Thanks to Gorka Gorrotxategi from Irontec (Spain) for his work on this setup.
Here we come with a short post about how to configure one of the new Asterisk 1.8 features: secure communications via TLS and SRTP, providing ciphering and security.
These tests have been performed with Cisco SPA5XX IP phones, and require a small patch to the Asterisk code (we will see the reasons for the patch below). It also works with other terminals such as Snom and the Blink softphone.
The configuration will be explained briefly, as it is explained in other places on the web.
Compile libSRTP library for Asterisk to support SRTP
Following are the commands required to compile the library
Asterisk's default code is not able to negotiate which method (AES_32 or AES_80) is going to be used for the ciphering. In fact, it always selects the first one, and this is AES_32. Here is the issue: Asterisk is able to handle both types, but offers only one of them, AES_80. The Asterisk patch forces it to signal the AES_32 method, to avoid audio issues caused by a different ciphering method being used on each path. When this happens, there is a never-ending warning message (30 per second) on the CLI:
To configure SRTP, add the ‘encryption’ directive to all peers (either realtime or sip.conf).
Configure SPA5XX. Note version should be 7.4.3 or later (note that configuration applies to ALL lines).
[SIP] SRTP Method: s-descriptor
[PHONE] Secure Call Serv: Yes
[USER] Secure Call Serv: Yes
Voila! SRTP is configured!
Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is active on a peer, it will not accept non-ciphered audio and vice versa. On the IP phones, however, it is possible to have insecure calls if the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom also supports the “optional” mode on SRTP, sending two m=audio attributes, but Asterisk does not know how to handle those descriptors).
Testing the configuration
The easiest test is to capture network traffic and use Wireshark or similar software to check whether the signaling and the RTP audio are in clear text or ciphered.
In our tests, we found an intermittent warning on the Asterisk CLI, but it does not seem to affect operation.
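The check described above can also be made on the SDP bodies of a call. The following Python script is an added example, not part of the original post or of Asterisk: it reads an SDP offer and answer, reports audio streams that are not SRTP, and reports an answer whose crypto suite was not in the offer, which is the AES_32/AES_80 mismatch discussed earlier. The function names and the sample SDP bodies are constructed for illustration; `AES_CM_128_HMAC_SHA1_32` and `AES_CM_128_HMAC_SHA1_80` are the RFC 4568 suite names for what the post calls AES_32 and AES_80.

```python
import re

# a=crypto:<tag> <crypto-suite> inline:<key material>  (SDES, RFC 4568)
CRYPTO = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:")

def audio_sections(sdp):
    """Return [(profile, [suite, ...]), ...], one entry per m=audio section."""
    sections, current = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = None
            if len(fields) >= 3 and fields[0] == "audio":
                current = (fields[2], [])
                sections.append(current)
        elif current is not None:
            m = CRYPTO.match(line)
            if m:
                current[1].append(m.group(2))
    return sections

def check_negotiation(offer, answer):
    """Compare an SDP offer/answer pair and return a list of findings."""
    findings = []
    off, ans = audio_sections(offer), audio_sections(answer)
    for name, secs in (("offer", off), ("answer", ans)):
        if not secs:
            findings.append(f"{name}: no m=audio section")
        for profile, suites in secs:
            if not profile.startswith("RTP/SAVP"):
                findings.append(f"{name}: audio is {profile}, cleartext RTP")
            elif not suites:
                findings.append(f"{name}: {profile} without a=crypto")
    offered = {s for _, suites in off for s in suites}
    for _, suites in ans:
        for s in suites:
            if s not in offered:
                findings.append(f"answer: suite {s} not in offer")
    return findings

# Constructed SDP bodies (illustrative, not taken from a real capture).
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\ns=-\r\nc=IN IP4 192.0.2.1\r\nt=0 0\r\n"
SAVP = HEAD + "m=audio 16384 RTP/SAVP 0\r\na=crypto:1 {} inline:KEY-PLACEHOLDER\r\n"
OFFER_32 = ANSWER_32 = SAVP.format("AES_CM_128_HMAC_SHA1_32")
ANSWER_80 = SAVP.format("AES_CM_128_HMAC_SHA1_80")
ANSWER_PLAIN = HEAD + "m=audio 16384 RTP/AVP 0\r\n"
```

An empty list from `check_negotiation` means both sides agreed on SRTP with a suite that was actually offered; an offer carrying two m=audio sections, as in the Snom “optional” mode, is reported with its RTP/AVP section flagged as cleartext.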