Asterisk config iax.conf

Business SIP Providers
Provider Plan Details Monthly Rate *
Vonage Business SIP Trunking
  • One provider & nationwide coverage
  • Easily integrated into your existing infrastructure
  • More uptime, flexibility and disaster recovery options
$25.00
Details
8x8 8x8 IP Trunking
  • Unlimited calls to US and Canada
  • Softphone and mobile app available
  • 2012 Market Leader Award
$29.99
Details
DID for Sale SIP SIP Trunking
  • Unlimited Minutes, No Minimum
  • DIDs as low as $0.20
  • Free Trial, No Commitment
$8.99
Details
Business PBX Solutions
Provider Solution Details
Bicom VoIP Become an ITSP Now!
  • Become a serious competitor in VoIP Immediately
  • FULL Consultancy, Installation, Training & Support
  • Sell Hosted IP PBXs, Biz Lines, Call Centre
  • Turnkey Provisioning at your data center
Details
3CX Software PBX for Windows
  • Windows Software Solution
  • Easy to Install and Manage
  • Auto Configures Phones & Trunks
  • Android, iOS, Windows & Mac clients
Details
In iax.conf you configure the Inter-asterisk ( IAX ) connections.
The configuration of iax.conf is well documented in the Asterisk handbook.

Configuring IAX clients

From the sample IAX.CONF in the distribution:

Further user sections may be added, specifying a context and a secret used for connections with that given authentication name. Limited IP based access control is allowed by use of "permit" and "deny" keywords. Multiple rules are permitted. Multiple permitted contexts may be specified, in which case the first will be the default.

You can also override caller*ID so that when you receive a call you set the Caller*ID to be what you want instead of trusting what the remote user provides.

There are three authentication methods that are supported: md5, plaintext and rsa. The least secure is "plaintext", which sends passwords cleartext across the net. "md5" uses a challenge/response md5 sum arrangement, but still requires both ends have plain text access to the secret. "rsa" allows unidirectional secret knowledge through public/private keys. If "rsa" authentication is used, "inkeys" is a list of acceptable public keys on the local system that can be used to authenticate the remote peer, separated by the ":" character. "outkey" is a single, private key to use to authenticate to the other side.

Public keys are named /var/lib/asterisk/keys/<name>.pub while private keys are named /var/lib/asterisk/keys/<name>.key. Private keys should always be 3DES encrypted.


Examples


Codecs

The follow codecs are valid for the allow/disallow parameter:
  • g723.1
  • gsm
  • ulaw
  • alaw
  • g726
  • slinear
  • lpc10
  • adpcm
  • g729
  • speex
  • ilbc
  • h261
  • h263
  • all

Controlling the media path

With notransfer=yes you can prohibit Asterisk from stepping out of the media path and connecting the two endpoints directly to each other. This, of course, effects your call detail records (CDR) and billing information.
Note: This is quite similar to the sip.conf setting canreinvite=no

This has been changed in 1.4 to transfer=yes, options are yes no and mediaonly

TOS


Alternatively you can directly set the bit vlues:

tos=0x18 ; where the tos bits are set individually and in combination

For example

tos=0x10 = low delay
tos=0x08 = high throughput
tos=0x04 = high reliability
tos=0x02 = ECT bit set
tos=0x01 = CE bit set

or set multiple bits, such as

tos=0x18

to set both low delay and high throughput.

The qualify option

Please see:

Simplifying dial strings in extensions.conf


Although IAX channel details (username, secret, etc.) can be written explicitly into each dial string in extensions.conf, dial strings can be simplified/clarified by storing all of this information in the iax.conf file and then simply referencing by the channel name:

Dial(IAX2/<peer name>/<exten>)

For example, to call IAXtel you can create an entry in iax.conf like this:

[iaxtel-outbound]
type=peer
username=<username>
secret=<secret>
peercontext=iaxtel
host=iaxtel.com

Then use a Dial command of:

exten => _1700XXXXXX,1,Dial(IAX2/iaxtel-outbound/${EXTEN})

Note: The "peercontext" setting is only available in Asterisk CVS as of 2004-06-26.

Table of command or directives you can use and where.

