Index of /log/Interweb/index.html

After lots of trying and giving up, I've finally configured an asterisk server on my Ubuntu server. I got it to accept connections from my SIP client, and to connect to XS4ALL's "Bellen" SIP service.

First, the easy bit: installing asterisk. You can do this with the following command: apt-get install asterisk (note: as Joe Terranova points out, you should pay attention to the security side of this. Installing on a machine inside your LAN isn't too much of a risk, but if you install it on a machine with a public IP address, make sure you have all security fixes installed, and set up iptables.)

Then you have to configure the beast. This can look hard, because there are almost 80 config files in /etc/asterisk. Furtunately, you can ignore most of them for now.

SIP accounts

First, add a SIP account to sip.conf. An entry for a SIP account look like this:

[connection_nickname]
type=peer
nat=yes        ; Or "no", if your client has a public IP
username=the_username
secret=password123
canreinvite=no ; Ekiga needs this
context=default

Once you've configured this, restart asterisk, and tell your favorite SIP client it to connect to your server using the username you just added. Then use it to call 1000, and you should get a test system.

Now you have a working SIP server with one client, you can add more clients… and there's the first problem: there's no way to make a call to the SIP clients. To make this possible, you have to add entries to the dialplan in extensions.conf.

Find the [default] section, and for every SIP client, add lines like these to the section. You may want to remove the include => demo line: it provides the "test" you called earlier.

exten => 2001,1,Dial(SIP/connection_nickname,30)

Give all your clients unique extensions (you can even use names!). Restart asterisk when you've added all extensions, and try calling other logged-in extensions. Congratulations! You now have a basic, working SIP PBX (without a connection to anywhere else, though).

The sections in extensions.conf are called contexts, and you can use them for access control. Every connection to/from the Asterisk server has a context, and can only call extensions in that context. You can use this to make sure that only some people can make expensive calls.

The Outside World

To connect to the "normal" phone system, you can use a SIP account. I have an account at XS4ALL, so I created a SIP account in their service centre. Then I added this to the [general] section in sip.conf (replace the xxxxxx bit with the phone number you got):

register => xxxxxxxxxx:password123@sip.xs4all.nl/xs4all-in

This makes asterisk register with the XS4ALL SIP server, with incoming calls going to extension "xs4all-in". All you have to do to accept these calls, is define the extension in extensions.conf:

[incoming]
exten => xs4all-in,1,Dial(SIP/2001) ; When there's an incoming call from the
                                       ; SIP provider, step 1 is: forward to 
                                       ; SIP/2001 

Note that it's in its own context, so it can't call your extensions (or other SIP accounts!) directly.

You probably also want to use this SIP account to call other people. For that, you'll need another change in both sip.conf and extensions.conf:

sip.conf:
[xs4all]
type=friend
context=incoming
nat=no
username=xxxxxxxxxx
fromuser=xxxxxxxxxx
host=sip.xs4all.nl
fromdomain=sip.xs4all.nl
secret=password123
canreinvite=no
dtmfmode=inband
insecure=very ; Don't worry
disallow=all
allow=gsm
allow=alaw
allow=ulaw
qualify=yes

extensions.conf:
[outgoing]
exten =" _X.,1,Dial(SIP/xs4all/${EXTEN},60,r)

This adds an outgoing SIP line to Asterisk, and adds an extension for "all numbers with one or more digits 0-9", that calls that number on the outgoing SIP line. Make sure you include the "outgoing" context in the context your SIP client is in, so this extension is found when you dial a number.

More information

Lots of information on configuring asterisk and related programs can be found at the VOIP Wiki.

I've recently tried to get XS4ALL Mobiel UMTS working a GlobeSurfer iCON 7.2 on Ubuntu. This isn't as easy as it should be, so I'm documenting how I did it here.

usb_modeswitch

The device starts in disk mode, which autostarts and installs the driver on Windows. These drivers are useless to us (the option driver is available in the default Ubuntu kernel), and the device won't do serial things unless it's "switched" to serial mode.

