[SR-Users] Kamailio, Asterisk with TLS+SRTP

Roberto Fichera kernel at tekno-soft.it
Mon Jan 14 11:23:34 CET 2013


Hi All,

I would like to set up a configuration where Kamailio authenticates Asterisk SIP trunks using TLS and SRTP.
At the moment I was able to configure everything, including RTPProxy since most of the Asterisk v1.8.19.1 boxes
are behind NAT. So far so good: it works pretty well using standard authentication and the call goes straight
between the Asterisk boxes. But as soon as I move my configuration for both Kamailio and Asterisk to TLS+SRTP I'm
not able to authenticate the Asterisk SIP trunks. In particular, Asterisk seems to insist on using port 5060 even
though I requested TLS on 5061.

kamailio v3.3.3 tls.cfg is configured as:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/pki/tls/private/server.key
certificate = /etc/pki/tls/certs/server.pem
ca_list = /etc/pki/tls/certs/ca-bundle.crt
#crl = //etc/kamailio/crl.pem

# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
verify_certificate = no
require_certificate = no


So my asterisk conf is the following:

[general]

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/5002.pem
tlscafile=/etc/asterisk/ca-bundle.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp
....
.....

and the SIP trunk is configured as

[kamailio]
type=peer
insecure=invite,port
nat=yes
disallow=all
allow=ulaw
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
defaultuser=5002
fromuser=5002
fromdomain=mydomain
secret=5002
qualify=yes
dtmfmode=rfc2833
context=default
callbackextension=5002
directmedia=nonat
sendrpid=yes

transport=tls
encryption=yes

register => tls://5002:5002@kamailio_ip:5061/5002

I still get error like:

[Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP socket to kamailio_ip:5060: Connection timed out

Can anyone suggest something for me to read, try or check?

Best regards.
Roberto Fichera.
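The TLS settings and log lines quoted in the message above, run through a small audit script. This is an added example, not part of the post and not code from the Kamailio or Asterisk projects. The tls.cfg, sip.conf and log samples embedded in it are constructed to mirror the fragments in the message (hostname kamailio_ip, peer name dicenet, ports 5060/5061 as posted), and the checks are local heuristics of this script: certificate verification switched off on either side, legacy protocol versions, SRTP enabled on a peer whose signalling is not TLS-only, and a mismatch between the port configured for a peer and the port chan_sip actually tried to reach according to the log.

```python
import re

# Constructed samples modelled on the fragments in the post (not the poster's files verbatim).
KAMAILIO_TLS_CFG = """\
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no

[client:default]
verify_certificate = no
require_certificate = no
"""

ASTERISK_SIP_CONF = """\
[general]
tlsenable=yes
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
transport=tls,udp

[kamailio]
type=peer
host=kamailio_ip
outboundproxy=tls://kamailio_ip
port=5061
transport=tls
encryption=yes
"""

ASTERISK_LOG = """\
[Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we only use 'TLS'! ending call.
[Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP socket to kamailio_ip:5060: Connection timed out
"""

LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1"}
RE_TRANSPORT = re.compile(r"create_addr_from_peer: '(?P<used>\w+)' is not a valid transport for "
                          r"'(?P<peer>[^']+)'\. we only use '(?P<required>\w+)'")
RE_CONNECT = re.compile(r"ast_tcptls_client_start: Unable to connect SIP socket to "
                        r"(?P<host>[^:\s]+):(?P<port>\d+): (?P<reason>.+)$")


def parse_ini(text):
    """Minimal parser for the '[section]' / 'key=value' layout both files use;
    skips '#' and ';' comment lines and accepts Asterisk's 'register => ...' form."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, val = line.partition("=>" if "=>" in line else "=")
        current[key.strip().lower()] = val.strip()
    return sections


def audit_kamailio(cfg):
    """Findings are (component, section, option, message) tuples."""
    out = []
    for name, opts in cfg.items():
        role = name.split(":", 1)[0]                      # 'server' or 'client' domain
        if opts.get("method", "").lower() in LEGACY_METHODS:
            out.append(("kamailio", name, "method", "legacy protocol version"))
        if role == "client" and opts.get("verify_certificate", "").lower() == "no":
            out.append(("kamailio", name, "verify_certificate", "outgoing TLS does not verify the peer certificate"))
        if role == "server" and opts.get("require_certificate", "").lower() == "no":
            out.append(("kamailio", name, "require_certificate", "no client certificate required; digest auth is the only check"))
    return out


def audit_asterisk(cfg):
    out, general = [], cfg.get("general", {})
    if general.get("tlsdontverifyserver", "no").lower() == "yes":
        out.append(("asterisk", "general", "tlsdontverifyserver", "remote TLS server certificate is not verified"))
    if general.get("tlsclientmethod", "").lower() in LEGACY_METHODS:
        out.append(("asterisk", "general", "tlsclientmethod", "legacy protocol version"))
    for name, opts in cfg.items():
        if opts.get("type") != "peer":
            continue
        transport = opts.get("transport", general.get("transport", "udp")).lower()
        if opts.get("encryption", "no").lower() == "yes" and transport != "tls":
            out.append(("asterisk", name, "encryption", "SRTP keys travel in SDP, so signalling must be TLS-only"))
    return out


def parse_log(text):
    """Extract the two chan_sip error patterns quoted in the post into dicts."""
    events = []
    for line in text.splitlines():
        if m := RE_TRANSPORT.search(line):
            events.append({"kind": "transport_mismatch", **m.groupdict()})
        elif m := RE_CONNECT.search(line):
            events.append({"kind": "connect_failed", **m.groupdict(), "port": int(m.group("port"))})
    return events


def cross_check(cfg, events):
    """Compare the port chan_sip dialled (from the log) with the port configured for that host."""
    out = []
    for ev in (e for e in events if e["kind"] == "connect_failed"):
        for name, opts in cfg.items():
            if opts.get("type") == "peer" and opts.get("host") == ev["host"]:
                want = int(opts.get("port", "5060"))
                if want != ev["port"]:
                    out.append(("asterisk", name, "port", f"configured {want} but connect attempted to {ev['port']}"))
    return out


def audit(kam_text, ast_text, log_text):
    ast_cfg, events = parse_ini(ast_text), parse_log(log_text)
    findings = audit_kamailio(parse_ini(kam_text)) + audit_asterisk(ast_cfg) + cross_check(ast_cfg, events)
    return findings, events


if __name__ == "__main__":
    for f in audit(KAMAILIO_TLS_CFG, ASTERISK_SIP_CONF, ASTERISK_LOG)[0]:
        print("FINDING", *f)
```

On the constructed samples the script reports six findings: both Kamailio domains and the Asterisk client are configured without certificate verification, both sides pin a legacy protocol version, and the peer configured for port 5061 was dialled on 5060 according to the tcptls log line. The script only points at the discrepancy; it does not claim to know why chan_sip chose that port.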


