[Freeswitch-users] Establishing SRTP from SBC to endpoint

Carlos Flor jackal at cybershroud.net
Tue Aug 13 17:06:49 MSD 2013


Try using rtp_secure_media=true instead of sip_secure_media.  If you are
trying to set it on the b-leg, you probably want to use export instead of
set, or use nolocal:rtp_secure_media.

Hope that helps.


On Mon, Aug 12, 2013 at 10:26 PM, Peter <eidevm5 at gmail.com> wrote:

> In my environment, I have the following (simplified) setup:
>
> FS1  ----  FS SBC ---  FS2
>
> Phones registered to FS1 (100x) use TLS/SRTP and phones registered to FS2
> (200x) use SIP/RTP
>
> FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and
> direct to the SBC.
>
> If I make an inbound call (eg: 1000 to 2000), SRTP is correctly
> established between the phone and SBC with RTP on the other side of the SBC
> to the internal phone.
>
> However, when I try it the other way, I can't get SRTP established from
> the SBC to the external phone.
>
> I've been using https://wiki.freeswitch.org/wiki/Secure_RTP as a guide.
>
> I've even tried explicitly setting sip_secure_media to true on the SBC and
> FS1.
>
> The dialplan on the SBC has:
>
>   <extension name="outgoing">
>         <condition field="destination_number" expression="^(10[0-9][0-9])$">
>             <action application="set" data="sip_secure_media=true"/>
>             <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/>
>         </condition>
>   </extension>
>
>
> And on FS1, the dialplan has:
>
>    <extension name="Local-Numbers">
>       <condition field="destination_number" expression="^(10[01][0-9])$">
>         <action application="export" data="dialed_extension=$1"/>
>         <action application="set" data="sip_secure_media=true"/>
>         <action application="bridge" data="user/${dialed_extension}@${domain_name}"/>
>       </condition>
>     </extension>
>
>
> Note that I've been testing this against two phones with SRTP enabled, but
> only one that is using TLS.  I get the same result calling each phone.
>
> On a related point, what is the step required for a TLS connection from
> the SBC to the phone?   I assume the phone just needs the CA cert from
> the SBC.  Correct?
>
> Any information as to where I'm going wrong will be gratefully accepted.
>
> Thanks
>
> Peter
>
>
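A dialplan check built on the advice in the reply above, as an added example that is not from the thread or from the FreeSWITCH project: it flags every bridge whose condition never puts the secure-media variable on the b-leg (`set` stays on the a-leg, `export` reaches both legs, `export` with `nolocal:` reaches only the b-leg). The sample dialplan, the `outgoing-fixed` extension and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "outgoing" mirrors the SBC dialplan quoted in the thread,
# "outgoing-fixed" is a hypothetical extension that follows the reply's advice.
SAMPLE = """
<context name="sbc">
  <extension name="outgoing">
    <condition field="destination_number" expression="^(10[0-9][0-9])$">
      <action application="set" data="sip_secure_media=true"/>
      <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/>
    </condition>
  </extension>
  <extension name="outgoing-fixed">
    <condition field="destination_number" expression="^(11[0-9][0-9])$">
      <action application="export" data="nolocal:rtp_secure_media=true"/>
      <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/>
    </condition>
  </extension>
</context>
"""
SECURE_VARS = {"rtp_secure_media", "sip_secure_media"}

def secure_media_scope(action):
    """Return (variable, scope) if the action assigns a secure-media variable, else None."""
    app = action.get("application")
    data = action.get("data", "")
    if app not in ("set", "export") or "=" not in data:
        return None
    name, _ = data.split("=", 1)
    nolocal = name.startswith("nolocal:")
    name = name[len("nolocal:"):] if nolocal else name
    if name not in SECURE_VARS:
        return None
    scope = "a-leg" if app == "set" else ("b-leg" if nolocal else "both")
    return name, scope

def lint(xml_text, wanted="rtp_secure_media"):
    """Names of extensions that bridge without `wanted` reaching the b-leg first."""
    findings = []
    for ext in ET.fromstring(xml_text).iter("extension"):
        for cond in ext.iter("condition"):
            b_leg_vars = set()
            for action in cond.findall("action"):  # actions run in document order
                hit = secure_media_scope(action)
                if hit and hit[1] != "a-leg":
                    b_leg_vars.add(hit[0])
                if action.get("application") == "bridge" and wanted not in b_leg_vars:
                    findings.append(ext.get("name"))
    return findings
```

The check only reads `set` and `export` actions; variables passed some other way are outside what it inspects.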