Hi, people:

I've installed an openh323 gatekeeper in this scenario

LAN1----- PACKET FILTER --------- BASTION HOST --------- ROUTER ------ INTERNET

openh323gk is installed in the Bastion Host and it's configured in proxy mode. Here is my config file

[Gatekeeper::Main]
## 'config is present' indicator. Has to be 42.
Fourtytwo=42
# Includes in some RAS-Msgs
Name=OpenH323GK
# overwritten from command line parameter
#Home=195.71.129.69
#TimeToLive=600
AcceptUnregisteredCalls=1
TotalBandwidth=100000

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1721
CallSignalHandlerNumber=1
RemoveH245AddressOnTunneling=0
Q931PortRange=20000-20020
H245PortRange=30000-30010
SupportNATedEndpoints=1

[Proxy]
Enable=1
T120PortRange=40000-40010
RTPPortRange=50000-59999
InternalNetwork=192.168.0.0/255.255.255.0,127.0.0.0/8

[Failover]

[Gatekeeper::TCP]
UnicastRasPort=1719
MulticastPort=1718
MulticastGroup=224.0.1.41
EndpointSignalPort=9999
StatusPort=7000
ListenQueueLength=1024
SignalReadTimeout=3000
StatusReadTimeout=5000

[RasSvr::GWPrefixes]

[RasSvr::ARQFeatures]
ArjReasonRouteCallToSCN=0
ArjReasonRouteCallToGatekeeper=1

[RasSrv::RRQAuth]
default=confirm

[GkStatus::Auth]
rule=allow

##
## Beside other things every number to rewrite has its
## own key/value-line. The implementation is such that
## all numbers that shall be rewritten have to begin
## with a common prefix given by 'Fastmatch'.
##
## Doc From the code:
## // Do rewrite to #newE164#. Append the suffix too.
## // old: 01901234999
## //      999 Suffix
## //      0190 Fastmatch
## //      01901234 prefix, Config-Rule: 01901234=0521321
## // new: 0521321999
##
## The rewrite-numbers function takes care of reloads/a HUP signal.
[RasSvr::RewriteE164]
## Only if an e164 number begins with #Fastmatch# the
## further rewriting is done. Only one #Fastmatch# can be given.
#Fastmatch=
#0190703100=052418088663
#01903142=0521178260
#5241908601903142=521178260

##
## The GK would send LRQ to its neighbors if the destination of ARQ is unknown.
## A neighbor is selected if its prefix matches the destination or
## it has prefix '*'.
## Currently only one prefix is supported.
##
#
# GKID=ip[:port;prefix;password;dynamic]
#
[RasSvr::Neighbors]
#GK1=203.60.151.5:1719;*;gk1
#GK2=203.60.151.9:1719;02

##
## In this section you can put endpoints that don't have RAS support
## or that you don't want to be expired. The records will always be
## in GK's registration table.
## However, you can still unregister it via status thread.
##
#
# ip[:port]=alias,alias,...[;prefix,prefix,...]
#
[RasSvr::PermanentEndpoints]
# For gateway
#10.0.1.5=Citron;009,008
# For terminal
#10.0.1.10=798

##
## Authentication mechanism
##
## Syntax:
##   authrule=actions
##
##   <authrule> := SimplePasswordAuth | LDAPPasswordAuth
##                 | AliasAuth | LDAPAliasAuth | ...
##   <actions>  := <control>[;<ras>,<ras>,...]
##   <control>  := optional | required | sufficient
##   <ras>      := GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ
##
## Currently supported modules:
##
##   SimplePasswordAuth/MySQLAuth/LDAPPasswordAuth
##
##       The module checks the tokens or cryptoTokens
##       fields of RAS message. The tokens should contain
##       at least generalID and password. For cryptoTokens,
##       cryptoEPPwdHash tokens hashed by simple MD5 and
##       nestedcryptoToken tokens hashed by HMAC-SHA1-96
##       (libssl must be installed!) are supported now.
##       The ID and password are read from [Password] section
##       / MySQL / LDAP. Support for other backend databases
##       is easy to add.
##
##   NeighborPasswordAuth
##
##       The module only checks LRQs from neighbors. The ID and
##       password are defined in [RasSvr::Neighbors] section.
##
##   AliasAuth/
##   LDAPAliasAuth
##       The IP of an endpoint with given alias should
##       match a specified pattern. For AliasAuth the pattern
##       is defined in [RasSrv::RRQAuth] section.
##       For LDAPAliasAuth the alias (default: mail attribute)
##       and IP (default: voIPIpAddress attribute) must be found
##       in one LDAP entry.
##
## A rule may result in one of the three codes: ok, fail, pass.
##
##   ok      The request is authenticated by this module
##   fail    The authentication fails and should be rejected
##   next    The rule cannot determine the request
##
## There are also three ways to control a rule:
##
##   optional    If the rule cannot determine the request, it is passed
##               to next rule.
##   required    The requests should be authenticated by this module,
##               or it would be rejected. The authenticated request would
##               then be passed to next rule.
##   sufficient  If the request is authenticated, it is accepted,
##               or it would be rejected. That is, the rule determines
##               the fate of the request. No rule should be put after
##               a sufficient rule, since it won't take effect.
##
## You can also configure a rule to check only for some particular RAS
## messages. For example, to configure SimplePasswordAuth as a required
## rule to check RRQ, ARQ and LRQ:
##   SimplePasswordAuth=required;RRQ,ARQ,LRQ
#
[Gatekeeper::Auth]
#SimplePasswordAuth=optional
#LDAPPasswordAuth=optional
#AliasAuth=sufficient;RRQ
#LDAPAliasAuth=sufficient;RRQ
#default=reject
default=allow

##
## Destination analysis mechanism
## (must be enabled with compiler option WITH_DEST_ANALYSIS_LIST)
##
## Syntax:
##   authrule=actions
##
##   <authrule> := OverlapSendDestAnalysis
##   <actions>  := <control>[;<message>,<message>,...]
##   <control>  := optional | required | sufficient
##   <message>  := ARQ | LRQ
##
## Currently supported modules:
##
##   OverlapSendDestAnalysis
##       This module checks for incomplete destination
##       addresses (not fully implemented up to now).
##
## A rule may result in one of the three codes: ok, fail, pass.
## There are also three ways to control a rule: optional, required, sufficient.
## Additionally you can configure a rule to check only for some particular
## messages.
## (see Authentication mechanism for detailed information).
#
[Gatekeeper::DestAnalysis]
#OverlapSendDestAnalysis=required;ARQ
#default=reject
default=allow

##
## Use 'make addpasswd' to generate the utility addpasswd
## Usage:
##   addpasswd config userid password
##
#[Password]
#KeyFilled=123
#CkeckID=FALSE
#PasswordTimeout=0
#(id=cwhuang, password=123456)
#cwhuang=UGwUtpy837k=

[MySQLAuth]
#Host=localhost
#Database=billing
#User=cwhuang
#Password=123456
#Table=customer
#IDField=IPN
#PasswordField=Password
#ExtraCriterion=Kind < 2

[CallTable]
#GenerateNBCDR=TRUE
#GenerateUCCDR=TRUE
#DefaultCallTimeout=21600 // 6hr

# the attribute names used for LDAP access, the default is the names
# from the VoIP-scheme which is provided within this distribution
[GkLDAP::LDAPAttributeNames]
#UserIdentity=uid
#H323ID=cn
#TelephonNo=telephoneNumber
#H245PassWord=plaintextPassword
#aliasH3232ID=voIPnickName
#CountryCode=voIPcountryCode
#AreaCode=voIPareaCode
#LocalAccessCode=voIPlocalAccessCode
#NationalAccessCode=voIPnationalAccessCode
#InternationalAccessCode=voIPinternationalAccessCode
#CallingLineIdPresentation=voIPcallingLineIdPresentation
#PrefixBlacklist=voIPprefixBlacklist
#PrefixWhitelist=voIPprefixWhitelist

# Settings for LDAP access
[GkLDAP::Settings]
#ServerName=ldap
#ServerPort=389
#SearchBaseDN=o=University of Michigan, c=US
#BindUserDN=cn=Babs Jensen,o=University of Michigan, c=US
#BindUserPW=ReallySecretPassword
#sizelimit=0
#timelimit=0
# EOF

Now, I'm trying to connect to the gatekeeper from MS Netmeeting behind NAT unsuccessfully. I'm obtaining these errors. The strange message for me is "Resource temporarily unavailable". Have you any idea why this happens? Maybe a misconfiguration?

Best Regards.
Ivan

2005/03/04 17:29:35 1 gkauth.cxx(222) GkAuth Add default rule with flag ff
2005/03/04 17:29:35 1 gkDestAnalysis.cxx(195) GkDestAnalysis Add default rule with flag ff
2005/03/04 17:29:35 2 ProxyThread.cxx(363) ProxyL Listen to 0.0.0.0:1721
2005/03/04 17:29:35 2 ProxyThread.cxx(291) ProxyListener 28122 started
2005/03/04 17:29:35 2 ProxyThread.cxx(291) ProxyHandleThread 4178 started
2005/03/04 17:29:35 5 ProxyThread.cxx(489) ProxyH(0) waiting...
2005/03/04 17:29:35 2 ProxyThread.cxx(545) Proxy Create a new ConnectThread, total 1
2005/03/04 17:29:35 2 ProxyThread.cxx(291) ProxyConnectThread 29809 started
2005/03/04 17:29:35 2 ProxyThread.cxx(291) ProxyHandleThread 29523 started
2005/03/04 17:29:35 5 ProxyThread.cxx(489) ProxyLC(0) waiting...
2005/03/04 17:29:35 2 RasSrv.cxx(379) GK Using Routed Signalling
2005/03/04 17:29:35 2 RasSrv.cxx(380) GK H.245 Routed Enabled
2005/03/04 17:29:35 2 RasSrv.cxx(1652) GK Entering connection handling loop
2005/03/04 17:29:45 4 ProxyThread.cxx(76) Q931s Delete socket 127.0.0.1:0
2005/03/04 17:29:45 1 MulticastGRQ.cxx(73) GK Multicast thread: Read error: Connection timed out
2005/03/04 17:29:45 1 RasSrv.cxx(1669) GK RAS thread: Read error: Connection timed out
2005/03/04 17:29:55 4 ProxyThread.cxx(76) Q931s Delete socket 127.0.0.1:0
2005/03/04 17:29:55 1 MulticastGRQ.cxx(73) GK Multicast thread: Read error: Connection timed out
2005/03/04 17:29:55 1 RasSrv.cxx(1669) GK RAS thread: Read error: Connection timed out
2005/03/04 17:29:56 1 RasSrv.cxx(1669) GK RAS thread: Read error: Resource temporarily unavailable
2005/03/04 17:30:01 1 RasSrv.cxx(1669) GK RAS thread: Read error: Resource temporarily unavailable
2005/03/04 17:30:05 4 ProxyThread.cxx(76) Q931s Delete socket 127.0.0.1:0
2005/03/04 17:30:05 1 MulticastGRQ.cxx(73) GK Multicast thread: Read error: Connection timed out
2005/03/04 17:30:06 1 RasSrv.cxx(1669) GK RAS thread: Read error: Resource temporarily unavailable
2005/03/04 17:30:12 1 RasSrv.cxx(1669) GK RAS thread: Read error: Resource temporarily unavailable
2005/03/04 17:30:15 4 ProxyThread.cxx(76) Q931s Delete socket 127.0.0.1:0
2005/03/04 17:30:15 1 MulticastGRQ.cxx(73) GK Multicast thread: Read error: Connection timed out
2005/03/04 17:30:17 1 RasSrv.cxx(1669) GK RAS thread: Read error: Resource temporarily unavailable
2005/03/04 17:30:25 4 ProxyThread.cxx(76) Q931s Delete socket 127.0.0.1:0
2005/03/04 17:30:25 1 MulticastGRQ.cxx(73) GK Multicast thread: Read error: Connection timed out
2005/03/04 17:30:27 1 RasSrv.cxx(1669) GK RAS thread: Read error: Connection timed out

_______________________________________________________
List: Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
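
Added example (not part of the original post, and not GnuGk code): the posted [Gatekeeper::Auth] section has every module rule commented out with default=allow, and the log shows only the default rule being added. The Python sketch below evaluates a rule chain as the config comments describe it; treating an ok from an optional rule as acceptance and a missing default as reject are assumptions, and WITH_PASSWORD is a constructed chain built from the rule line shown in the comments.

```python
# Added illustration, not GnuGk code: a [Gatekeeper::Auth] chain evaluated
# the way the config comments describe it.
OK, FAIL, NEXT = "ok", "fail", "next"

def parse_auth_section(text):
    """Return (rules, default); rules = [(module, control, ras_set_or_None)]."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out rules are inactive
        name, _, actions = line.partition("=")
        if name.strip() == "default":
            default = actions.strip()
            continue
        control, _, msgs = actions.partition(";")
        ras = {m.strip() for m in msgs.split(",") if m.strip()} or None
        rules.append((name.strip(), control.strip(), ras))
    return rules, default

def evaluate(rules, default, ras_type, answers):
    """answers: module name -> ok/fail/next for this request (constructed)."""
    for name, control, ras in rules:
        if ras is not None and ras_type not in ras:
            continue  # rule is not configured for this RAS message
        result = answers.get(name, NEXT)
        if control == "required":
            if result != OK:
                return "reject"
            continue  # authenticated, passed on to the next rule
        if control == "sufficient":
            return "accept" if result == OK else "reject"
        if result == FAIL:  # optional rule
            return "reject"
        if result == OK:
            return "accept"  # assumption: ok from an optional rule accepts
    # assumption: anything other than default=allow ends in a reject
    return "accept" if default == "allow" else "reject"

# Lines from the posted section: every module rule is commented out.
POSTED = "#SimplePasswordAuth=optional\n#AliasAuth=sufficient;RRQ\n#default=reject\ndefault=allow"
# Constructed alternative using the rule line from the config comments.
WITH_PASSWORD = "SimplePasswordAuth=required;RRQ,ARQ,LRQ\ndefault=allow"

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("with password rule", WITH_PASSWORD)):
        rules, default = parse_auth_section(text)
        for ras_type in ("GRQ", "RRQ", "ARQ"):
            print(label, ras_type, evaluate(rules, default, ras_type, {}))
```

Under this reading, a required rule followed by default=reject rejects even authenticated requests, because the authenticated request is passed on to the default rule.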