To do this, you need to download usb_modeswitch, and compile it using the compile.sh command (the build-essential and libusb-dev packages are required for this).

Then edit usb_modeswitch.conf, comment the configuration variables that are active in the distributed config file, and uncomment the ones for the "Option GlobeSurfer Icon 7.2". After editing the file, copy it to /etc. Also copy the compiled binary (usb_modeswitch) to /usr/local/bin.

Now you need to set up the system so it will run the mode-switch tool automatically when you insert the UMTS device. You can do this by creating a custom udev rule. Create a file called 80-usb_modeswitch.rules in /etc/udev/rules.d with the following content:

SUBSYSTEM=="usb", SYSFS{idProduct}=="1000", SYSFS{idVendor}=="05c6", RUN+="/usr/local/bin/usb_modeswitch"

Note that you might have to undo most of this once usb_modeswitch has been packaged properly.

PPP

The PPP configuration tools are currently a bit buggy, so it's easier to just create your own chat scripts and ppp configuration files. This isn't very interesting, so I'll just list the filenames and their contents.

/usr/local/bin/umts_chatscript

#! /bin/bash
/usr/sbin/chat -V -f /etc/chatscripts/umts-pin || /usr/sbin/chat -V -f /etc/chatscripts/umts-nopin
/usr/sbin/chat -v -f /etc/chatscripts/umts

Note that this file should be executable! Also note that the first script (umts-prep) sends the PIN to the modem. If this fails, the modem probably already has the PIN, so the dial script continues. If the PIN sending was in the same chat script as the dialing, it would be much harder to ignore the error.

/etc/ppp/peers/xs4all-umts

/dev/ttyUSB0 460800
connect "/usr/local/bin/umts_chatscript"
lock

defaultroute

modem
crtscts

usepeerdns
noipdefault

user xs4allusername
password ""

Use the username from the letter XS4ALL sent you with your SIM, or it won't work.

/etc/chatscripts/umts-pin

ABORT BUSY
ABORT ERROR
ABORT 'NO CARRIER'
REPORT CONNECT
TIMEOUT 10
# Set your pin here 
"" "AT+CPIN=0000"

Don't forget to set your pin!

/etc/chatscripts/umts-nopin

ABORT BUSY
ABORT ERROR
ABORT 'NO CARRIER'
REPORT CONNECT
TIMEOUT 10
# Set your pin here 
"" "ATZ"

Don't forget to set your pin!

/etc/chatscripts/umts

ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
REPORT CONNECT
# Prefer UMTS, but switch back to GPRS if it's not available 
"" "AT_OPSYS=3,2"
OK "AT+CGDCONT=1,\"ip\",\"umts.xs4all.nl\""
TIMEOUT 10
OK "ATD*99***1#"
CONNECT \c

Conclusion

You can now connect using Network Manager, or manually using pon xs4all-umts on the command line. Network Manager currently has a bug: it doesn't detect that the network connection is established, so it won't tell the desktop environment that there's a network connection, so some programs might insist on being in "offline mode".

I haven't found a simple signal level monitoring application. This should either be incorporated into Network Manager, or maybe a small applet-like program is needed.

I think this should all work out of the box, or with minimal configuration. It's way too hard now.

After setting up IPsec with pre-shared keys (in the previous post), I upgraded my setup to use X.509 certificates. This makes it possible to revoke keys (which makes it impossible to connect using those keys.. always nice if a machine gets compromised), and you'll get a key that's generated by something that knows how to generate secure keys (openssl), which is always better than a short 'human-generated' pre-shared key.

It's probably easiest to set up your own CA for this. You can do this by hand using the CA.pl file included with the openssl package, but it's easier to install the tinyca package, and create the certificates from there.

