Categories
Knowledge Base

Sip debugging with wireshark

Wireshark and Cloudshark are invaluable tools for debugging sip and iax issues on your Asterisk server.

Here we have a short Video that goes over the basics of getting a call captured and opened in Cloudshark

we also have a short tutorial for download here in PDF format

First we need to get the packets we want. This is far simpler than its thought. We use a simple command line tool called tcpdump, if its not installed install it now, You wont be able to live without it.

Here we have 2 commands, The first captures packets on interface eth0, -n means we won’t convert addresses, -w means we just capture raw packets and udp means its only the udp packets we want and finally port 5060 means its only the sip messaging we want. In the second we dont specify port 5060 so that we get the rtp stream as well.

/usr/sbin/tcpdump -n -i eth0 -w /tmp/wireshark.pcap -s2000 udp port 5060
 /usr/sbin/tcpdump -n -i eth0 -w /tmp/wireshark.pcap -s2000 udp
screen -S "udpDump" -dm tcpdump -n -i eth0 -C 9 -W 15 -w /var/log/asterisk/dumpsip.pcap -s2000 udp port 5060

The command above will write to file in the background and will rotate at 9 meg so suitable for cloudshark

Once you have started the capture and made a call as required you will get a file called for example /tmp/wireshark.pcap copy this to your workstation via ftp or sftp as you would copy any file.

Categories
Asterisk Support Elastix Support Knowledge Base

Backing up to Amazon s3 from Elastix

We decided to do this as we have recently installed a new elastix server in the office which had limited disk space and wanted to keep offsite backups of recordings

s3cmd is a command line client for copying files to/from Amazon S3 (Simple Storage Service) and performing other related tasks, for instance creating and removing buckets, listing objects, etc.

Install s3cmd

wget http://sourceforge.net/projects/s3tools/files/s3cmd/1.5.2/s3cmd-1.5.2.tar.gz
 tar -xzvf s3cmd-1.1.0-beta3.tar.gz
 mkdir /usr/local/s3cmd/
 cd s3cmd-1.1.0-beta3
 cp -Rf * /usr/local/s3cmd/
 cd /usr/local/s3cmd/
 ./s3cmd --configure

Follow the prompts and enter your keys.

Test the installation
./s3cmd ls s3://yourbucket/

If the test works then the script below is a simple backup script to backup elastix monitor files and backups daily.

vi /etc/cron.daily/rec2s3c.sh

#!/bin/sh
 /usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg sync /var/spool/asterisk/monitor s3://yourbucket
 /bin/rm -f /var/spool/asterisk/monitor/*.gsm
 /bin/rm -f /var/spool/asterisk/monitor/*.wav
 /usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg ls s3://yourbucket/monitor/ > /var/log/s3dirlist.log
 /usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg sync /var/www/backup s3://yourbucket
 /usr/local/s3cmd/s3cmd --config=/some/where/.s3cfg ls s3://yourbucket/backup/ >> /var/log/s3dirlist.log

 

enjoy :-)

For more details of what can be done with s3cmd see http://linux.die.net/man/1/s3cmd and http://aws.amazon.com/s3/

 

Categories
Knowledge Base

ISDN alarms and what they mean.

AIS (Alarm Indication Signal) CFA
The AIS is also known as a “Keep Alive” or “Blue Alarm” signal. This consists of an UNFRAMED all-ones signal sent to maintain transmission continuity. The AIS CFA signal is declared when both the AIS state and RED CFA persist simultaneously.


OOF (Out-Of-Frame) Condition

Occurs whenever Network or DTE equipment senses errors in the incoming framing pattern. Depending upon the equipment, this can occur when 2 of 4, 2 of 5, or 3 of 5 framing bits are in error. A reframe clears the OOF condition.
Red CFA (Carrier Failure Alarm)
Occurs after detection of CONTINUOUS OOF condition for 2.5 seconds. This alarm state is cleared when no OOF conditions occur for AT LEAST 1 second. Some applications (AT&T DACS services) may not clear the CFA state for UP TO 15 seconds of NO Out-Of-Frame occurrences.


