Gateway


  1. Gateway description
    1. Voice connection
      1. Digium E1 (T2) card
      2. SIP Trunk
    2. SMS connection
      1. SMSCenter
      2. SMS USB Modem
  2. Gateway installation guide
    1. Network and VPN configuration
      1. Configure VPN in Puppet configuration files
        1. emerginov.pp
        2. openvpn.pp
      2. Apply configuration on Gardien and Routing
      3. Configure VPN on Gateway
        1. Install OpenVPN
        2. Get back configuration files from Gardien
        3. Start OpenVPN
        4. Check connection
    2. Install Gateway with puppet
      1. Prepare your machine
      2. Start the installation using puppet
      3. Restart services
    3. Tweaking Gateway parts
      1. Requirements
      2. SIP Trunk configuration
      3. T2 Dahdi
      4. USB Modem
      5. SMS Center
      6. Apply configuration
    4. Testing

Gateway description

The Gateway is the machine in an Emerginov installation that communicates with the regular telecom networks (such as PSTN and PLMN; in French, RTC, Réseau Téléphonique Commuté, or the mobile network).

Basically, the gateway needs to:

  • make/receive voice calls to PSTN/PLMN
  • send/receive SMS

Gateways are critical elements and usually involve telecom resources (call minutes, SMS bundles). It is therefore very important to keep in mind the risks associated with these elements.

There are many possible options, depending on the Emerginov solution and your environment.

Voice connection

You have 2 choices to connect a voice gateway to the telecom network (PSTN/PLMN):

Digium E1 (T2) card

An E1 connection (T2 in France: the France Télécom/Orange primary rate access, which comprises 30 B channels at 64 kb/s) can be made with a specific Digium card (e.g. TE220):

http://www.astelcom.fr/images/stories/DigitalCards/te220-lrg.jpg

SIP Trunk

Instead of using an E1, you can use a SIP Trunk from a SIP provider (e.g. ippi.fr).

SMS connection

To send SMS, you have 2 choices as well:

  • SMS USB Modem with a SIM card
  • SMSCenter

SMSCenter

If you can have a direct IP connection to an SMS Center (SMPP account), this would be perfect!

SMS USB Modem

Or you can use a USB Modem with a SIM card. We recommend the Huawei E220:

http://www.huaweie220.com/HuaweiE220.jpg

Gateway installation guide

Network and VPN configuration

Depending on your configuration, the Gateway machine might not be in the same subnet as the other machines. In fact, usually the Gateway is not a Virtual Machine while Routing, Gardien, Content and Dev are.

But, to work correctly, the Gateway must have direct access to the subnet of the other machines. To do so, you must add a Virtual Private Network (VPN) connection using OpenVPN between your Gateway and Routing.

Fortunately, the Puppet Master on the Gardien machine will generate all the configuration files for both the Routing and Gateway machines for you!

Configure VPN in Puppet configuration files

On the Gardien machine, you must enable the use of the VPN.

emerginov.pp

Edit emerginov.pp:

vim /etc/emerginov/emerginov.pp

Scroll down the file to the Gateways nodes section:

######################################################################################################
## Gateways nodes for enterprise installation
######################################################################################################

Set the $use_vpn variable to true:

    $use_vpn = true

Also, set the 'vpn' value of the gateway node to true:

    $nodes['gateway'] = {
                   ...
                   'vpn'               => true,
                   ...
                    }

openvpn.pp

Edit openvpn.pp:

vim /etc/emerginov/openvpn.pp

Set $vpn_bridge_eth_interface to the private interface of your Routing machine:

    $vpn_bridge_eth_interface    = "eth1"

Set $vpn_bridge_eth_ip, $vpn_bridge_eth_netmask and $vpn_bridge_eth_broadcast according to your private subnet:

    $vpn_bridge_eth_ip           = $nodes['routing']['ip']
    $vpn_bridge_eth_netmask      = "255.255.255.0"
    $vpn_bridge_eth_broadcast    = "192.168.0.255"

Set $vpn_bridge_eth_gw to the correct ip gateway of your private network:

    $vpn_bridge_eth_gw           = $nodes['routing']['ip']

Be sure that your Gateway IP is between $vpn_bridge_first_client_ip and $vpn_bridge_last_client_ip.
If you are not sure, check the Gateway IP you set in emerginov.pp.

    $vpn_bridge_first_client_ip  = "192.168.0.200"
    $vpn_bridge_last_client_ip   = "192.168.0.240"
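
The consistency rules above can be checked before running emerginov-apply. This is an added example, not part of the Emerginov tooling: the function names are hypothetical, 192.168.0.251 is the Routing address used later on this page, and 192.168.0.210 is a constructed Gateway IP.

```sh
#!/bin/sh
# Added example (not Emerginov code): sanity-check the openvpn.pp bridge values.

# ip_to_int A.B.C.D -> prints the address as an integer; fails on bad input.
ip_to_int() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++) {
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit
                n = n * 256 + $i
            }
            ok = 1
        }
        END { if (!ok) exit 1; printf "%.0f\n", n }'
}

# check_vpn_range GATEWAY_IP FIRST LAST BRIDGE_IP NETMASK BROADCAST
# Returns 0 when the Gateway IP is inside the client range and the range,
# bridge IP and broadcast all sit in one subnet; otherwise prints the reason.
check_vpn_range() (
    gw=$(ip_to_int "$1") && first=$(ip_to_int "$2") && last=$(ip_to_int "$3") &&
        br=$(ip_to_int "$4") && mask=$(ip_to_int "$5") && bc=$(ip_to_int "$6") ||
        { echo "malformed IPv4 address in arguments"; exit 1; }
    rc=0
    net=$(( br & mask ))
    if [ "$gw" -lt "$first" ] || [ "$gw" -gt "$last" ]; then
        echo "gateway IP $1 is outside $2-$3"; rc=1
    fi
    if [ $(( first & mask )) -ne "$net" ] || [ $(( last & mask )) -ne "$net" ]; then
        echo "client range $2-$3 leaves the subnet of $4/$5"; rc=1
    fi
    if [ "$bc" -ne $(( net | (mask ^ 4294967295) )) ]; then
        echo "broadcast $6 does not match $4/$5"; rc=1
    fi
    exit "$rc"
)

# Values from this page, plus 192.168.0.210 as a constructed Gateway IP.
check_vpn_range 192.168.0.210 192.168.0.200 192.168.0.240 \
    192.168.0.251 255.255.255.0 192.168.0.255 && echo "VPN bridge values are consistent"
```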

Apply configuration on Gardien and Routing

On Gardien node, apply the configuration:

emerginov-apply

On Routing node, apply the configuration as well:

emerginov-apply

Your Routing machine is now ready to accept VPN connection from your Gateway machine.

Configure VPN on Gateway

To let the Gateway machine connect to Routing machine, you'll need to configure the VPN on Gateway machine.

Install OpenVPN

Firstly, you'll need to install OpenVPN on Gateway:

apt-get install openvpn

Get back configuration files from Gardien

Secondly, the configuration files for the Gateway were generated by Puppet on Gardien in the previous section. Let's retrieve these files:

On Gardien:

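cd /etc/puppet/files/certs/emerginov.localnet/gateway.emerginov.localnet/
# Create the archive in /tmp, where the scp step below expects it; it holds the Gateway's private key, so keep it readable by root only
(umask 077 && tar -czf /tmp/gateway_openvpn_conf.tar.gz *)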

Now you can transfer gateway_openvpn_conf.tar.gz from Gardien to Gateway any way you want. Here, we do it over SSH with scp:

cd /tmp/
scp gateway_openvpn_conf.tar.gz user@PUBLIC_IP_ADDRESS_OF_GATEWAY:/tmp/

Back on Gateway: decompress the tar.gz file into openvpn config dir:

mv /tmp/gateway_openvpn_conf.tar.gz /etc/openvpn/
cd /etc/openvpn/
tar -xzf gateway_openvpn_conf.tar.gz

Check that the files have been transferred correctly:

ls -alh

Should produce something like:

total 36K
drwxr-xr-x  2 root root 4,0K nov.   7 17:30 .
drwxr-xr-x 87 root root 4,0K nov.   7 17:24 ..
-rw-r-----  1 root  114 1,2K oct.  30 16:45 ca.crt
-rw-r--r--  1 root root  224 nov.   7 17:10 client.conf
-rw-r-----  1 root  114 3,3K oct.  30 16:45 gateway.emerginov.localnet.crt
-rw-r-----  1 root  114  745 oct.  30 16:45 gateway.emerginov.localnet.csr
-rw-r-----  1 root  114  916 oct.  30 16:45 gateway.emerginov.localnet.key
-rw-r--r--  1 root root 3,7K nov.   7 17:29 gateway_openvpn_conf.tar.gz
-rwxr-xr-x  1 root root 1,4K sept. 30 21:14 update-resolv-conf
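
The listing above contains the Gateway's private key and the archive it arrived in, so the visual check can be complemented by a scripted one. This is an added example, not part of the Emerginov tooling: the function name is hypothetical, and it assumes client.conf names its ca, cert and key files with plain relative paths.

```sh
#!/bin/sh
# Added example (not Emerginov code): audit the OpenVPN directory after unpacking.
# Assumes client.conf names its files with plain relative paths (no quotes or
# spaces), resolved against the directory itself.

# audit_openvpn_dir [DIR]  -> prints findings, returns 1 if there are any
audit_openvpn_dir() (
    dir=${1:-/etc/openvpn}
    cd "$dir" 2>/dev/null || { echo "cannot enter $dir"; exit 1; }
    rc=0

    # 1. client.conf and every file its ca/cert/key directives name must exist.
    [ -s client.conf ] || { echo "missing or empty: client.conf"; rc=1; }
    for f in $(awk '$1 ~ /^(ca|cert|key)$/ { print $2 }' client.conf 2>/dev/null); do
        [ -s "$f" ] || { echo "missing or empty: $f (named in client.conf)"; rc=1; }
    done

    # 2. A private key must not be readable by every local user.
    keys=$(find . -maxdepth 1 -type f -name '*.key' -perm -004)
    [ -z "$keys" ] || { echo "world-readable private key: $keys"; rc=1; }

    # 3. The transfer archive still holds a copy of the key: delete it once unpacked.
    tars=$(find . -maxdepth 1 -type f -name '*.tar.gz')
    [ -z "$tars" ] || { echo "leftover archive containing the key: $tars"; rc=1; }

    exit "$rc"
)

# Run against a directory given on the command line, e.g. /etc/openvpn.
if [ "$#" -gt 0 ]; then audit_openvpn_dir "$1"; fi
```

On the listing shown above, this reports gateway_openvpn_conf.tar.gz, which is still present in /etc/openvpn and contains a copy of the key.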

Start OpenVPN

On Gateway:

service openvpn restart

Check connection

On Gateway, try to ping other machines:

ping 192.168.0.251 # this is Routing
ping 192.168.0.226 # this is Gardien

Both pings should produce something like:

PING 192.168.0.226 (192.168.0.226) 56(84) bytes of data.
64 bytes from 192.168.0.226: icmp_req=1 ttl=64 time=1.30 ms
64 bytes from 192.168.0.226: icmp_req=2 ttl=64 time=1.45 ms
^C
--- 192.168.0.226 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.302/1.377/1.453/0.084 ms

If everything went fine, congratulations, your VPN is working!
If not, check your network connectivity; you can also contact us.

Install Gateway with puppet

Before going further, be sure that the Gateway is able to communicate with Gardien (with VPN if you followed previous section, without if your Gateway is already in your private subnet).

Prepare your machine

First, be root:

sudo -s

Update your machine

apt-get update
apt-get upgrade
apt-get dist-upgrade

Eventually, reboot:

reboot

Add the emerginov launchpad repo:

apt-get install python-software-properties
add-apt-repository ppa:emerginovteam/emerginov
apt-get update

Start the installation using puppet

In the same way you did for all the other machines, install the emerginov-agent package:

apt-get install emerginov-agent

Run a first emerginov-apply to connect to the puppet master (which is on Gardien):

emerginov-apply

On Gardien machine, run the following commands to let puppet master accept the Gateway machine:

# Run on Gardien
puppet cert sign gateway.emerginov.localnet
emerginov-nursery-auth.sh --create

Back on the Gateway machine, run emerginov-apply again, twice:

emerginov-apply

# ...
# Wait for completion..
# ...

emerginov-apply

At the end, you must have run emerginov-apply at least 3 times.

Restart services

Depending on your installation, you may need to restart both the dahdi and asterisk services:

service dahdi restart
service asterisk restart

Tweaking Gateway parts

Remember that all the puppet configuration is located on the Gardien machine. So every configuration tweak must be made on Gardien and then applied on Gateway (using emerginov-apply).

Requirements

In Enterprise installation, you can use:

  • SIP Trunk or T2 Dahdi for vocal calls
  • USB Modem or SMS Center for SMS

If your Gateway machine is a Virtual Machine, you may have trouble connecting the USB Modem and the T2 card.
If you are using proxmox as your Virtual Machine server, we know that some installations work with USB passthrough:
https://pve.proxmox.com/wiki/USB_physical_port_mapping

SIP Trunk configuration

If you choose to use a SIP Trunk for the vocal calls, most of the configuration is inside the asterisk_gw puppet module.

The main file is sip.conf.erb, open it:

vim /etc/puppet/modules/asterisk_gw/templates/sip.conf.erb

Take a look at the end of the file:

;-----------------------------------------------------------------------
; SIP TRUNK REGISTRATIONS
;-----------------------------------------------------------------------

; Here are some registration sample to use when Asterisk is also used as
; a GW to go through an external SIP account provider (aka sip trunk)

; Asterisk can register as a SIP user agent to a SIP proxy (provider)
; Format for the register statement is:
;       register => [peer?][transport://]user[@domain][:secret[:authuser]]@host[:port][/extension][~expiry]

register => sip-outside?USER:PASSWORD@DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER/332xxxxxxxx

[sip-outside]
type=peer
host=DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER
outboundproxy=DOMAIN_OR_IP_OF_YOUR_SIPTRUNK_PROVIDER,force
username=USER
secret=PASSWORD
context=pstn2ip
insecure=invite,port

You will need to edit the line starting with register and replace the values with the correct values from your SIP Trunk provider.

T2 Dahdi

If you have a valid T2 configuration (only available for Enterprise version), everything should work fine without any modification.
Some information regarding DAHDI cards can be found here:
http://www.voip-info.org/wiki/view/DAHDI

Once the T2 is up and running, you must configure the routing within your Emerginov platform.

You must:

  • log in to the administration page https://<your_emerginov>/admin
  • select the "VoIP" menu
  • log in to the VoIP admin (same creds)
  • select the "System" menu
  • select the "Dynamic Routing" menu

The following page shall be displayed:

[Screenshot: EmerginovVoIP7.png]

The first time you access this page, the list of gateways shall be empty. The configuration of this page is required to connect the gateway to the VoIP solution.

You must then click on "Add New"; a new window will be displayed with the following fields:

  • GWID: the ID of the gateway. The system can manage several gateways, so this ID shall be unique
  • Type: select "2-PSTN"
  • Address: enter the IP address of the gateway
  • Strip: 0
  • PRI Prefix: not used
  • Probe Mode: 0 - Never (default option)
  • Attributes: empty
  • Description: you can enter the description of the platform

Then click on "Add" and "Apply changes to server" to take the modification into account.

You will then see a red point in the Status column; it means that no routing rule has been created. Routes must be added so that the traffic can be routed. By default no route is set; it is up to the administrator to decide which destinations will be allowed through the gateway.

To add a new rule, click on "Rules" at the top of the "Dynamic Routing" menu. A new page will be displayed:

[Screenshot: EmerginovVoIP8.png]

Initially the table of routes is empty; click on "Add New" to create a new rule.

You must specify the following elements:

  • Group ID: 0 - Regular
  • prefix: the prefix used for routing. You can specify a country code (e.g. 221) or be more specific and allow only 1 number (e.g. 2213456789). Please note that, if you want to restrict the traffic, you must also set up more controls on the PSTN side (at the switch/MSC level) and/or on the gateway. The gateway is a critical element: SIP ports are scanned frequently and attacks are very regular. It is therefore mandatory to plan a proper security policy for the gateway's outgoing traffic.
  • Priority: 0 by default
  • Gateway List: 1 by default
  • Attributes: empty
  • description: text to explain the rules (e.g. fixed network in Brittany)

Then click on "Add New" then "Apply to change server". On the Gateways menu the point shall now be green, indicating that the gateway has at least 1 rule.

In theory your gateway is now ready; you just have to test it.

If for any reason the call is not successful (see the post-installation tests), debug as follows:

  • Check that the T2 is OK. On the gateway:
    • type "rasterisk -vvvv"
    • type "sip set debug on"
    • dial a call; you shall see the traces in the console. If you do not see anything, check your T2 (see the dahdi and asterisk logs)
  • If you see traces in the console, go to the Routing VM and use a network analyzer, ngrep -d any port 5060 (or tshark or ..), to see whether the incoming traffic arrives
    • if not, check your VPN and the configuration (thanks to the installation by puppet the risk of misconfiguration is limited, but if you did not indicate the right address, it will not work)
    • if yes, go to the Dev machine and type rasterisk -vvv, then sip set debug on; you shall see the incoming call
      • if not, check the logs in /var/log/asterisk/messages and the configuration

Please see administration guide for further information on the dial plan management.
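
The scanning of SIP ports mentioned above leaves traces in the Asterisk log used in the debug steps. The following added example (not part of the Emerginov project) counts failed SIP registrations per source address; the function names are hypothetical and the log lines are constructed samples in chan_sip's NOTICE format.

```sh
#!/bin/sh
# Added example (not Emerginov code): list sources of repeated failed SIP
# registrations, the usual trace a scanner leaves in the Asterisk log.

# Constructed sample in chan_sip's NOTICE format (the timestamp layout depends
# on logger.conf); addresses come from the RFC 5737 documentation ranges.
sample_log() {
    cat <<'EOF'
[Nov  7 17:30:01] NOTICE[2134]: chan_sip.c:23375 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5071' - No matching peer found
[Nov  7 17:30:01] NOTICE[2134]: chan_sip.c:23375 handle_request_register: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23:5071' - No matching peer found
[Nov  7 17:30:02] NOTICE[2134]: chan_sip.c:23375 handle_request_register: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '198.51.100.23:5071' - Wrong password
[Nov  7 17:30:02] NOTICE[2134]: chan_sip.c:23375 handle_request_register: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23:5071' - No matching peer found
[Nov  7 17:31:40] NOTICE[2134]: chan_sip.c:23375 handle_request_register: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[Nov  7 17:32:05] NOTICE[2134]: chan_sip.c:13063 sip_reg_timeout:    -- Registration for 'USER@sip.example.net' timed out, trying again (Attempt #2)
EOF
}

# failed_sip_sources THRESHOLD   (log on stdin)
# Prints "count source" for each source with at least THRESHOLD failures,
# busiest first. Lines are split on single quotes and read from the END of the
# line, because the From header earlier in the line is chosen by the sender.
failed_sip_sources() {
    awk -F"'" -v min="$1" '
        NF >= 4 && $(NF-2) == " failed for " {
            src = $(NF-1)
            sub(/:[0-9]+$/, "", src)      # drop the source port, if logged
            count[src]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min) print count[ip], ip
        }' | sort -rn
}

# Sources with 3 or more failures in the constructed sample.
sample_log | failed_sip_sources 3
```

On a real Gateway, feed it /var/log/asterisk/messages instead of sample_log and choose a threshold that a mistyped password on a legitimate phone would not reach.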

USB Modem

The USB Modem is handled by Kannel. We already performed most of the configuration to work with a Huawei E220 and some other modems or phones.
You'll find the kannel configuration file in the kannel puppet module.

The main file to edit is kannel.conf.erb:

vim /etc/puppet/modules/kannel/templates/kannel.conf.erb

You might need to edit at least the section:

group = smsc

And maybe:

group = modems

If your SIM card needs a PIN number, do not forget to set it:

# Uncomment following if you need to provide a pin code to unlock
# your sim card
pin=0000

SMS Center

The SMS Center connection is handled by Kannel. We already performed most of the configuration to work with a regular SMS Center.
You'll find the kannel configuration file in the kannel puppet module.

You must fill in the declaration section shown below; you should be able to get the information from your SMPP provider.

The main file to edit is kannel.conf.erb (under /etc/puppet/module/asterisk_gw on the machine (Compact) or the gardien VM (Enterprise)):

# CONFIGURE YOUR SMSC
#################
group = smsc
smsc = smpp
smsc-id = emerg
host = <the IP of your SMPP provider>
port = <the port of your SMPP provider>
smsc-username = <smsc username provided by your SMPP provider>
smsc-password = <smsc password provided by your SMPP provider>
system-type = ""
connect-allow-ip = <the IP allowed for connection on the gateway, usually your local IP>
keepalive = 60
log-file= "/var/log/kannel/smsc.log"
log-level = 1
max-error-count = 3
transceiver-mode = true
interface-version = "34"
our-host = <your local IP>
enquire-link-interval = 15

Usually a gateway with an SMSC connection will have 2 network cards, one for the connection to the core Emerginov platform and one for the SMSC. The local IP shall be the one used to bind the SMSC connection.

See the kannel documentation for more details.

Apply configuration

Once your tweaks are done, apply the configuration on Gateway:

emerginov-apply

Testing

To check that everything is working fine, please follow the Post Installation Testing Suite.