Thanks to Gorka Gorrotxategi from Irontec (Spain), for his work on this setup
Here we come with a short post about how to configure one of the new Asterisk 1.8 features: Secure Communications via TLS and SRTP, providing ciphering and security.
These tests have been performed with Cisco SPA5XX IP Phones, and require a small patch on Asterisk code (we will see below the reasons for the patch). It also works with other terminals such as Snom and the Blink softphone.
The configuration will be explained briefly, as it is explained in other places on the web.
Compile libSRTP library for Asterisk to support SRTP
Following are the commands required to compile the library
Asterisk default code is not able to negotiate which method (AES_32 or AES_80) is going to be used for the ciphering. In fact, it always selects the first one, and this is AES_32. Here is the issue: Asterisk is able to handle both types, but offers only one of them, AES_80. The Asterisk patch forces it to signal the AES_32 method, to avoid audio issues due to a different ciphering method being used on each path. When this happens there is a never-ending warning message (30 per second) on the CLI:
To configure SRTP, add the ‘encryption’ directive in all peers (either realtime or sip.conf)
Configure SPA5XX. The version should be 7.4.3 or later (note that the configuration applies to ALL lines).
[SIP] SRTP Method: s-descriptor
[PHONE] Secure Call Serv: Yes
[USER] Secure Call Serv: Yes
Voila! SRTP is configured!
Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is active on a peer, it will not accept non-ciphered audio and vice versa. On the IP phones, however, it is possible to have insecure calls if the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom also supports the “optional” mode on SRTP, sending two m=audio attributes, but Asterisk does not know how to handle those descriptors).
Testing the configuration
The easiest test is to capture network traffic with Wireshark or similar software and check whether signaling or RTP is clear text/audio or ciphered.
In our tests, we found an intermittent warning on the Asterisk CLI, but it does not seem to affect operation
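An added example (not code from the original post or from Asterisk): a small Python check for SDP offer/answer bodies, assuming the post's AES_32 and AES_80 are the SDES suites AES_CM_128_HMAC_SHA1_32 and AES_CM_128_HMAC_SHA1_80. It flags an answer that falls back to plain RTP, an answer whose suite was not in the offer, and an offer carrying both RTP/AVP and RTP/SAVP audio lines; the function names and the sample SDP are constructed for illustration.

```python
import re

# SDES attribute (RFC 4568): a=crypto:<tag> <suite> inline:<key material>
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")

def parse_media(sdp_text):
    """Return one dict per m= section: media, port, transport profile, crypto suites."""
    sections = []
    for line in sdp_text.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line.startswith("m="):
            fields = (line[2:].split() + ["", "", ""])[:3]  # pad malformed m= lines
            sections.append({"media": fields[0], "port": fields[1],
                             "proto": fields[2], "suites": []})
        elif sections and (m := CRYPTO_RE.match(line)):
            sections[-1]["suites"].append(m.group(2))
    return sections

def check_answer(offer_sdp, answer_sdp):
    """Compare the audio sections of an offer and its answer; return findings."""
    findings = []
    offered = [s for s in parse_media(offer_sdp) if s["media"] == "audio"]
    answered = [s for s in parse_media(answer_sdp) if s["media"] == "audio"]
    if {"RTP/AVP", "RTP/SAVP"} <= {s["proto"] for s in offered}:
        findings.append("offer has both RTP/AVP and RTP/SAVP audio (optional SRTP)")
    offered_suites = {x for s in offered for x in s["suites"]}
    for s in answered:
        if s["port"] == "0":
            continue  # port 0 means this m= section was rejected
        if s["proto"] != "RTP/SAVP" or not s["suites"]:
            findings.append("answer audio is not SRTP: media would be clear text")
            continue
        for suite in sorted(set(s["suites"]) - offered_suites):
            findings.append("answer selects %s, which was not offered" % suite)
    return findings

def sdp(proto, suite=None):
    """Build a constructed SDP body (sample data, placeholder key, not a capture)."""
    lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
             "t=0 0", "m=audio 16384 %s 0 8" % proto]
    if suite:
        lines.append("a=crypto:1 %s inline:PLACEHOLDER_KEY_NOT_REAL" % suite)
    return "\r\n".join(lines) + "\r\n"

OFFER = sdp("RTP/SAVP", "AES_CM_128_HMAC_SHA1_80")   # constructed offer
ANSWER = sdp("RTP/SAVP", "AES_CM_128_HMAC_SHA1_32")  # constructed mismatching answer

if __name__ == "__main__":
    print("\n".join(check_answer(OFFER, ANSWER)))
```

With TLS active the SDP is not readable on the wire, so take the bodies from an endpoint's own SIP trace rather than from the packet capture.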