Yellow CFA (Carrier Failure Alarm)

When a Terminal/Network equipment enters a RED CFA state, it transmits a “Yellow Alarm” in the opposite direction.
A Yellow Alarm is transmitted by setting Bit #2 of each timeslot to a 0 (zero), SPACE state for D4 Framed facilities. For ESF facilities, a Yellow Alarm is transmitted by sending a repetitive 16-bit pattern consisting of 8 MARKS (1) followed by 8 SPACES (0) in the Datalink bits. This is transmitted for a MINIMUM of 1 second.
LOS (Loss Of Signal)
A LOS condition is declared when no pulses have been detected in a 175 +/- 75 pulse window (100 to 250 bit times).

Notes taken from Digiums Realease notes

Alarm Types

An alarm indicates that a port is not available for some reason. Thus it is probably not a good idea to try to call out through it.

Red Alarm

Your T1/E1 port will go into red alarm when it cannot maintain synchronization with the remote switch. A red alarm typically indicates either a physical wiring problem, loss of connectivity, or a framing and/or line-coding mismatch with the remote switch.

When your T1/E1 port loses sync, it will transmit a yellow alarm to the remote switch to indicate that it’s having a problem receiving signal from the remote switch.

The easy way to remember this is that the R in red stands for “right here” and “receive”… indicating that we’re having a problem right here receiving the signal from the remote switch.

Yellow Alarm

(RAI — Remote Alarm Indication)

Your T1/E1 port will go into yellow alarm when it receives a signal from the remote switch that the port on that remote switch is in red alarm. This essentially means that the remote switch is not able to
maintain sync with you, or is not receiving your transmission.

The easy way to remember this is that the Y in yellow stands for “yonder”… indicating that the remote switch (over yonder) isn’t able to see what you’re sending.

Blue Alarm

(AIS — Alarm Indication Signal)

Your T1/E1 port will go into blue alarm when it receives all unframed 1s on all timeslots from the remote switch. This is a special signal to indicate that the remote switch is having problems with its
upstream connection. dahdi_tool and Asterisk don’t correctly indicate a blue alarm at this time. The easy way to remember this is that streams are blue, so a blue alarm indicates a problem upstream from
the switch you’re connected to.

Categories
Knowledge Base

Better SIP security

In Seven Steps

Original Text by J Todd March 28th, 2009

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included.  There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords.You can take steps, NOW, to eliminate many of these problems.  I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems.  You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exists – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk:

 

1) Don’t accept SIP authentication requests from all IP addresses.  Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresess to reach each listed extension/user in your sip.conf file.  Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!

 

2) Set “alwaysauthreject=yes” in your sip.conf file.  This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

 

3) Use STRONG passwords for SIP entities.  This is probably the most important step you can take.  Don’t just concatenate two words together and suffix it with “1? – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hinderance to a modern CPU.  Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

 

4) Block your AMI manager ports.  Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

 

5) Allow only one or two calls at a time per SIP entity, where possible.  At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.

 

6) Make your SIP usernames different than your extensions.  While it is convenient to have extension “1234? map to SIP entry “1234? which is also SIP user “1234?, this is an easy target for attackers to guess SIP authentication names.  Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000?)

 

7) Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls.  Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.

 

These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive.  Here is a fail2ban recipe which might allow you to ban endpoints based on volume of requests.  There is discussion on the asterisk-user and asterisk-dev mailing lists of incorporating this type of functionality into Asterisk – let’s hear your ideas!

 

If you’d like to see an example of the tools that you’re up against, see this demo video of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.
In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks.  Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods.  Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective method of protection are the administrative issues of password robustness and username obscurity.

 

JTodd
Digium
Categories
Asterisk Support Elastix Support Knowledge Base OpenVox

Asterisk pickup groups

The aim here is to explain the relationship between the callgroup and pickup group settings in extension conf files of an Asterisk server.

Call Pickup is the abilty to pickup a ringing phone from another phone.

The ability to do this is defined in the extensions conf file.

In many systems there is only on setting to do this normally “pickup group” you add etensions to this group and they can pickup calls ringing at members of the group. Obvious realy.

Now Asterisk goes one better. You can define the callgroup and pickup group, This way you define who you can pickup and who can pickup you. This is very useful for operators, who for example dont want calls picked up of them but do want to pickup calls from all other users.

So how do you define it.

