Gateway
- Gateway description
- Gateway installation guide
Gateway description
The Gateway is the machine in an Emerginov installation that communicates with regular telecom networks (PSTN, PLMN; in French, RTC: Réseau Téléphonique Commuté, or the mobile network).
Basically, the gateway needs to:
- make/receive voice calls to PSTN/PLMN
- send/receive SMS
Gateways are critical elements and usually involve telecom resources (call minutes, SMS bundles). It is thus very important to keep in mind the risks associated with these elements.
There are several possible options, depending on the Emerginov solution and your environment.
Voice connection
You have two choices to connect a voice gateway to the telecom network (PSTN/PLMN):
Digium E1 (T2) card
An E1 connection (T2 in France: the France Télécom/Orange primary rate access, which provides 30 B channels at 64 kb/s) can be made with a specific Digium card (e.g. TE220):
SIP Trunk
Instead of an E1, you can use a SIP trunk from a SIP provider (e.g. ippi.fr).
SMS connection
To send SMS, you also have two choices:
- SMS USB Modem with a SIM card
- SMSCenter
SMSCenter
If you can get a direct IP connection to an SMS Center (SMPP account), that would be perfect!
SMS USB Modem
Or you can use a USB modem with a SIM card. We recommend the Huawei E220:
Gateway installation guide
Network and VPN configuration
Depending on your configuration, the Gateway machine might not be in the same subnet as the other machines. In fact, the Gateway is usually not a virtual machine, whereas Routing, Gardien, Content and Dev are.
But to work correctly, the Gateway must have direct access to the subnet of the other machines. To do so, you must add a Virtual Private Network (VPN) connection using OpenVPN between your Gateway and Routing.
Fortunately, the Puppet Master on the Gardien machine will generate all the configuration files for both the Routing and Gateway machines for you!
Configure VPN in Puppet configuration files
On the Gardien machine, you must activate the use of the VPN.
emerginov.pp
Edit emerginov.pp:
Scroll down the file to the Gateways nodes section:
## Gateways nodes for enterprise installation
######################################################################################################
Set the $use_vpn variable to true:
Also, set the 'vpn' value of the gateway node to true:
...
'vpn' => true,
...
}
openvpn.pp
Edit openvpn.pp:
Set $vpn_bridge_eth_interface to the private interface of your Routing machine:
Set $vpn_bridge_eth_ip, $vpn_bridge_eth_netmask and $vpn_bridge_eth_broadcast according to your private subnet:
$vpn_bridge_eth_netmask = "255.255.255.0"
$vpn_bridge_eth_broadcast = "192.168.0.255"
Set $vpn_bridge_eth_gw to the IP gateway of your private network:
Be sure that your Gateway IP is between $vpn_bridge_first_client_ip and $vpn_bridge_last_client_ip.
If you are not sure, check the Gateway IP you set in emerginov.pp.
$vpn_bridge_last_client_ip = "192.168.0.240"
Apply configuration on Gardien and Routing
On the Gardien node, apply the configuration:
On the Routing node, apply the configuration as well:
Your Routing machine is now ready to accept VPN connections from your Gateway machine.
Configure VPN on Gateway
To let the Gateway machine connect to the Routing machine, you need to configure the VPN on the Gateway machine.
Install OpenVPN
First, install OpenVPN on the Gateway:
Get back configuration files from Gardien
Second, the configuration files for the Gateway were generated by Puppet on Gardien in the previous section. Let's retrieve these files:
On Gardien:
tar -czf gateway_openvpn_conf.tar.gz *
Now transfer gateway_openvpn_conf.tar.gz from Gardien to the Gateway any way you want. Here, we do it over SSH with scp:
scp gateway_openvpn_conf.tar.gz user@PUBLIC_IP_ADDRESS_OF_GATEWAY:/tmp/
Back on the Gateway, extract the tar.gz file into the OpenVPN config directory:
cd /etc/openvpn/
tar -xzf gateway_openvpn_conf.tar.gz
Check that the files have been transferred correctly:
This should produce something like:
drwxr-xr-x 2 root root 4,0K nov. 7 17:30 .
drwxr-xr-x 87 root root 4,0K nov. 7 17:24 ..
-rw-r----- 1 root 114 1,2K oct. 30 16:45 ca.crt
-rw-r--r-- 1 root root 224 nov. 7 17:10 client.conf
-rw-r----- 1 root 114 3,3K oct. 30 16:45 gateway.emerginov.localnet.crt
-rw-r----- 1 root 114 745 oct. 30 16:45 gateway.emerginov.localnet.csr
-rw-r----- 1 root 114 916 oct. 30 16:45 gateway.emerginov.localnet.key
-rw-r--r-- 1 root root 3,7K nov. 7 17:29 gateway_openvpn_conf.tar.gz
-rwxr-xr-x 1 root root 1,4K sept. 30 21:14 update-resolv-conf
Start OpenVPN
On Gateway:
Check connection
On the Gateway, try to ping the other machines:
ping 192.168.0.226 # this is Gardien
Both pings should produce something like:
64 bytes from 192.168.0.226: icmp_req=1 ttl=64 time=1.30 ms
64 bytes from 192.168.0.226: icmp_req=2 ttl=64 time=1.45 ms
^C
--- 192.168.0.226 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.302/1.377/1.453/0.084 ms
If everything went fine, congratulations, your VPN is working!
If not, check your network connectivity; you can also contact us.
Install Gateway with puppet
Before going further, be sure that the Gateway can communicate with Gardien (through the VPN if you followed the previous section, directly if your Gateway is already in your private subnet).
Prepare your machine
First, be root:
Update your machine
apt-get upgrade
apt-get dist-upgrade
If necessary, reboot:
Add the Emerginov Launchpad repo:
add-apt-repository ppa:emerginovteam/emerginov
apt-get update
Start the installation using puppet
In the same way you did for all the other machines, install the emerginov-agent package:
Run emerginov-apply a first time to connect to the Puppet master (which is on Gardien):
On the Gardien machine, run the following commands so that the Puppet master accepts the Gateway machine:
puppet cert sign gateway.emerginov.localnet
emerginov-nursery-auth.sh --create
Back on the Gateway machine, run emerginov-apply twice more:
# ...
# Wait for completion..
# ...
emerginov-apply
At the end, you must have run emerginov-apply at least 3 times.
Restart services
Depending on your installation, you may need to restart both the dahdi and asterisk services:
service asterisk restart
Tweaking Gateway parts
Remember that all the Puppet configuration is located on the Gardien machine. So every configuration tweak must be done on Gardien and then applied on the Gateway (using emerginov-apply).
Requirements
In an Enterprise installation, you can use:
- a SIP trunk or T2 DAHDI for voice calls
- a USB modem or an SMS Center for SMS
If your Gateway machine is a virtual machine, you may have trouble plugging in the USB modem and the T2 card...
If you are using Proxmox as your virtual machine server, we know that some installations work with USB passthrough:
https://pve.proxmox.com/wiki/USB_physical_port_mapping
SIP Trunk configuration
If you choose to use a SIP trunk for voice calls, most of the configuration is inside the asterisk_gw Puppet module.
The main file is sip.conf.erb; open it:
Take a look at the end of the file:
; SIP TRUNK REGISTRATIONS
;-----------------------------------------------------------------------
; Here are some registration sample to use when Asterisk is also used as
; a GW to go through an external SIP account provider (aka sip trunk)
; Asterisk can register as a SIP user agent to a SIP proxy (provider)
; Format for the register statement is:
; register => [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry]
register => sip-outside?USER:PASSWORD@DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER/332xxxxxxxx
[sip-outside]
type=peer
host=DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER
outboundproxy=DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER,force
username=USER
secret=PASSWORD
context=pstn2ip
insecure=invite,port
You will need to edit the line starting with register and replace the values with the correct ones from your SIP trunk provider.
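The register grammar quoted in the comment above, as an added example (not Emerginov's or Asterisk's code): a Python parser that maps a register line to its named fields, run on this page's template line so you can see exactly which values (user, secret, host, extension) you are replacing.

```python
import re

# Grammar quoted in sip.conf.erb (Asterisk chan_sip):
# register => [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry]
REGISTER_RE = re.compile(r"""
    ^\s*register\s*=>\s*
    (?:(?P<peer>[^?\s]+)\?)?              # optional "peer?" (e.g. sip-outside?)
    (?:(?P<transport>udp|tcp|tls)://)?    # optional transport
    (?P<user>[^@:/~\s]+)                  # user
    (?:@(?P<domain>[^@:/~\s]+))?          # optional @domain (before the secret)
    (?::(?P<secret>[^@:/~\s]+)            # optional :secret ...
       (?::(?P<authuser>[^@:/~\s]+))?)?   # ... and :authuser
    @(?P<host>[^@:/~\s]+)                 # host, required
    (?::(?P<port>\d+))?                   # optional :port
    (?:/(?P<extension>[^~\s]+))?          # optional /extension
    (?:~(?P<expiry>\d+))?                 # optional ~expiry (seconds)
    \s*$
""", re.VERBOSE)

def parse_register(line):
    """Map one register statement to its named fields; raise if it does not fit the grammar."""
    m = REGISTER_RE.match(line)
    if not m:
        raise ValueError("not a valid register statement: %r" % line)
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    for numeric in ("port", "expiry"):
        if numeric in fields:
            fields[numeric] = int(fields[numeric])
    return fields

# Constructed input: the template line quoted on this page, placeholders still in place.
PAGE_LINE = "register => sip-outside?USER:PASSWORD@DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER/332xxxxxxxx"
```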
T2 Dahdi
If you have a valid T2 configuration (only available in the Enterprise version), everything should work without any modification.
Some information regarding DAHDI cards can be found here:
http://www.voip-info.org/wiki/view/DAHDI
Once the T2 is up and running, you must configure the routing within your Emerginov platform.
You must:
- log in on the administration page https://<your_emerginov>/admin
- select the "VoIP" menu
- log in on the VoIP admin (same credentials)
- select the "System" menu
- select the "Dynamic Routing" menu
The following page shall be displayed:
The first time you access this page, the list of gateways shall be empty. Configuring this page is required to connect the gateway to the VoIP solution.
You must then click on "Add New"; a new window will be displayed to configure the gateway:
- GWID: the ID of the gateway; the system can manage several gateways, so this ID shall be unique
- Type: select "2-PSTN"
- Address: enter the IP address of the gateway
- Strip: 0
- PRI Prefix: not used
- Probe Mode: 0 - Never (default option)
- Attributes: empty
- Description: you can enter the description of the platform
Then click on "Add" and "Apply changes to server" to take the modification into account.
You will then see a red dot in the Status column, meaning that no routing rule has been created yet. Such routes shall be added to make sure that the traffic can be routed. By default no route is set; it is up to the administrator to decide which destinations will be allowed through the gateway.
To add a new rule, click on Rules at the top of the "Dynamic Routing" menu. A new page will be displayed:
Initially the table of routes is empty; click on "Add New" to create a new rule.
You shall specify the following elements:
- Group ID: 0 - Regular
- Prefix: the prefix used for routing; you can specify a country code (e.g. 221) or be more specific and allow only one number (e.g. 2213456789). Please note that you must also set up more controls on the PSTN side (at the switch/MSC level) and/or on the gateway if you want to restrict the traffic. The gateway is a critical element: SIP ports are scanned frequently and attacks are very regular. It is therefore mandatory to plan a proper security policy for outgoing traffic through the gateway.
- Priority: 0 by default
- Gateway List: 1 by default
- Attributes: empty
- Description: text explaining the rule (e.g. fixed network in Brittany)
Then click on "Add New" and then "Apply changes to server"; in the Gateways menu the dot shall now be green, indicating that the gateway has at least one rule.
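The allow-list behaviour described above (no route by default, only explicitly added prefixes pass), as an added example that is not part of the Emerginov admin module: a small Python matcher that picks the rule for a dialed number and flags prefixes too short to be a country code. Assumed: the longest matching prefix wins, with the Priority field as tie-breaker; the page does not state the module's exact matching order.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One row of the Dynamic Routing 'Rules' table (fields as on the admin page)."""
    prefix: str             # digits the dialed number must start with
    priority: int = 0       # 0 by default
    gateway_list: str = "1"  # 1 by default
    description: str = ""


def choose_route(dialed: str, rules: List[Rule]) -> Optional[Rule]:
    """Return the rule that routes `dialed`, or None when no rule allows it.

    Assumption (not stated on the page): longest matching prefix wins, and among
    equal-length prefixes the lowest priority value wins.
    """
    if not dialed.isdigit():
        return None                      # malformed number: never routed
    matches = [r for r in rules if dialed.startswith(r.prefix)]
    if not matches:
        return None                      # deny by default: no rule, no route
    return min(matches, key=lambda r: (-len(r.prefix), r.priority))


def overly_broad(rules: List[Rule], min_prefix_len: int = 3) -> List[Rule]:
    """Rules whose prefix is shorter than a country code: they let almost any destination through."""
    return [r for r in rules if len(r.prefix) < min_prefix_len]


# Constructed sample rules built from the page's two examples: a country code and one number.
SAMPLE_RULES = [
    Rule("221", description="whole country code 221"),
    Rule("2213456789", description="one specific number"),
]
```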
Theoretically your gateway shall now be ready; you just have to test it...
If for any reason the call is not successful (see the post installation tests), debug as follows:
- Check that the T2 is OK: on the gateway
- type "rasterisk -vvvv"
- type "sip set debug on"
- dial a call; you shall see the traces in the console. If you do not see anything, check your T2 (see the dahdi and asterisk logs)
- if you see traces in the console, then jump to the Routing VM and use a network analyzer (ngrep -d any port 5060, or tshark, or ...) to see whether the incoming traffic arrives
- if not, check your VPN and the configuration (thanks to the installation by Puppet the risk of misconfiguration is limited, but if you did not indicate the right address, it will not work...)
- if yes, jump into the Dev machine and type rasterisk -vvv, then sip set debug on; you shall see the incoming call
- if not, check the logs in /var/log/asterisk/messages and the configuration
Please see administration guide for further information on the dial plan management.
USB Modem
The USB modem is handled by Kannel. We have already done most of the configuration to work with a Huawei E220 and some other modems or phones.
You'll find the Kannel configuration file in the kannel Puppet module.
The main file to edit is kannel.conf.erb:
You might need to edit at least this section:
And maybe this one:
If your SIM card needs a PIN, do not forget to set it:
# your sim card
pin=0000
SMS Center
The SMS Center connection is handled by Kannel. We have already done most of the configuration to work with a regular SMS Center.
You'll find the Kannel configuration file in the kannel Puppet module.
You shall fill in the section dedicated to the declaration of the SMSC connection; you should be able to get the information from your SMPP provider.
The main file to edit is kannel.conf.erb (under /etc/puppet/module/asterisk_gw on the machine (Compact) or on the Gardien VM (Enterprise)):
#################
group = smsc
smsc = smpp
smsc-id = emerg
host = <the IP of your SMPP provider>
port = <the port of your SMPP provider>
smsc-username = <smsc username provided by your SMPP provider>
smsc-password = <smsc password provided by your SMPP provider>
system-type = ""
connect-allow-ip = <the IP allowed for connection on the gateway, usually you local IP>
keepalive = 60
log-file= "/var/log/kannel/smsc.log"
log-level = 1
max-error-count = 3
transceiver-mode = true
interface-version = "34"
our-host = <your local IP>
enquire-link-interval = 15
Usually a gateway with an SMSC connection has two network cards: one for the connection to the core Emerginov platform and one for the SMSC. The local IP shall be the one used to bind to the SMSC.
See the Kannel documentation for more details.
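An added check (not Kannel's or Emerginov's code) for the smsc group above: it parses Kannel's group/key = value layout and reports keys that are missing or still hold a <placeholder> from the template, so the configuration is not applied half-filled. The required-key list is an assumption drawn from the template.

```python
# Constructed input: the smsc group template from this page, trimmed to the keys checked below.
PAGE_TEMPLATE = """
#################
group = smsc
smsc = smpp
host = <the IP of your SMPP provider>
port = <the port of your SMPP provider>
smsc-username = <smsc username provided by your SMPP provider>
smsc-password = <smsc password provided by your SMPP provider>
connect-allow-ip = <the IP allowed for connection on the gateway, usually you local IP>
our-host = <your local IP>
"""

# Keys the SMPP connection cannot work without (assumption drawn from the template above).
REQUIRED = ("host", "port", "smsc-username", "smsc-password", "connect-allow-ip", "our-host")


def parse_kannel_groups(text):
    """Split a Kannel config into groups: one starts at 'group = <name>', a blank line ends it."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in Kannel configs
        if not line:
            current = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "group":
            current = {"group": value}
            groups.append(current)
        elif current is not None:
            current[key] = value
    return groups


def is_placeholder(value):
    return value.startswith("<") and value.endswith(">")


def check_smpp_group(group):
    """Problems that would stop this smsc group from connecting (empty list means it looks complete)."""
    problems = []
    if group.get("group") != "smsc" or group.get("smsc") != "smpp":
        problems.append("not an SMPP smsc group")
    for key in REQUIRED:
        value = group.get(key, "")
        if not value:
            problems.append("missing " + key)
        elif is_placeholder(value):
            problems.append("placeholder left in " + key)
    port = group.get("port", "")
    if port and not is_placeholder(port) and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("port is not a valid TCP port")
    return problems
```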
Apply configuration
Once your tweaks are done, apply the configuration on the Gateway:
Testing
To check that everything is working fine, please follow the Post Installation Testing Suite.