Friday, August 15, 2014

GNU Gatekeeper 3.7 released

Version 3.7 of the GNU Gatekeeper is out!

Please download it from

This is mainly a bugfix release that corrects a number of errors and
crashes (see below).

Please follow these compile instructions:


Change log:
  • allow Comment= in all sections
  • new status port command: "debug cfg all" to print the full configuration
  • stub code to fake support for Avaya 2.16.840.1.114187.1.3 authentication  (disabled by default)
  • BUGFIX(Neighbor.cxx) fix outbound rules for GWRewriteE164 with neighbors
  • BUGFIX(RasSrv.cxx) fix crash on shutdown
  • BUGFIX(gkauth.cxx) for passwort auth look at correct src or dest info
  • BUGFIX(Toolkit.cxx) more flexible column handling for [SQLConfig] PermanentEndpountsQuery, document priority and vendor info setting
  • BUGFIX(gksql_sqlite.cxx) return empty string for NULL columns, like the other DB drivers do
  • BUGFIX(RasTbl.cxx) fix formatting of PrintAllRegistrations and PrintAllRegistrationsVerbose
  • BUGFIX(GkStatus.cxx) better handling when status clients don't quit properly
  • BUGFIX(Toolkit.cxx) fix selection of reply address for IPv6

Wednesday, June 25, 2014

Monitoring the GNU Gatekeeper

When you run GnuGk in production, it is important to integrate it into your overall network monitoring to ensure its always running and to see the current throughput.

Your choices are basically
  • SNMP
  • custom plugins that connect to GnuGk's status port

For Nagois or Icinga its probably best to use GnuGk's SNMP support.

On the website there are also a few a few sample plugins for OpenSource Monitoring tools that don't support SNMP so well.

Wednesday, May 7, 2014

GNU Gatekeeper 3.6

Version 3.6 of the GNU gatekeeper has been released.

Please download the source code from

This version contains support for Polycom's domain##alias addressing, a
new policy to route by URI prefix, better config checking, fixes for
H.460.19 port detection and a number of other bugfixes and smaller

I'm trying to cut down on the time I have to spend on each release, so
I will only provide executable to support client for this version.

Please follow these instructions to compile GnuGk yourself:

Full change log:
  • support Polycom's domain##alias addressing in DNS policy
  • new command line switch: --strict (don't start with config errors)
  • new routing policy [Routing::URIService] to define service specific URI routing policy.
  • allow SendTo= without AlternateGKs= switch
  • new switch [EP::...] ForceGateway=1 to treat an endpoint as a gateway
  • new switch [EP::...] AddCallingPartyToSourceAddress=1
  • new switch [EP::...] DisableCallCreditCapabilities=1
  • verify the correct payloadType on H.460.19 keep-alive packets (disable with [Proxy] CheckH46019KeepAlivePT=0)
  • support libssh 0.6.x
  • BUGFIX(ProxyChannel.cxx) fix memory leak on TLS errors
  • BUGFIX(RasTbl.cxx) use 64bit numbers for AddNumbers= ranges
  • BUGFIX(RasSrv.cxx) fill destCallSignallAddress in answer ACF in direct mode
  • BUGFIX(RasSrv.cxx) fix callSignalPort in LCF when H.460.22 is enabled
  • BUGFIX(ProxyChannel.cxx) read ProxyHandlerHighPrio switch earlier
  • BUGFIX(ProxyChannel.cxx) wait 4 sec before using regular RTP packets for H.460.19 port detection
  • BUGFIX(gk.cxx) small fixes for MacOSX

Saturday, March 22, 2014

Free mobile H.323 endpoints

While it is hard to find good H.323 endpoints for PCs that are free, there are a number of free mobile apps available that work very well with GnuGk.

Polycom RealPresence Mobile (iOS and Android)

Skip the login for the RealPresence server and set a gatekeeper in the H.323 settings.

Sony IPELA Communications Mobile (iOS and Android)

Don't be scared away by the Japanese description in the Play Store, the app works in English.

Radvision BeeHD (iOS)

Does anybody know other mobile endpoints that I missed ?

Monday, February 3, 2014

Whats new in GnuGk 3.5 ? Part 3: Performance

To avoid the performance hit that happens on Linux when your GNU Gatekeeper gets swapped out on a busy server, GnuGk 3.5  has a new command line switch to lock GnuGk in memory (--mlock).

As a tool to allow you to better monitor your call volume, the call statistics on the status port will now show the peak number of calls in addition to the current load. This is an important piece of data to plan socket and thread allocation for your configuration.

GnuGk 3.5 will now also run on certain Linux server virtualization platforms that don't give GnuGk full control over thread prioritization, even when running under the root user. Now you can turn off setting the proxy handler thread to high priority and GnuGk will start as it should. Use the ProxyHandlerHighPrio switch if your GnuGk dies on startup with a PTLib assertion "pthread_setschedparam failed".


If you run a high load GnuGk installation or if you are concerned about performance, please contact me to have a chat.

Tuesday, January 28, 2014

H.323Plus 1.26 released

A new H323Plus is out: Version 1.26

  • it allows you to add TLS encryption to your endpoints (including H.460.22 capability negotiation)
  • it supports the upcoming H.235.6 with Diffie-Helman keys up to 8 KB length
  • there is support for media over TCP (H.460.26)
  • support for H.323v8 language features
If you have endpoints based on H323Plus (or OpenH323), I would encourage you to update to the latest library version and enable those new features!

H323Plus v1.26 of course also works great with GnuGk 3.5.