In our example we will have 4 phones defined as follows

Callgroup Pickupgroup
201 2 1-2
202 1-4 1-4
203 2,4 2,4
204 1 1

And who can do what when trying t pickup is as follows

Ringing Phones attempting Pickup
Call to 201 204 PU failed 203 PU Passed
Call to 202 201 PU passed 203 PU Passed
Call to 203 201 PU passed 204 PU failed
Call to 204 201 PU passed 203 PU failed

So from this we can see that its the Pickupgroup that defines what callgroup can be picked up.

So because 201 has a callgroup of 2 Only sets whos pickup group includes 2 can pck up the call. whereas as 201 has a pickupgroup of 1-2 it can pickup calls from callgroups 1-2.

For example you may have 6 pickup groups defined with users only allowed to pickup their own group members except an operato who wishes to be able to pick everyone up and a PA who has a collegue who she wants to be able to pickup

So all normal users would have their pickup and callgroup the same. The PA would have the pickupgroup defined with both the group numbers but only its own call group. And finally the operator would have a callgroup of 0 and its pickupgroup of 1-6.

Numeric call pickup groups

A numeric callgroup and pickupgroup can be set to a comma separated list of ranges (e.g., 1-4) or numbers that can have a value of 0 to 63. There can be a maximum of 64 numeric groups. This is important to note as Freepbx does not sanity check what you put in there, So you can put 70 in the Gui and it will show 70 but do a sip show peer or a pjsip show endpoint and you will see its not set.

Named call pickup groups

Named pickup groups are new with Asterisk 11. But are not yet supported in FreePBX upto and including 13, So be carefull and dont add them to your pickup/call group settings yet in Freepbx as they will not work eventhough it shows in the GUI.

A named callgroup and pickupgroup can be set to a comma separated list of case sensitive name strings. The number of named groups is unlimited. The number of named groups you can specify at once is limited by the line length supported.

SYNTAX
namedcallgroup=[name[,name[,...]]]
namedpickupgroup=[name[,name[,...]]]
  • namedcallgroup – specifies which named pickup groups that this channel is a member.
  • namedpickupgroup – specifies which named pickup groups this channel can pickup.
Configuration Example
namedcallgroup=engineering,sales,netgroup,protgroup
namedpickupgroup=sales

Configuration should be supported in several channel drivers, including:

  • chan_dahdi.conf
  • misdn.conf
  • sip.conf
  • pjsip.conf

pjsip.conf uses snake case:

named_call_group=engineering,sales,netgroup,protgroup
named_pickup_group=sales

Icon

You can use named pickup groups in parallel with numeric pickup groups. For example, the named pickup group ‘4’ is not the same as the numeric pickup group ‘4’.

 

Categories
Knowledge Base

Checking registered SIP peers

We got a call recently from a customer who uses skype trunks for some international incoming numbers. We have found that these lose registration on a regular basis, We could let them be set try and register indefinitely but this can have performance effects on the server.

This is not our only customer with this problem, We have also of late noticed a similar problem with Voip-unlimited where registration times out every day at 8pm, we have noted this on ours and other dealers servers.

So what to do?

Well we have written a quick script to check registration details and reload if not correct.

#!/bin/bash

HITS=`asterisk -r -x “sip show registry” | grep Registered |grep $1| wc -l`

if [ $HITS != $2 ]; then

echo “Incorrect number of $1 trunks are registered, we wanted $2  ”

echo “We will now reload asterisk ”

asterisk -r -x “reload chan_sip.so”

exit 0

else

echo “$HITS $1 trunks are registered, we wanted $2  ALL OK”

exit 0

fi

 

the syntax for running the script is

 

script_name.sh hostname 2

with hostname being part of the string you get when doing a sip show registry.

and the number is the number of registered trunks you expect with that name.

if all is well:”2 sipgate trunks are registered, we wanted 2 :-) ALL OK”and nothing happens

if not correct number then:

“Incorrect number of sipgate trunks are registered, we wanted 2

“We will now reload asterisk”

we only relaod the sip channel driver as this is enough to sort the problem normally

Categories
Knowledge Base Technical

Nagios plugin for reading the Asterisk Database

This is a simple plugin that is based on one by Jason Rivers We have changed it now to read the ASTDB (Asterisk internal Database and then based on ok and Critical keys it will report OK or Critical staus reports to Nagios.

