Hi All,
I would like to set up a configuration where Kamailio authenticates Asterisk SIP trunks using TLS and SRTP. At the moment I have been able to configure everything, including RTPProxy, since most of the Asterisk boxes (v1.8.19.1) are behind NAT. So far so good: it works pretty well using standard authentication, and the call goes straight between the Asterisks. But as soon as I move my configuration for both Kamailio & Asterisk to TLS+SRTP, I'm not able to authenticate the Asterisk SIP trunks. In particular, Asterisk seems to insist on using port 5060 even though I requested TLS on 5061.
kamailio v3.3.3 tls.cfg is configured as:
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/server.key
certificate = /etc/pki/tls/certs/server.pem
ca_list = /etc/pki/tls/certs/ca-bundle.crt
#crl = //etc/kamailio/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no
So my asterisk conf is the following:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/5002.pem
tlscafile=/etc/asterisk/ca-bundle.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp
....
.....
and the SIP trunk is configured as
[kamailio]
type=peer
insecure=invite,port
nat=yes
disallow=all
allow=ulaw
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
defaultuser=5002
fromuser=5002
fromdomain=mydomain
secret=5002
qualify=yes
dtmfmode=rfc2833
context=default
callbackextension=5002
directmedia=nonat
sendrpid=yes
transport=tls
encryption=yes

register => tls://5002:5002@kamailio_ip:5061/5002
I still get error like:
[Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP socket to kamailio_ip:5060: Connection timed out
Can anyone suggest something to read, try, or check?
Best regards. Roberto Fichera.
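The tls.cfg and sip.conf fragments in the post above switch off certificate checking on every side (verify_certificate = no and require_certificate = no in both Kamailio domains, tlsdontverifyserver=yes in Asterisk). That is a reasonable way to get a first handshake through, but it means the TLS layer authenticates nobody and the trunk is protected by the digest secret alone. The linter below is an added example by the editor, not code from the thread, Kamailio or Asterisk: it parses both fragments (the elided lines dropped) and reports those settings together with a suggested value. The rule table and the suggested values are the editor's own assumptions.

```python
"""Added example, not code from the thread: a linter over the Kamailio
tls.cfg and Asterisk sip.conf fragments posted above, flagging settings
that get the handshake working but leave TLS authenticating nobody, so
only the digest secret protects the trunk. Config text is copied from
the post (elided lines dropped); the rules are the editor's own policy."""

KAMAILIO_TLS_CFG = """\
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
#crl = //etc/kamailio/crl.pem

[client:default]
verify_certificate = no
require_certificate = no
"""

ASTERISK_SIP_CONF = """\
[general]
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp

[kamailio]
type=peer
insecure=invite,port
transport=tls
encryption=yes
register => tls://5002:5002@kamailio_ip:5061/5002
"""


def parse_ini(text):
    """{section: {key: value}}; keys lower-cased, last one wins, '#'/';'
    comment lines skipped, Asterisk's 'key => value' form accepted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=>" if "=>" in line else "=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


# (domain kind, key, predicate on value, why it matters, suggested value)
KAMAILIO_RULES = [
    ("server", "verify_certificate", lambda v: v.lower() == "no",
     "certificates presented by connecting Asterisk boxes are never checked", "yes"),
    ("server", "require_certificate", lambda v: v.lower() == "no",
     "clients may connect with no certificate, so TLS authenticates nobody", "yes"),
    ("client", "verify_certificate", lambda v: v.lower() == "no",
     "outgoing connections accept any server certificate", "yes"),
]

ASTERISK_GENERAL_RULES = [
    ("tlsdontverifyserver", lambda v: v.lower() == "yes",
     "the proxy certificate is not checked; whoever answers the TCP connect is trusted", "no"),
    ("tlscipher", lambda v: v.upper() == "ALL",
     "OpenSSL cipher list ALL admits low-strength and export suites", "HIGH:!aNULL:!MD5"),
]


def lint_kamailio(cfg):
    """(section, key, value, why, fix) for each weak tls.cfg setting."""
    out = []
    for section, keys in cfg.items():
        kind = section.split(":", 1)[0]  # 'server' or 'client' domain
        for rule_kind, key, bad, why, fix in KAMAILIO_RULES:
            if kind == rule_kind and key in keys and bad(keys[key]):
                out.append((section, key, keys[key], why, fix))
    return out


def lint_asterisk(cfg):
    """Same tuple shape, covering [general] and every peer/friend section."""
    general = cfg.get("general", {})
    out = [("general", key, general[key], why, fix)
           for key, bad, why, fix in ASTERISK_GENERAL_RULES
           if key in general and bad(general[key])]
    for section, keys in cfg.items():
        if keys.get("type") not in ("peer", "friend"):
            continue
        flags = {t.strip().lower() for t in keys.get("insecure", "").split(",")}
        if "invite" in flags:
            out.append((section, "insecure", keys["insecure"],
                        "INVITEs from this peer are accepted without a digest challenge",
                        "drop 'invite' unless the proxy is authenticated by its certificate"))
        transports = {t.strip().lower() for t in keys.get("transport", "udp").split(",")}
        if keys.get("encryption", "no").lower() == "yes" and "tls" not in transports:
            out.append((section, "encryption", keys["encryption"],
                        "SDES keys for SRTP travel in the SDP, cleartext without TLS", "transport=tls"))
    return out
```

Run `lint_kamailio(parse_ini(KAMAILIO_TLS_CFG))` and `lint_asterisk(parse_ini(ASTERISK_SIP_CONF))` to see the findings for the posted fragments; feeding the same functions a copy with verify_certificate = yes, require_certificate = yes and tlsdontverifyserver=no yields none, which is the state to aim for once the handshake itself works. The encryption check catches the related mistake of enabling SRTP on a peer that is still reachable over UDP, where the SDES keys would be sent in the clear.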
First, you should test TLS with RTP (first make sure that TLS works, then enable SRTP).
Second, it seems like an Asterisk problem, so you may get better answers on the Asterisk mailing lists.
regards Klaus
On 14.01.2013 11:23, Roberto Fichera wrote:
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 01/14/2013 04:05 PM, Klaus Darilion wrote:
First, you should test TLS with RTP (first make sure that TLS works, then enable SRTP).
I was able to partially fix the TLS problem; now I can at least do
openssl s_client -connect kamailio_ip:5061 -tls1
and get the corresponding answer.
I had to add the listen=tcp: line and adjust iptables accordingly:
listen=udp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tcp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tls:10.50.X.X:5061 advertise kamailio_ip:5061
Second, it seems like an Asterisk problem, so you may get better answers on the Asterisk mailing lists.
I'll try to ask them
regards Klaus
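The openssl s_client check in the reply above shows that the TLS listener on 5061 answers a handshake. The next two things worth checking are that SIP is actually spoken on that socket and that the server certificate chains to the CA bundle Asterisk will be given, which tlsdontverifyserver=yes would otherwise hide. The probe below is an added example by the editor, not code from the thread or from Kamailio or Asterisk: it builds a SIP OPTIONS request, opens a certificate-verified TLS connection with Python's ssl module, and parses the status line of the reply. The host name, the CA file path and a 200 reply to OPTIONS are assumptions; the thread does not say how this Kamailio is configured to answer OPTIONS.

```python
"""Added example, not code from the thread: probe a SIP-over-TLS listener
the way a properly configured client would, verifying the certificate
chain (the opposite of tlsdontverifyserver=yes) and then checking that a
SIP OPTIONS request gets a SIP reply. Host, CA file and the expected 200
are assumptions; the thread does not say how Kamailio answers OPTIONS."""
import secrets
import socket
import ssl


def sip_options_request(host, port, local_host="127.0.0.1"):
    """Return a minimal OPTIONS request as bytes: CRLF line endings, the
    RFC 3261 mandatory headers, transport=tls in Request-URI and Via,
    and a Via branch starting with the z9hG4bK magic cookie."""
    branch = "z9hG4bK-" + secrets.token_hex(8)
    lines = [
        f"OPTIONS sip:{host}:{port};transport=tls SIP/2.0",
        f"Via: SIP/2.0/TLS {local_host};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={secrets.token_hex(4)}",
        f"To: <sip:{host}>",
        f"Call-ID: {secrets.token_hex(8)}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host};transport=tls>",
        "Content-Length: 0",
        "",   # blank line ends the headers
        "",   # ... and the join produces the final CRLF
    ]
    return "\r\n".join(lines).encode()


def parse_status(reply):
    """(code, reason) from the first line of a SIP reply, or None when the
    bytes are not a SIP status line (empty read, HTTP, garbage)."""
    first = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return (int(parts[1]), parts[2] if len(parts) > 2 else "")


def read_headers(tls, limit=65536):
    """Read until the end of the SIP headers or the peer closes."""
    reply = b""
    while b"\r\n\r\n" not in reply and len(reply) < limit:
        chunk = tls.recv(4096)
        if not chunk:
            break
        reply += chunk
    return reply


def probe(host, port=5061, cafile=None, timeout=5.0,
          min_version=ssl.TLSVersion.TLSv1_2):
    """Connect with certificate and hostname verification on, send OPTIONS
    and return (peer certificate subject, parsed status). A chain that
    does not validate against cafile raises ssl.SSLCertVerificationError;
    a listener pinned to TLS 1.0 (method = TLSv1) fails the handshake
    unless min_version is lowered for diagnosis."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(sip_options_request(host, port))
            reply = read_headers(tls)
            return tls.getpeercert().get("subject"), parse_status(reply)


if __name__ == "__main__":
    # Assumed values; replace with the real proxy and the CA bundle that
    # signed its certificate (e.g. /etc/asterisk/ca-bundle.crt).
    subject, status = probe("kamailio_ip", 5061, cafile="/etc/asterisk/ca-bundle.crt")
    print("server certificate subject:", subject)
    print("OPTIONS reply:", status)
```

Against the configuration in the thread the probe is expected to fail at the handshake, because the listener is pinned to TLS 1.0 (method = TLSv1) and the probe refuses anything below 1.2; passing min_version=ssl.TLSVersion.TLSv1 lets it continue for diagnosis, and a certificate that does not chain to the CA bundle then surfaces as an SSLCertVerificationError rather than being silently accepted the way tlsdontverifyserver=yes would. parse_status returning None while the handshake succeeded means the port answers TLS but not SIP, which is a different problem from the transport errors in the Asterisk log.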