Download H323Plus 1.26 from

Monday, January 20, 2014

Whats new in GnuGk 3.5 ? Part 2: Language based routing and support for H.323v8

GnuGk 3.5 includes support for routing of calls based on the language signaled by the caller and called party. For example you can route calls to to different agents based on the caller language.

If you use the 'sql' or 'forwarding' routing policy for example, you now have the an additional variable available %{language} that you can use to select the agent matching the incoming call the best.

To use this feature, you'll need endpoints that will signal the language. Language support was introduced in H.323v6. To make full use of this feature, you'll need endpoints supporting the upcoming H.323v8 which further improves on the language capabilities. GnuGk 3.5 supports H.323v8.

Starting with H.323v8, you also have the ability to let GnuGk 3.5 assign endpoints a language. That way you don't have to configure each endpoint individually. Use the [AssignedLanguage::SQL] section do do so.

To add language information to your LRQs to other gatekeepers, switch on the EnableLanguageRouting switch:


BTW: If you have your own endpoints based on H323Plus, you should enable the language feature now, its really simple.

Wednesday, January 8, 2014

Whats new in GnuGk 3.5 ? Part 1: New encryption features

Easier TLS configuration

H.323 encryption as implemented by virtually all commercial vendors is easily circumvented by Man-in-the-Middle attacks. So it is very important to secure at least your gatekeeper-to-gatekeeper signaling connections over the internet with TLS. See for background information. (Its a bit like installing a huge lock and then leaving the key under the doormat for everybody to use.)

GnuGk can close this security hole by encrypting the signaling connection using TLS and verifying  the certificates of clients and servers.

With GnuGk 3.5, you don't have explicitly configure TLS for each partner. On all RAS connections GnuGk will use H.460.22 to signal support for TLS encryption and will automatically use it as when the partner supports it.

Stronger RTP encryption with larger keys

When the media encryption spec (H.235.6) was published by the ITU in 2005, it contained an error that prevents all vendors from using Diffie-Hellman tokens larger than 2048 bits. This error is being corrected by the ITU now and the new spec is about to be published.

GnuGk 3.5 supports the upcoming specification and can be configured to use AES256 with tokens of up to 8192 bits when you configure it to add media encryption to your calls.

Support for legacy authentication with DES-ECB

GnuGk 3.5 adds support for username / password authentication using the DES standard. This kind of authentication is very weak and should only be used for interoperability with old equipment that doesn't support anything else (eg. some Avaya endpoints).

Thursday, January 2, 2014

GNU Gatekeeper Version 3.5 released

I'm happy to announce the release of GNU Gatekeeper version 3.5.
The new version brings a number of new features as well as a number of
important bug fixes and a few changes in configuration options.

As usual, you can download the source code and executable for Linux, Windows, FreeBSD, OpenBSD, NetBSD and Solaris from

New features:

  • implement H.460.22 to negotiate the use of TLS
  • language based routing (using the upcoming H.323v8)
  • new command line switch -mlock to prevent GnuGk from being swapped out
  • new section [ModeVendorSelection] to set proxy mode based on endpoint vendor
  • support for challenge/response authentication using DES-ECB, eg. from Avaya endpoints
  • new switch [RoutedMode] FilterEmptyFacility= (Avaya interop)
  • new switch [RoutedMode] ProxyHandlerHighPrio=0 to avoid setting the proxy handler to  high priority; needed to run GnuGk on certain virtualization platforms
  • print number of proxied calls and peak number of calls in statistics on status port
  • new switch [RoutedMode] H46023ForceNat
  • new switch [RewriteSourceAddress] TreatNumberURIDialedDigits
  • more detailed codec descriptions in %{codec} and Radius attribute
  • process multiple terminal-alias VSA from Radius
  • extend [GkStatus::Message] for URQ

 Configuration changes:

  • changed default call signaling port from 1721 to 1720
  • replace H235HalfCallMediaStrength= switch with H235HalfCallMaxTokenLength= switch
  • disable use of SHA1 for TLS by default, the new switch [TLS] CipherList= can be used to customize the cipher selection

Bug fixes:

  • BUGFIX(GkStatus.cxx) disable ssh compression to avoid libssh bug, fix memleak, implement cmdline command execution
  • BUGFIX(Neighbor.cxx) fix H.460 VendorInfo in LCF without TLS or NAT Support
  • BUGFIX(Routing.cxx) fix DNS policy to allow calls by IP:port to endpoint on same IP as gatekeeper
  • BUGFIX(ProxyChannel.cxx) fix RTCP forwarding with EnableRTCPStats=1
  • BUGFIX(ProxyChannel.cxx) fix race condition in call failover
  • BUGFIX(ProxyChannel.cxx) fix use of RTP multiplex port for non-multiplexing calls
  • BUGFIX(ProxyChannel.cxx) offer H.245 tunneling for H.460.18 calls when translation switch is on
  • BUGFIX(ProxyChannel.cxx) fix removal of h245Address in H.245 tunneling translation
  • BUGFIX(ProxyChannel.cxx) fix H.245 tunneling translation when H.245 connection is  actively established by the gatekeeper and there are pending H.245 messages
  • BUGFIX(ProxyChannel.cxx) don't send a ReleaseComplete for Status messages outside of calls
  • BUGFIX(ProxyChannel.cxx) use Facility with reason transportedInformation for  H.245 tunneling translation for H.225 version >= 4
  • BUGFIX(RasSrv.cxx) fix port detection for traversal clients
  • BUGFIX(RasTbl.h) fix translation of 2nd CallProceeding to unregistered endpoint
  • BUGFIX(yasocket.h) fix TLS with LARGE_FDSET