Probably the 401 didn’t make it to the client and what you are seeing are retransmission.
-ovidiu On Tue, Aug 24, 2021 at 11:54 오택경 <o...@kaist.ac.kr> wrote: > I tried to use all of the algorithms which fhoss can support, but they did > not work. > > Fortunately, I found that my UE did not send the digest response for the > received nonce to the server after 401 unauthorized. > (digest response content is empty in the 2nd register packet.) > > I think this is the cause of the authentication problem. So I changed to > another smartphone, but the same problem has occurred. > > > > -----Original Message----- > From: "Yuriy Gorlichenko" <ovoshl...@gmail.com> > To: "오택경" <o...@kaist.ac.kr>; > Cc: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>; > Sent: 2021-08-24 (화) 21:37:36 (UTC+09:00) > Subject: Re: Re: [SR-Users] [VoLTE] 401 unauthorized error > > I do not remember, to be honest, if IMS supports basic md5 auth > algorithms. You need to go through specs about algo supported. Also try to > look into docs of kamailio ims modules which algorithms it implements. If > you find one which satisfies your device for negotiation then just use it. > If no - try to update your client to have support of one of the proper > algorithms. > > On Tue, 24 Aug 2021, 10:45 오택경, <o...@kaist.ac.kr> wrote: > > Thank you for your help! > > I looked into the UE's IMS register request as you told me. (the content > of request is shown below) > > As my thinking, my UE can support only two algorithms: hmac-sha1-96 and > hmac-md5-96. > > But fhoss cannot support above auth algorithms (fhoss can support > digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, > early-ims-security, nass-bundled and sip digest). > > What algorithm should I switch to for authentication in fhoss? Or do I > have to change the UE device (smartphone) for auth? > > Very thanks, > Taekkyung Oh. > > *<IMS register request from the UE>* > *Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) > on interface 0* > *Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: > 02:42:ac:16:00:06 (02:42:ac:16:00:06)* > *Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6* > *User Datagram Protocol, Src Port: 2152, Dst Port: 2152* > *GPRS Tunneling Protocol* > *Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21* > *Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, > Ack: 1, Len: 750* > *[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]* > *Session Initiation Protocol (REGISTER)* > * Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org> SIP/2.0* > * Method: REGISTER* > * Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>* > * Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>* > * [Resent Packet: False]* > * Message Header* > * To: <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org>>* > * SIP to address: > sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org>* > * SIP to address User Part: 001010000031094* > * SIP to address Host Part: > ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>* > * From: <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org>>;tag=qyecbkJ* > * SIP from address: > sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <sip:001010000031...@ims.mnc001.mcc001.3gppnetwork.org>* > * SIP from address User Part: 001010000031094* > * SIP from address Host Part: > ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>* > * SIP from tag: qyecbkJ* > * Contact: <sip:001010000031094@192.168.101.3:5060 > <http://sip:001010000031094@192.168.101.3:5060>>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"* > * Contact URI: sip:001010000031094@192.168.101.3:5060 > <http://sip:001010000031094@192.168.101.3:5060>* > * Contact URI User Part: 001010000031094* > * Contact URI Host Part: 192.168.101.3* > * Contact URI Host Port: 5060* > * Contact parameter: > +sip.instance="<urn:gsma:imei:86355804-632692-0>"* > * Contact parameter: +g.3gpp.accesstype="cellular2"* > * Contact parameter: audio* > * Contact parameter: video* > * Contact parameter: +g.3gpp.smsip* > * Contact parameter: > +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n* > * Expires: 600000* > * P-Access-Network-Info: > 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01* > * access-type: 3GPP-E-UTRAN-FDD* > * utran-cell-id-3gpp: 0010100010019B01* > * Supported: path,sec-agree* > * Allow: > INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER* > * Require: sec-agree* > * Proxy-Require: sec-agree* > * [truncated]Security-Client: > ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-sha-1-96* > * prot: esp* > * mod=trans* > * ealg: des-ede3-cbc* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-sha-1-96* > * prot: esp* > * mod=trans* > * ealg: aes-cbc* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-sha-1-96* > * prot: esp* > * mod=trans* > * ealg: null* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-md5-96* > * prot: esp* > * mod=trans* > * ealg: des-ede3-cbc* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-md5-96* > * prot: esp* > * mod=trans* > * ealg: aes-cbc* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * [Security-mechanism]: ipsec-3gpp* > * alg: hmac-md5-96* > * prot: esp* > * mod=trans* > * ealg: null* > * spi-c: 10559690 (0x00a120ca)* > * spi-s: 65664952 (0x03e9f7b8)* > * port-c: 31112* > * port-s: 31803* > * Authorization: Digest > username="001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <001010000031...