Needs updating: added to wiki Oct14, 2004
Directive Value General Peer User
allow <codec> Y Y Y
disallow <codec> Y Y Y
amaflags Y
auth
autocreatepeer
bandwidth Y Y Y
bindaddr Y
bindport Y
callerid
callgroup
context Y Y
defaultexpirey
defaultip
externip SIP only - N SIP only - N
fromdomain
fromuser
host
port
incominglimit
jitterbuffer Y
maxjitterbuffer Y
maxexcessbuffer Y
outgoinglimit
inkeys Y Y
outkey Y Y
insecure
language
localnet
mailbox
maxexpirey
md5secret Y Y
notransfer Y Y
peercontext
pedantic
permit Y Y
deny Y Y
pickupgroup
qualify Y Y
register Y
restrictcid
secret Y Y
srvlookup
sourceaddress Y
tos Y Y
trunkfreq Y
trunk Y Y
trustrpid
type Y
useragent
username
videosupport


For the most up to date list of directives supported by your version of Asterisk, check the source code for your version. In the file channels/chan_iax2.c, look for the functions named build_user, build_peer, and set_config. They contain directive names supported in the type=user, type=peer, and [general] sections of iax.conf, respectively. You don't have to be able to understand C to find the directive names, either; they're quite obvious. The information you find in the source will be more accurate than any list you're likely to find on a wiki page.

More Example IAX Provider


register => my_user:secret@host


[my_iaxprovider]
type=peer
auth=md5
notransfer=yes
host=IP
disallow=all
allow=gsm
allow=ulaw
allow=alaw
qualify=yes
trunk=yes

[my_user]
type=user
auth=md5
notransfer=yes
disallow=all
allow=gsm
allow=ulaw
trunk=yes
secret=XXXX
context= (context in extensions.conf where i want recive the incoming call)

N.B. Outbound calling in extensions.conf

exten =>_X.,1,Dial(IAX2/my_user:secret@my_iaxprovider/${EXTEN})


Tips

  • Register commands to connect to another IAX server has to be in the [general] section of iax.conf.
  • To set up IAX in trunk mode, add "trunk=yes" to your definition in iax.conf. IAX Trunking needs support of a hardware timer. See Asterisk timer for more information.
  • Do not use both "host=dynamic" and "defaultip=111.222.333.444", make sure it is just one or the other (see bugs 558 and 673).
  • If you do not use IP-based access control for all of your type=user entries, and you expect your Asterisk installation to be reasonably secure, your iax.conf file must contain a "guest" entry with no secret specified. When a remote system connects to yours, it can connect without specifying a username (that is, connect anonymously). If you have a type=user section which does not specify a secret, Asterisk will allow them to connect with any secret specified in the file. This means that if you have a large number of type=user entries but no guest entry in iax.conf, someone only has to guess any one of your secrets to connect to your server as that user. In other words, they do not need to know both the username and the secret; the secret alone is enough! Asterisk gives preference to a secretless user for anonymous incoming connections, though, so the inclusion of such a section will solve this problem. For more information on IAX authentication within Asterisk, see Asterisk IAX authentication.
  • Add a last entry in iax.conf with no password to force anonymous calls into a specific context.
  • If you use realtime, don't have any user without a password and without permit/deny.
  • Use the general option mailboxdetail=yes for details and the number of waiting voicemails. Works with most IAX phones like the AT-320 or softphones
  • If you have "update_registry: Restricting registration for peer 'xxxxxx' to 60 seconds (requested 1200)", you can add maxregexpire=1300 to the [general] section.

Troubleshouting

Incoming IAX calls


For troubleshooting IAX calls, turning on IAX debugging output can be very useful. In Asterisk 1.4 or later, the CLI command 'iax2 set debug on' turns on debugging output. In Asterisk 1.2, use 'iax2 debug' to enable IAX debugging output, and 'iax2 no debug' to turn it back off again.

Rejected connect attempt from 213.1.2.3, who was trying to reach '987654321@'

See also: Asterisk IAX authentication
  • Turn on iax debugging and see as which user the incoming call is trying to connect.
  • You will probably need to have a type=user section which does not specify a secret= line.
  • Check your context= lines. The first context= line listed in that section will be used if the call doesn't request a specific context.

CAUSE 50: No Authority Found

See also: Asterisk No authority found
  • Turn on iax debugging.
  • Check if the username of the incoming call exists as section name (the text in square brackets) in iax.conf. Note: it is not sufficient to have this specified only in a username= line; username= is used for outbound (i.e., type=peer) connections only. Note that this section will typically have type=user, though type=friend will also work.

