a",stale=false,algorithm=MD5,qop="auth"
Server: DC-SIP/2.0
Supported: 100rel
Content-Length: 0

This packet is a "challenge" packet. It's the metaswitch telling you, "What's your password?".
The key line is the WWW-Authenticate: header. The realm it provides, is the one you need
to enter in your sip.conf file, in the "voipisp" context (or whatever you decide to call it).

To generate the md5secret, go to the command line and enter:

echo -n "<acct number>:<realm>:<password>" | md5sum

which, in this particular case would be:


echo -n "3973334444:vopi.isp.net:WeirdPassword" | md5sum

which results in:

301cca75b46a09daceb8c9b8a840c796 -

the string of hex digits that results is what you use for the md5secret= line in the
sip.config file. It should be 32 hex digits long.


The extensions.conf file:



;; the most important points to remember is that you use the context you
;; defined in the sip.conf file for the peer, to dial out.
;; and the metaswitch seems to love full dialing numbers like "12025551212", especially
;; if the number to dial isn't local!
;; Set up the callerID to your account number, and then dial the number.

;; Fixed extension, dial fixed number:
exten => 798,1,Set,CALLERID(num)=3973334444
exten => 798,2,Dial(SIP/12025551212@voipisp|20)
exten => 798,3,Congestion

;; so, extensions with this in their context, can pick up a phone and dial 798,
;; and you'll get directory assistance in area code 202, via your ISP.

;; NOTE!  on older versions of Asterisk, the SetCallerID() application can be used
;; instead of the Set(CALLERID(num)=xxx) used above. Just remember that it's
;; deprecated, and at some point when you update things, you'll have to change
;; the dialplan!

;; Dial a variable number, with "84" as a prefix:

exten => _84.,1,Set,CALLERID(num)=3973334444
exten => _84.,2,Dial(SIP/${EXTEN:2}@voipisp,60,r)
exten => _84.,3,Congestion

;; so, you can pick up an extension, and dial 8412025551212, and get directory assistance
;; in area code 202.


;;; INCOMING CALLS

[voipworkline]
exten => 3973334444,1,Answer   ;; it is a good practice to Answer a line before doing anything else!!!
exten => 3973334444,2,TrySystem(/usr/local/bin/who-is-it ${CALLERIDNUM} "${CALLERIDNAME}"&)  ;; a little script to announce the caller over speakers
exten => 3973334444,3,;;;.... here it is... present a menu, set up extensions to dial, etc. etc


!!!!;;; INCOMING CALLS FOR MORE THAN ONE DID

The above works well for one number, but after a lot of research and a few tests, below is the code for multiple DID's:

[voipworkline]
exten => 3973334444,1,Answer
exten => 3973334444,2,Goto(voipworkline-dids,${SIP_HEADER(To):5:10},1)
exten => 3973334444,3,Hangup

[voipworkline-dids]
exten => 3973334444,1,Macro(didextendial,${EX-111},${VM-111}) ; insert your Macro Dial command here...
exten => 3973334445,1,Macro(didextendial,${EX-112},${VM-112})
exten => 3973334446,1,Macro(didextendial,${EX-113},${VM-113})
exten => 3973334447,1,Macro(didextendial,${EX-114},${VM-114})

etc


Created: Thu 15 of Dec, 2005 (06:39 UTC)
Updated: Thu 2 of Mar, 2006
Hits: 37913




Created by: murf, Last modification: Tue 24 of Apr, 2012 (00:15 UTC) by admin
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+