Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

Home » Asterisk Users » Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)
Asterisk Users 2 Comments

Hello, i try to connect my SIP Client (linphone) via VPN to FreePBX. The routing looks OK. I can ping the Endpoints and traffic is routing. I can also Register my Sip Client.

debpbx*CLI> pjsip list contacts

Contact:

==========================================================================================

Contact: 731/sip:731@192.168.30.132:5060 163a967d99
Avail 15.722
Contact: 734/sip:734@10.8.0.143:5060 1b1aa8cbac Avail 62.180

So far so good. When I try to an other extension I get a timeout. tcpdump:

root@debpbx:/etc/asterisk# tcpdump -ni enp0s15 host 10.8.0.143 and not port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp0s15, link-type EN10MB (Ethernet), capture size 262144 bytes
13:03:04.086687 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: INVITE
sip:731@asterisk.kes SIP/2.0
13:03:04.087364 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: SIP/2.0
401 Unauthorized
13:03:04.126101 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: ACK
sip:731@asterisk.kes SIP/2.0
13:03:09.054643 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:14.112561 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: OPTIONS
sip:734@10.8.0.143:5060 SIP/2.0
13:03:14.162609 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: SIP/2.0 200 Ok
13:03:19.057752 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:29.060765 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:44.672509 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP

I think the SIP/2.0 401 Unauthorized is the problem. I also had add the VPN IP range to the local_net but that does not solve the problem.

root@debpbx:/etc/asterisk# grep -ri 10.8.0
sip_general_additional.conf:localnet=10.8.0.0/24
pjsip.transports.conf:local_net=10.8.0.0/24

2 thoughts on - Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

  • Your tcpdump doesn’t show the full data of the invite and the 401
    response. You’d probably be better of logging the sip messages from asterisk console with something like:

    pjsip set logger host 10.8.0.143

    It’s quite normal to have an initial 401 response to the first unauthorized INVITE. The 401 should contain an authentication header. The 401 response should be followed up by a second INVITE containing an authorization header. Maybe credentials are not setup correctly on the sip client.

    John