; vim:ft=dosini
; Gatekeeper configuration (Name =GNUGK below; the FileAcct example writes
; /var/log/gnugk.log). Comment marker is ';' at the start of a line.
; Syntax notes: like the DOS/Windows '.ini' files. In the same
; stanza, multiple lines with the same name before the '='
; are concatenated automatically.
; Review note: the sections that decide who may register ([Gatekeeper::Auth],
; [RasSrv::RRQAuth]), who may reach the management status port
; ([GkStatus::Auth]) and which directory credential is used
; ([GkLDAP::Settings]) depend on each other; read them together.
; Protocols:
; H.225 (UDP) Gatekeeper services
; H.225/Q.931 (TCP) Connection/call control
; H.235 (TCP) Security for H.225
; H.245 (TCP) Media channel control for H.225
; RTP (UDP) Video and audio data
; RTCP (UDP) Statistics on RTP
; Signaling:
; Setup: Q.931 setup (connect directly to an endpoint)
; RAS: Registration, Admission and Security
; LRQ: Location ReQuest (ask another gatekeeper about endpoint)
; GRQ: Gatekeeper ReQuest (connect to gatekeeper)
; RRQ: Registration ReQuest (log into gatekeeper)
; IRQ: Information ReQuest (gatekeeper queries endpoint)
; ARQ: Admission ReQuest (call another endpoint via gatekeeper)
; BRQ: Bandwidth ReQuest (ask gatekeeper for bandwidth change)
; DRQ: Disengage ReQuest (close call to another endpoint)
; URQ: Unregister ReQuest (log out of gatekeeper)
; Ports:
; Setup: 1720/tcp
; RAS: 1718/udp 1719/udp

; Core gatekeeper identity, listening addresses and failover.
[Gatekeeper::Main]
Fourtytwo =42
Name =GNUGK
; Home =82.69.39.138/32
; NetworkInterfaces =82.69.39.138/32,10.0.0.1/32
; TCP port of the status (management) interface. Who may connect to it is
; decided by [GkStatus::Auth], which is currently 'rule =allow'.
StatusPort =7400
UseBroadcastListener =0
; TimeToLive =600
; TotalBandwidth =100000
; Failover support.
; EndpointIDSuffix =_gk1
; AlternateGKs =1.2.3.4:1719:false:120:GK2
; Sendto =1.2.3.4:1719
; SkipForwards =4.3.2.1
; RedirectGK =Calls > 50
; You should never need to change any of the following values.
; They are mainly used for testing or very sophisticated applications.
; EndpointSignalPort =1720
; UnicastRasPort =1719
; MulticastPort =1718
; MulticastGroup =224.0.1.41
; ListenQueueLength =1024
; [ms], default 1000. (Kept as a separate comment line: a trailing
; '# ...' on an active value line would become part of the value.)
; SignalReadTimeout =3000
; [ms], default 3000
; StatusReadTimeout =5000
; StatusWriteTimeout =5000

; Call signalling routed through the gatekeeper.
[RoutedMode]
GKRouted =1
H245Routed =1
SupportNATedEndpoints =1
RemoveH245AddressOnTunneling =1
CallSignalPort =0
; Port ranges below (plus RTPPortRange/T120PortRange in [Proxy]) are what a
; firewall in front of the gatekeeper must permit; keep them as narrow as
; the expected concurrent call count allows.
Q931PortRange =30011-30020
H245PortRange =30000-30010
CallSignalHandlerNumber =1
; Calls from neighbour gatekeepers and from endpoints that never registered
; are accepted. Together with 'CallUnregisteredEndpoints =1' in
; [RasSrv::ARQFeatures] this widens who can place calls through this
; gatekeeper; review it against the rules in [Gatekeeper::Auth]. The second
; example at the end of this file shows the stricter
; 'AcceptUnregisteredCalls =0' variant.
AcceptNeighborsCalls =1
AcceptUnregisteredCalls =1
ConnectTimeout =60000
RemoveCallOnDRQ =1
SendReleaseCompleteOnDRQ =1
DropCallsByReleaseComplete =1
; ForwardOnFacility =1
; ShowForwarderNumber =1
; ScreenDisplayIE =
; ScreenCallingPartyNumberIE =

