[SR-Users] Configuration to use rtpengine for SRTP

David Cunningham dcunningham at voisonics.com
Thu Jul 27 06:01:44 CEST 2017


Hi Daniel,

Thanks very much for that reply. We now detect whether the destination is
using TLS successfully using $ru and pcre_match().

Now when we call Asterisk -> Kamailio+rtpengine -> TLS phone, the TLS phone
rings but the call drops immediately when it answers. The issue is that
Asterisk doesn't like the 200 OK from the phone, which contains SRTP
information. The error logged by Asterisk is "Rejecting secure audio stream
without encryption details". I've included the SDP below.


Our questions now are:
1) Our goal is to have Kamailio+rtpengine act as a TLS/SRTP <--> Plain
SIP/RTP bridge. Is it possible to configure Kamailio so that Asterisk never
sees the encryption information in the 200 OK?
2) Is there anything wrong with the SDP returned by the TLS phone? For
example, you mentioned before SDES SRTP and I wonder if the type of SRTP is
not acceptable for some reason.


SDP received by Asterisk:

v=0
o=- 1501126711 1501126711 IN IP4 10.100.3.246
s=Polycom IP Phone
c=IN IP4 10.100.3.246
t=0 0
a=sendrecv
m=audio 2224 RTP/SAVP 0 101
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:W3V1lIbwyW1DzSmx8/AFFttKNJaoAM6kux0AcLtp
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000


The part of the Kamailio configuration which handles rtpengine is:

                if ( nat_uac_test( "8" ) ) {
                        rtpengine_manage( "force replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
                } else {
                        rtpengine_manage( "force trust-address replace-origin replace-session-connection rtcp-mux-accept rtcp-mux-offer ICE=force RTP/SAVPF" );
                }

Thanks again.


On 26 July 2017 at 21:06, Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> Hello,
>
> for phones that are using tls, you can do the following tests:
>
>   - for incoming traffic: proto==TLS
>   - for outgoing traffic: after lookup location, the R-URI ($ru) should
> have 'transport=tls'
>
> For RTPEngine there are some flags to specify you want or not SDES SRTP, I
> used them few times in the past, but I don't recall them by heart -- the
> docs should have them.
>
> Cheers,
> Daniel
>
> On 26.07.17 06:40, David Cunningham wrote:
>
> Hello,
>
> We're configuring Kamailio 4.2 with rtpengine to act as a midpoint between
> a telephone using TLS/SRTP and Asterisk. There are examples out there for
> TLS/SRTP with WebRTC, but we're using a plain hard phone, not WebRTC.
>
> Would anyone be able to point us towards a Kamailio configuration which:
>
> a) Tests if the destination phone (stored using usrloc) uses TLS.
>
> b) Sends RTP for calls to a TLS phone to rtpengine to be encrypted. We can
> assume all phones using TLS want to use SRTP.
>
> Thanks very much in advance.
>
> --
> David Cunningham, Voisonics Limited
> http://voisonics.com/
> USA: +1 213 221 1092
> Australia: +61 (0) 2 8063 9019
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>
> --
> Daniel-Constantin Mierla
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - www.asipto.com
> Kamailio World Conference - www.kamailioworld.com
>
>


-- 
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
Australia: +61 (0) 2 8063 9019
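
Added example, not part of the original post and not Kamailio or rtpengine code: a Python check that parses an SDP body such as the one quoted above and reports whether SRTP signalling (an RTP/SAVP profile or SDES a=crypto keys) reaches a leg that is meant to carry plain RTP, or is missing on a leg that should be encrypted. The function names and the "plain"/"secure" leg labels are assumptions made for this example; the sample is an abridged copy of the SDP in the post, including the wrapped a=crypto line.

```python
import re

# Constructed sample: abridged copy of the SDP quoted in the post, keeping
# the line fold that mail wrapping put in the middle of a=crypto.
SAMPLE_SDP = """v=0
o=- 1501126711 1501126711 IN IP4 10.100.3.246
c=IN IP4 10.100.3.246
t=0 0
m=audio 2224 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80
inline:W3V1lIbwyW1DzSmx8/AFFttKNJaoAM6kux0AcLtp
a=rtpmap:0 PCMU/8000
"""

def unfold(sdp):
    """Rejoin wrapped lines: every real SDP line starts with '<letter>='."""
    out = []
    for line in filter(None, (l.strip() for l in sdp.splitlines())):
        if re.match(r"[a-z]=", line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def media_sections(sdp):
    """One dict per m= line: media type, port, transport profile, SDES suites."""
    sections = []
    for line in unfold(sdp):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            sections.append({"media": media, "port": int(port.split("/")[0]),
                             "proto": proto, "suites": []})
        elif sections and line.startswith("a=crypto:") and len(line.split()) >= 3:
            sections[-1]["suites"].append(line.split()[1])
    return sections

def check_leg(sdp, leg):
    """Findings for SDP delivered to a 'plain' (RTP) or 'secure' (SRTP) leg."""
    findings = []
    for s in media_sections(sdp):
        srtp = "SAVP" in s["proto"]          # matches RTP/SAVP and RTP/SAVPF
        if s["port"] == 0:                   # stream rejected, nothing to check
            continue
        if leg == "plain" and (srtp or s["suites"]):
            findings.append(f"{s['media']}: {s['proto']} / SDES keys reached the plain leg")
        elif leg == "secure" and not srtp:
            findings.append(f"{s['media']}: {s['proto']} would send media unencrypted")
        elif leg == "secure" and not s["suites"]:
            findings.append(f"{s['media']}: {s['proto']} has no SDES a=crypto keying")
    return findings
```

Run `check_leg()` on the SDP captured on each side of the proxy: an empty list for both legs means the plain side sees only RTP/AVP and the inline SDES key stays on the TLS side.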