This was written for reporting if an Elastix system is in Day or Night mode.

You can define the Database Family, Key, Critical value and OK value. This means you can cutomise it to what ever you need to report.

 

The Code is below, make you may need to change /usr/bin/nc for what ever you use for netcat.

any issues email us, but dont forget this is given for free not supported for free.

#!/bin/bash
#
# Program : check_asterisk_ami
# :
# Author : Original code by Jason Rivers < jason@jasonrivers.co.uk >
# : Modified by Cyber-cottage.co.uk for checking the asterisk Database
# :
# Purpose : Nagios plugin to return Information from an Asterisk host using AMI
# :
# Parameters : --help
# : --version
# :
# Returns : Standard Nagios status_* codes as defined in utils.sh
# :
# Licence : GPL
#
# Notes : See --help for details
#============:==============================================================
PROGNAME=`basename $0`
PROGPATH=`echo $0 | /bin/sed -e 's,[\/][^\/][^\/]*$,,'`
REVISION=`echo '$Revision: 1.1.0.6 $' | sed -e 's/[^0-9.]//g'`
. $PROGPATH/utils.sh
print_usage() {
echo "Usage: $PROGNAME [-H hostname] [-u username] [-p password] [-P port] [-k DBkey] [-c critical] [-o ok] [-f family]"
echo " -H Hostname"
echo " -u AMI Username"
echo " -p AMI Password"
echo " -P (optional) AMI PORT"
echo " -k Database key"
echo " -f Database family"
echo " -c Critical Key"
echo " -o OK KEY"
echo ""
echo "SupportedCommands:"
echo " Most DB familiys that toggle such as DayNight in elastix"
echo "Usage: $PROGNAME --help"
echo "Usage: $PROGNAME --version"
}
print_help() {
print_revision $PROGNAME $REVISION
echo ""
echo "Nagios Plugin to check Asterisk ASTDB using AMI"
echo ""
print_usage
echo ""
echo "Asterisk Call Status Check. orignal version by © Jason Rivers 2011 changes to do ASTDB by cyber-cottage.co.uk"
echo ""
exit 0
# support
}
# If we have arguments, process them.
#
exitstatus=$STATE_WARNING #default
while test -n "$1"; do
case "$1" in
--help)
print_help
exit $STATE_OK
;;
-h)
print_help
exit $STATE_OK
;;
--version)
print_revision $PROGNAME $REVISION
exit $STATE_OK
;;
-V)
print_revision $PROGNAME $REVISION
exit $STATE_OK
;;
-H)
REMOTEHOST=$2;
shift;
;;
-P) AMIPORT=$2;
shift;
;;
-u) AMIUSER=$2;
shift;
;;
-p) AMIPASS=$2;
shift;
;;
-c)
CRITICALNAME=$2
shift;
;;
-o)
OKNAME=$2
shift;
;;
-k)
DBKEY=$2;
shift;
;;
-f)
FAMIL=$2;
shift;
;;
*)
echo "Unknown argument: $1"
print_usage
exit $STATE_UNKNOWN
;;
esac
shift
done
if [ "${AMIPORT}" = "" ]; then
AMIPORT="5038"
fi
if [ "${FAMIL}" = "" ]; then
##WARNING
echo="CRITICAL: Unknown KEY"
print_help
exit=$STATE_CRITICAL
else
## Checking Astdb
CHANNELS=`/bin/echo -e "Action: login Username: ${AMIUSER} Secret: ${AMIPASS} Events: off Action: DBGet Family: ${FAMIL} Key: ${DBKEY} Action: Logoff " | /usr/bin/nc $REMOTEHOST ${AMIPORT} | awk '/Val/ {print $2}'|tr -d " "`
if [ "$CHANNELS" = "" ]; then
echo "UNKNOWN: Unable to get ASTDB status"
exit $STATUS_UNKNOWN
fi
if [ "$CHANNELS" = "${OKNAME}" ]; then
exitstatus=$STATU_OK
MSG="OK: ${DBKEY} Asterisk Emergency message not active"
elif [ "$CHANNELS" = "" ]; then
exitstatus=$STATU_WARNING
MSG="WARNING: Asterisk Unknown status"
elif [ "$CHANNELS" = "$CRITICALNAME" ]; then
exitstatus=$STATU_CRITICAL
MSG="CRITICAL: ${DBKEY} Asterisk Emergency message active"
fi
fi
echo $MSG
exit $exitstatus

Categories
Knowledge Base Technical

Installing Webdav on Centos with untrusted ssl certificates

Webdav (Web-based Distributed Authoring and Versioning) is a set of methods based on the Hypertext Transfer Protocol (HTTP) that facilitates collaboration between users in editing and managing documents and files stored on World Wide Web servers.This can be useful to allow backing up of data between servers. In Linux there is a command line client called cadaver that in theory allows you to script its use.

