VoIP World - GNU Gatekeeper News

NOTICE: Content from outside our website, obtained through syndication (RSS) provided by the website it belongs to.

GNU Gatekeeper Blog
News and thoughts on the GNU Gatekeeper, H.323, video conferencing and VoIP

Mobile H.323 endpoints revisited

If you are looking for a free H.323 endpoint to connect to the GNU Gatekeeper, mobile apps for smartphones and tablets seem to offer the widest variety of choice right now.

My personal favorites are the RealPresence apps from Polycom, available for iOS and Android. They offer to let you sign in with a Polycom account, but you can simply skip this and just register with any H.323 gatekeeper in the settings.


Collaborate Mobile is also a good choice and also available for iOS and Android from the respective app stores.



Yealink VC Mobile is relatively new, but seems to work fine with GnuGk, too.



There used to be an Android version of BeeHD, but now it's only available for iOS.


I have dropped Sony IPELA from the list, because their apps seem to hang up without any visible reason after a few seconds in the call.

Here is my older post about free mobile H.323 endpoints for reference.

GNU Gatekeeper 4.2

I'm happy to announce the release of GNU Gatekeeper 4.2.

Version 4.2 is mainly a bug fix release.

A bug in proxying H.239 connections through NAT has been fixed as well
as a number of possible crashes and a few other small bugs.

The main functional change is that GnuGk's old NAT traversal method is
now disabled by default. Everybody should use H.460.x. If you want to keep
using the old NAT traversal method, you can re-enable it with



You can download the new version from

Please see the full change log below.


Changes from 4.1 to 4.2
- BUGFIX(ProxyChannel.cxx) fix H.239 forwarding issue in call where only one side uses H.460.19
- BUGFIX(configure.in) make sure LUA test fails for versions below 5.2
- BUGFIX(gkh235.cxx) small fix with password auth
- BUGFIX(ProxyChannel.cxx) apply codec filtering also to receiveAndTransmit capabilities
- BUGFIX(ProxyChannel.cxx) fix crash in RTP multiplexing
- BUGFIX(ProxyChannel.cxx) fix crash when using H.245 tunneling translation
- BUGFIX(gk.cxx) fix shutdown on NetBSD 7
- BUGFIX(ProxyChannel.cxx) fix compile on NetBSD 7
- new switch: [RoutedMode] FilterVideoFastUpdatePicture= to reduce the number of update requests from endpoints
- disable SSLv3 when using TLS
- BUGFIX(ProxyChannel.cxx) fix crash in call cleanup
- support ON and OFF event in LuaAcct
- BUGFIX(sqlacct.*) implement ON and OFF event as documented
- new switches [RoutedMode] EnableGnuGkNATTraversal=1 and [Endpoint] EnableGnuGkNATTraversal=1 to keep GnuGk's old NAT traversal method enabled

Please tell us what you think about the GNU Gatekeeper!

We are running a survey to get feedback and ideas for the future development of the GNU Gatekeeper.

Please take a moment to answer a few short questions:


Thanks for your time!

GNU Gatekeeper 4.1

I'm happy to announce the availability of GNU Gatekeeper 4.1.

This is mainly a bug fix release. If you are using GnuGk as a server in
a traversal zone or if you do H.239 presentations with Avaya endpoints,
you are strongly encouraged to update. This version also fixes a memory
leak that mainly affects long running gatekeepers with a lot of RAS
traffic. Some of the bugs were long standing, so if you skipped some
previous releases, this is really a good time to update.

The main new feature in this release is expanded LUA support.
Besides LUA authentication and LUA routing, there is now a LuaAcct
module that allows you to run a script on every accounting event of your
choice. Please see the updated manual for details.

You can download the new version from

Please see the full change log below.

My support website https://www.willamowius.com also got a face lift.
Please check it out as well.


Changes from 4.0 to 4.1

- BUGFIX(ProxyChannel.cxx) fix crash processing Setup
- BUGFIX(RasSrv.cxx) update IP/port of traversal neighbor on every SCI, not only on IP changes
- new status port command: PrintNeighbors
- BUGFIX(ProxyChannel.cxx) fix H.239 inside multiplePayloadStream from Avaya XT5000 with H.460.19
- new accounting module: LuaAcct
- LUA: new library "gnugk" to allow access to GnuGk functionality
- BUGFIX(configure) set all detected options in gnugkbuildopts.h on Unix
- BUGFIX(ProxyChannel.cxx) removing H.235 capabilities might have skipped items
- BUGFIX(lua.cxx) initialize all LUA variables for LUA routing
- status port configuration (MaxStatusClients, StatusEventBacklog, StatusEventBacklogRegex) now changeable at runtime
- BUGFIX(GkStatus.cxx) fix StatusEventBacklogRegex for patterns that start at the beginning of the event line
- BUGFIX(ProxyChannel.cxx) use RealPresence Group 0-Byte keep-alive for IgnoreSignaledH239PrivateIPs (needs LARGE_FDSET to work)
- new switches to set database connect and read timeout (only used by MySQL for now)
- new switch to set worker thread idle timeout: [Gatekeeper::Main] WorkerThreadIdleTimeout=
- BUGFIX(gk.cxx) better test for gatekeeper shutdown
- BUGFIX(Routing.cxx) fix fromIP for ARQ and LRQ RouteRequests
- BUGFIX(gkauth.cxx) only call Q.931 checks when activated
- BUGFIX(Routing.cxx) fix RouteRequest from unregistered caller who doesn't provide any alias
- new switch: [RoutedMode] DisableSettingUDPSourceIP=1

Getting H.323 through Firewalls and NAT by using the free GNU Gatekeeper

The H.323 protocol places IP addresses inside the signaling messages and establishes multiple TCP and UDP connections for a single call. You can't even be sure beforehand of the direction in which some of these connections are established. This makes it harder to get H.323 through a NAT than other protocols.

To get through firewalls and NATs, the GNU Gatekeeper supports a lot of different traversal methods and protocols. The combination of H.460.18 and H.460.19 (usually called "H.460 NAT traversal" for short) is by far the most common NAT traversal protocol and is supported by virtually all H.323 endpoints today.

The best approach is to place a GNU Gatekeeper on a public IP address in front of your firewall and enable H.460.18 NAT traversal. You don't have to open any inbound port - just allow outgoing connections in your firewall, which is usually the default anyway.

If not all of your endpoints support H.460.18 or if you have a lot of internal calls, you can place a 2nd GnuGk inside your firewall and let it tunnel calls out for all internal endpoints combined. This is called a "traversal zone". See Chapter 10 in the GNU Gatekeeper manual for how to configure the outside GnuGk as traversal server and the GnuGk inside the firewall as traversal client.

A simple, one gatekeeper configuration for NAT traversal looks like this:




Register all your endpoints with the gatekeeper, whether they are inside or outside the firewall, and you should be able to make calls in and out.

GNU Gatekeeper 4.0 available

I am pleased to announce the release of GNU Gatekeeper 4.0.

It is now available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

GnuGk 4.0 includes many new features as well as some important bug
fixes, but remains fully compatible with your previous configuration.

What's new?

- rewrite of the H.235 password authentication - much better interoperability and much more secure (it is high time to get rid of MD5 based authentication!)
- IP authentication for all RAS and Q.931 messages
- important IPv6 updates and fixes
- support for TCS0 call transfers ("reroute") that can be initiated from applications
- better NAT traversal support for unregistered endpoints
- better blocking of spam calls using SQLAuth
- per endpoint codec filtering
- DisplayIE rewriting
- more secure handling of status port passwords (only hash stored)
- important fix for ODBC database driver
- CalledPartyNumber IE rewriting for better Polycom interoperability
- bug fixes

Some of the new 4.0 features are discussed in more detail in this post:

Changes from 3.9 to 4.0
- [...PasswordAuth] CheckID switch is now deprecated, use [H235] CheckSendersID instead
- provide vendor information from ARQ or Setup as %{Vendor} in SQLAuth CallQuery
- prepend timestamp to events in status port backlog
- BUGFIX(Routing.cxx) remove newlines from vendor string before sending out RouteRequest to virtual queue
- BUGFIX(gksql_odbc.cxx) fix DSN initialization when having multiple DSNs at the same time
- new switch: [RoutedMode] UpdateCalledPartyToH225Destination=1 to always rewrite the CalledPartyNumberIE in Setup to the first E.164 of the H.225 destinationAddress
- BUGFIX(ProxyChannel.cxx) fix crash on shutdown
- new settings for [RoutedMode] ScreenDisplayIE=: 'Calling', 'Called', 'CallingCalled' to set the DisplayIE to the (rewritten) caller ID
- new switch: [RoutedMode] AppendToDisplayIE= to add a string to the DisplayIE when ScreenDisplayIE= is on
- changed default: H.460.18 keep-alive in traversal zone between neighbors now defaults to 19 sec (was 29)
- new switch: [RoutedMode] H46018KeepAliveInterval=
- BUGFIX(ProxyChannel.cxx) better port detection for H.239 when IgnoreSignaledPrivateH239IPs=1
- BUGFIX(gkacct.cxx) %{caller-port} and %{called-port} now default to "0" instead of the empty string when not available (eg. in direct mode) to avoid SQL errors when they are stored in a numeric column
- BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
- BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and Windows
- dump file descriptor usage on USR2 signal (Linux only)
- new switch [RoutedMode] DisableFastStart=1
- support for H.235.1, incl. setting and checking tokens in all RAS and Q.931 messages
- extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931 messages
- store only PBKDF2 hash for [GkStatus::Auth] password in config, not a recoverable password
- BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
- new switch [EP::] DisabledCodecs=
- much improved TCS0 3rd-party call transfer using 'Reroute' command on status port
- BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing and a dynamic routing policy sets it
- BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with more than 64 capability entries in TCS
- new switch [Proxy] AllowSignaledIPs= to skip auto-detect for network when IgnoreSignaledIPs=1

Wireshark 2 is out - including H.323 over IPv6 decoding

Wireshark 2 has been released. It includes decoding of H.323 over IPv6 which didn't work properly in all previous versions.

Wireshark 2 has a new UI that takes a moment to get used to, but also includes a version with the 'legacy' UI if you need to get things done in a hurry and can't fuss with the new UI right now.

New GNU Gatekeeper 4.0 Features

GnuGk 4.0 is in Beta now. Please give it a try!

H.235 password authentication

Until now, GnuGk only supported MD5 password tokens well. The password
only secured RRQ and ARQ messages in the direction from the endpoint to
the gatekeeper and MD5 is considered a pretty weak algorithm. MD5
tokens are widely supported by vendors and are usually called "H.235",
but strictly speaking they aren't part of any ITU spec.

The new implementation in GnuGk closely follows the H.235.1
specification. It secures all RAS (RRQ, ARQ, BRQ, DRQ etc.) and all
Q.931 (Setup, Alerting etc.) messages. It also secures both directions,
so the gatekeeper can check every message if it is really from the
endpoint and also the endpoint can make sure it's really talking to its

The interpretation of H.235.1 varies between vendors (or their
implementation is just buggy, your call). That's why GnuGk defaults to
rather strict checks, but has configuration switches ([H235] config
section) to enable interoperability with vendor implementations.
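
The per-message protection described above, as an added sketch that is not GnuGk's code: H.235.1 attaches an HMAC-SHA1-96 token, keyed with the SHA-1 of the password, to every message in both directions. The sorted-JSON encoding (real endpoints hash the ASN.1 PER encoding), the message fields other than sendersID, generalID, timeStamp and random, the zero placeholder and the 600-second window are assumptions of the example.

```python
import hashlib
import hmac
import json

PLACEHOLDER = b"\x00" * 12  # stand-in for the hash field while hashing (assumption)
MAX_SKEW = 600              # hypothetical timestamp acceptance window, seconds

def derive_key(password: str) -> bytes:
    """Shared key: SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).digest()

def _encode(msg: dict, tag: bytes) -> bytes:
    # Deterministic stand-in for the PER encoding of the whole message.
    return json.dumps({**msg, "hash": tag.hex()}, sort_keys=True).encode()

def sign(msg: dict, key: bytes) -> dict:
    """Return a copy of msg with an HMAC-SHA1-96 token over all fields."""
    tag = hmac.new(key, _encode(msg, PLACEHOLDER), hashlib.sha1).digest()[:12]
    return {**msg, "hash": tag.hex()}

def verify(signed: dict, key: bytes, now: int, expect_sender: str) -> str:
    """Return 'ok' or the reason the receiver rejects the message."""
    body = {k: v for k, v in signed.items() if k != "hash"}
    want = sign(body, key)["hash"].encode()
    if not hmac.compare_digest(want, str(signed.get("hash", "")).encode()):
        return "bad-hash"
    if body.get("sendersID") != expect_sender:
        return "wrong-sender"
    if abs(now - int(body.get("timeStamp", 0))) > MAX_SKEW:
        return "stale-timestamp"
    return "ok"

def demo() -> dict:
    """Constructed exchange: endpoint ep1 and gatekeeper gk1 share one password."""
    key, now = derive_key("constructed-password"), 1_700_000_000
    arq = sign({"type": "ARQ", "sendersID": "ep1", "generalID": "gk1",
                "timeStamp": now, "random": 1, "dest": "4711"}, key)
    acf = sign({"type": "ACF", "sendersID": "gk1", "generalID": "ep1",
                "timeStamp": now, "random": 2,
                "destCallSignalAddress": "192.0.2.10:1720"}, key)
    return {
        # Endpoint -> gatekeeper: the gatekeeper checks the request.
        "arq_at_gatekeeper": verify(arq, key, now, "ep1"),
        # Gatekeeper -> endpoint: the endpoint checks the reply as well.
        "acf_at_endpoint": verify(acf, key, now, "gk1"),
        # Any field changed in transit invalidates the token.
        "modified_arq": verify({**arq, "dest": "4712"}, key, now, "ep1"),
        "modified_acf": verify({**acf, "destCallSignalAddress":
                                "198.51.100.7:1720"}, key, now, "gk1"),
        # A valid message presented an hour later fails the time check.
        "replayed_arq": verify(arq, key, now + 3600, "ep1"),
        "wrong_password": verify(arq, derive_key("other"), now, "ep1"),
    }
```

The time check is why gatekeeper and endpoint clocks have to agree for this kind of authentication to work.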

During development I ran tests with AudioCodes, Polycom, innovaphone and
H323Plus endpoints.

For example if you are using an AudioCodes gateway, you should set



You can even tighten security with CheckID=1 in [SimplePasswordAuth].

Per endpoint codec filtering

Suppose you have this MCU, that works fine when endpoints use H.263,
but a lot of calls using H.264 fail. Now you can simply disable H.264
in your GnuGk config, even if that MCU doesn't give you that option:



Now that MCU can't negotiate H.264 any more and all calls will use
H.263. All other endpoints can still use all codecs.

Or suppose you have a Radvision MCU that is rather strict about using
symmetric codecs. Many endpoints don't handle symmetric codec
requirements correctly, but it often helps to simply disable H.239 if
you aren't using it anyway:


If all your endpoints follow all the specs, you'll probably never need
this feature. Unfortunately not all do and that's when this feature
comes in handy.

IPv6 and IPv4-IPv6 conversion

Actually this is not a new feature in GnuGk 4.0, but 4.0 brings some
significant bug fixes and improvements.

We all know IPv6 will come some day, but hasn't so far, because some
equipment still works better with IPv4 or some network doesn't support
it yet, etc.

With GnuGk, you don't have to convert your network to IPv6, you can
simply add it as another option and GnuGk will convert between IPv4 and
IPv6 whenever necessary. So you can keep all your legacy endpoints that
only support IPv4 and still have them reach other endpoints that work
on IPv6.

I would suggest you give IPv6 a try in your network now, before things
get very urgent and must be done in a rush.

The config part in GnuGk is rather easy:


In all places where you can put an IPv4 address, you can also place an
IPv6 address.

BTW: If you want to see your IPv6 H.323 calls in Wireshark, you need a
new version. I worked with the Wireshark developers to get the
dissection fixed. That patch will probably be in 2.0.0rc1.

GnuGk 4.0 Beta available

The beta version for the upcoming 4.0 version is now available:


Most important new features:

- much improved H.235 password authentication
- IPv6 updates and fixes
- support for TCS0 3rd-party call transfer (reroute) for applications
- disable codecs per endpoint
- bug fixes

Especially if you use password authentication, it is important that you
try the new version, so we can fix any issues before the release!

The purpose of this beta release is to get feedback. If you find
anything that needs fixing, please let us know!

Full change log:

- BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
- BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and
  Windows
- dump file descriptor usage on USR2 signal (Linux only)
- new switch [RoutedMode] DisableFastStart=1
- support for H.235.1, incl. setting and checking tokens in all RAS and
  Q.931 messages
- extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931
  messages
- store only PBKDF2 hash for [GkStatus::Auth] password in config, not a
  recoverable password
- BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
- new switch [EP::] DisabledCodecs=
- much improved TCS0 call transfer using 'Reroute' command on status
  port
- BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing
  and a dynamic routing policy sets it
- BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with
  more than 64 capability entries in TCS
- new switch [Proxy] AllowSignaledIPs= to skip auto-detect for
  network when IgnoreSignaledIPs=1 (experimental)

GNU Gatekeeper 3.9 released

I am pleased to announce a new release of the GNU Gatekeeper,
version 3.9, now available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

What's new in GnuGk 3.9?

- bug fixes, including a crash and hanging status port on Windows servers
- a new IP/port detection algorithm for endpoints behind NAT that works well even with unregistered (!) endpoints
- neighbor pings to speed up call routing if your neighbors are frequently down
- geo-blocking: with the GeoIPAuth policy, you can allow or block calls based on the location of the IP
- status port event back log: When you connect to the status port to diagnose an issue, the relevant events are already gone. With this new feature you can tell GnuGk to save the last n events and show them later on. This way you can take a look at eg. the last 100 failed registrations etc.
- QoS DiffServ marking for RAS, H.225 and H.245 messages (based on patch provided by Vidyo): Now you can set the DiffServ class for signaling messages. Previously you could only mark RTP packets.
- support for H.235.TSSM: H.235 needs time synchronization between gatekeeper and endpoints and the proposed H.235.TSSM standard provides a means for endpoints to detect that they are not in sync with the gatekeeper and apply a time offset.

Please tell us what you think !

I have prepared a short survey to learn more about how you all use the GNU
Gatekeeper, which features you use, what might be missing etc.

Please take a moment to provide some feedback for the future direction
of the GnuGk project:



Replacing a Radvision ECS Gatekeeper with a GNU Gatekeeper

In many cases GnuGk can act as a drop-in replacement for the ECS Gatekeeper. I just noticed one strange thing: Radvision MCUs seem to register endpoint aliases instead of prefixes with the ECS and the ECS treats registrations from MCUs as prefixes. To fix that, you can simply assign prefixes to the MCU in your GNU Gatekeeper configuration and everything works like before.


GNU Gatekeeper 3.8 released

I am pleased to announce a new release of the GNU Gatekeeper, version 3.8, available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS, FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

In addition to the new GnuGk version, I'm also happy to announce the general availability of the new Web Interface.

In response to the current wave of H.323 spam / hacking GnuGk 3.8 has a number of improvements to security related features:

- endpoint IDs are now completely random and not as easily guessable as they were before
- GnuGk is now using better random numbers in security relevant places
- new authentication modules using LUA scripts called LuaAuth
- new switch [RasSrv::ARQFeatures] CheckSenderIP=1 to make sure ARQs come from the same IP as the initial registration
- FileIPAuth is now able to check ARQ messages
- AliasAuth updated to work with H.460.18 endpoints
- PrefixAuth was extended to support unregistered calls
- SQLAuth can now operate on SrcInfo fields using %{SrcInfo}
- improvements to the addpasswd utility.
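
A check an operator could run over a GnuGk configuration file, as an added example that is not part of GnuGk or the original posts: it flags the security-relevant switches named in the change logs on this page. The two sample configurations and their values are constructed, and exact-case matching of section and key names is an assumption.

```python
import configparser

# Constructed sample configs; every switch name is taken from this page.
WEAK_INI = """\
[Gatekeeper::Main]
WorkerThreadIdleTimeout=600

[RoutedMode]
DisableFastStart=1
EnableGnuGkNATTraversal=1

[Endpoint]
EnableGnuGkNATTraversal=1

[SimplePasswordAuth]
CheckID=1

[SQLAuth]
CallQuery=SELECT 1 FROM callers WHERE vendor = '%{Vendor}'
"""

HARDENED_INI = """\
[RoutedMode]
DisableFastStart=1

[H235]
CheckSendersID=1

[RasSrv::ARQFeatures]
CheckSenderIP=1
"""

def load(text: str) -> configparser.ConfigParser:
    # interpolation=None: placeholders such as %{Vendor} must stay literal.
    # strict=False: tolerate repeated sections or keys in hand-edited files.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case as written instead of lowercasing
    cp.read_string(text)
    return cp

def is_on(cp: configparser.ConfigParser, section: str, key: str) -> bool:
    return (cp.get(section, key, fallback="0") or "").strip() == "1"

def audit(text: str) -> list:
    """Return (finding_id, detail) tuples for one configuration text."""
    cp, findings = load(text), []
    for section in ("RoutedMode", "Endpoint"):
        if is_on(cp, section, "EnableGnuGkNATTraversal"):
            findings.append(("old-nat-traversal",
                f"[{section}] re-enables the old NAT traversal method, "
                "off by default since 4.2; use H.460.x"))
    for section in cp.sections():
        if section.endswith("PasswordAuth") and cp.has_option(section, "CheckID"):
            findings.append(("deprecated-checkid",
                f"[{section}] CheckID is deprecated since 4.0; "
                "use [H235] CheckSendersID"))
    if not is_on(cp, "RasSrv::ARQFeatures", "CheckSenderIP"):
        findings.append(("arq-sender-ip-unchecked",
            "ARQs are not tied to the IP of the initial registration"))
    return findings
```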

Other new non-security related features include:

- The CatchAll policy now rewrites the destination alias which makes it easier to send CatchAll calls to MCU rooms.
- You can now filter out whole capability classes, eg. all video or H.239 capabilities if some of your endpoints have trouble handling them
- A new switch [Gatekeeper::Main] MinH323Version= lets you set the H.323 version GnuGk identifies itself as using (up to the latest version 7). This is mainly to deal with endpoints that switch features when they believe they are talking to older endpoints (which one shouldn't be doing...)
- a number of bugs and crashes fixed

GNU Gatekeeper 3.7 released

Version 3.7 of the GNU Gatekeeper is out!

Please download it from http://www.gnugk.org/h323download.html

This is mainly a bugfix release that corrects a number of errors and
crashes (see below).

Please follow these compile instructions:


Change log:

- allow Comment= in all sections
- new status port command: "debug cfg all" to print the full configuration
- stub code to fake support for Avaya 2.16.840.1.114187.1.3 authentication (disabled by default)
- BUGFIX(Neighbor.cxx) fix outbound rules for GWRewriteE164 with neighbors
- BUGFIX(RasSrv.cxx) fix crash on shutdown
- BUGFIX(gkauth.cxx) for password auth look at correct src or dest info
- BUGFIX(Toolkit.cxx) more flexible column handling for [SQLConfig] PermanentEndpountsQuery, document priority and vendor info setting
- BUGFIX(gksql_sqlite.cxx) return empty string for NULL columns, like the other DB drivers do
- BUGFIX(RasTbl.cxx) fix formatting of PrintAllRegistrations and PrintAllRegistrationsVerbose
- BUGFIX(GkStatus.cxx) better handling when status clients don't quit properly
- BUGFIX(Toolkit.cxx) fix selection of reply address for IPv6

Monitoring the GNU Gatekeeper

When you run GnuGk in production, it is important to integrate it into your overall network monitoring to ensure it's always running and to see the current throughput.

Your choices are basically

- SNMP
- custom plugins that connect to GnuGk's status port

For Nagios or Icinga it's probably best to use GnuGk's SNMP support.

On the website there are also a few sample plugins for open source monitoring tools that don't support SNMP so well.