When you've generated a server key for every host you want to set up IPsec on, and exported the public CA certificate and a CRL, you should put the following things in /etc/racoon/certs:

1. The CA certificate (the same on all machines)
2. The CRL (the same on all machines)
3. The certificate (different on all hosts)
4. The private key (different on all hosts)

You should make sure the private key isn't encrypted. Racoon can't handle that yet. The easiest way to do this is to export the certificate/key pair from tinyca using the 'tar' option, then extract the files from the .tar file into the /etc/racoon/certs directory, and run openssl rsa -in my_key.pem -out my_key.pem on it, to remove the password from the key.

After this, you need to let racoon be able to find your CRL. This is done by giving it a filename that's identical to the CA certificate hash. You can do this by running the following command:

# ln -s yourca.crl `openssl x509 -noout -hash -in yourca-cacert.pem`.r0

Now all that's left is actually configuring racoon itself. You need to point it at the certificates you just installed, and have it verify the certificate the other side sends us. All the linked config does is check if it's signed by the same CA, and the signature hasn't been revoked. Check the racoon.conf manual page for more info on the config file format, and the possibility of stricter checks.

I've set up an IPsec tunnel between my network at home and my colocated server. This makes a few things easier: I can now connect to all my machines at home from my server without having to set up port forwarding first (using SSH, of course), and it'll always be encrypted, so if I wanted to, I could even use "unsafe" protocols over the internet. It also exercises the Padlock bits of my VIA C3 CPUs, which means there's almost no slowdown.

First, you have to determine a few things (the values I'll assume in this post are between parentheses):

• The server's (public) IP address (172.16.0.1)
• The client's (public) IP address (172.17.0.1)
• The network you want to use on the server side (10.0.1.0/24)
• The network you want to use on the client side (10.0.2.0/24; this should be a different network from the one on the server)

When you've figured those bits out, install Racoon (it's in the 'racoon' package). Racoon is an IKE daemon. It will listen on port 500 (UDP) for incoming requests and negotiate the keys and encryption methods to use on the IPsec (encrypted) link.

Then it's time to configure racoon. I chose the "old-fashioned" way (not using racoon-tool), because racoon-tool in 6.06LTS is too buggy for me. If you do it like this, you have to edit two files: /etc/racoon/racoon.conf and /etc/ipsec-tools.conf

On the server, you will need a configuration like these racoon.conf and ipsec-tools.conf files. You can read the racoon.conf and setkey manual pages to understand what they're doing.

The configuration files on the client are almost the same, but in the IPs and subnets are in reverse (racoon.conf, ipsec-tools.conf). There's one other difference: the client configuration contains passive off; while the server config contains passive on;. This means that the server will never initiate the connection, so the client will always have to do this first (sending one packet through the tunnel should be enough). If you want the server to be able to initiate the connection as well, you need to set passive to off there too.

After this, all you need to do is set up the shared key, and restart some services. After that, everything should work. Shared keys are configured in /etc/racoon/psk.txt, in the format identifier key. In our case, the identifier is the IP address (of the host we're connecting to), so on the server you put 172.17.0.1 yourkeyhere in there, and on the client you use 172.16.0.1 yourkeyhere.

Make sure both keys are identical, then execute the following commands, and everything should start working the moment you try to send the first packet over the network: /etc/init.d/racoon stop; /etc/init.d/setkey restart; /etc/init.d/racoon start

Please note that you shouldn't use simple words or sentences as a key. The pre-shared key is (afaik) the weakest part in the security of this setup. I'll explain how to use X.509 certificates instead of pre-shared keys in a later post.

If you're also doing firewalling or some kind of NAT on one of the IPsec endpoints, make sure you allow traffic with protocol 'esp' to the remote endpoint.

In the coming weeks I'll extend this with X.509 certificates and a "Roadwarrior" setup, which will allow clients without a known IP address (like travelers with a laptops) to connect.

Loe, it's easy to set up Ekiga to work with your XS4ALL VOIP account: just make sure that traffic to the SIP port (5060) is being forwarded to the right computer on your network (if you're using NAT), and configure Ekiga as follows (the greyed out parts are my XS4ALL phone number):

I got my new ADSL connection/speed today (with minimal downtime, too!). I'm at 12004/1029 Kbit/sec now. And no data limits! :)