I am trying to set up a gnugk proxy on a NAT machine with a dynamic IP on the WAN side. As client I use NetMeeting. If I try to call someone on the external net, I get an ARJ (admission reject):

ARJ|192.168.100.100:1720|80.190.199.55:h323_ID|robert:h323_ID=4508743:dialedDigits=robert:h323_ID=4508743:dialedDigits|false|calledPartyNotRegistered;

Well, I don't want all external parties to be required to register... What's wrong???

The test scenario:

(NetMeeting box) 192.168.100.100 --- 192.168.100.2 (NAT, firewall and gnugk box) WAN dynamic IP on ppp9 --- 80.190.199.55 (external openam test box)

How I start gnugk: gnugk -ttttttt -c /etc/gatekeeper.ini -o gnugktest.log

My gatekeeper.ini (well, somewhat long... but I tried really short ones with the same result):
# File: ~/.pwlib_config/Gatekeeper.ini
# comments may start with # or ;
######################################
## Boolean values.
## Boolean values are represented by a case insensitive string
## - "t"..., "y"... or "1" for TRUE
## - all other for FALSE
##
## Params used in Gatekeeper::Main()
##
## NOTE: These parameters may be loaded at program startup and are not influenced by the HUP signal.
[Gatekeeper::Main]
## 'config is present' indicator. Has to be 42.
Fourtytwo=42
# Includes in some RAS-Msgs
#Name=OpenH323GK
Name=RoSa-OpenH323GK
# overwritten from command line parameter
#Home=195.71.129.69
#Home=192.168.100.2
Home=192.168.100.2
NetworkInterfaces=192.168.100.0/24
#NetworkInterfaces=192.168.0.0/16
#TimeToLive=600
#TotalBandwidth=100000
#StatusPort=7000
#UseBroadcastListener=0
##
## Failover support
##
#AlternateGKs=1.2.3.4:1719:false:120:OpenH323GK2
#Sendto=1.2.3.4:1719
#EndpointIDSuffix=_gk1
#SkipForwards=4.3.2.1
#RedirectGK=Calls > 50
##
## You should never need to change any of the following values.
## They are mainly used for testing or very sophisticated applications.
##
#UnicastRasPort=1719
#MulticastPort=1718
#MulticastGroup=224.0.1.41
#EndpointSignalPort=9999
#EndpointSignalPort=1720
#ListenQueueLength=1024
# [ms], default 1000
#SignalReadTimeout=3000
# [ms], default 3000
#StatusReadTimeout=5000
#StatusWriteTimeout=5000
[RoutedMode]
GKRouted=1
#H245Routed=0
H245Routed=0
CallSignalPort=1721
CallSignalHandlerNumber=2
RemoveH245AddressOnTunneling=1
AcceptNeighborsCalls=1
#AcceptUnregisteredCalls=0
AcceptUnregisteredCalls=1
SupportNATedEndpoints=1
DropCallsByReleaseComplete=1
#RemoveCallOnDRQ=1
#SendReleaseCompleteOnDRQ=0
#ScreenDisplayIE=
#ScreenCallingPartyNumberIE=
#ForwardOnFacility=1
#ShowForwarderNumber=1
Q931PortRange=20000-20999
H245PortRange=30000-30999
[Proxy]
Enable=1
#InternalNetwork=10.0.1.0/255.255.255.0,127.0.0.0/8
InternalNetwork=10.0.0.0/8,192.168.0.0/16,127.0.0.0/8
T120PortRange=40000-40999
RTPPortRange=50000-59999
ProxyForNAT=1
ProxyForSameNAT=0
#[Endpoint]
#Gatekeeper=auto
#Gatekeeper=210.58.112.188
#Type=Gateway
#H323ID=CitronProxy
#E164=18888600000
#Password=
#Prefix=18888600,1888890003
#TimeToLive=900
#RRQRetryInterval=10
#ARQTimeout=2
#UnregisterOnReload=0
#NATRetryInterval=60
#NATKeepaliveInterval=86400
#[Endpoint::RewriteE164]
#188889000=9
##
## Prefixes of e164 numbers for gateways.
## Separate list elements by one of " .,\t".
## @see RasTbl::addPrefixes
## These parameters should consider a HUP signal.
[RasSrv::GWPrefixes]
## Test-Gateways
# 195.71.226.162
#rossi-gt2=80,90
#rossi-gt2=0
# 195.71.226.165
#rossi-gt3=80,90
#rossi-gt3=05241,0521,5241,521
# 195.71.129.254
#ip400-v1=12
#ip400-wi1=0
[RasSrv::RRQFeatures]
#OverwriteEPOnSameAddress=1
#AcceptEndpointIdentifier=1
#AcceptGatewayPrefixes=1
[RasSrv::ARQFeatures]
ArjReasonRouteCallToSCN=0
ArjReasonRouteCallToGatekeeper=1
CallUnregisteredEndpoints=1
RemoveTrailingChar=#
[RasSrv::RRQAuth]
## On a RRQ the h323-alias is queried from this section.
## If there is an entry the endpoint is authenticated against the given rules.
## If there is no entry the default action is performed. The default action
## is to confirm the RRQ, unless the parameter "default=reject" is given.
##
## Notation:
## <authrules> := empty | <authrule> "&" <authrules>
## <authrule> := <authtype> ":" <authparams>
## <authtype> := "sigaddr" | "sigip"
## <authparams> := [!&]*
## The notation and meaning of <authparams> depends on <authtype>:
## - sigaddr: extended regular expression that has to match against the
## "PrintOn(ostream)" representation of the signal address of the request.
## Example: "sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.*"
## - sigip: specialized form of "sigaddr". Write the signalling ip address
## using (commonly used) decimal notation: "byteA.byteB.byteC.byteD:port"
## Example of the above sigaddr: "sigip:195.71.226.165:1720"
##
## These parameters should consider a HUP signal.
#rossi-gt1=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a2 .*port = 1720.*
#rossi-gt2=sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.*
#rossi-gt3=sigip:195.71.226.165:1720
default=confirm
## The parameter "rule" may be one of the following:
## - "forbid" disallow any connection (default when no rule is given)
## - "allow" allow any connection
## - "explicit" reads the parameter #"<ip>=<value>"# where ip is the ip4-address
## of the peering client. #<value># is resolved with #Toolkit::AsBool#. If the ip
## is not listed the param "default" is used.
## - "regex" the #<ip># of the client is matched against the given regular expression.
## First the ip-rules (like "explicit") are tested. Only if no such param exists
## is the regex tried.
## Example: "regex=^195\.71\.(129|131)\.[0-9]+$"
[GkStatus::Auth]
rule=allow
#rule=deny
#rule=explicit
#rule=regex
# - 195.71.129.* # - 195.71.100.*
# - 62.52.26.[1-2][0-9][0-9]
#regex=^(195\.71\.(129|100)\.[0-9]+)|(62\.52\.26\.[1-2][0-9][0-9])$
regex=^((192\.168)|(127\.[0-9]+))\.[0-9]+\.[0-9]+$
# only used when "rule=explicit"
#default=forbid
#Shutdown=disable
##
## Beside other things every number to rewrite has its
## own key/value-line. The implementation is such that
## all numbers that shall be rewritten have to begin
## with a common prefix given by 'Fastmatch'.
##
## Doc From the code:
## // Do rewrite to #newE164#. Append the suffix too.
## // old: 01901234999
## // 999 Suffix
## // 0190 Fastmatch
## // 01901234 prefix, Config-Rule: 01901234=0521321
## // new: 0521321999 ##
## The rewrite-numbers function take care of reloads/a HUP signal.
[RasSrv::RewriteE164]
## Only if an e164 number begins with #Fastmatch# the
## further rewriting is done. Only one #Fastmatch# can be given.
#Fastmatch=
#0190703100=052418088663
#01903142=0521178260
#5241908601903142=521178260
##
## The GK would send LRQ to its neighbors if the destination of ARQ is unknown.
## A neighbor is selected if its prefix match the destination or
## it has prefix '*'.
## Currently only one prefix is supported.
##
#
# GKID=ip[:port;prefix;password;dynamic]
#
[RasSrv::Neighbors]
#GK1=203.60.151.5:1719;*;gk1
#GK2=203.60.151.9:1719;02
[RasSrv::LRQFeatures]
#NeighborTimeout=2
#ForwardHopCount=2
#AlwaysForwardLRQ=0
#AcceptForwardedLRQ=1
#IncludeDestinationInfoInLCF=1
#CiscoGKCompatible=1
##
## In this section you can put endpoints that don't have RAS support
## or that you don't want to be expired. The records will always be
## in GK's registration table.
## However, you can still unregister them via the status thread.
##
#
# ip[:port]=alias,alias,...[;prefix,prefix,...]
#
[RasSrv::PermanentEndpoints]
# For gateway
#10.0.1.5=Citron;009,008
# For terminal
#10.0.1.10=798
##
## Authentication mechanism
##
## Syntax:
## authrule=actions
##
## <authrule> := SimplePasswordAuth | LDAPPasswordAuth
## | AliasAuth | LDAPAliasAuth | ...
## <actions> := <control>[;<ras>,<ras>,...]
## <control> := optional | required | sufficient
## <ras> := GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ
##
## Currently supported modules:
##
## SimplePasswordAuth/MySQLAuth/LDAPPasswordAuth
##
## The module checks the tokens or cryptoTokens
## fields of RAS message. The tokens should contain
## at least generalID and password. For cryptoTokens,
## cryptoEPPwdHash tokens hashed by simple MD5 and
## nestedcryptoToken tokens hashed by HMAC-SHA1-96
## (libssl must be installed!) are supported now.
## The ID and password are read from [Password] section
## / MySQL / LDAP. Support for other backend databases
## is easy to add.
##
## NeighborPasswordAuth
##
## The module only checks LRQs from neighbors. The ID and
## password are defined in [RasSrv::Neighbors] section.
##
## AliasAuth/
## LDAPAliasAuth The IP of an endpoint with given alias should
## match a specified pattern. For AliasAuth the pattern
## is defined in [RasSrv::RRQAuth] section.
## For LDAPAliasAuth the alias (default: mail attribute)
## and IP (default: voIPIpAddress attribute) must be found
## in one LDAP entry.
##
## A rule may result in one of the three codes: ok, fail, next.
##
## ok The request is authenticated by this module
## fail The authentication fails and should be rejected
## next The rule cannot determine the request
##
## There are also three ways to control a rule:
##
## optional If the rule cannot determine the request, it is passed
## to next rule.
## required The requests should be authenticated by this module,
## or it would be rejected. The authenticated request would
## then be passed to the next rule.
## sufficient If the request is authenticated, it is accepted,
## or it would be rejected. That is, the rule determines
## the fate of the request. No rule should be put after
## a sufficient rule, since it won't take effect.
##
## You can also configure a rule to check only for some particular RAS
## messages. For example, to configure SimplePasswordAuth as a required
## rule to check RRQ, ARQ and LRQ:
## SimplePasswordAuth=required;RRQ,ARQ,LRQ
#
[Gatekeeper::Auth]
#SimplePasswordAuth=optional
#LDAPPasswordAuth=optional
#AliasAuth=sufficient;RRQ
#LDAPAliasAuth=sufficient;RRQ
#default=reject
prefixAuth=required;ARQ
default=allow
##
## Destination analysis mechanism
## (must be enabled with compiler option WITH_DEST_ANALYSIS_LIST)
##
## Syntax:
## authrule=actions
##
## <authrule> := OverlapSendDestAnalysis
## <actions> := <control>[;<message>,<message>,...]
## <control> := optional | required | sufficient
## <message> := ARQ | LRQ
##
## Currently supported modules:
##
## OverlapSendDestAnalysis This module checks for incomplete destination
## addresses (not fully implemented up to now).
##
## A rule may result in one of the three codes: ok, fail, next.
## There are also three ways to control a rule: optional, required, sufficient.
## Additionally you can configure a rule to check only for some particular
## messages.
## (see Authentication mechanism for detailed information).
#
[Gatekeeper::DestAnalysis]
#OverlapSendDestAnalysis=required;ARQ
#default=reject
default=allow
##
## Use 'make addpasswd' to generate the utility addpasswd
## Usage:
## addpasswd config userid password
##
#[Password]
#KeyFilled=123
#CheckID=FALSE
#PasswordTimeout=0
#(id=cwhuang, password=123456)
#cwhuang=UGwUtpy837k=
[MySQLAuth]
#Host=localhost
#Database=billing
#User=cwhuang
#Password=123456
#Table=customer
#IDField=IPN
#PasswordField=Password
#ExtraCriterion=Kind < 2
[PrefixAuth]
ALL=allow ipv4:ALL
[CallTable]
#GenerateNBCDR=TRUE
#GenerateUCCDR=TRUE
#DefaultCallTimeout=21600 // 6hr
[GkLDAP::LDAPAttributeNames]
#H323ID=mail
#IPAddress=voIPIpAddress
#TelephonNo=telephoneNumber
#H235PassWord=plaintextPassword
# Settings for LDAP access
[GkLDAP::Settings]
#ServerName=ldap
#ServerPort=389
#SearchBaseDN=o=University of Michigan, c=US
#BindUserDN=cn=Babs Jensen,o=University of Michigan, c=US
#BindUserPW=ReallySecretPassword
#sizelimit=0
#timelimit=0
# if the GK can't auto detect your NATed EP
# set it here
[NATedEndpoints]
;704=11.1.1.111
;705=allow
# settings for inbound call distribution with virtual queue
[CTI::Agents]
VirtualQueue=CC
CTI_Timeout=120
# EOF
-- mit freundlichen Gruessen / with best regards
* Robert und Sandra Schulz
* Eimbeckhaeuser Str. 33
* 30459 Hannover
* Tel. : +49(511)3748730
* Fax : +49(511)4508748
* Mobil : +49(173)5108769
* e-mail: robert@rosaschulz.de
* www.robert-j-schulz.de
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
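Added example, not part of Robert's post and not GnuGk project code: a small parser for the status-port event line quoted at the top of the post. That ARJ line has the pipe-separated layout ARJ|callingEndpoint|destInfo|srcInfo|answerCall|rejectReason; and the alias lists inside it are printed as value:type items joined with "=". The parser splits these out so a monitoring script can count admission rejects by reason and calling endpoint, which is how you spot that the gatekeeper is refusing calls to unregistered parties (calledPartyNotRegistered) rather than proxying them. The record field names (event, endpoint, dest, src, answer, reason) are this script's own labels, and the two extra sample lines are constructed; only the first sample line is the one from the post. One caveat worth noting while looking at these events: the posted config has rule=allow in [GkStatus::Auth] with the regex line commented out, so any host that can reach the status port gets this view of (and control over) the gatekeeper without authentication.

```python
"""Parse GnuGk status-port ARJ event lines and summarise reject reasons.

Constructed example. The record keys used below (event, endpoint, dest,
src, answer, reason) are labels chosen for this script, not GnuGk names.
"""
from collections import Counter
from typing import Dict, List, Tuple


def parse_aliases(field: str) -> List[Tuple[str, str]]:
    """Split an alias list such as 'robert:h323_ID=4508743:dialedDigits'
    into (value, type) pairs.

    Items are separated by '='. An alias value may itself contain ':'
    (for example an IP:port), so each item is split on its *last* ':'.
    """
    pairs: List[Tuple[str, str]] = []
    for item in field.split("="):
        if not item:
            continue
        if ":" in item:
            value, kind = item.rsplit(":", 1)
        else:
            value, kind = item, ""
        pairs.append((value, kind))
    return pairs


def parse_status_line(line: str) -> Dict[str, object]:
    """Parse one status-port event line.

    ARJ lines follow ARJ|callingEP|destInfo|srcInfo|answerCall|reason;
    as seen in the post. Other events are returned with just their
    event token and the raw remaining fields.
    """
    fields = line.strip().rstrip(";").split("|")
    event = fields[0]
    rec: Dict[str, object] = {"event": event, "raw": fields[1:]}
    if event == "ARJ" and len(fields) >= 6:
        rec["endpoint"] = fields[1]                # calling endpoint ip:port
        rec["dest"] = parse_aliases(fields[2])     # destinationInfo aliases
        rec["src"] = parse_aliases(fields[3])      # srcInfo aliases
        rec["answer"] = fields[4].lower() == "true"  # answerCall flag
        rec["reason"] = fields[5]                  # AdmissionRejectReason
    return rec


def reject_summary(lines: List[str]) -> Counter:
    """Count ARJ events keyed by (reject reason, calling endpoint IP)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_status_line(line)
        if rec["event"] != "ARJ" or "reason" not in rec:
            continue
        ip = str(rec["endpoint"]).rsplit(":", 1)[0]
        counts[(str(rec["reason"]), ip)] += 1
    return counts


# First line: the ARJ quoted in the post. The other two are constructed.
SAMPLE_EVENTS = [
    "ARJ|192.168.100.100:1720|80.190.199.55:h323_ID|robert:h323_ID=4508743:dialedDigits=robert:h323_ID=4508743:dialedDigits|false|calledPartyNotRegistered;",
    "ARJ|192.168.100.100:1720|80.190.199.55:h323_ID|robert:h323_ID|false|calledPartyNotRegistered;",
    "ARJ|192.168.100.101:1720|4508743:dialedDigits|sandra:h323_ID|false|callerNotRegistered;",
]


if __name__ == "__main__":
    for (reason, ip), n in sorted(reject_summary(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {reason:28s} from {ip}")
```

Feed it the lines you get from the status port (or from the -o log, which echoes them) and a run of calledPartyNotRegistered for a destination that is an external IP tells you the gatekeeper is still applying registration checks to outbound calls, which is the symptom described in the post.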