[Freeswitch-users] Crypto Problems with NDLB-allow-crypto-in-avp
Nicola von Thadden
nico at vthadden.de
Sat Jun 13 16:27:55 MSD 2015
Hi,
I have a connection to a provider which sadly requires
NDLB-allow-crypto-in-avp=true to function.
The setup is like this:
FS -- HG -- POTS
      |
      GS
FS is my freeswitch server (FreeSWITCH Version 1.4.19-10-1~64bit (-10-1
64bit) on debian, from the repos).
HG is the SIP server from eventphone (some might know them from the CCC
events in Germany).
They provide inbound DDI. I also have a phone GS (Grandstream GXP2160)
registered to HG.
Freeswitch is set to bridge incoming calls to my number to 3200.
When calling from GS to FS, everything works. HG sends an RTP/SAVP in
the INVITE and the call is working fine:
INVITE sip:gw+eventphone-5849 at hg:5080;transport=udp;gw=eventphone-5849 SIP/2.0
Max-Forwards: 19
Via: SIP/2.0/UDP 92.222.104.42:5060;rport;branch=z9hG4bK2140280193
From: "nicoduck" <sip:3008 at fs>;tag=218198923
To: <sip:gw+eventphone-5849 at fs:5080;transport=udp;gw=eventphone-5849>
Call-ID: 1962077623 at 92.222.104.42
CSeq: 4570 INVITE
User-Agent: EVENTPHONE PBX TrollEdition v1337 - Problem?
Contact: <sip:3008 at hg:5060>
Allow: ACK, INVITE, BYE, CANCEL, MESSAGE, REGISTER, REFER, OPTIONS, INFO
Privacy: none
Content-Type: application/sdp
Content-Length: 317
v=0
o=yate 1434143858 1434143858 IN IP4 hg
s=SIP Call
c=IN IP4 hg
t=0 0
m=audio 18910 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:917UNiViuv6i4TB08AS1XI6nzAH9OPKQupyne0kK
a=encryption:optional
And freeswitch starts the call with: (The 100 and 183 are stripped here,
I don't think that there is something important in them)
SIP/2.0 200 OK
Via: SIP/2.0/UDP 92.222.104.42:5060;rport=5060;branch=z9hG4bK2140280193
From: "nicoduck" <sip:3008 at hg>;tag=218198923
To: <sip:gw+eventphone-5849 at fs:5080;transport=udp;gw=eventphone-5849>;tag=81UHaFemF50FN
Call-ID: 1962077623 at hg
CSeq: 4570 INVITE
Contact: <sip:gw+eventphone-5849 at fs:5080;transport=udp>
User-Agent: FreeSWITCH-mod_sofia/1.4.19-10-1~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 307
Remote-Party-ID: "5849" <sip:5849 at fs>;party=calling;privacy=off;screen=no
v=0
o=FreeSWITCH 1434111633 1434111634 IN IP4 fs
s=FreeSWITCH
c=IN IP4 fs
t=0 0
m=audio 32224 RTP/SAVP 8 101
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:YyL9+W/F2EHV9BD5afj3o6T61X7Z116BSIT+Zlzd
FS initiates the crypto and also provides a port for the audio. Audio is
working in both directions.
The problem starts when I get an incoming POTS call through HG. I don't
know why but their yate sends a=crypto in an RTP/AVP package. I tried to
discuss that problem with the yate developers but they did not seem to
be interested in that at all and also don't think that they do something
wrong.
I added NDLB-allow-crypto-in-avp to my public profile to make freeswitch
accept the call.
But freeswitch somehow messes up the crypto when trying to establish a
connection:
INVITE sip:gw+eventphone-5849 at fs:5080;transport=udp;gw=eventphone-5849 SIP/2.0
Max-Forwards: 19
Via: SIP/2.0/UDP hg:5060;rport;branch=z9hG4bK715484803
From: "004917xxxx" <sip:004917xxxx at hg>;tag=776909967
To: <sip:gw+eventphone-5849 at fs:5080;transport=udp;gw=eventphone-5849>
Call-ID: 555992785 at hg
CSeq: 4550 INVITE
User-Agent: EVENTPHONE PBX TrollEdition v1337 - Problem?
Contact: <sip:004917xxxx at hg:5060>
Allow: ACK, INVITE, BYE, CANCEL, MESSAGE, REGISTER, REFER, OPTIONS, INFO
Content-Type: application/sdp
Content-Length: 316
v=0
o=yate 1434139910 1434139910 IN IP4 hg
s=SIP Call
c=IN IP4 hg
t=0 0
m=audio 17678 RTP/AVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:KyzcjFG0m80I8CjQzjQGQCTctNyJo7NZgAyBPoW8
a=encryption:optional
The Invite looks okay, besides the a=encryption in the RTP/AVP.
This is the answer from the freeswitch:
SIP/2.0 200 OK
Via: SIP/2.0/UDP hg:5060;rport=5060;branch=z9hG4bK715484803
From: "004917xxxx" <sip:004917xxxx at hg>;tag=776909967
To: <sip:gw+eventphone-5849 at fs:5080;transport=udp;gw=eventphone-5849>;tag=FgQ1HF20BNrQp
Call-ID: 555992785 at hg
CSeq: 4550 INVITE
Contact: <sip:gw+eventphone-5849 at fs:5080;transport=udp>
User-Agent: FreeSWITCH-mod_sofia/1.4.19-10-1~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 129
Remote-Party-ID: "5849" <sip:5849 at fs>;party=calling;privacy=off;screen=no
v=0
o=FreeSWITCH 1434120229 1434120230 IN IP4 fs
s=FreeSWITCH
c=IN IP4 fs
t=0 0
m=audio 0 RTP/AVP 19
Freeswitch has a problem establishing the audio connection. It does not
send a proper SDP packet back to HG. It does not include a port to send
audio to (this is the 0 after m=audio) and also no protocol. Wireshark
translates the 19 after RTP/AVP to "Media Format: Comfort noise (old)".
The only way to make a proper call between those two is to forbid crypto
for incoming POTS calls via HG, which is also not quite good.
I think it is a bug in freeswitch, paired with improper behaviour of HG's
yate.
Normal deskphones seem to work properly when registered to HG and
receiving an inbound POTS call, at least the grandstream and snom I have
access to. Eventphone does not seem to get complaints from other people
registering with them (although most of them use phones and not a PBX).
Does anyone know how to debug this further?
Thanks
Nico
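
An added example, not part of the original post: a small Python check that classifies SDP media sections like the ones quoted above, flagging a=crypto offered under the non-secure RTP/AVP profile and an m= line answered with port 0 (a rejected stream). The SDP strings are constructed from the post's traces with a placeholder key; the function and label names are hypothetical.

```python
# Added example: classify SDP media sections like those quoted in the post.
# SDP bodies are constructed from the post's traces; the key is a placeholder.
KEY = "inline:PLACEHOLDERKEYNOTREAL"
OFFER_GS = f"""v=0
c=IN IP4 hg
m=audio 18910 RTP/SAVP 8 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_32 {KEY}
a=encryption:optional
"""
# Same offer as seen on the inbound POTS leg: crypto line, but plain RTP/AVP.
OFFER_POTS = OFFER_GS.replace("18910 RTP/SAVP", "17678 RTP/AVP")
ANSWER_FS = """v=0
c=IN IP4 fs
m=audio 0 RTP/AVP 19
"""
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def parse_media(sdp):
    """Return one dict per m= section with its port, profile and crypto lines."""
    media = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            kind, port, proto, *fmts = line[2:].split()
            media.append({"kind": kind, "port": int(port.split("/")[0]),
                          "proto": proto, "fmts": fmts, "crypto": []})
        elif line.startswith("a=crypto:") and media:
            tag, suite = line[len("a=crypto:"):].split()[:2]
            media[-1]["crypto"].append((int(tag), suite))
    return media


def findings(sdp):
    """Label each media section with the conditions discussed in the post."""
    out = []
    for m in parse_media(sdp):
        secure = m["proto"] in SECURE_PROFILES
        if m["port"] == 0:
            out.append("rejected-stream")      # port 0 means the stream is refused
        if m["crypto"] and not secure:
            out.append("crypto-in-avp")        # SDES key under a non-SRTP profile
        if secure and not m["crypto"] and m["port"] != 0:
            out.append("savp-without-crypto")  # SRTP profile but no key offered
    return out


if __name__ == "__main__":
    for name in ("OFFER_GS", "OFFER_POTS", "ANSWER_FS"):
        print(name, findings(globals()[name]))
```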