; Media proxying for NATed endpoints.
[Proxy]
Enable =1
; Networks treated as internal (no proxying needed between them).
InternalNetwork =10.0.0.0/8,127.0.0.0/8
RTPPortRange =5000-5010
T120PortRange =40000-40010
ProxyForNAT =1
ProxyForSameNAT =1

; Access control for the status port (StatusPort in [Gatekeeper::Main]).
[GkStatus::Auth]
; This determines who may connect to the status port for the gatekeeper.
; The parameter "rule" may be one of the following:
; forbid:   disallow any connection (default when no rule is given)
; allow:    allow any connection
; explicit: reads the parameter <ip>="<value>" where ip is the
;           IPv4 address of the peering client. <value> is resolved
;           with Toolkit::AsBool. If the ip is not listed the param
;           "default" is used.
; regex:    the <ip> of the client is matched against the given
;           regular expression.
; First the ip-rules (like "explicit") are tested. Only if no such param
; exists the regex is tried. Example: "regex=^195\.71\.(129|131)\.[0-9]+$"
; Active rule: every host that can reach TCP 7400 may open a status
; session. On anything but an isolated management network prefer
; 'explicit' or 'regex' (or restrict the port at the network layer).
rule =allow
; NOTE(review): 'deny' is not among the rule values listed above; the
; documented name for "disallow any connection" is 'forbid'. Confirm which
; spelling the parser accepts before relying on this line.
; rule =deny
; rule =explicit
; rule =regex
; - 195.71.129.*
; - 195.71.100.*
; - 62.52.26.[1-2][0-9][0-9]
; NOTE(review): in the regex below '^' binds only to the first alternative
; and '$' only to the last. The second alternative is therefore matched at
; any position, so e.g. 162.52.26.100 would be accepted because it ends in
; 62.52.26.100. Wrap the whole alternation before using it:
; ^((195\.71\.(129|100)\.[0-9]+)|(62\.52\.26\.[1-2][0-9][0-9]))$
; regex =^(195\.71\.(129|100)\.[0-9]+)|(62\.52\.26\.[1-2][0-9][0-9])$
; only used when "rule =explicit"
; default =forbid
; Shutdown =disable

; PARENT GATEKEEPER
[Endpoint]
; This describes the gatekeeper as an endpoint, so it may
; log onto a parent gatekeeper.
; Type =Gateway
; Gatekeeper =no
; H323ID =SABITY
; Password for registering with the parent; if set, the same plaintext
; credential caveat as for BindUserPW in [GkLDAP::Settings] applies.
; Password =
; Prefix =144865249395
; E164 =1448652493950
; UnregisterOnReload =1
; TimeToLive =900
; RRQRetryInterval =10
; ARQTimeout =2
; NATRetryInterval =60
; NATKeepaliveInterval =86400

[Endpoint::RewriteE164]
; Rewrite E164 numbers; this applies to destination
; numbers for incoming calls, or source numbers for
; outgoing calls, by changing prefixes.
; Note that the rewrites specified in [RasSrv::RewriteE164]
; are done first.
;[!]oldprefix =newprefix[,newprefix]...
; 188889000 =9

; MISCELLANEOUS
[RasSrv::RRQFeatures]
OverwriteEPOnSameAddress =1
AcceptEndpointIdentifier =1
AcceptGatewayPrefixes =1

[RasSrv::ARQFeatures]
; Admission requests for endpoints that are not registered are answered
; (see also AcceptUnregisteredCalls in [RoutedMode]).
CallUnregisteredEndpoints =1
ArjReasonRouteCallToSCN =1
ArjReasonRouteCallToGatekeeper=1
; The value below is the single character '#'. Since ';' is this file's
; comment marker, '#' is presumably read as data here - confirm with the
; parser before treating '#' as a comment anywhere else in this file.
RemoveTrailingChar =#

; DEALING WITH PHONE ROUTING
[RasSrv::GWPrefixes]
; Route E164 number prefixes to other gateways.
;gw[,gw]... =prefix[,prefix]..
; (Repeating a gateway name on several lines concatenates the prefixes,
; per the syntax note at the top of this file.)
; rossi-gt3 =80,90
; rossi-gt3 =05241,0521,5241,521
; ip400-wi1 =0
MCU =9

