Hi Daniel,

Thanks very much for that reply. We now detect whether the destination is using TLS successfully using $ru and pcre_match().

Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone rings but the call drops immediately when it answers. The issue is that Asterisk doesn't like the 200 OK from the phone, which contains SRTP information. The error logged by Asterisk is "Rejecting secure audio stream without encryption details". I've included the SDP below.


Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never sees the encryption information in the 200 OK?
2) Is there anything wrong with the SDP returned by the TLS phone? For example, you mentioned before SDES SRTP and I wonder if the type of SRTP is not acceptable for some reason.


SDP received by Asterisk:

v=0
o=- 1501126711 1501126711 IN IP4 10.100.3.246
s=Polycom IP Phone
c=IN IP4 10.100.3.246
t=0 0
a=sendrecv
m=audio 2224 RTP/SAVP 0 101
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:W3V1lIbwyW1DzSmx8/AFFttKNJaoAM6kux0AcLtp
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000


The part of the Kamailio configuration which handles rtpengine is:

                if ( nat_uac_test( "8" ) ) {
                        rtpengine_manage( "force replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
                } else {
                        rtpengine_manage( "force trust-address replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
                }

Thanks again.


On 26 July 2017 at 21:06, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

for phones that are using tls, you can do the following tests:

  - for incoming traffic: proto==TLS
  - for outgoing traffic: after lookup location, the R-URI ($ru) should have 'transport=tls'

For RTPEngine there are some flags to specify whether or not you want SDES SRTP. I used them a few times in the past, but I don't recall them by heart -- the docs should have them.

Cheers,
Daniel


On 26.07.17 06:40, David Cunningham wrote:
Hello,

We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between a telephone using TLS/SRTP and Asterisk. There are examples out there for TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.

Would anyone be able to point us towards a Kamailio configuration which:

a) Tests if the destination phone (stored using usrloc) uses TLS.

b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can assume all phones using TLS want to use SRTP.

Thanks very much in advance.

--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019


_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - www.kamailioworld.com



--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
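
An added example, not part of the original thread: a small Python check that can be run over an SDP body captured on either leg of the bridge, to confirm that the phone leg carries a well-formed SDES `a=crypto` line and that the Asterisk leg carries neither an SRTP profile nor key material. The function name `audit_sdp`, the sample SDP bodies and the key are constructed for illustration, and it assumes the plain leg is expected to use `RTP/AVP`.

```python
import base64

import re

# Master key + salt length in bytes per SDES crypto suite (RFC 4568).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/]+=*)")
PLAIN = ("RTP/AVP", "RTP/AVPF")
SECURE = ("RTP/SAVP", "RTP/SAVPF")


def audit_sdp(sdp, expected_profile="RTP/AVP"):
    """Return findings for an SDP body as seen on one leg of the bridge."""
    findings = []
    sections = []  # one [media, profile, crypto_count] entry per m= line
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            media, _port, profile = line[2:].split()[:3]
            sections.append([media, profile, 0])
            if profile != expected_profile:
                findings.append(f"{media}: profile {profile}, leg expects {expected_profile}")
        elif line.startswith("a=crypto:") and sections:
            media = sections[-1][0]
            sections[-1][2] += 1
            m = CRYPTO_RE.match(line)
            if m is None:
                findings.append(f"{media}: malformed a=crypto line")
                continue
            tag, suite, key = m.groups()
            if expected_profile in PLAIN:
                findings.append(f"{media}: SDES key (tag {tag}) visible on plain leg")
            want = SUITE_KEY_LEN.get(suite)
            if want is None:
                findings.append(f"{media}: unknown suite {suite}")
            elif len(key.rstrip("=")) * 3 // 4 != want:  # decoded base64 size
                findings.append(f"{media}: wrong key length for {suite}")
    for media, profile, count in sections:
        if profile in SECURE and count == 0:
            findings.append(f"{media}: {profile} without a=crypto")
    return findings


# Constructed samples (not captured traffic): phone-leg and Asterisk-leg SDP.
KEY = base64.b64encode(bytes(range(30))).decode()
SRTP_SDP = ("v=0\r\nm=audio 2224 RTP/SAVP 0 101\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n"
            "a=rtpmap:0 PCMU/8000\r\n")
PLAIN_SDP = "v=0\r\nm=audio 30000 RTP/AVP 0 101\r\na=rtpmap:0 PCMU/8000\r\n"
```

An empty list means the body matches what that leg should carry; any finding on the Asterisk leg means the SRTP profile or key is still passing through the bridge unchanged.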