This isnt as staight forward as it could have been and we spent half a day and a lot of Googling to get to the bottom of common problems, Such as auto loging in, Untrusted ssl certificates and scripting.

So here is a simple run down on what you have to do to script with webdav and cadaver

Install cadaver

yum install cadaver

once installed you will need to install the certificate for the untrusted ssl site

for example
wget http://website/untrusted.server.com.cer
now convert this to a .pem file
openssl x509 -inform der -in untrusted.server.com.cer -out untrusted.server.com.pem

now add this to your cert.pem file.

in centos this seems to be in the  /usr/share/ssl/ directory
cat untrusted.server.com.pem >> /usr/share/ssl/cert.pem

you now need to edit the ./netrc file with the server and logon details
vi ~/.netrc

machine untrusted.server.com
login   user
password        secret

save the file.

now when you connect you wont be promted for accepting the certificate or a username and password

cadaver -et  https://untrusted.server.com
dav:/>

Ok now we want to script the actions.
This is as simple as creating a script file.

for example

vi ~/.cadavscript
ls
pwd
quit

will give the following output

cadaver -et  https://untrusted.server.com/ < ~/.cadavscript
dav:/> Listing collection `/’: succeeded.
test.txt                              35  Aug 19 15:04
dav:/> Current collection is `https://untrusted.server.com/’.
dav:/> Connection to `untrusted.server.com’ closed.

So create a script to do what you want and your done

Categories
Knowledge Base

Asterisk Music on Hold

Music on hold is always an issue, We get asked many times “can we put such and such mp3 on as hold music” Well the answer is always the same, Yes and no.

Yes in that we can convert any mp3 to be played as MOH as long as you have the relevent PRS licence.

So the answer is then normaly No we wont do it then, Just look at the costs detailed here and you will see why.

So why are we mentioning it here.

Well Asterisk has Music files loaded for MOH and it was always assumed these were licenced correctly and required no additional licence or agreement. Well it seems that some countries are challenging this.

See the following from Digium..

Open Source Asterisk has had for quite some time the ability to play Music On Hold (MOH) to callers as an optionally configured call feature.  Of course, as soon as the code had the ability to play music, there was a general request and obvious concept that Asterisk should include a few default music-on-hold files.  At that point, several people within Digium looked around at the possible files we could use, but all of them had some type of license issues, which is understandable.  We found a company which sold rights to music, and we discussed in specific, painstaking detail what we wanted to do with the files and how they were going to be used.  They agreed that we could do what we wanted and distribute the files with Asterisk and that they were able to provide to us the appropriate license, so we paid our fee and proceeded to pick some likely music.  We then included them in Asterisk in the hopes that the community would find them useful as part of the system without having to search out selections which complied with various copyright issues.  This was a good-faith gesture on our part, and we had a quite reasonable expectation that the vendor from whom we purchased the license was authorized to provide to us a global right-to-use and redistribution capability to the Asterisk community for these sound files.

Apparently, that assumption is now being questioned.  In some nations (Australia and France, to pick two that have been brought to our attention) there are some who are claiming that we do not have the rights outlined above, and that our users therefore are in a similar situation where they may be in violation of license terms.

In the interests of space here I will not outline the exact organizations, laws, and claims in question.  Suffice it to say they are complex and unclear with a broad range of possible interpretations. Currently, at least two organizations disagree that we are complying with a set of license terms.  This is very far outside of Digium’s ability or interest to manage, nor do we wish to become involved in the protracted series of legal proceedings required to sort out this licensing issue.  So we have chosen another path that is more clear to us: we will eliminate the files of questionable license from Asterisk, and replace them with music that has  clearly defined and more acceptable licensing terms which are compatible with both the Asterisk license, and with any reasonable redistribution methods that might be used by others who re-package Asterisk.

