Thanks to Gorka Gorrotxategi from Irontec (Spain) for his work on this setup.
Here we come with a short post about how to configure one of the new Asterisk 1.8 features: secure communications via TLS and SRTP, which provide encryption of signaling and media.
These tests were performed with Cisco SPA5XX IP phones and require a small patch to the Asterisk code (the reason for the patch is explained below). It also works with other terminals such as Snom phones and the Blink softphone.
The configuration is explained only briefly, as it is already covered elsewhere on the web.
Compile the libSRTP library so that Asterisk supports SRTP
The following commands are required to compile the library:
Asterisk's default code is not able to negotiate which method (AES_32 or AES_80) will be used for the ciphering: in fact, it always selects the first one, which is AES_32. Here is the issue: Asterisk is able to handle both types, but offers only one of them, AES_80. The Asterisk patch forces it to signal the AES_32 method, to avoid audio problems caused by a different ciphering method being used on each path. When this happens there is a never-ending warning message (30 per second) on the CLI:
To configure SRTP, add the ‘encryption’ directive to all peers (whether defined in realtime or in sip.conf).
Configure the SPA5XX. Note that the firmware version should be 7.4.3 or later, and that this configuration applies to ALL lines.
[SIP] SRTP Method: s-descriptor
[PHONE] Secure Call Serv: Yes
[USER] Secure Call Serv: Yes
Voila! SRTP is configured!
Note: there is no optional SRTP mode in Asterisk, i.e. if encryption is active on a peer, it will not accept unencrypted audio, and vice versa. On the IP phones, however, it is possible to place unencrypted calls when the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom also supports an “optional” mode for SRTP by sending two m=audio attributes, but Asterisk does not know how to handle those descriptors).
Testing the configuration
The easiest test is to capture network traffic and inspect it with Wireshark or similar software to check whether the signaling and RTP are clear text (audio readable in the capture) or ciphered.
In our tests we found an intermittent warning on the Asterisk CLI, but it does not seem to affect operation.
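The check described above, as an added example that is not code from the original post or from Asterisk: a small Python script that parses the SDP of a captured offer/answer pair, reports whether the audio line is RTP/SAVP with a=crypto keys, and flags an answer whose suite does not match the offer, the AES_32/AES_80 mismatch the patch works around. The SDP bodies and inline keys below are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the original post): parse the SDP of a SIP offer
# and answer, report whether the audio stream is SRTP (RTP/SAVP) and check
# that the answer echoes one of the offered a=crypto suites (RFC 4568).
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)", re.M)
MEDIA_RE = re.compile(r"^m=audio\s+\d+\s+(\S+)", re.M)

@dataclass
class AudioDesc:
    profile: str                                # "RTP/AVP" (clear) or "RTP/SAVP" (SRTP)
    suites: list = field(default_factory=list)  # (tag, suite) pairs, in offer order

def parse_audio(sdp: str) -> AudioDesc:
    m = MEDIA_RE.search(sdp)
    if not m:
        raise ValueError("no m=audio line in SDP")
    return AudioDesc(m.group(1), [(int(t), s) for t, s, _ in CRYPTO_RE.findall(sdp)])

def is_encrypted(sdp: str) -> bool:
    """True when the audio line uses the secure profile and carries a key."""
    d = parse_audio(sdp)
    return d.profile.endswith("SAVP") and bool(d.suites)

def check_negotiation(offer: str, answer: str) -> str:
    """'ok', 'clear', or a description of why the two sides will not agree."""
    o, a = parse_audio(offer), parse_audio(answer)
    if not (o.profile.endswith("SAVP") and a.profile.endswith("SAVP")):
        return "clear"                          # at least one side is plain RTP
    if len(a.suites) != 1:
        return f"answer carries {len(a.suites)} crypto lines, expected exactly 1"
    tag, suite = a.suites[0]
    if (tag, suite) in o.suites:
        return "ok"
    # Mismatch: each path would cipher with a different suite, which is the
    # AES_32 / AES_80 problem the Asterisk patch above works around.
    return f"answer chose {suite} (tag {tag}); offer had {[s for _, s in o.suites]}"

# Constructed sample SDP bodies; the inline keys are placeholders, not real keys.
OFFER = ("v=0\r\nm=audio 16384 RTP/SAVP 0 8\r\n"
         "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_80\r\n"
         "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_KEY_32\r\n")
ANSWER_OK = "v=0\r\nm=audio 20000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_ANS\r\n"
ANSWER_BAD = "v=0\r\nm=audio 20000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_ANS\r\n"
CLEAR = "v=0\r\nm=audio 20000 RTP/AVP 0\r\n"

if __name__ == "__main__":
    print(is_encrypted(OFFER), check_negotiation(OFFER, ANSWER_OK))
    print(check_negotiation(OFFER, ANSWER_BAD), check_negotiation(OFFER, CLEAR))
```

Feed it the SDP bodies copied from the INVITE and its 200 OK in the Wireshark capture; an "ok" result with RTP/SAVP on both sides is what a working SRTP call should show.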