NAT too Smart

EDITED July 12 2007

The text below is an update of the original post (June 18, 2007); that original post turned out to contain a few errors.


We have an Asterisk server installed back at work and for teleconferencing purposes I got myself a SNOM300 SIP phone. I configured the phone to do all its NAT magic using STUN and tested that with my Linux-based homebrewed NAT box.

That worked, but the setup did not migrate to a NATted network behind my new Speedtouch 780.

Turns out that the Speedtouch 780 has a SIP-aware application level gateway (ALG) that does all kinds of weird tricks to your packets, and that matters as soon as you try to use SIP behind it.

Having configured your SNOM to find its way through the NAT using STUN, with the ALG in the Speedtouch also active, does not work well and generates weird timing issues that manifest themselves as ‘Authorization error’ in the System Information panel of the SNOM phone.

The debug output on Asterisk (connect using asterisk -rc and use “sip set debug”) shows something of an explanation when following the SIP dialogue.

After the first registration attempt the server sends back a 401 Unauthorized message with all the parameters needed for proper authorization, including a so-called ‘nonce’.

<--- Transmitting (NAT) to <public-ip>:52899 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP
(…skip…)
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="3d58a314"
Content-Length: 0

The response to that reply is a new request from the client, without any authentication info. And the response from the server is again a 401 reply, with a new nonce…

<--- Transmitting (NAT) to <public-ip>:52896 --->
SIP/2.0 401 Unauthorized
(…skip…)
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1aa0547a"
Content-Length: 0

Only on the third attempt does the client register with the authentication data… but it uses the nonce that was returned for the first request.

<--- SIP read from <public-ip>:52899 --->
REGISTER sip:nlnetlabs.nl SIP/2.0
(…skip…)
CSeq: 3 REGISTER
Max-Forwards: 70
Contact: ;q=1.0;flow-id=1;+sip.instance="";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"(…skip…)
(…skip…)
Authorization: Digest username="username",realm="asterisk",nonce="3d58a314",uri="sip:nlnetlabs.nl",response="somehexcode",algorithm=md5
Expires: 3600
Content-Length: 0

At that moment the Asterisk debug output shows the critical piece of information:

<------------->
[Jul 11 12:01:48] NOTICE[89797]: chan_sip.c:8167 check_auth: Correct auth, but based on stale nonce received from '"username" '

What is probably relevant is that you see this happen when you turn on STUN, and that the frequency of the registration attempts is correlated with the STUN interval you configure in the NAT settings for the identity on your SNOM phone. Also, the port on which the dialogue happens jumps for each CSeq.

After seeing this I’ve tried a number of permutations of settings: on the SNOM phone I tried all sorts of timing parameters, and in the Asterisk configuration I turned the NAT settings on and off. All with variable results.

Turns out that one can turn off the SIP ALG in the speedtouch 780, which solves the problem. You have to use the command line interface of your speedtouch. The CLI reference guide is available on-line.

The magic words are:

{Administrator}[connection]=>appconfig application=SIP SIP_ALG=disabled

NB: I have not been able to find a way to tell if the SIP_ALG is enabled or disabled using appinfo or any other command in the CLI, but I have not really been looking hard.

As soon as the SIP application level gateway has been disabled you are in business as long as:

  • You configured NAT=yes for this particular user in your Asterisk’s sip.conf
  • You have configured a stun server in the NAT settings (under the identity settings) on your SNOM phone.

In other words: do not rely on the intelligence of the ALG in the Speedtouch modem, use ‘classic’ NAT traversal. The meta problem here seems to be that all components in the chain try to apply their own hacks to traverse the NAT, and they do not really work nicely together.

One of these days I have to figure out if I can make the SNOM, the SpeedTouch, and the Asterisk server run over IPv6 (I hear evil laughter somewhere, because AFAIK at least two of these components will not work on IPv6 natively yet). Life would be good if the ADSL modem would be able to terminate a v6 tunnel, do IPv6 route advertisements or DHCPv6, and would not be using silly NAT tricks.

The benefit of this particular setup is that the RTP traffic from the phone will terminate at the Asterisk server, that will therefore act as a natural IPv6/IPv4 application gateway.

Keywords: NAT, Speedtouch 780, SNOM300, SIP, Asterisk