CallToken Support required

if you get
Nov 2 15:58:47 ERROR[823]: chan_iax2.c:4040 handle_call_token: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.1.1 in the calltokenignore list or setting user iaxhorst requirecalltoken=no
Since AST-2009-006 there is a check for a call token performed. Older clients (e.g. Asterisk 1.2 before 1.2.35) don't support call tokens, so there is a parameter
requirecalltoken=no

per peer or
calltokenoptional = 192.168.1.0/255.255.255.0

per subnet.

See also




Asterisk | Asterisk Configuration | IAX Channels
In iax.conf you configure the Inter-asterisk ( IAX ) connections.
The configuration of iax.conf is well documented in the Asterisk handbook.

Configuring IAX clients

From the sample IAX.CONF in the distribution:

Further user sections may be added, specifying a context and a secret used for connections with that given authentication name. Limited IP based access control is allowed by use of "permit" and "deny" keywords. Multiple rules are permitted. Multiple permitted contexts may be specified, in which case the first will be the default.

You can also override caller*ID so that when you receive a call you set the Caller*ID to be what you want instead of trusting what the remote user provides.

There are three authentication methods that are supported: md5, plaintext and rsa. The least secure is "plaintext", which sends passwords cleartext across the net. "md5" uses a challenge/response md5 sum arrangement, but still requires both ends have plain text access to the secret. "rsa" allows unidirectional secret knowledge through public/private keys. If "rsa" authentication is used, "inkeys" is a list of acceptable public keys on the local system that can be used to authenticate the remote peer, separated by the ":" character. "outkey" is a single, private key to use to authenticate to the other side.

Public keys are named /var/lib/asterisk/keys/<name>.pub while private keys are named /var/lib/asterisk/keys/<name>.key. Private keys should always be 3DES encrypted.


Examples


Codecs

The follow codecs are valid for the allow/disallow parameter:
  • g723.1
  • gsm
  • ulaw
  • alaw
  • g726
  • slinear
  • lpc10
  • adpcm
  • g729
  • speex
  • ilbc
  • h261
  • h263
  • all

Controlling the media path

With notransfer=yes you can prohibit Asterisk from stepping out of the media path and connecting the two endpoints directly to each other. This, of course, effects your call detail records (CDR) and billing information.
Note: This is quite similar to the sip.conf setting canreinvite=no

This has been changed in 1.4 to transfer=yes, options are yes no and mediaonly

TOS


Alternatively you can directly set the bit vlues:

tos=0x18 ; where the tos bits are set individually and in combination

For example

tos=0x10 = low delay
tos=0x08 = high throughput
tos=0x04 = high reliability
tos=0x02 = ECT bit set
tos=0x01 = CE bit set

or set multiple bits, such as

tos=0x18

to set both low delay and high throughput.

The qualify option

Please see:

Simplifying dial strings in extensions.conf


Although IAX channel details (username, secret, etc.) can be written explicitly into each dial string in extensions.conf, dial strings can be simplified/clarified by storing all of this information in the iax.conf file and then simply referencing by the channel name:

Dial(IAX2/<peer name>/<exten>)

For example, to call IAXtel you can create an entry in iax.conf like this:

[iaxtel-outbound]
type=peer
username=<username>
secret=<secret>
peercontext=iaxtel
host=iaxtel.com

Then use a Dial command of:

exten => _1700XXXXXX,1,Dial(IAX2/iaxtel-outbound/${EXTEN})

Note: The "peercontext" setting is only available in Asterisk CVS as of 2004-06-26.

Table of command or directives you can use and where.

Needs updating: added to wiki Oct14, 2004
Directive Value General Peer User
allow <codec> Y Y Y
disallow <codec> Y Y Y
amaflags Y
auth
autocreatepeer
bandwidth Y Y Y
bindaddr Y
bindport Y
callerid
callgroup
context Y Y
defaultexpirey
defaultip
externip SIP only - N SIP only - N
fromdomain
fromuser
host
port
incominglimit
jitterbuffer Y
maxjitterbuffer Y
maxexcessbuffer Y
outgoinglimit
inkeys Y Y
outkey Y Y
insecure
language
localnet
mailbox
maxexpirey
md5secret Y Y
notransfer Y Y
peercontext
pedantic
permit Y Y
deny Y Y
pickupgroup
qualify Y Y
register Y
restrictcid
secret Y Y
srvlookup
sourceaddress Y
tos Y Y
trunkfreq Y
trunk Y Y
trustrpid
type Y
useragent
username
videosupport


For the most up to date list of directives supported by your version of Asterisk, check the source code for your version. In the file channels/chan_iax2.c, look for the functions named build_user, build_peer, and set_config. They contain directive names supported in the type=user, type=peer, and [general] sections of iax.conf, respectively. You don't have to be able to understand C to find the directive names, either; they're quite obvious. The information you find in the source will be more accurate than any list you're likely to find on a wiki page.

