Any advice appreciated, as this is my first time dealing with SRTP (and rtpengine). Feeling very stuck. Thanks!

Yeah, me too. ;-)

Basically you need to call "rtpengine_manage" with the correct parameter, i.e. either RTP/AVP or RTP/SAVP, based on whether audio to the destination of the message is to be encrypted or not. This applies to basically any message with "application/sdp" content, i.e. both the INVITE *and* the 183 or 200 reply.

Thus if you relay from encrypted to plaintext, the INVITE's handler needs to call rtpengine_manage("… RTP/AVP") and the response handler needs to call rtpengine_manage("… RTP/SAVP").

In my code I discover these settings (for both call source and destination) during the INVITE, then I save them in a couple of XAVU variables. All the other handlers just select source / destination based on whether the message's source IP address is the same as the INVITE's.

IMHO it's way easier to program the whole thing in Python instead of Kamailio's language. This in turn would be much simpler if Kamailio used threads instead of separate processes and shared memory, but apparently you can't have everything. :-P

-- 
-- Matthias Urlichs