PJ-SIP and IPv6 - No Go?

Hi,

I have my FreePBX 14 Asterisk 13 box set up for IPv6. SSH over IPv6 works as well as web admin and UCP.

I get errors when trying to connect via IPv6 using extensions set up with CHAN-SIP as it says the address family is not supported. No problem, so I went to set up PJ-SIP using IPv6.

I added my entire /56 subnet to the firewall trusted list to start. Responsive firewall is enabled for PJ-SIP and in the services section PJ-SIP is set to allow local as well.

My extensions, when forced to IPv6 mode only, can’t seem to connect at all. There are no entries in the PBX logs.

I have TLS set up for CHAN-SIP and PJ-SIP and SRTP which all works over IPv4.

I noticed in pjsip.transports that there is no bind=IPv6 address and only a bind=IPv4 so I added the NIC’s address in as bind=[XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX]:5062. That didn’t seem to work so I also tried bind=XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:5062 since my Polycom VVX300 reported a connection error in that format, but still nothing.

Anyone at Sangoma or the community have a working IPv6 step-by-step guide for PJ-SIP?

Thanks in advance!

P.S. Here is my ifcfg-eth0 file:

DEVICE=eth0
BOOTPROTO=static
ONBOOT='yes'
IPADDR=XXX.XXX.XXX.XXX
NETMASK=255.255.255.248
GATEWAY=XXX.XXX.XXX.XXX
ZONE=external
DESCRIPTION="unset"
IPV6INIT=yes
IPV6ADDR=XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/128
IPV6_MTU=1492
DEFROUTE=yes
IPV6_AUTOCONF=yes
IPV6FORWARDING=no
NM_CONTROLLED=no

https://wiki.asterisk.org/wiki/display/AST/IPv6+Support

Thanks for the quick reply!

I will give the res_pjsip for IPv6 a try in that guide but just to give a heads up I did try all the options for https://wiki.asterisk.org/wiki/display/AST/Configuring+chan_sip+for+IPv6 and they were a no go.

Also, what do the ACLs for IPv6 do?

Configuring for IPv6

Named ACLs can use ipv6 addresses just like normal ACLs.

[ipv6_example_1]
deny = ::
permit = ::1/128

[ipv6_example_2]
permit = fe80::21d:bad:fad:2323

Added the following into pjsip.transports_custom.conf

[transport-auto-ipv6]
type=transport
protocol=tls
bind=[XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:5061]

but still no luck connecting.

Don’t you need to add this to the existing context, like this?

[transport-auto-ipv6](+)

I’m not sure exactly how to do that. What does the (+) do?

It’s the “Asterisk Way” of telling the system to add this context to any existing context with the same name. It lets you extend the context instead of it being ignored because that context already exists.

I gave your suggestion a try based on what I found already generated by FreePBX in pjsip.transports.conf as seen below:

;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. ;
;--------------------------------------------------------------------------------;
; For information on adding additional paramaters to this file, please visit the ;
; FreePBX.org wiki page, or ask on IRC. This file was created by the new FreePBX ;
; BMO - Big Module Object. Any similarity in naming with BMO from Adventure Time ;
; is totally deliberate. ;
;--------------------------------------------------------------------------------;
#include pjsip.transports_custom.conf

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_media_address=XXX.XXX.XXX.XXX
external_signaling_address=XXX.XXX.XXX.XXX
cert_file=/etc/asterisk/keys/cloud4a.crt
priv_key_file=/etc/asterisk/keys/cloud4a.key
ca_list_file=/etc/asterisk/keys/cloud4a-ca-bundle.crt
method=tlsv1
verify_client=no
verify_server=yes
allow_reload=yes
local_net=XXX.XXX.XXX.XXX/29
local_net=XXXX:XXXX:XXXX:XXXX::/56

So in pjsip.transports_custom.conf I added:

0.0.0.0-tls
type=transport
protocol=tls
bind=[XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:5061]

Still however, no pjsip registration attempts appear in the logs from any of my endpoints. Just a reminder I can SSH, ping, web admin, and UCP all over IPv6 into FreePBX. I even disabled the firewall completely on FreePBX but still nothing.

It’s been a while. Does anyone have a working IPv6 configuration that they can share?

I have it working fine with chan_sip. Did you configure it to bind to [::] ?

Looking back through your posts, it appears you might have the IPv6 syntax wrong.

The address goes in brackets and then the port outside the brackets. E.g. [::]:5060

You should not need to specify the actual address for binding; it should be enough to use [::] which is the same as 0.0.0.0 in IPv4 terms.
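The bracket rule from the reply above, applied to the three bind formats tried earlier in this thread. This is an added example, not code from the original posts and not Asterisk's own parser: `check_bind` and its helpers are hypothetical names, and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def _is_ip(text, version):
    """True if text is a literal IP address of the given version (4 or 6)."""
    try:
        return ipaddress.ip_address(text).version == version
    except ValueError:
        return False

def _port(text):
    """Return text as a port number, or None if it is not one."""
    ok = text.isascii() and text.isdigit() and 0 < int(text) < 65536
    return int(text) if ok else None

def check_bind(value):
    """Classify a bind= value (hypothetical checker). Returns (ok, host, port, note)."""
    value = value.strip()
    if value.startswith("["):
        inner, sep, rest = value[1:].partition("]")
        if not sep:
            return (False, None, None, "missing closing bracket")
        if not _is_ip(inner, 6):
            # Mistake seen in the thread: the port was typed inside the brackets.
            head, _, tail = inner.rpartition(":")
            if _is_ip(head, 6) and _port(tail):
                return (False, head, _port(tail), f"port inside brackets; write [{head}]:{tail}")
            return (False, None, None, "brackets do not contain an IPv6 address")
        if rest == "":
            return (True, inner, None, "ok, no port given")
        if rest.startswith(":") and _port(rest[1:]):
            return (True, inner, _port(rest[1:]), "ok")
        return (False, inner, None, "only :port may follow the closing bracket")
    if value.count(":") >= 2:
        # Unbracketed IPv6: a trailing :port cannot be told apart from the address.
        if _is_ip(value, 6):
            return (True, value, None, "read as a bare address; bracket it if a port was meant")
        head, _, tail = value.rpartition(":")
        if _is_ip(head, 6) and _port(tail):
            return (False, head, _port(tail), f"unbracketed; write [{head}]:{tail}")
        return (False, None, None, "not a valid address")
    host, sep, tail = value.partition(":")
    if _is_ip(host, 4) and (not sep or _port(tail)):
        return (True, host, _port(tail) if sep else None, "ok")
    return (False, None, None, "not a valid address")

if __name__ == "__main__":
    # Constructed samples mirroring the formats tried in the thread.
    for s in ("[::]:5060", "[2001:db8:0:1:2:3:4:5:5061]",
              "2001:db8:0:1:2:3:4:5:5062", "2001:db8::1:5062", "0.0.0.0:5061"):
        print(s, "->", check_bind(s))
```

The fourth sample shows why the brackets matter: with a compressed address, an unbracketed trailing `:5062` is a valid final group, so the value is read as an address with no port at all.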

That’s the format I always understood denoting the port for an IPv6 address but it wasn’t working. My Polycom log files may have led me astray with a weird syntax it uses in the logs.

I’ll give it another go with chan_sip and res_pjsip now that I’m on Asterisk 14.

So, I can get my endpoint to connect via chan_sip over IPv6 by explicitly telling it to bind to the global address. However, I get the following error message in my pbx logs:

[2017-10-31 12:07:26] ERROR[29616] netsock2.c: getaddrinfo("X:X:X:X:X:X:X:X", "42088", ...): Address family for hostname not supported
[2017-10-31 12:07:26] WARNING[29616] chan_sip.c: Could not resolve socket address for '[X:X:X:X:X:X:X:X:]:42088'
[2017-10-31 12:07:26] NOTICE[29616] chan_sip.c: Received SIP subscribe for peer without mailbox: 1005

…and also, no RTP seems to flow.

Also, does anyone have pj_sip working over IPv6 via TLS? The examples posted by other users above aren’t clear which config files I have to append.

This was all I needed to do for ipv6 in chan_sip (from the Asterisk SIP Settings - chan_sip tab)

I’m not quite sure how those settings are working for you and not me?

The errors you posted lead me to think there’s a misconfiguration of your IPv6 stack at the OS level, but I don’t know what exactly.

So it doesn’t work if you bind to [::] ? That would be a concern. Also make sure you don’t have both chan_sip and pjsip trying to bind to the same interface and port.

If I explicitly enter [::] into TLS bind address I get no response when an endpoint tries to connect. Haven’t tried SIP over UDP yet as this is a production system.

Can you verify what happens when you try connecting via IPv6 and SIP over TLS?

Works. Here is a Yealink phone connected:

bell*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description         
...
1105/1105                 2601:98a:XXXX:6a1c:215:YYYY:fe5e:ZZZZ    D  Yes        Yes         A  1025     OK (121 ms)                    

bell*CLI> sip show peer 1105
...
  Addr->IP     : [2601:98a:XXXX:6a1c:215:YYYY:fe5e:ZZZZ]:1025
  Defaddr->IP  : (null)
  Prim.Transp. : TLS
  Allowed.Trsp : UDP,TCP,TLS
...
  Useragent    : Yealink SIP-T22P 7.73.0.50
  Reg. Contact : sip:1105@[2601:98a:XXXX:6a1c:215:YYYY:fe5e:ZZZZ]:1025;transport=TLS

I’m curious why you need to add the following extra sip settings:

tlscapath=/etc/SSL/certs
match_auth_username=yes

Doesn’t FreePBX/Asterisk already know that path by default?

What do you have in your /etc/sysconfig/network-scripts for your eth0, lo, etc interfaces?

The match_auth_username setting is not relevant to TLS or IPv6. It just happened to be captured in the screen shot.

The tlscapath is needed when Asterisk is connecting to a provider over TLS. It uses the CA certs in the directory to validate the provider’s cert. If you are not connecting to providers with TLS then you probably don’t need it. I either had to define this path or turn on “Don’t Verify Server” above.

This server is a Debian instance so the network scripts are a little different but it’s just doing stateless autoconfig to get an address and routing… pretty simple.