So how can we be assured this won’t happen again?  The new music we’ve included is under the Creative Commons 2.5 license – which quite frankly didn’t have much of a following for media back when we first were looking for a set of MOH files.  Certainly, the selection of good-quality music files that would suffice did not exist in an easy-to-obtain fashion, or we would have gone this route in the first place.  Hopefully you’ll like the new music on hold, and will be customers of the artists who have so graciously given their work out under such a reasonable license.   We found the new music on Opsound for those of you who are looking for an even wider selection of freely available music.

We apologize for putting people through this aggravation – we sincerely wish that the recording industry would standardize license terms and avoid treating customers like enemies.  Perhaps there is a silver lining here –  this may be a good opportunity for you to freshen up your hold music – maybe “Calm River” was getting under people’s skin after the thousandth time you put them on hold.

The Gory Tech Details:

The new files can be found here: http://downloads.asterisk.org/pub/telephony/sounds/

The new files have names that contain “opsound” replacing the term “freeplay” in the file names.  It’s really that simple.  We’ve removed the old “freeplay” files and symlinked the old names to the new “opsound” versions, just in case.  The contents of the .tar archives are different, but Asterisk should “just work” when the file contents are put in place unless you’ve extensively modified your music on hold configurations.

If you have an existing Asterisk system it is our suggestion that you delete any and all copies of the existing “freeplay” music on hold set on your system(s) and replace them with the new “opsound” module sets.  The good news is that this is very simple – very little configuration is required on your system – just a simple file copy and then restart Asterisk to see the new files.

What happens if you don’t update your music on hold?  The state of the FreePlay license currently is in question, and even if it is determined that the Freeplay files were not provided under the necessary license terms,  it’s unlikely that enforcement actions will be brought against end-users for using unlicensed hold music.  However, we would encourage all administrators to update their instances of Asterisk to the new sound files.  This is really a distasteful process for all of us, and in order to protect ourselves from any future liability we’re going to suggest that everyone remove the older files entirely.

Categories
Knowledge Base

General Configuration Guide Skype for SIP and Asterisk

 

If you are new to SIP, Asterisk is a useful, open-source (GPL) platform with which to test and experiment with the Skype for SIP. This is a guide on how to install Skype for SIP on a system agnostic or “vanilla” Asterisk server.

 

To install Asterisk on your server, please see the Digium documentation here http://www.asterisk.org.

 

This configuration guide is based on Debian Linux (Lenny 64bit). With a basic installation of Debian you can install Asterisk by issuing the following APT command at the command line:-

apt-get install asterisk

 

 

Configuration Files for Vanilla Asterisk

 

In configuring Skype for SIP on a vanilla Asterisk system we are primarily concerned with two configuration files:-

 

  1. sip.conf (located in the /etc/asterisk/ directory)
    The sip.conf file holds the registration details for the Skype for SIP channel
  2. extensions.conf (located in the /etc/asterisk/ directory)The extensions.conf holds the dial plan telling Asterisk what to do with incoming and outgoing calls.-

 

Let’s do a walkthrough of the configuration steps.

 

Configuring the sip.conf File

 

Step 1

 

The sip.conf file has two sections that need to be completed. The “General” section (denoted in the file with the [general] heading) and peer section denoted in the file with the [peers] heading.

 

In the General section we need to add a “register” line. This tells Asterisk to register with Skype at the Skype local point of presence.

 

Add the following, under the “[general]” section in the file, substituting your 9905xxxx number and password with your actual credentials for the Skype for SIP profile you wish to use. Your SIP Profile details can be found in the Skype Business Control Panel (BCP):-

 

register => 99051000xxxxxx: PaSsW0rD@sip.skype.com /99051000xxxxxx

 

Step 2

To ensure that we also receive the callerID from Skype clients we also should add:-

 

trustrpid = no

sendrpid = yes

 

 

Step 3

Next, we add a section for the peer, in the “[peers]” section of the sip.conf file. Again we substitute the 9905xxxxx number and password with the SIP Profile credentials from the Skype Business Control Panel (BCP):-

 

