On Fri, 2003-12-19 at 13:31, Rodrigo Gonzalez wrote:
> who is the vendor of the other gk and its model?

It's a Cisco 7206.

> Send your configuration file too (please delete all private information)

It is just a vanilla config file with these changes.
--- /etc/gatekeeper.ini 2003-09-29 06:51:54.000000000 -0500
+++ gatekeeper.ini 2003-12-11 11:03:43.000000000 -0600
@@ -1,463 +1,473 @@ # File: ~/.pwlib_config/Gatekeeper.ini # comments may start with # or ; ###################################### ## Boolean values. ## Boolean Values are retresented by a case insensitive string ## - "t"..., "y"... or "1" for TRUE ## - all other for FALSE ## ## Params used in Gatekeeper::Main() ## ## NOTE: This parameters may be loaded at program startup and not influenced by the HUP signal. [Gatekeeper::Main] ## 'config is present' indicator. Has to be 42. Fourtytwo=42 # Includes in some RAS-Msgs Name=OpenH323GK # overwritten from command line parameter #Home=195.71.129.69 #NetworkInterfaces= #TimeToLive=600 #TotalBandwidth=100000 -#StatusPort=7000 +StatusPort=7000 #UseBroadcastListener=0 ## ## Failover support ## #AlternateGKs=1.2.3.4:1719:false:120:OpenH323GK2 #Sendto=1.2.3.4:1719 #EndpointIDSuffix=_gk1 #SkipForwards=4.3.2.1 #RedirectGK=Calls > 50 ## ## You should never need to change any of the following values. ## They are mainly used for testing or very sophisticated applications. 
## #UnicastRasPort=1719 #MulticastPort=1718 #MulticastGroup=224.0.1.41 #EndpointSignalPort=9999 #EndpointSignalPort=1720 #ListenQueueLength=1024 # [ms], default 1000 #SignalReadTimeout=3000 # [ms], default 3000 #StatusReadTimeout=5000 #StatusWriteTimeout=5000 [RoutedMode] GKRouted=1 -H245Routed=0 +H245Routed=1 CallSignalPort=1721 CallSignalHandlerNumber=1 RemoveH245AddressOnTunneling=0 AcceptNeighborsCalls=1 -AcceptUnregisteredCalls=0 +AcceptUnregisteredCalls=1 SupportNATedEndpoints=1 DropCallsByReleaseComplete=1 #RemoveCallOnDRQ=1 #SendReleaseCompleteOnDRQ=0 #ScreenDisplayIE= #ScreenCallingPartyNumberIE= #ForwardOnFacility=1 #ShowForwarderNumber=1 #Q931PortRange=20000-20999 #H245PortRange=30000-30999 #ConnectTimeout=180000 [Proxy] #Enable=1 #InternalNetwork=10.0.1.0/255.255.255.0,127.0.0.0/8 #T120PortRange=40000-40999 #RTPPortRange=50000-59999 #ProxyForNAT=1 #ProxyForSameNAT=0 #[Endpoint] #Gatekeeper=auto #Gatekeeper=210.58.112.188 #Type=Gateway #H323ID=CitronProxy #E164=18888600000 #Password= #Prefix=18888600,1888890003 #TimeToLive=900 #RRQRetryInterval=10 #ARQTimeout=2 #UnregisterOnReload=0 #NATRetryInterval=60 #NATKeepaliveInterval=86400 #[Endpoint::RewriteE164] #188889000=9 ## ## Prefixes of e164 numbers for gateways. ## Separate list elements by one of " .,\t". ## @see RasTbl::addPrefixes ## This parameters should consider a HUP signal. [RasSrv::GWPrefixes] ## Test-Gateways # 195.71.226.162 #rossi-gt2=80,90 #rossi-gt2=0 # 195.71.226.165 #rossi-gt3=80,90 #rossi-gt3=05241,0521,5241,521 # 195.71.129.254 #ip400-v1=12 #ip400-wi1=0 [RasSrv::RRQFeatures] #OverwriteEPOnSameAddress=1 #AcceptEndpointIdentifier=1 #AcceptGatewayPrefixes=1 [RasSrv::ARQFeatures] ArjReasonRouteCallToSCN=0 ArjReasonRouteCallToGatekeeper=1 CallUnregisteredEndpoints=1 RemoveTrailingChar=# [RasSrv::RRQAuth] ## On a RRQ the h323-alias is queried from this section. ## If there is an entry the endpint is authenticated against the given rules. 
## If there is no entry the default action is performed. The default action ## is to confirm the RRQ, unless the parameter "default=reject" is given. ## ## Notation: ## <authrules> := empty | <authrule> "&" <authrules> ## <authrule> := <authtype> ":" <authparams> ## <authtype> := "sigaddr" | "sigip" ## <autparams> := [!&]* ## The notation and meaning of <authparams> depends on <authtype>: ## - sigaddr: extended regular expression that has to match agains the ## "PrintOn(ostream)" representation of the signal address of the request. ## Example: "sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.*" ## - sigip: specialized form of "sigaddr". Write the signalling ip adresse ## using (commonly used) decimal notation: "byteA.byteB.byteC.byteD:port" ## Example of the above sigaddr: "sigip:195.71.226.165:1720" ## ## This parameters should consider a HUP signal. #rossi-gt1=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a2 .*port = 1720.* #rossi-gt2=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.* #rossi-gt3=sigip:195.71.226.165:1720 default=confirm ## The parameter "rule" may be one of the following: ## - "forbid" disallow any connection (default when no rule us given) ## - "allow" allow any connection ## - "explicit" reads the parameter #"<ip>=<value>"# with ip is the ip4-address ## if the peering client. #<value># is resolved with #Toolkit::AsBool#. If the ip ## is not listed the param "default" is used. ## - "regex" the #<ip># of the client is matched against the given regular expression. ## First the ip-rules (like "explicit") are tested. Olny of no such param exists ## the regex is tried. 
## Example: "regex=^195\.71\.(129|131)\.[0-9]+$" [GkStatus::Auth] rule=allow #rule=deny #rule=explicit #rule=regex # - 195.71.129.* # - 195.71.100.* # - 62.52.26.[1-2][0-9][0-9] #regex=^(195\.71\.(129|100)\.[0-9]+)|(62\.52\.26\.[1-2][0-9][0-9])$ # only used when "rule=explicit" #default=forbid #Shutdown=disable ## ## Beside other things every number to rewrite has its ## own key/value-line. The implemententation is such that ## all numbers that shell be rewritten have to begin ## with a common prefix given by 'Fastmatch'. ## ## Doc From the code: ## // Do rewrite to #newE164#. Append the suffix too. ## // old: 01901234999 ## // 999 Suffix ## // 0190 Fastmatch ## // 01901234 prefix, Config-Rule: 01901234=0521321 ## // new: 0521321999 ## ## The rewrite-numbers function take care of reloads/a HUP signal. [RasSrv::RewriteE164] ## Only if an e164 number begins with #Fastmatch# the ## the further rewriting is done. Only one #Fastmatch# can be given. #Fastmatch= #0190703100=052418088663 #01903142=0521178260 #5241908601903142=521178260 ## ## The GK would send LRQ to its neighbors if the destination of ARQ is unknown. ## A neighbor is selected if its prefix match the destination or ## it has prefix '*'. ## Currently only one prefix is supported. ## # # GKID=ip[:port;prefix;password;dynamic] # [RasSrv::Neighbors] -#GK1=203.60.151.5:1719;*;gk1 +GK1=10.0.0.1:1719;* #GK2=203.60.151.9:1719;02 [RasSrv::LRQFeatures] #NeighborTimeout=2 #ForwardHopCount=2 -#AlwaysForwardLRQ=0 -#AcceptForwardedLRQ=1 -#IncludeDestinationInfoInLCF=1 -#CiscoGKCompatible=1 +AlwaysForwardLRQ=1 +AcceptForwardedLRQ=1 +IncludeDestinationInfoInLCF=0 +CiscoGKCompatible=1 ## ## In this section you can put endpoints that don't have RAS support ## or that you don't want to be expired. The records will always ## in GK's registration table. ## However, You can still unregister it via status thread. ## # # ip[:port]=alias,alias,...[;prefix,prefix,...] 
# [RasSrv::PermanentEndpoints] # For gateway #10.0.1.5=Citron;009,008 # For terminal #10.0.1.10=798 ## ## Authentication mechanism ## ## Syntax: ## authrule=actions ## ## <authrule> := SimplePasswordAuth | LDAPPasswordAuth ## | AliasAuth | LDAPAliasAuth | ... ## <actions> := <control>[;<ras>|<q931>,<ras>|<q931>,...] ## <control> := optional | required | sufficient ## <ras> := GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ ## <q931> := Setup ## ## Currently supported modules: ## ## SimplePasswordAuth/MySQLAuth/LDAPPasswordAuth ## ## The module checks the tokens or cryptoTokens ## fields of RAS message. The tokens should contain ## at least generalID and password. For cryptoTokens, ## cryptoEPPwdHash tokens hashed by simple MD5 and ## nestedcryptoToken tokens hashed by HMAC-SHA1-96 ## (libssl must be installed!) are supported now. ## The ID and password are read from [Password] section ## / MySQL / LDAP. Support for other backend databases ## is easily to add. ## ## NeighborPasswordAuth ## ## The module only check LRQs from neighbors. The ID and ## password are defined in [RasSrv::Neighbors] section. ## ## AliasAuth/ ## LDAPAliasAuth The IP of an endpoint with given alias should ## match a specified pattern. For AliasAuth the pattern ## is defined in [RasSrv::RRQAuth] section. ## For LDAPAliasAuth the alias (default: mail attribute) ## and IP (default: voIPIpAddress attribute) must be found ## in one LDAP entry. ## ## RadAuth/RadAliasAuth ## ## The H.235 username/password from RRQ/ARQ message ## or endpoint alias/IP from RRQ/ARQ/Setup message ## is used to authenticate an endpoint/a call using ## RADIUS server. ## ## A rule may results in one of the three codes: ok, fail, pass. ## ## ok The request is authenticated by this module ## fail The authentication fails and should be rejected ## next The rule cannot determine the request ## ## There are also three ways to control a rule: ## ## optional If the rule cannot determine the request, it is passed ## to next rule. 
## required The requests should be authenticated by this module, ## or it would be rejected. The authenticated request would ## then be passwd to next rule. ## sufficient If the request is authenticated, it is accepted, ## or it would be rejected. That is, the rule determines ## the fate of the request. No rule should be put after ## a sufficient rule, since it won't take effect. ## ## You can also configure a rule to check only for some particular RAS ## messages. For example, to configure SimplePasswordAuth as a required ## rule to check RRQ, ARQ and LRQ: ## SimplePasswordAuth=required;RRQ,ARQ,LRQ # [Gatekeeper::Auth] #SimplePasswordAuth=optional #LDAPPasswordAuth=optional #AliasAuth=sufficient;RRQ #LDAPAliasAuth=sufficient;RRQ #RadAuth=required;RRQ,ARQ #RadAliasAuth=required;Setup #default=reject default=allow ## ## Destination analysis mechanism ## (must be enabled with compiler option WITH_DEST_ANALYSIS_LIST) ## ## Syntax: ## authrule=actions ## ## <authrule> := OverlapSendDestAnalysis ## <actions> := <control>[;<message>,<message>,...] ## <control> := optional | required | sufficient ## <message> := ARQ | LRQ ## ## Currently supported modules: ## ## OverlapSendDestAnalysis This module checks for incomplete destination ## addresses (not fully implemented up to now). ## ## A rule may results in one of the three codes: ok, fail, pass. ## There are also three ways to control a rule: optional, required, sufficient. ## Additionally you can configure a rule to check only for some particular ## messages. ## (see Authentication mechanism for details informations). 
# [Gatekeeper::DestAnalysis] #OverlapSendDestAnalysis=required;ARQ #default=reject #default=allow ## ## Use 'make addpasswd' to generate the utility addpasswd ## Usage: ## addpasswd config userid password ## #[Password] #KeyFilled=123 #CheckID=FALSE #PasswordTimeout=0 #(id=cwhuang, password=123456) #cwhuang=UGwUtpy837k= [MySQLAuth] #Host=localhost #Database=billing #User=cwhuang #Password=123456 #Table=customer #IDField=IPN #PasswordField=Password #ExtraCriterion=Kind < 2 [CallTable] #GenerateNBCDR=TRUE #GenerateUCCDR=TRUE -#DefaultCallDurationLimit=21600 +DefaultCallDurationLimit=14400 [GkLDAP::LDAPAttributeNames] #H323ID=mail #IPAddress=voIPIpAddress #TelephonNo=telephoneNumber #H235PassWord=plaintextPassword # Settings for LDAP access [GkLDAP::Settings] #ServerName=ldap #ServerPort=389 #SearchBaseDN=o=University of Michigan, c=US #BindUserDN=cn=Babs Jensen,o=University of Michigan, c=US #BindUserPW=ReallySecretPassword #sizelimit=0 #timelimit=0 ## ## Accounting mechanism ## ## Syntax: ## authrule=actions ## ## <authrule> := RadAcct | FileAcct | ... ## <actions> := <control>[;<event>,<event>,...] ## <control> := optional | required | sufficient ## <event> := start | stop | update | on | off ## ## Currently supported modules: ## ## RadAcct ## ## Provides accounting through RADIUS protocol. ## ## FileAcct ## ## Provides accounting to a plain text file using GK status line CDR format. ## ## ## A rule may results in one of the three codes: ok, fail, pass. ## ## ok The accounting request is succesfully processed by this module ## fail The accounting request processing fails and call should be rejected ## next The rule cannot determine the request ## ## There are also three ways to control a rule: ## ## optional If the rule cannot log the accounting request, it is passed ## to next rule. ## required The accounting requests should be logged by this module, ## or it would be rejected. The accounting request would ## then be passed to next rule. 
## sufficient If the accounting request is successfully logged, ## no further processing is done, otherwise the call would ## be rejected. That is, the rule determines ## the fate of the request. No rule should be put after ## a sufficient rule, since it won't take effect. ## ## You can also configure a rule to log only some particular accounting ## events. For example, to configure RadAcct as a required ## rule to log call "start" and "stop" events only, write: ## RadAcct=required;start,stop ## ## Defined accounting event types: ## ## start call start ## stop call stop ## update call update ## on GK start ## off GK stop ## [Gatekeeper::Acct] #RadAcct=optional;start,stop,on,off +RadAcct=required;stop,off + #FileAcct=sufficient;stop # if the GK can't auto detect your NATed EP # set it here [NATedEndpoints] ;704=11.1.1.111 ;705=allow # settings for inbound call distribution with virtual queue [CTI::Agents] VirtualQueue=CC CTI_Timeout=120 +[RadAcct] +Servers=10.0.0.50:1645 +SharedSecret=private +AppendCiscoAttributes=1 +IncludeEndpointIP=1 + # EOF
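Review bot: The status interface enabled by uncommenting `StatusPort=7000` in [Gatekeeper::Main] is open to every client, because [GkStatus::Auth] still carries the stock `rule=allow`; the file's own comments note that registrations can be removed through the status thread, so this is a management channel rather than a read-only one. Restrict it with the options this file already documents, for example `rule=explicit`, `<admin-host-ip>=1` (placeholder address) and `default=forbid`. In the same hunk, `AcceptUnregisteredCalls=1` sits beside an unchanged `[Gatekeeper::Auth] default=allow`, and the new `GK1=10.0.0.1:1719;*` omits the password field that the commented example carried, so neither unregistered callers nor the neighbor are authenticated; if that is only for interop testing with the Cisco gatekeeper, a comment above those keys should say so. `RadAcct=required;stop,off` also means, per the accounting notes in this file, that a failed accounting request causes rejection, so an unreachable RADIUS server at 10.0.0.50 may affect call handling.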