[RasSrv::RewriteE164]
; Besides other things every number to rewrite has its own key/value-line.
; The implementation is such that all numbers that shall be
; rewritten have to begin with a common prefix given by "Fastmatch".
;
; Doc From the code:
; // Do rewrite to #newE164#. Append the suffix too.
; // old: 01901234999
; // 999 Suffix
; // 0190 Fastmatch
; // 01901234 prefix, Config-Rule: 01901234=0521321
; // new: 0521321999
;
; The rewrite-numbers function takes care of reloads/a HUP signal. Only if
; an e164 number begins with "Fastmatch" is the further rewriting done.
; Only one "Fastmatch" can be given.
; Fastmatch =
; 0190703100 =052418088663
; 01903142 =0521178260
; 5241908601903142 =521178260

[CTI::Agents]
; Allow creating aliases that are virtual queues. Calls to these
; aliases result in an invocation of an external program that will
; return an endpoint to forward the call to.
; Because that program is launched by the gatekeeper, its file and
; directory should not be writable by other users.
; VirtualQueue =Sales,Support
; CTI_Timeout =120

; STATICALLY PREDEFINED ENDPOINTS
[RasSrv::PermanentEndpoints]
; In this section you can put endpoints that don't have RAS support or that
; you don't want to be expired. The records will always be in GK's registration
; table. However, you can still unregister it via status thread.
;ip[:port] =alias,alias,...[;prefix,prefix,...]
; For gateway
; 10.0.1.5 =Citron;009,008
; For terminal
; 10.0.1.10 =798

[NATedEndpoints]
; If the GK can't auto detect your NATed EP set it here
;endpoint =IP
; 704 =11.1.1.111
; 705 =allow

; ENDPOINT AUTHENTICATION
[Gatekeeper::Auth]
; Authentication mechanism
;
; Syntax (angle-bracket names are placeholders):
; <authrule> =<actions>
;
; <authrule> = SimplePasswordAuth | LDAPPasswordAuth
;              | AliasAuth | LDAPAliasAuth | ...
; <actions>  = <control>[;<ras>|<q931>,<ras>|<q931>,...]
; <control>  = optional | required | sufficient
; <ras>      = GRQ | RRQ | URQ | ARQ | BRQ | DRQ | LRQ | IRQ
; <q931>     = Setup
;
; Currently supported modules:
;
; SimplePasswordAuth/MySQLAuth/LDAPPasswordAuth
; The module checks the tokens or cryptoTokens
; fields of RAS message. The tokens should contain
; at least generalID and password. For cryptoTokens,
; cryptoEPPwdHash tokens hashed by simple MD5 and
; nestedcryptoToken tokens hashed by HMAC-SHA1-96 (libssl
; must be installed!) are supported now. The ID and
; password are read from [Password] section / MySQL /
; LDAP. Support for other backend databases is easy to
; add.
;
; ExternalPasswordAuth
; Check the password using an external program as defined
; in the [ExternalPasswordAuth] section.
;
; NeighborPasswordAuth
; The module only checks LRQs from neighbors. The ID and
; password are defined in [RasSrv::Neighbors] section.
;
; PrefixAuth
; This can only check LRQs and ARQs. The checks are
; defined in the [PrefixAuth] section.
;
; AliasAuth/LDAPAliasAuth
; The IP of an endpoint with given alias should match
; a specified pattern. For AliasAuth the pattern
; is defined in [RasSrv::RRQAuth] section. For
; LDAPAliasAuth the alias (default: mail attribute) and
; IP (default: voIPIpAddress attribute) must be found in
; one LDAP entry.
;
; RadAuth/RadAliasAuth
; The H.235 username/password from RRQ/ARQ message
; or endpoint alias/IP from RRQ/ARQ/Setup message is
; used to authenticate an endpoint/a call using RADIUS
; server.
;
; A rule may result in one of three codes: ok, fail, next.
;
; ok The request is authenticated by this module
; fail The authentication fails and should be rejected
; next The rule cannot determine the request
;
; There are also three ways to control a rule:
;
; optional If the rule cannot determine the request, it is passed
; to next rule.
; required The requests should be authenticated by this module,
; or it would be rejected. The authenticated request would
; then be passed to next rule.
; sufficient If the request is authenticated, it is accepted,
; or it would be rejected. That is, the rule determines
; the fate of the request. No rule should be put after
; a sufficient rule, since it won't take effect.
;
; You can also configure a rule to check only for some particular RAS
; messages. For example, to configure SimplePasswordAuth as a required
; rule to check RRQ, ARQ and LRQ: "SimplePasswordAuth=required;RRQ,ARQ,LRQ"
; Amazingly, checks are applied last-to-first, not first-to-last
; NOTE(review): both active rules below are 'optional' and 'default =reject'
; is commented out. Per the definitions above, a request that neither rule
; can determine falls through to the built-in default, which this file does
; not state - confirm it is reject (or uncomment the line) before relying
; on these rules to keep unknown endpoints out. The EXAMPLES block at the
; end shows 'default =allow' as the permissive alternative.
; default =reject
SimplePasswordAuth =optional
AliasAuth =optional
; LDAPAliasAuth =required;RRQ
; RadAuth =required;RRQ,ARQ
; RadAliasAuth =required;Setup

