[Freeswitch-users] Establishing SRTP from SBC to endpoint
Peter
eidevm5 at gmail.com
Thu Aug 15 09:52:59 MSD 2013
Finally got it going. I don't know how many combinations I tried.
All I needed was the sip_secure_media (or rtp_secure_media, which is the
new name) set to true in the dialplan on the SBC.
On Wed, Aug 14, 2013 at 11:42 AM, Peter <eidevm5 at gmail.com> wrote:
> Hi Carlos.
>
> Didn't realise rtp_secure_media existed. After searching I saw:
>
>
> https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29
>
> which says it was introduced in 1.2.9
>
> However, it's a little ambiguous as to whether sip_secure_media was
> deprecated.
>
> Anyway, I tried using rtp_secure_media instead, but I still can't get SRTP
> working.
>
>
> I did some testing with some other SIP clients. In particular,
> csipsimple. On the client, if I set SRTP to be optional, the media stream
> uses RTP. However, if I set SRTP to be mandatory, when I try to call it,
> Freeswitch receives:
>
> SIP/2.0 488 Not Acceptable Here
>
> Which seems to indicate that something is not is not right with the SRTP
> setup.
>
> There's a full debug from the FS1 (the freeswitch server where the
> csipsimple client is registered to) at:
>
> http://pastebin.freeswitch.org/21295
>
> Note in the debug I have sdp_secure_savp_only set to true. I've tried
> disabling this setting, but get the same result.
>
> Thanks
>
> Peter
>
>
>
>
>
> On Tue, Aug 13, 2013 at 11:06 PM, Carlos Flor <jackal at cybershroud.net>wrote:
>
>> Try using rtp_secure_media=true instead of sip_secure_media. If you are
>> trying to set it on the b-leg, you probably want to use export instead of
>> set, or use nolocal:rtp_secure_media.
>>
>> Hope that helps.
>>
>>
>> On Mon, Aug 12, 2013 at 10:26 PM, Peter <eidevm5 at gmail.com> wrote:
>>
>>> In my environment, I have the following (simplified) setup:
>>>
>>> FS1 ---- FS SBC --- FS2
>>>
>>> Phones registered to FS1 (100x) use TLS/SRTP and phones registered to
>>> FS2 (200x) use SIP/RTP
>>>
>>> FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and
>>> direct to the SBC.
>>>
>>> If I make an inbound call (eg: 1000 to 2000), SRTP is correctly
>>> established between the phone and SBC with RTP on the other side of the SBC
>>> to the internal phone.
>>>
>>> However, when I try it the other way, I can't get SRTP established from
>>> the SBC to the external phone.
>>>
>>> I've been using https://wiki.freeswitch.org/wiki/Secure_RTP as a guide.
>>>
>>> I've even tried explicitly setting sip_secure_media to true on the SBC
>>> and FS1.
>>>
>>> The dialplan on the SBC has:
>>>
>>> <extension name="outgoing">
>>> <condition field="destination_number"
>>> expression="^(10[0-9][0-9])$">
>>> <action application="set" data="sip_secure_media=true"/>
>>> <action application="bridge" data="sofia/external/${
>>> destination_number}@10.1.1.204"/>
>>> </condition>
>>> </extension>
>>>
>>>
>>> And on FS1, the dialplan has:
>>>
>>> <extension name="Local-Numbers">
>>> <condition field="destination_number" expression="^(10[01][0-9])$">
>>> <action application="export" data="dialed_extension=$1"/>
>>> <action application="set" data="sip_secure_media=true"/>
>>> <action application="bridge" data="user/${dialed_extension}@
>>> ${domain_name}"/>
>>> </condition>
>>> </extension>
>>>
>>>
>>> Note that I've been testing this against two phones with SRTP enabled,
>>> but only one that is using TLS. I get the same result calling each phone.
>>>
>>> On a related point, what it the step required for a TLS connection from
>>> the SBC to the phone? I'm assume the phone just needs the CA cert from
>>> the SBC. Correct?
>>>
>>> Any information as to where I'm going wrong will be gratefully accepted.
>>>
>>> Thanks
>>>
>>> Peter
>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>>
>>>
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>>
>>
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://wiki.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130815/b35e0956/attachment-0001.html
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list