@ims.mnc001.mcc001.3gppnetwork.org>",realm="ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>",uri="sip:ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>",nonce="",response=""* > * Authentication Scheme: Digest* > * Username: "001010000031...@ims.mnc001.mcc001.3gppnetwork.org > <001010000031...@ims.mnc001.mcc001.3gppnetwork.org>"* > * Realm: "ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>"* > * Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org > <http://ims.mnc001.mcc001.3gppnetwork.org>"* > * Nonce Value: ""* > * Digest Authentication Response: ""* > * Call-ID: txecbknlk@192.168.101.3 <txecbknlk@192.168.101.3>* > * CSeq: 1 REGISTER* > * Sequence Number: 1* > * Method: REGISTER* > * Max-Forwards: 70* > * Via: SIP/2.0/TCP > 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport* > * Transport: TCP* > * Sent-by Address: 192.168.101.3* > * Sent-by port: 5060* > * Branch: z9hG4bKrzecbkJzsat7Xk6daqm5* > * RPort: rport* > * User-Agent: IM-client/OMA1.0 HW-Rto/V1.0* > * Content-Length: 0* > > > > > -----Original Message----- > From: "Yuriy Gorlichenko" <ovoshl...@gmail.com> > To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>; > Cc: > Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00) > Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error > > > Hi 401 is normal response for sip auth > It is also normal response for IMS service > Look into sip basic auth mechanism to clarify what is going on here and > additionally look into Spec of IMS auth. There should be only auth algo > change > I believe you did not check further request processing. > On Mon, 23 Aug 2021, 18:19 오택경, <o...@kaist.ac.kr> wrote: > > Hi. > > I am implementing the VoLTE setup with the dockerized project ( > https://github.com/herlesupreeth/docker_open5gs). > > I have almost done to run the VoLTE service, but 401 unauthorized error in > sip and auth-pending error in fhoss have occured. > > How can I fix this problem? > > I will share the discussion note in which I tried to solve some problems > including the above one. > : https://github.com/herlesupreeth/docker_open5gs/issues/55 > > Very thanks, > Taekkyung Oh. > __________________________________________________________ > Kamailio - Users Mailing List - Non Commercial Discussions > * sr-users@lists.kamailio.org > Important: keep the mailing list in the recipients, do not reply only to > the sender! > Edit mailing list options or unsubscribe: > * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > > __________________________________________________________ Kamailio - > Users Mailing List - Non Commercial Discussions * > sr-users@lists.kamailio.org Important: keep the mailing list in the > recipients, do not reply only to the sender! Edit mailing list options or > unsubscribe: * > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > > > > > > -----Original Message----- > From: "Yuriy Gorlichenko" <ovoshl...@gmail.com> > To: "Kamailio (SER) - Users Mailing List" <sr-users@lists.kamailio.org>; > Cc: > Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00) > Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error > > > Hi 401 is normal response for sip auth > It is also normal response for IMS service > Look into sip basic auth mechanism to clarify what is going on here and > additionally look into Spec of IMS auth. There should be only auth algo > change > I believe you did not check further request processing. > On Mon, 23 Aug 2021, 18:19 오택경, <o...@kaist.ac.kr> wrote: > > Hi. > > I am implementing the VoLTE setup with the dockerized project ( > https://github.com/herlesupreeth/docker_open5gs). > > I have almost done to run the VoLTE service, but 401 unauthorized error in > sip and auth-pending error in fhoss have occured. > > How can I fix this problem? > > I will share the discussion note in which I tried to solve some problems > including the above one. > : https://github.com/herlesupreeth/docker_open5gs/issues/55 > > Very thanks, > Taekkyung Oh. > __________________________________________________________ > Kamailio - Users Mailing List - Non Commercial Discussions > * sr-users@lists.kamailio.org > Important: keep the mailing list in the recipients, do not reply only to > the sender! > Edit mailing list options or unsubscribe: > * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > > __________________________________________________________ Kamailio - > Users Mailing List - Non Commercial Discussions * > sr-users@lists.kamailio.org Important: keep the mailing list in the > recipients, do not reply only to the sender! Edit mailing list options or > unsubscribe: * > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > __________________________________________________________ > Kamailio - Users Mailing List - Non Commercial Discussions > * sr-users@lists.kamailio.org > Important: keep the mailing list in the recipients, do not reply only to > the sender! > Edit mailing list options or unsubscribe: > * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users > -- VoIP Embedded, Inc. http://www.voipembedded.com
__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users@lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users