[Password]
; This is for 'SimplePasswordAuth'.
; 'addpasswd' can be used to add new entries. Usually do it on a separate
; file and then include or paste that here.
; NOTE(review): CheckID and KeyFilled are not explained in this file -
; presumably they control how addpasswd-generated entries are verified and
; protected; confirm against the addpasswd tooling before changing them.
CheckID =0
KeyFilled =0
; Units not stated here.
PasswordTimeout =1200

[ExternalPasswordAuth]
; This is for 'ExternalPasswordAuth'.
; The program takes the ID from 'stdin' and prints the password to 'stdout'.
; The helper emits the secret in clear and is launched by the gatekeeper, so
; its file and directory should not be writable by other users.
; PasswordProgram =/usr/sbin/ohpwdauth

[RasSrv::RRQAuth]
; This is for 'AliasAuth'.
; On a RRQ the H323 alias is queried from this section. If there is an
; entry the endpoint is authenticated against the given rules. If there
; is no entry the default action is performed. The default action is to
; confirm the RRQ, unless the parameter "default=reject" is given.
; These parameters should consider a HUP signal.
;
;ALIAS =(sigaddr:[!&]RE|sigip:[!&]IPADDR:PORT)[& ...]
;
; sigaddr: extended regular expression that has to match against the
; "PrintOn(ostream)" representation of the signal address
; of the request. Example:
; sigaddr:.*ipAddress .* ip = .* c3 47 e2 a5 .*port = 1720.*
;
; sigip: specialized form of "sigaddr". Write the signalling ip
; address using (commonly used) decimal notation. Example of
; the above sigaddr: "sigip:195.71.226.165:1720"
; NOTE(review): this section holds no ALIAS rules and 'default =reject' is
; commented out, so by the description above AliasAuth (active in
; [Gatekeeper::Auth]) confirms every RRQ. Add alias rules or enable
; 'default =reject' if AliasAuth is meant to restrict registration.
; default =reject
; default =confirm

[RasSrv::Neighbors]
; This is for 'NeighborPasswordAuth'.
; The GK would send LRQ to its neighbors if the destination of ARQ is
; unknown. A neighbor is selected if its prefix matches the destination
; or it has prefix '*'. Currently only one prefix is supported.
; The 'password' field is the shared secret NeighborPasswordAuth checks on
; LRQs from that neighbour (the GK2 example below sets none).
;gw =ip[:port;prefix;password;dynamic]
; GK1 =203.60.151.5:1719;*;gk1
; GK2 =203.60.151.9:1719;02

[PrefixAuth]
; This is for 'PrefixAuth'.
;(prefix|ALL)=(deny|allow) [!](ipv4:IP|alias:ALIASRE|all)]|...