[99051000xxxxxx]

type = peer

username = 99051000xxxxxx

fromdomain = sip.skype.com

fromuser = 99051000xxxxxx

realm = sip.skype.com

host = sip.skype.com

dtmfmode = rfc2833

secret = PaSsW0rD

nat = no ;This should be set to reflect your network NAT configuration

canreinvite = no

insecure = invite

qualify = yes

disallow = all

allow = alaw

allow = ulaw

;allow = g729 ; Uncomment this if you have G729 licences

amaflags = default

trustrpid = no

sendrpid = yes

context = skype_in

 

Please Note:

If your Asterisk PBX is behind a NAT device, you should set “nat = yes” in this section.

 

If your Asterisk PBX has a dedicated internet IP address, set this to “nat = no”.

 

Step 4

After setting these changes, reload the Asterisk’s SIP module by typing:-

 

asterisk -rx “reload chan_sip.so”

 

…….at the command line.

 

Step 5

After the SIP Module has reloaded enter asterisk -rx “sip show peers” at the command line, which should return:

 

pbx*CLI> sip show peers

Name/username Host Dyn Nat ACL Port Status

99051000xxxxxx/99051000xx 193.120.218.68 5060 OK (52 ms)

 

Then enter asterisk -rx sip show registry” which should return:

 

pbx*CLI> sip show registry

Host Username Refresh State Reg.Time

sip.skype.com:5060 99051000xxxx 105 Registered day, dd mmm yyyy hh:mm:ss

 

If you see output similar to the above, then you are registered to the Skype SIP gateway and ready to make and receive calls.

 

We now need to setup the extensions.conf so that we have a dialplan setup and Asterisk knows how to deal with incoming and outgoing calls.

 

Configuring the extensions.conf File

 

The extensions.conf file requires a “context” and an “extension” to be added for incoming Skype calls, plus an extension to be added to the context that users use for outgoing calls.

 

Incoming “context”

 

Add the following lines to the [context] section of extensions.conf, substituting 9905xxxxxxx with the 9905 number for the SIP Profile. Again you can find the details of your Skype SIP Profiles in the Skype BCP:-

 

[skype_in]

exten => 99051xxxxxxxx,Noop(${CALLERID(name)} , ${CALLERID(num)})

exten => 99051xxxxxxxx,n,Dial(SIP/100,30,t,r)

exten => 99051xxxxxxxx,n,voicemail(100|u)

 

This is a simple “vanilla” context that shows us the callerID name and number, dials extension 100 for 30 seconds and finally, if unanswered, goes to voicemail. This sequence will need to be amended to suit your requirements. If you are planning on having many SIP Profiles or Online Numbers that all need to end up at the same destination, or the destination is decided by the Skype Business Account that the online number is registered against, a more complicated Dialplan can be used. For example:-

 

[skype_in]

exten => 99051xxxxxxxx,1,Noop(${CALLERID(name)} , ${CALLERID(num)})

exten => 99051xxxxxxxx,n,Queue(sfs|r|||40)

exten => 99051xxxxxxxx,n,voicemail(100|u)

 

 

Outgoing “Context”

 

The outgoing context must be included in the context for your user’s phones. Usual security measures apply. Do not include this in a context for incoming calls.

 

[skype_out]

 

exten => _90Z.,1,Set(CALLERID(num)= 99051xxxxxxxx)

exten => _90Z.,n,Dial(SIP/0044${EXTEN:2}@99051xxxxxxxx)

 

exten => _900.,1,Set(CALLERID(num)= 99051xxxxxxxx)

exten => _900.,n,Dial(SIP/${EXTEN:1}@99051xxxxxxxx)

 

 

In the sip.conf add the following to create user 100

 

[100]

secret=secret

mailbox=100

callerid=”myskypetrunk” <100>

type=friend

host=dynamic

context=international

;nat=no

nat=yes

canreinvite=no

dtmfmode=rfc2833

pickupgroup=1

callgroup=1

subscribecontext=default

notifyringing=yes

disallow=all

;allow=alaw

allow=ulaw

allow=gsm

 

in the extensiosn.conf add the following to the default context

 

exten => _XXX,1,Dial(SIP/${EXTEN},20)

 

Also create a context called international

 

[international]

include => default

include => skype_out