By setting $du, I was able to force proxy1 to use TLS instead of UDP.

$du = "sip:ip:port;transport=tls";
t_relay();

Thanks Daniel for your input.

From: Pranathi Venkatayogi
Sent: Wednesday, January 25, 2017 8:25 AM
To: 'miconda@gmail.com' <miconda@gmail.com>; 'Kamailio (SER) - Users Mailing List' <sr-users@lists.sip-router.org>
Subject: RE: [SR-Users] How does Kamailio decide which protocol to use when fwding to another proxy?

I am attaching all the information needed:

Here is invite sent by the customer -

10.11.200.21:58822 -(SIP over TLS)-> 10.0.16.52:5061

INVITE sip:spanish@translation.sms-test.cyracom.com SIP/2.0
Via: SIP/2.0/TLS 10.11.200.21:58822;rport;branch=z9hG4bKPj40846ca84d834aeb9d6ae838e7d01166;alias
Max-Forwards: 70
From: "cust1" <sip:cust1@devtranslation.sms-test.cyracom.com>;tag=46715a1fbe9c4d06a04ecf7e48997955
To: <sip:spanish@translation.sms-test.cyracom.com>
Contact: <sip:64715890@10.11.200.21:58825;transport=tls>
Call-ID: a6a27f5f13a147ff82f48fde3789838e
CSeq: 6098 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.0.0 (Windows)
Proxy-Authorization: Digest username="cust1", realm="devtranslation.sms-test.cyracom.com", nonce="WIfTSliH0h4rWzCg73Myws7fCOgYpwHyAg5IxIA=", uri="sip:spanish@translation.sms-test.cyracom.com", response="391c1e155da5949698501a379b9037a3"
Content-Type: application/sdp
Content-Length:   359

v=0
o=- 3694256158 3694256158 IN IP4 10.11.200.21
s=Blink 3.0.0 (Windows)
t=0 0
m=message 2855 TCP/TLS/MSRP *
c=IN IP4 10.11.200.21
a=path:msrps://192.168.1.110:2855/3dc0380f6ef30157c39c;tcp
a=accept-types:message/cpim text/* image/* application/im-iscomposing+xml
a=accept-wrapped-types:text/* image/* application/im-iscomposing+xml
a=setup:active

Here is the invite received by the agent. As we see, transport=tls is set correctly. The question is why, and who, is inserting a Via header with UDP port 5060. 10.0.16.52 is proxy1's IP address. The strange thing is that proxy1 has a TLS connection with proxy2 and still it is sending via UDP.

172.31.211.31:5061 -(SIP over TLS)-> 10.0.27.108:60894

INVITE sip:20745891@10.0.27.108:60896;transport=tls SIP/2.0
Via: SIP/2.0/TLS 63.149.103.72:5061;branch=z9hG4bKe337.4192b97c6a818407e5631f415c224e45.0
Via: SIP/2.0/UDP 10.0.16.52;rport=5060;branch=z9hG4bKe337.2c67958aee41eaa6f6d03652c89552c8.0;i=1
Via: SIP/2.0/TLS 10.11.200.21:59039;received=10.11.200.21;rport=59039;branch=z9hG4bKPj62fa0d97094946169f04a60aeb9aa215;alias
Max-Forwards: 68
From: "cust1" <sip:cust1@devtranslation.sms-test.cyracom.com>;tag=7bbc8a1c90e94d96b3360223ce815d50
To: <sip:spanish@translation.sms-test.cyracom.com>
Contact: <sip:64715890@10.11.200.21:59045;transport=tls>
Record-Route: <sip:63.149.103.72:5060;transport=tls;lr;nat=yes>
Record-Route: <sip:10.0.16.52:5061;transport=tls;lr;nat=yes>
Call-ID: f1f4cb291ee44c11b3eda6c6801c1d22
CSeq: 28943 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.0.0 (Windows)
Content-Type: application/sdp
Content-Length:   359

v=0
o=- 3694259050 3694259050 IN IP4 10.11.200.21
s=Blink 3.0.0 (Windows)
t=0 0
m=message 2855 TCP/TLS/MSRP *
c=IN IP4 10.11.200.21
a=path:msrps://192.168.1.110:2855/3fe6e776d38e70ffc529;tcp
a=accept-types:message/cpim text/* image/* application/im-iscomposing+xml
a=accept-wrapped-types:text/* image/* application/im-iscomposing+xml
a=setup:active

Attached is the nslookup output of the proxy2 domain.
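As an added example (not code from this thread or from the Kamailio project), the following Python script performs the check the trace above calls for: it walks the Via stack of the received INVITE hop by hop and reports which hops were actually carried over TLS, and where the transport advertised in a proxy's Record-Route (transport=tls) disagrees with the transport that proxy really used in its Via. The sample message is constructed from the second trace above with the SDP body dropped; the function names are my own and not part of any SIP library.

```python
"""Hop-by-hop transport audit of a SIP request via its Via and Record-Route headers (added example)."""
import re

# Constructed sample: header section of the INVITE as received by the agent
# in the thread above (SDP body dropped, Content-Length set to 0).
SAMPLE_INVITE = (
    "INVITE sip:20745891@10.0.27.108:60896;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 63.149.103.72:5061;branch=z9hG4bKe337.4192b97c6a818407e5631f415c224e45.0\r\n"
    "Via: SIP/2.0/UDP 10.0.16.52;rport=5060;branch=z9hG4bKe337.2c67958aee41eaa6f6d03652c89552c8.0;i=1\r\n"
    "Via: SIP/2.0/TLS 10.11.200.21:59039;received=10.11.200.21;rport=59039;branch=z9hG4bKPj62fa0d97094946169f04a60aeb9aa215;alias\r\n"
    "Max-Forwards: 68\r\n"
    "Record-Route: <sip:63.149.103.72:5060;transport=tls;lr;nat=yes>\r\n"
    "Record-Route: <sip:10.0.16.52:5061;transport=tls;lr;nat=yes>\r\n"
    "Call-ID: f1f4cb291ee44c11b3eda6c6801c1d22\r\n"
    "CSeq: 28943 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Via sent-protocol and sent-by, e.g. "SIP/2.0/UDP 10.0.16.52;rport=5060;branch=..."
_VIA_RE = re.compile(r"SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<sentby>[^;,\s]+)(?P<params>[^,]*)")
# Record-Route URI inside angle brackets, e.g. "<sip:10.0.16.52:5061;transport=tls;lr>"
_RR_RE = re.compile(r"<sips?:(?:[^@>]*@)?(?P<hostport>[^;>?]+)(?P<params>[^>]*)>")
# Default ports per transport (RFC 3261 / RFC 7118) used when the Via sent-by has no port
_DEFAULT_PORT = {"UDP": 5060, "TCP": 5060, "SCTP": 5060, "TLS": 5061, "WS": 80, "WSS": 443}


def _params(text):
    """Turn ';k=v;flag' into {'k': 'v', 'flag': ''} with lowercase keys."""
    out = {}
    for part in text.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            out[key.lower()] = value
    return out


def _split_hostport(hostport):
    """Split 'host:port' into (host, port or None); bracketed IPv6 literals are not handled."""
    if ":" in hostport and not hostport.startswith("["):
        host, port = hostport.rsplit(":", 1)
        return host, int(port)
    return hostport, None


def parse_headers(msg):
    """Return [(lowercase name, value)] for the header section, unfolding continuation lines."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if not line:
            continue
        if line[0] in " \t" and headers:         # folded continuation (RFC 3261 7.3.1)
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def via_hops(msg):
    """Hops from the Via stack, topmost (most recent) first, as (transport, host, port)."""
    hops = []
    for name, value in parse_headers(msg):
        if name not in ("via", "v"):
            continue
        for m in _VIA_RE.finditer(value):        # one Via line may carry several comma-separated hops
            transport = m.group("transport").upper()
            host, port = _split_hostport(m.group("sentby"))
            params = _params(m.group("params"))
            if port is None:                     # fall back to the rport value, then the default port
                port = int(params["rport"]) if params.get("rport") else _DEFAULT_PORT.get(transport)
            hops.append((transport, host, port))
    return hops


def insecure_hops(msg):
    """Via hops that were not carried over TLS or WSS."""
    return [hop for hop in via_hops(msg) if hop[0] not in ("TLS", "WSS")]


def request_uri_transport(msg):
    """The transport= parameter of the Request-URI (lowercase) or None."""
    uri = msg.split("\r\n", 1)[0].split()[1]
    return _params(";" + ";".join(uri.split(";")[1:])).get("transport", "").lower() or None


def record_route_transports(msg):
    """Map host -> transport advertised in its Record-Route (lowercase, '' if none)."""
    advertised = {}
    for name, value in parse_headers(msg):
        if name == "record-route":
            for m in _RR_RE.finditer(value):
                host, _ = _split_hostport(m.group("hostport"))
                advertised[host] = _params(m.group("params")).get("transport", "").lower()
    return advertised


def advertised_vs_actual(msg):
    """(host, advertised, actual) for proxies whose Record-Route transport differs from their Via."""
    rr = record_route_transports(msg)
    return [(host, rr[host], transport.lower())
            for transport, host, _ in via_hops(msg)
            if host in rr and rr[host] and rr[host] != transport.lower()]


if __name__ == "__main__":
    print("R-URI transport:", request_uri_transport(SAMPLE_INVITE))
    for hop in via_hops(SAMPLE_INVITE):
        print("hop %-4s %s:%s" % hop)
    print("insecure hops:", insecure_hops(SAMPLE_INVITE))
    print("Record-Route vs Via mismatches:", advertised_vs_actual(SAMPLE_INVITE))
```

Run against the sample, the script lists the three hops as TLS, UDP, TLS, flags 10.0.16.52:5060 as the only non-TLS hop, and reports that 10.0.16.52 advertises transport=tls in Record-Route while its own Via says UDP, which is exactly the inconsistency described above. Capturing the same check on proxy2 (or in a pcap) makes it easy to confirm that a fix such as setting $du with transport=tls really changed the wire transport rather than only the advertised one.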

From: sr-users [mailto:sr-users-bounces@lists.sip-router.org] On Behalf Of Daniel-Constantin Mierla
Sent: Wednesday, January 25, 2017 12:17 AM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.sip-router.org>
Subject: Re: [SR-Users] How does Kamailio decide which protocol to use when fwding to another proxy?

Hello,

First thing: do not reply to other emails from the mailing list, create a new one -- at the end of your message is a previous email from the list. It keeps the conversation clean, doesn't mess up the email thread id and also makes it easier to understand what it's all about (and uses less bandwidth) on mobile devices.

You would have to provide the sip packet (the invite) to understand what happens there. The support of TLS can be discovered via DNS lookup (NAPTR+SRV) or the transport can be enforced in the r-uri with transport=xyz parameter.

Cheers,
Daniel


On 24/01/2017 20:01, Pranathi Venkatayogi wrote:

Hi,

  I have two instances of Kamailio acting as edge proxies. One on the customer side and one on the agent side.

  Like: customer -> proxy1 -> proxy2 -> agent.

  Both customer and agent are registered to proxy1/proxy2 via TLS.

  However when proxy1 forwards to proxy2, it is using UDP. How can I force it to use TLS?

  Attached is the result of nslookup on the domain: translation.sms-test.cyracom.com.

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Mar 6-8 (Europe) and Mar 20-22 (USA) - www.asipto.com
Kamailio World Conference - May 8-10, 2017 - www.kamailioworld.com