More Example IAX Provider


register => my_user:secret@host


[my_iaxprovider]
type=peer
auth=md5
notransfer=yes
host=IP
disallow=all
allow=gsm
allow=ulaw
allow=alaw
qualify=yes
trunk=yes

[my_user]
type=user
auth=md5
notransfer=yes
disallow=all
allow=gsm
allow=ulaw
trunk=yes
secret=XXXX
context= (context in extensions.conf where i want recive the incoming call)

N.B. Outbound calling in extensions.conf

exten =>_X.,1,Dial(IAX2/my_user:secret@my_iaxprovider/${EXTEN})


Tips

  • Register commands to connect to another IAX server has to be in the [general] section of iax.conf.
  • To set up IAX in trunk mode, add "trunk=yes" to your definition in iax.conf. IAX Trunking needs support of a hardware timer. See Asterisk timer for more information.
  • Do not use both "host=dynamic" and "defaultip=111.222.333.444", make sure it is just one or the other (see bugs 558 and 673).
  • If you do not use IP-based access control for all of your type=user entries, and you expect your Asterisk installation to be reasonably secure, your iax.conf file must contain a "guest" entry with no secret specified. When a remote system connects to yours, it can connect without specifying a username (that is, connect anonymously). If you have a type=user section which does not specify a secret, Asterisk will allow them to connect with any secret specified in the file. This means that if you have a large number of type=user entries but no guest entry in iax.conf, someone only has to guess any one of your secrets to connect to your server as that user. In other words, they do not need to know both the username and the secret; the secret alone is enough! Asterisk gives preference to a secretless user for anonymous incoming connections, though, so the inclusion of such a section will solve this problem. For more information on IAX authentication within Asterisk, see Asterisk IAX authentication.
  • Add a last entry in iax.conf with no password to force anonymous calls into a specific context.
  • If you use realtime, don't have any user without a password and without permit/deny.
  • Use the general option mailboxdetail=yes for details and the number of waiting voicemails. Works with most IAX phones like the AT-320 or softphones
  • If you have "update_registry: Restricting registration for peer 'xxxxxx' to 60 seconds (requested 1200)", you can add maxregexpire=1300 to the [general] section.

Troubleshouting

Incoming IAX calls


For troubleshooting IAX calls, turning on IAX debugging output can be very useful. In Asterisk 1.4 or later, the CLI command 'iax2 set debug on' turns on debugging output. In Asterisk 1.2, use 'iax2 debug' to enable IAX debugging output, and 'iax2 no debug' to turn it back off again.

Rejected connect attempt from 213.1.2.3, who was trying to reach '987654321@'

See also: Asterisk IAX authentication
  • Turn on iax debugging and see as which user the incoming call is trying to connect.
  • You will probably need to have a type=user section which does not specify a secret= line.
  • Check your context= lines. The first context= line listed in that section will be used if the call doesn't request a specific context.

CAUSE 50: No Authority Found

See also: Asterisk No authority found
  • Turn on iax debugging.
  • Check if the username of the incoming call exists as section name (the text in square brackets) in iax.conf. Note: it is not sufficient to have this specified only in a username= line; username= is used for outbound (i.e., type=peer) connections only. Note that this section will typically have type=user, though type=friend will also work.

CallToken Support required

if you get
Nov 2 15:58:47 ERROR[823]: chan_iax2.c:4040 handle_call_token: Call rejected, CallToken Support required. If unexpected, resolve by placing address 192.168.1.1 in the calltokenignore list or setting user iaxhorst requirecalltoken=no
Since AST-2009-006 there is a check for a call token performed. Older clients (e.g. Asterisk 1.2 before 1.2.35) don't support call tokens, so there is a parameter
requirecalltoken=no

per peer or
calltokenoptional = 192.168.1.0/255.255.255.0

per subnet.

See also




Asterisk | Asterisk Configuration | IAX Channels
Created by: oej, Last modification: Mon 02 of Jul, 2012 (05:19 UTC) by admin
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+