Thanks to Gorka Gorrotxategi from Irontec (Spain) for his work on this setup.
Here we come with a short post about how to configure one of the new Asterisk 1.8 features: secure communications via TLS and SRTP, providing encryption of both signaling and media.
These tests have been performed with Cisco SPA5XX IP phones and require a small patch to the Asterisk code (the reason for the patch is explained below). It also works with other terminals such as Snom phones and the Blink softphone.
The configuration is explained only briefly here, as it is already documented elsewhere on the web.
Compile libSRTP library for Asterisk to support SRTP
The following commands are required to compile the library:
The default Asterisk code is not able to negotiate which method (AES_32 or AES_80) will be used for the ciphering: it always selects the first one, which is AES_32. Here is the issue: Asterisk is able to handle both types, but it offers only one of them, AES_80. The Asterisk patch forces it to signal the AES_32 method, to avoid audio problems caused by a different ciphering method being used on each path. When this happens there is a never-ending warning message (30 per second) on the CLI:
To configure SRTP, add the ‘encryption’ directive to all peers (either in realtime or in sip.conf):
Configure the SPA5XX. Note that the firmware version should be 7.4.3 or later, and that this configuration applies to ALL lines.
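As an added example (not the original post's configuration), this is what a minimal sip.conf looks like with TLS signaling enabled in [general] and SRTP required on a peer. The peer name, secret and certificate paths are placeholders; the directive names (tlsenable, tlsbindaddr, tlscertfile, tlscafile, transport, encryption) are standard chan_sip options in Asterisk 1.8.

```ini
; Added example, not from the original post. Peer name, secret and
; key paths are placeholders: adjust them to your installation.
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0                          ; listen for SIP over TLS (port 5061 by default)
tlscertfile=/etc/asterisk/keys/asterisk.pem  ; placeholder: server certificate plus private key
tlscafile=/etc/asterisk/keys/ca.crt          ; placeholder: CA that signed the phone certificates

[spa5xx-phone]                               ; placeholder peer name
type=friend
host=dynamic
secret=CHANGE-ME                             ; placeholder
transport=tls                                ; signaling over TLS, so the SRTP keys in SDP are not sent in clear
encryption=yes                               ; require SRTP for media; there is no fallback to plain RTP
```

The same two peer directives (transport=tls and encryption=yes) are what you set in the realtime sippeers table when peers are not defined in sip.conf. Keeping transport=tls next to encryption=yes matters because the SDP crypto attribute carries the SRTP master key: SRTP over unencrypted SIP would expose that key to anyone capturing the signaling.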
[SIP] SRTP Method: s-descriptor
[PHONE] Secure Call Serv: Yes
[USER] Secure Call Serv: Yes
Voila! SRTP is configured!
Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is active on a peer, it will not accept non-ciphered audio, and vice versa. On the IP phones, however, it is possible to have unsecured calls if the other peer does not support SRTP, i.e. incoming calls may work, but not outgoing calls. This is an Asterisk limitation (Snom also supports the “optional” mode on SRTP, sending two m=audio attributes, but Asterisk does not know how to handle those descriptors).
Testing the configuration
The easiest test is to capture network traffic and check with Wireshark or similar software whether the signaling and the RTP are clear text/audio or ciphered.
In our tests we found an intermittent warning on the Asterisk CLI, but it does not seem to affect operation
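Beyond looking at the packet list, the SDP bodies in the captured INVITE and its 200 OK tell you exactly what was negotiated. The following script is an added example (not code from the original post): it parses the audio m= line and the a=crypto attributes of an offer and an answer copied out of a Wireshark SIP decode, reports whether the audio is plain RTP (RTP/AVP) or SRTP (RTP/SAVP), and flags the case described above where the answer selects a suite with a different auth-tag length (AES_CM_128_HMAC_SHA1_80 vs _32) than the one proposed under that tag. All SDP bodies and the inline keys are constructed for the example.

```python
"""Check SDP offer/answer bodies for SRTP negotiation.

Added example, not code from the original post. All SDP bodies and keys
below are constructed; the inline keys are dummies of the right length.
"""
import re

# a=crypto:<tag> <suite> inline:<base64 key>[|lifetime|mki] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")


def parse_sdp(sdp):
    """Return the audio transport profile and the (tag, suite) pairs present."""
    profile = None
    suites = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m=audio"):
            # m=audio <port> <profile> <payload types...>
            profile = line.split()[2]
        m = CRYPTO_RE.match(line)
        if m:
            suites.append((int(m.group(1)), m.group(2)))
    return {"profile": profile, "suites": suites}


def is_encrypted(sdp):
    """True only if the media is RTP/SAVP and at least one crypto suite is present."""
    info = parse_sdp(sdp)
    return info["profile"] == "RTP/SAVP" and bool(info["suites"])


def check_negotiation(offer, answer):
    """Describe the outcome of an SDP offer/answer exchange for the audio stream."""
    o, a = parse_sdp(offer), parse_sdp(answer)
    if o["profile"] != "RTP/SAVP":
        return "offer is plain RTP"
    if a["profile"] != "RTP/SAVP":
        return "answer is plain RTP"
    if len(a["suites"]) != 1:
        return "answer must select exactly one crypto suite"
    tag, suite = a["suites"][0]
    if (tag, suite) in o["suites"]:
        return "ok: " + suite
    # The answer names a tag/suite pair the offer never proposed: each side
    # ends up using a different auth-tag length and the audio fails.
    offered = ", ".join(f"{t} {s}" for t, s in o["suites"])
    return f"mismatch: answer chose {tag} {suite}, offer proposed {offered}"


# Constructed sample bodies (not real captures). 40 base64 chars = 30-byte key.
KEY = "CONSTRUCTEDKEYCONSTRUCTEDKEYCONSTRUCTEDK"

OFFER_FROM_PHONE = f"""v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 16384 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{KEY}
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY}
a=rtpmap:0 PCMU/8000
"""

ANSWER_OK = f"""v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 18000 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{KEY}
"""

# Answer keeps tag 1 but names the 80-bit suite the phone offered under tag 2.
ANSWER_MISMATCH = ANSWER_OK.replace("HMAC_SHA1_32", "HMAC_SHA1_80")

# Answer falls back to clear RTP: no SRTP at all on this call.
ANSWER_PLAIN = """v=0
o=- 3 3 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 18000 RTP/AVP 0 101
"""

if __name__ == "__main__":
    for name, ans in [("ok", ANSWER_OK), ("mismatch", ANSWER_MISMATCH),
                      ("plain", ANSWER_PLAIN)]:
        print(name, "->", check_negotiation(OFFER_FROM_PHONE, ans))
```

Paste the SDP from the INVITE as the offer and the SDP from the 200 OK as the answer; a "mismatch" result is the signaling-level symptom behind the CLI warning mentioned above, and "answer is plain RTP" means the call is not protected at all even if the SIP leg itself went over TLS.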