[Freeswitch-users] Establishing SRTP from SBC to endpoint

Peter eidevm5 at gmail.com
Wed Aug 14 05:42:30 MSD 2013


Hi Carlos.

Didn't realise rtp_secure_media existed.  After searching I saw:

https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29

which says it was introduced in 1.2.9

However, it's a little ambiguous as to whether sip_secure_media was
deprecated.

Anyway, I tried using rtp_secure_media instead, but I still can't get SRTP
working.


I did some testing with some other SIP clients.   In particular,
csipsimple.  On the client, if I set SRTP to be optional, the media stream
uses RTP.   However, if I set SRTP to be mandatory, when I try to call it,
Freeswitch receives:

   SIP/2.0 488 Not Acceptable Here

Which seems to indicate that something is not right with the SRTP
setup.

There's a full debug from the FS1 (the freeswitch server where the
csipsimple client is registered to) at:

http://pastebin.freeswitch.org/21295

Note in the debug I have sdp_secure_savp_only set to true.   I've tried
disabling this setting, but get the same result.

Thanks

Peter





On Tue, Aug 13, 2013 at 11:06 PM, Carlos Flor <jackal at cybershroud.net> wrote:

> Try using rtp_secure_media=true instead of sip_secure_media.  If you are
> trying to set it on the b-leg, you probably want to use export instead of
> set, or use nolocal:rtp_secure_media.
>
> Hope that helps.
>
>
> On Mon, Aug 12, 2013 at 10:26 PM, Peter <eidevm5 at gmail.com> wrote:
>
>> In my environment, I have the following (simplified) setup:
>>
>> FS1  ----  FS SBC ---  FS2
>>
>> Phones registered to FS1 (100x) use TLS/SRTP and phones registered to FS2
>> (200x) use SIP/RTP
>>
>> FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and
>> direct to the SBC.
>>
>> If I make an inbound call (eg: 1000 to 2000), SRTP is correctly
>> established between the phone and SBC with RTP on the other side of the SBC
>> to the internal phone.
>>
>> However, when I try it the other way, I can't get SRTP established from
>> the SBC to the external phone.
>>
>> I've been using https://wiki.freeswitch.org/wiki/Secure_RTP as a guide.
>>
>> I've even tried explicitly setting sip_secure_media to true on the SBC
>> and FS1.
>>
>> The dialplan on the SBC has:
>>
>>   <extension name="outgoing">
>>         <condition field="destination_number" expression="^(10[0-9][0-9])$">
>>             <action application="set" data="sip_secure_media=true"/>
>>             <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/>
>>         </condition>
>>   </extension>
>>
>>
>> And on FS1, the dialplan has:
>>
>>    <extension name="Local-Numbers">
>>       <condition field="destination_number" expression="^(10[01][0-9])$">
>>         <action application="export" data="dialed_extension=$1"/>
>>         <action application="set" data="sip_secure_media=true"/>
>>         <action application="bridge" data="user/${dialed_extension}@${domain_name}"/>
>>       </condition>
>>     </extension>
>>
>>
>> Note that I've been testing this against two phones with SRTP enabled,
>> but only one that is using TLS.  I get the same result calling each phone.
>>
>> On a related point, what is the step required for a TLS connection from
>> the SBC to the phone?   I assume the phone just needs the CA cert from
>> the SBC.  Correct?
>>
>> Any information as to where I'm going wrong will be gratefully accepted.
>>
>> Thanks
>>
>> Peter
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> 
>> 
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
>
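Added example, not part of the original thread and not FreeSWITCH or csipsimple code: a small checker that can be run over the SDP of an INVITE taken from a SIP trace to see whether the offer actually carries SDES-SRTP, i.e. an RTP/SAVP audio line plus a usable a=crypto attribute (RFC 4568). The "mandatory"/"optional" callee model, the SDP bodies, the addresses and the key are constructed assumptions.

```python
import base64

# Master key + salt length in bytes for common SDES suites (RFC 4568).
SUITE_KEY_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

def parse_media(sdp):
    """Return one dict per m= section: media type, transport profile, valid suites."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            sections.append({"media": media, "proto": proto, "suites": []})
        elif line.startswith("a=crypto:") and sections:
            fields = line[len("a=crypto:"):].split()
            if len(fields) < 3 or not fields[2].startswith("inline:"):
                continue  # no tag/suite/key triple: unusable
            suite = fields[1]
            key_b64 = fields[2][len("inline:"):].split("|")[0]
            try:
                key = base64.b64decode(key_b64, validate=True)
            except ValueError:
                continue  # key material is not valid base64
            if len(key) == SUITE_KEY_LEN.get(suite):
                sections[-1]["suites"].append(suite)
    return sections

def srtp_offered(section):
    """True only if the profile is RTP/SAVP and at least one crypto line is usable."""
    return section["proto"] == "RTP/SAVP" and bool(section["suites"])

def expected_answer(sdp, callee_srtp):
    """callee_srtp is 'mandatory' or 'optional' (simplified client model, an assumption)."""
    audio = [s for s in parse_media(sdp) if s["media"] == "audio"]
    secure = any(srtp_offered(s) for s in audio)
    if not audio or (callee_srtp == "mandatory" and not secure):
        return "488 Not Acceptable Here"
    return "200 OK (SRTP)" if secure else "200 OK (RTP)"

KEY = base64.b64encode(bytes(range(30))).decode()  # constructed, not a real key
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
PLAIN_OFFER = HEAD + "m=audio 20000 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
SRTP_OFFER = (HEAD + "m=audio 20000 RTP/SAVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
              f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n")

if __name__ == "__main__":
    for name, sdp in (("plain", PLAIN_OFFER), ("srtp", SRTP_OFFER)):
        for policy in ("optional", "mandatory"):
            print(name, policy, "->", expected_answer(sdp, policy))
```

If the INVITE that reaches the phone parses like PLAIN_OFFER, the channel variable did not take effect on that leg, which is the case the export / nolocal: suggestion in the quoted reply addresses.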