I'm attaching my config (changed the substitutions to fake ones).
On 7/11/2025 10:23 PM, Jeremy Weibert via sr-users wrote:
> I'm new to Kamailio, and looking for some guidance.
>
> I have a very large global PBX network (NEC). I have mobile users that for many years we have had connecting through VPN. This has worked fine for us until recently; various circumstances have made this unreliable. In searching for a better way to handle this, I came across Kamailio. I want the mobile users using TLS/SRTP; the NEC has various limitations on that, but more importantly, I'm not putting my PBXes on the internet. I've been at this for a few days now, learning and trying to see how I can do this with Kamailio, when I eventually came across this: https://www.fredposner.com/2309/kamailio-simple-tls-gateway/#:~:text=One%20feature%20that%20truly%20shines,aka%20to%20the%20PBX.
>
> Seems this is exactly what I need. The only difference really is that I have an additional firewall between the internet and the Kamailio server, with the external IP being NATed.
>
> In the famous last words of all users "it didn't work". Specifically, registrations seem to work just fine (the NEC acts as the registrar). However, when making a call:
>
> - The original INVITE from the mobile user (port 5061, TLS) reaches Kamailio and is then proxied via UDP to the PBX.
> - The PBX appears to behave as a B2BUA, creating a completely new INVITE with a different Call-ID and sending it back to Kamailio.
> - Kamailio, seeing this as a completely new INVITE coming in on UDP (not TLS), rejects it (403 Accepting TLS Only).
> - Likewise, if a call originates from the PBX side, same thing.
>
> I figure, if the INVITE is coming from the PBX, I can just skip the TLS check, as it's coming from a trusted IP. However, the INVITE looks like:
> INFO: {1 udp 1 INVITE 7776d675@PBXIP} <script>: {R-MAIN] Incoming request from PRIVATEIP using udp
>
> In other words, the INVITE is showing as coming from Kamailio.
>
> I can't use the alias tag that Kamailio sets initially, as the PBX strips it with the new INVITE. I figure to just explicitly send it to the registered client over TLS by just rewriting the destination URI, and then it goes into an infinite loop.
>
> I got a bit lost at this point and if someone could help point me in the right direction, I would be eternally grateful.
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions -- sr-users@lists.kamailio.org