[SR-Users] Kamailio, Asterisk with TLS+SRTP

Klaus Darilion klaus.mailinglists at pernau.at
Mon Jan 14 16:05:44 CET 2013


First, you should test TLS with RTP (first make sure that TLS works, 
then enable SRTP).

Second, it seems like an Asterisk problem, thus you may get better answers 
on the Asterisk mailing lists.

regards
Klaus

On 14.01.2013 11:23, Roberto Fichera wrote:
> Hi All,
>
> I would like to set up a configuration where Kamailio authenticates Asterisk SIP trunks using TLS and SRTP.
> At the moment I was able to configure everything, including RTPProxy since most of the Asterisks v1.8.19.1
> are behind NAT. So far so good, it works pretty well using standard authentication and the call goes straight
> between Asterisks. But as soon as I move my configuration for both Kamailio & Asterisk to TLS+SRTP I'm
> not able to authenticate Asterisk SIP trunks. Especially, Asterisk seems to insist on using port 5060 even if
> I requested TLS on 5061.
>
> kamailio v3.3.3 tls.cfg is configured as:
>
> [server:default]
> method = TLSv1
> verify_certificate = no
> require_certificate = no
> private_key = /etc/pki/tls/private/server.key
> certificate = /etc/pki/tls/certs/server.pem
> ca_list = /etc/pki/tls/certs/ca-bundle.crt
> #crl = //etc/kamailio/crl.pem
>
> # This is the default client domain, settings
> # in this domain will be used for all outgoing
> # TLS connections that do not match any other
> # client domain in this configuration file.
> # We require that servers present valid certificate.
> #
> [client:default]
> verify_certificate = no
> require_certificate = no
>
>
> So my asterisk conf is the following:
>
> [general]
>
> tlsenable=yes
> tlsbindaddr=0.0.0.0
> tlscertfile=/etc/asterisk/5002.pem
> tlscafile=/etc/asterisk/ca-bundle.crt
> tlscipher=ALL
> tlsclientmethod=tlsv1
> tlsdontverifyserver=yes
> transport=tls,udp
> ....
> .....
>
> and the SIP trunk is configured as
>
> [kamailio]
> type=peer
> insecure=invite,port
> nat=yes
> disallow=all
> allow=ulaw
> host=kamailio_ip
> outboundproxy=tls://kamailio_ip
> port=5061
> defaultuser=5002
> fromuser = 5002
> fromdomain =mydomain
> secret=5002
> qualify=yes
> dtmfmode=rfc2833
> context=default
> callbackextension=5002
> directmedia=nonat
> sendrpid=yes
>
> transport=tls
> encryption=yes
>
> register => tls://5002:5002@kamailio_ip:5061/5002
>
> I still get error like:
>
> [Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
> only use 'TLS'! ending call.
> [Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
> [Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
> only use 'TLS'! ending call.
> [Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
> [Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
> only use 'TLS'! ending call.
> [Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
> [Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP socket to kamailio_ip:5060:
> Connection timed out
>
> Can anyone suggest something for me to read, try or check?
>
> Best regards.
> Roberto Fichera.
>
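A small probe for the first step Klaus recommends (make sure TLS itself works before enabling SRTP), added here as an example and not taken from either post: it opens a certificate-verified TLS connection to the SIP listener on 5061, sends a SIP OPTIONS and reports the negotiated TLS version, cipher, peer subject and SIP status. The host, port and CA file are assumptions supplied by the caller.

```python
import socket
import ssl
import uuid


def build_options(host: str, port: int, via_host: str, via_port: int) -> bytes:
    """Build a minimal SIP OPTIONS request that advertises the TLS transport."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # RFC 3261 magic cookie + unique id
    lines = [
        f"OPTIONS sip:{host}:{port};transport=tls SIP/2.0",
        f"Via: SIP/2.0/TLS {via_host}:{via_port};branch={branch};rport",
        f"From: <sip:probe@{via_host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{host}:{port}>",
        f"Call-ID: {uuid.uuid4().hex}@{via_host}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(reply: bytes) -> tuple:
    """Return (code, reason) from the SIP status line; raise ValueError otherwise."""
    status_line = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        raise ValueError(f"not a SIP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe_sip_tls(host: str, port: int = 5061, cafile=None, timeout: float = 5.0) -> dict:
    """Open a certificate-verified TLS connection, send OPTIONS, report the outcome."""
    # Unlike verify_certificate=no / tlsdontverifyserver=yes in the thread, verification is
    # on here (CERT_REQUIRED + name check), so a failed handshake pinpoints a chain or name
    # problem. The default context also refuses TLS 1.0, so a method = TLSv1 listener fails.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        via_host, via_port = tls.getsockname()[:2]
        tls.sendall(build_options(host, port, via_host, via_port))
        reply = b""
        while b"\r\n\r\n" not in reply and (chunk := tls.recv(4096)):  # read the headers
            reply += chunk
        code, reason = parse_status(reply)
        return {"tls": tls.version(), "cipher": tls.cipher()[0],
                "peer": tls.getpeercert().get("subject"), "status": code, "reason": reason}
```

Call `probe_sip_tls("kamailio_ip", 5061, cafile="/etc/pki/tls/certs/ca-bundle.crt")` against the listener; if the peer is named by a bare IP, its certificate needs that IP in a subjectAltName for the name check to pass.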