[MySQLAuth]
; This is for 'MySQLAuth'.
; Example values only. A real deployment keeps the DB password out of a
; world-readable file (same caveat as BindUserPW in [GkLDAP::Settings]).
; Host =localhost
; Database =billing
; User =cwhuang
; Password =123456
; Table =customer
; IDField =IPN
; PasswordField =Password
; ExtraCriterion =Kind < 2

[GkLDAP::LDAPAttributeNames]
; H323ID =mail
; IPAddress =voIPIpAddress
; TelephonNo =telephoneNumber
; H235PassWord =plaintextPassword

[GkLDAP::Settings]
; Plain LDAP port; whether the bind is protected on the wire is not visible
; in this file - confirm (localhost only, or TLS) before pointing ServerName
; at a remote directory.
ServerName =localhost
ServerPort =389
SearchBaseDN =o=sabi,c=GB
; NOTE(review): BindUserPW is a plaintext directory credential stored in
; this file and BindUserDN is the directory root. Use a dedicated read-only
; bind account scoped to SearchBaseDN, keep this file readable only by the
; gatekeeper's user, and rotate the password if this file has been copied
; or shared.
BindUserDN =cn=root,o=sabi,c=GB
BindUserPW =aPassWord
; sizelimit =0
; timelimit =0

; ACCOUNTING
[CallTable]
; NOTE(review): with both Generate* values 0 here and no active rule in
; [Gatekeeper::Acct] (assuming the Generate* names mean what they suggest),
; no call records are produced for billing or incident review. Enable
; FileAcct or RadAcct below if call auditing is needed.
GenerateNBCDR =0
GenerateUCCDR =0
DefaultCallDurationLimit =15000
AcctUpdateInterval =180

[Gatekeeper::Acct]
; Accounting mechanism.
;
; Syntax (angle-bracket names are placeholders):
; <authrule> =<actions>
; <authrule> = RadAcct | FileAcct | ...
; <actions>  = <control>[;<event>,<event>,...]
; <control>  = optional | required | sufficient
; <event>    = start | stop | update | on | off
;
; Currently supported modules:
;
; RadAcct Provides accounting through RADIUS protocol.
; FileAcct Provides accounting to a plain text file using
; GK status line CDR format.
;
; A rule may result in one of three codes: ok, fail, next.
; ok The request is successfully processed by this module
; fail The request processing fails and call should be rejected
; next The rule cannot determine the request
;
; There are also three ways to control a rule:
;
; optional If the rule cannot log the accounting request, it is passed
; to next rule.
; required The accounting requests should be logged by this module,
; or it would be rejected. The accounting request would
; then be passed to next rule.
; sufficient If the accounting request is successfully logged,
; no further processing is done, otherwise the call would
; be rejected. That is, the rule determines
; the fate of the request. No rule should be put after
; a sufficient rule, since it won't take effect.
;
; You can also configure a rule to log only some particular accounting
; events. For example, to configure RadAcct as a required rule to log call
; "start" and "stop" events only, write: "RadAcct=required;start,stop"
;
; Defined accounting event types:
;
; start call start
; stop call stop
; update call update
; on GK start
; off GK stop
; No accounting rule is active (both lines below are commented out).
; RadAcct =optional;start,stop,on,off
; FileAcct =sufficient;stop

;[RadAcct]

;[FileAcct]
; DetailFile =/var/log/gnugk.log
; Rotate =0

; EXAMPLES
;# http://mail.gnome.org/archives/gnomemeeting-list/2002-November/msg00137.html
;# http://mail.gnome.org/archives/gnomemeeting-list/2002-November/msg00152.html
;[RoutedMode]
; GKRouted =1
; AcceptUnregisteredCalls =1
; SupportNATedEndpoints =1
; H245PortRange =30000-30010
; Q931PortRange =30011-30020
;
;[Proxy]
; Enable =1
; RTPPortRange =5000-5010
;
;[RasSrv::ARQFeatures]
; CallUnregisteredEndpoints =1
;
;[GkStatus::Auth]
; rule =allow
; default =allow
;
;[Gatekeeper::Auth]
; default =allow
;
;[RasSrv::RRQAuth]
; default =confirm
;
;[Gatekeeper::DestAnalysis]
; OverlapSendDestAnalysis =optional
; default =allow

;# From the GnomeMeeting FAQ
;[RoutedMode]
; GKRouted =1
; AcceptUnregisteredCalls =0
; SupportNATedEndpoints =1
; H245PortRange =30000-30010
; Q931PortRange =20000-20020
;[RasSrv::ARQFeatures]
; CallUnregisteredEndpoints =1
;[Proxy]
; Enable =1
; T120PortRange =40000-40010
; RTPPortRange =50000-59999
;[GkStatus::Auth]
; rule =allow