14 Jan
2013
14 Jan
'13
11:23 a.m.
Hi All,
I would setup a configuration where Kamailio authenticate asterisk SIP trunk using TLS and
SRTP.
At moment I was able to configure everything, including RTTProxy since most of the
asterisks v1.8.19.1
are behind NAT. So far so good it works pretty good using standard authentication and the
call goes straight
between asterisks. But as soon as I move my configuration for both kamailio & asterisk
to TLS+SRTP I'm
not able to authenticate asterisk SIP trunks. Especially asterisk seems insisting to use
the port 5060 even if
I requested the TLS on 5061.
kamailio v3.3.3 tls.cfg is configured as:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/server.key
certificate = /etc/pki/tls/certs/server.pem
ca_list = /etc/pki/tls/certs/ca-bundle.crt
#crl = //etc/kamailio/crl.pem
# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no
So my asterisk conf is the following:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/5002.pem
tlscafile=/etc/asterisk/ca-bundle.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp
....
.....
and the SIP trunk is configured as
[kamailio]
type=peer
insecure=invite,port
nat=yes
disallow=all
allow=ulaw
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
defaultuser=5002
fromuser = 5002
fromdomain =mydomain
secret=5002
qualify=yes
dtmfmode=rfc2833
context=default
callbackextension=5002
directmedia=nonat
sendrpid=yes
transport=tls
encryption=yes
register => tls://5002:5002@kamailio_ip:5061/5002
I still get error like:
Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not
a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not
a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not
a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP
socket to kamailio_ip:5060:
Connection timed out
Does anyone can suggest me something to read, try, check?
Best regards.
Roberto Fichera.
14 Jan
14 Jan
4:05 p.m.
First, you should test TLS with RTP (first make sure that TLS works,
then enable SRTP).
Seconds, it seems like an Asterisk problem, thus may get better answers
on the Asterisk mailing lists.
regards
Klaus
On 14.01.2013 11:23, Roberto Fichera wrote:
Hi All,
I would setup a configuration where Kamailio authenticate asterisk SIP trunk using TLS
and SRTP.
At moment I was able to configure everything, including RTTProxy since most of the
asterisks v1.8.19.1
are behind NAT. So far so good it works pretty good using standard authentication and the
call goes straight
between asterisks. But as soon as I move my configuration for both kamailio &
asterisk to TLS+SRTP I'm
not able to authenticate asterisk SIP trunks. Especially asterisk seems insisting to use
the port 5060 even if
I requested the TLS on 5061.
kamailio v3.3.3 tls.cfg is configured as:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/server.key
certificate = /etc/pki/tls/certs/server.pem
ca_list = /etc/pki/tls/certs/ca-bundle.crt
#crl = //etc/kamailio/crl.pem
# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no
So my asterisk conf is the following:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/5002.pem
tlscafile=/etc/asterisk/ca-bundle.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp
....
.....
and the SIP trunk is configured as
[kamailio]
type=peer
insecure=invite,port
nat=yes
disallow=all
allow=ulaw
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
defaultuser=5002
fromuser = 5002
fromdomain =mydomain
secret=5002
qualify=yes
dtmfmode=rfc2833
context=default
callbackextension=5002
directmedia=nonat
sendrpid=yes
transport=tls
encryption=yes
register => tls://5002:5002@kamailio_ip:5061/5002
I still get error like:
Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not
a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is
not a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is
not a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect
SIP socket to kamailio_ip:5060:
Connection timed out
Does anyone can suggest me something to read, try, check?
Best regards.
Roberto Fichera.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
7:21 p.m.
On 01/14/2013 04:05 PM, Klaus Darilion wrote:
First, you should test TLS with RTP (first make sure
that TLS works, then enable SRTP).
I was able to partially fix the TLS problem, now I can do at least
openssl s_client -connect kamailio_ip:5061 -tls1
and get the corresponding answer.
I had to add the listen=tcp: line and adjust the iptables accordingly
listen=udp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tcp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tls:10.50.X.X:5061 advertise kamailio_ip:5061
Seconds, it seems like an Asterisk problem, thus may
get better answers on the Asterisk mailing lists.
I'll try to ask them
regards
Klaus
On 14.01.2013 11:23, Roberto Fichera wrote:
Hi All,
I would setup a configuration where Kamailio authenticate asterisk SIP trunk using TLS
and SRTP.
At moment I was able to configure everything, including RTTProxy since most of the
asterisks v1.8.19.1
are behind NAT. So far so good it works pretty good using standard authentication and the
call goes straight
between asterisks. But as soon as I move my configuration for both kamailio &
asterisk to TLS+SRTP I'm
not able to authenticate asterisk SIP trunks. Especially asterisk seems insisting to use
the port 5060 even if
I requested the TLS on 5061.
kamailio v3.3.3 tls.cfg is configured as:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/server.key
certificate = /etc/pki/tls/certs/server.pem
ca_list = /etc/pki/tls/certs/ca-bundle.crt
#crl = //etc/kamailio/crl.pem
# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no
So my asterisk conf is the following:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/5002.pem
tlscafile=/etc/asterisk/ca-bundle.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp
....
.....
and the SIP trunk is configured as
[kamailio]
type=peer
insecure=invite,port
nat=yes
disallow=all
allow=ulaw
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
defaultuser=5002
fromuser = 5002
fromdomain =mydomain
secret=5002
qualify=yes
dtmfmode=rfc2833
context=default
callbackextension=5002
directmedia=nonat
sendrpid=yes
transport=tls
encryption=yes
register => tls://5002:5002@kamailio_ip:5061/5002
I still get error like:
Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not
a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is
not a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is
not a valid transport for 'dicenet'. we
only use 'TLS'! ending call.
[Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error
for registration to
5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect
SIP socket to kamailio_ip:5060:
Connection timed out
Does anyone can suggest me something to read, try, check?
Best regards.
Roberto Fichera.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
4408
days inactive
4408
days old
2 comments
2 participants
participants (2)
-
Klaus Darilion -
Roberto Fichera