[Freeswitch-users] TLS + NAT
Vincent Xia
gmangudai at gmail.com
Tue Sep 17 14:31:31 MSD 2013
hi guys,
Both TLS and NAT are working fine with my FS system, but putting them together
raises a problem, e.g. I can have encrypted voice calls (TLS+SRTP) within the
same LAN, and unencrypted voice calls across different LANs, but when trying
TLS+SRTP across different LANs, I cannot get my softphone (here I'm using
Linphone) to register to FS; it reports a timeout.
I have a dedicated profile for NAT as below; could anyone figure out what
the problem is?
<!-- Sofia SIP profile "tnat": a NAT-facing profile that listens for plain SIP on
     sip-port 5063 and for TLS on tls-sip-port 5064, advertising the external
     address 111.111.111.111 in SIP and SDP. Comments marked NOTE(review) are
     observations about this configuration, not FreeSWITCH defaults. -->
<profile name="tnat">
<settings>
<param name="debug" value="0" />
<param name="sip-trace" value="no" />
<param name="rfc2833-pt" value="101" />
<!-- Plain (non-TLS) listening port; the TLS port is set separately below -->
<param name="sip-port" value="5063" />
<param name="dialplan" value="XML" />
<param name="context" value="public" />
<param name="dtmf-duration" value="100" />
<param name="codec-prefs" value="$${outbound_codec_prefs}" />
<param name="use-rtp-timer" value="true" />
<param name="hold-music" value="$${hold_music}" />
<param name="rtp-timer-name" value="soft" />
<param name="manage-presence" value="false" />
<!-- NAT handling: aggressive detection is on and NAT mode is applied to peers
     matching the "rfc1918" ACL (private address ranges) -->
<param name="aggressive-nat-detection" value="true" />
<param name="apply-nat-acl" value="rfc1918" />
<param name="inbound-codec-negotiation" value="generous" />
<param name="nonce-ttl" value="60" />
<!-- Registrations and calls on this profile require authentication -->
<param name="auth-calls" value="true" />
<!-- NOTE(review): rtp-timeout-sec is set twice in this profile (1800 here and
     300 further down); which value takes effect depends on the parser, so keep
     only one of the two to make the intended timeout unambiguous -->
<param name="rtp-timeout-sec" value="1800" />
<!-- Bind addresses come from the local_ip_v4 global; the ext-* params below are
     the public address advertised to peers instead -->
<param name="rtp-ip" value="$${local_ip_v4}" />
<param name="sip-ip" value="$${local_ip_v4}" />
<!-- External (public) addresses used in SDP and SIP headers for NATed peers.
     NOTE(review): the phone connects to this address over TLS, so the server
     certificate it is shown should be valid for it (or for the domain the
     phone uses); a mismatch is one plausible cause of a registration timeout
     on the TLS path only — confirm against the client's TLS log -->
<param name="ext-rtp-ip" value="111.111.111.111" />
<param name="ext-sip-ip" value="111.111.111.111" />
<param name="force-register-domain" value="111.111.111.111" />
<param name="stun-enabled" value="false" />
<!-- NOTE(review): duplicate of rtp-timeout-sec above (1800) — see that entry -->
<param name="rtp-timeout-sec" value="300" />
<param name="rtp-hold-timeout-sec" value="1800" />
<!-- TLS: disabled by default, set to "true" to enable -->
<param name="tls" value="true"/>
<!-- Set to true to not bind on the normal sip-port but only on the TLS port;
     here both the plain port (5063) and the TLS port (5064) are bound -->
<param name="tls-only" value="false"/>
<!-- Additional bind parameters for TLS -->
<param name="tls-bind-params" value="transport=tls"/>
<!-- Port to listen on for TLS requests. I've specified to use this port -->
<param name="tls-sip-port" value="5064"/>
<!-- Location of the agent.pem and cafile.pem ssl certificates (needed for the
     TLS server). Left commented out here, so the default location is used -->
<!--<param name="tls-cert-dir" value=""/>-->
<!-- Optionally set the passphrase password used by openSSL to encrypt/decrypt
     TLS private key files (empty: the key is expected to be unencrypted) -->
<param name="tls-passphrase" value=""/>
<!-- Verify the validity dates on TLS certificates -->
<param name="tls-verify-date" value="true"/>
<!-- TLS verify policy: when registering/inviting gateways with other servers
     (outbound) or handling inbound registration/invite requests, how should we
     verify their certificate. Set to 'in' to only verify incoming connections,
     'out' to only verify outgoing connections, 'all' to verify all connections,
     also 'in_subjects', 'out_subjects' and 'all_subjects' for subject
     validation. Multiple policies can be split with a '|' pipe.
     NOTE(review): 'none' means no peer certificate is verified in either
     direction, so TLS here gives transport encryption but not peer
     authentication; once client/gateway certificates are available, 'in' or
     'all' is the stricter setting -->
<param name="tls-verify-policy" value="none"/>
<!-- Certificate max verify depth to use for validating peer TLS certificates
     when the verify policy is not none -->
<param name="tls-verify-depth" value="2"/>
<!-- If the tls-verify-policy includes all_subjects or in_subjects, this sets
     which subjects are allowed; multiple subjects can be split with a '|'
     pipe. Not used while the policy is 'none' -->
<param name="tls-verify-in-subjects" value=""/>
<!-- TLS version ("sslv23" (default), "tlsv1"), taken from the sip_tls_version
     global. NOTE: Phones may not work with TLSv1 -->
<param name="tls-version" value="$${sip_tls_version}"/>
<!-- Let calls hit the dialplan before selecting codec for the a-leg -->
<param name="inbound-late-negotiation" value="true"/>
<!-- Allow ZRTP clients to negotiate end-to-end security associations
     (also enables late negotiation) -->
<param name="inbound-zrtp-passthru" value="true"/>
</settings>
</profile>