Secure Communications between SPA phones and Asterisk 1.8: Using TLS and SRTP
Thanks to Gorka Gorrotxategi from Irontec (Spain), for his work on this setup
Here we come with a short post about how to configure one of the new Asterisk 1.8 features: secure communications via TLS and SRTP, providing ciphering and security.
These tests were performed with Cisco SPA5XX IP phones and require a small patch to the Asterisk code (we will see the reasons for the patch below). It also works with other terminals such as Snom and the Blink softphone.
The configuration is explained only briefly, as it is already covered elsewhere on the web.
Compile libSRTP library for Asterisk to support SRTP
Following are the commands required to compile the library
Asterisk's default code is not able to negotiate which method (AES_32 or AES_80) is going to be used for the ciphering. In fact, it always selects the first one, and this is AES_32. Here is the issue: Asterisk is able to handle both types, but offers only one of them, AES_80. The Asterisk patch forces it to signal the AES_32 method, to avoid audio issues caused by a different ciphering method being used on each path. When this happens, there is a never-ending warning message (30 per second) on the CLI:
To configure SRTP, add the ‘encryption’ directive to all peers (both realtime and sip.conf).
Configure the SPA5XX. Note that the version should be 7.4.3 or later (and that the configuration applies to ALL lines).
[SIP] SRTP Method: s-descriptor
[PHONE] Secure Call Serv: Yes
[USER] Secure Call Serv: Yes
Voila! SRTP is configured!
Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is active on a peer, it will not accept non-ciphered audio, and vice versa. On the IP phones, however, it is possible to have unsecured calls if the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom also supports the “optional” mode on SRTP by sending two m=audio attributes, but Asterisk does not know how to handle those descriptors).
Testing the configuration
The easiest test is to capture network traffic and inspect it with Wireshark or similar software to check whether the signaling and the RTP audio are clear text or ciphered.
In our tests, we found an intermittent warning on the Asterisk CLI, but it does not seem to affect operation
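An added example, not part of the original post: a small Python check that reads the SDP offer and answer of a call and reports whether the audio is clear-text RTP, SRTP with an agreed suite, or the AES_32/AES_80 mismatch described above. It assumes the article's AES_32 and AES_80 are the SDES suites AES_CM_128_HMAC_SHA1_32 and AES_CM_128_HMAC_SHA1_80; the function names, the SDP bodies and which side offers which suite are constructed for this example.

```python
import re

# SDES key lines (RFC 4568): a=crypto:<tag> <suite> inline:<key material>
CRYPTO_RE = re.compile(r"^a=crypto:\d+\s+(\S+)\s+inline:", re.I)

def audio_streams(sdp):
    """Return [(profile, [suites])] for each m=audio section of an SDP body."""
    streams, in_audio = [], False
    for line in sdp.replace("\r", "").split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            in_audio = len(fields) >= 3 and fields[0] == "audio"
            if in_audio:
                streams.append((fields[2].upper(), []))
        elif in_audio:
            m = CRYPTO_RE.match(line)
            if m:
                streams[-1][1].append(m.group(1).upper())
    return streams

def classify(offer_sdp, answer_sdp):
    """Compare offer and answer: cleartext, agreed SRTP suite, or mismatch."""
    offered = {s for p, suites in audio_streams(offer_sdp)
               if p == "RTP/SAVP" for s in suites}
    answer = audio_streams(answer_sdp)
    if not answer:
        return "no-audio"
    profile, suites = answer[0]
    if profile != "RTP/SAVP" or not suites:
        return "cleartext"  # plain RTP/AVP, or SAVP without any key line
    if suites[0] not in offered:
        return "suite-mismatch:" + suites[0]
    return "srtp:" + suites[0]

# Constructed sample SDP bodies (addresses and key material are dummies).
KEY = "inline:" + "A" * 40
def sdp(profile, suite=None):
    body = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
            "t=0 0", "m=audio 16384 %s 0 8" % profile, "a=rtpmap:0 PCMU/8000"]
    if suite:
        body.append("a=crypto:1 %s %s" % (suite, KEY))
    return "\r\n".join(body) + "\r\n"

PHONE_OFFER = sdp("RTP/SAVP", "AES_CM_128_HMAC_SHA1_32")
ANSWER_80 = sdp("RTP/SAVP", "AES_CM_128_HMAC_SHA1_80")
ANSWER_32 = sdp("RTP/SAVP", "AES_CM_128_HMAC_SHA1_32")
ANSWER_PLAIN = sdp("RTP/AVP")

if __name__ == "__main__":
    for name, ans in [("80", ANSWER_80), ("32", ANSWER_32), ("plain", ANSWER_PLAIN)]:
        print(name, classify(PHONE_OFFER, ans))
```

When the signaling runs over TLS the SDP is not readable in a packet capture, so feed the functions SDP bodies taken from a SIP trace on one of the endpoints.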