<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I thought the change from sip_ to rtp_ for some variables was only in the 1.4 branch, not in 1.2.9.<div><br><div><div>On Aug 15, 2013, at 1:57 AM, Peter <<a href="mailto:eidevm5@gmail.com">eidevm5@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div>Let me correct my last email.<br><br></div>If I use rtp_secure_media instead of sip_secure_media, the outgoing call uses RTP and not SRTP.<br><br>rtp_secure_media was supposed to have been introduced in 1.2.9, so I wonder what the difference is?<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 15, 2013 at 3:52 PM, Peter <span dir="ltr"><<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>Finally got it going. I don't know how many combinations I tried.<br><br></div>All I needed was the sip_secure_media (or rtp_secure_media, which is the new name) set to true in the dialplan on the SBC.<br>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Aug 14, 2013 at 11:42 AM, Peter <span dir="ltr"><<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div>Hi Carlos.<br><br></div>Didn't realise rtp_secure_media existed. After searching I saw:<br><br><a href="https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29" target="_blank">https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29</a><br>
<br></div><div>which says it was introduced in 1.2.9<br><br></div><div>However, it's a little ambiguous as to whether sip_secure_media was deprecated.<br><br></div><div>Anyway, I tried using rtp_secure_media instead, but I still can't get SRTP working.<br>
<br><br></div><div>I did some testing with some other SIP clients. In particular, csipsimple. On the client, if I set SRTP to be optional, the media stream uses RTP. However, if I set SRTP to be mandatory, when I try to call it, Freeswitch receives:<br>
<br> SIP/2.0 488 Not Acceptable Here<br><br></div><div>Which seems to indicate that something is not right with the SRTP setup.<br><br></div><div>There's a full debug from the FS1 (the freeswitch server where the csipsimple client is registered to) at:<br>
<br><a href="http://pastebin.freeswitch.org/21295" target="_blank">http://pastebin.freeswitch.org/21295</a><br><br></div><div>Note in the debug I have sdp_secure_savp_only set to true. I've tried disabling this setting, but get the same result.<br>
<br>Thanks<span><font color="#888888"><br><br>Peter<br><br></font></span></div><div><div><br> <br></div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Aug 13, 2013 at 11:06 PM, Carlos Flor <span dir="ltr"><<a href="mailto:jackal@cybershroud.net" target="_blank">jackal@cybershroud.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Try using rtp_secure_media=true instead of sip_secure_media. If you are trying to set it on the b-leg, you probably want to use export instead of set, or use nolocal:rtp_secure_media.<div>
<br></div><div>Hope that helps.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div>On Mon, Aug 12, 2013 at 10:26 PM, Peter <span dir="ltr"><<a href="mailto:eidevm5@gmail.com" target="_blank">eidevm5@gmail.com</a>></span> wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>
<div dir="ltr"><div><div><div><div><div><div><div><div><div><div><div><div><div>In my environment, I have the following (simplified) setup:<br><br></div>FS1 ---- FS SBC --- FS2<br><br></div>Phones registered to FS1 (100x) use TLS/SRTP and phones registered to FS2 (200x) use SIP/RTP <br>
<br></div>FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and direct to the SBC.<br><br></div>If I make an inbound call (eg: 1000 to 2000), SRTP is correctly established between the phone and SBC with RTP on the other side of the SBC to the internal phone.<br>
<br></div>However, when I try it the other way, I can't get SRTP established from the SBC to the external phone.<br><br></div>I've been using <a href="https://wiki.freeswitch.org/wiki/Secure_RTP" target="_blank">https://wiki.freeswitch.org/wiki/Secure_RTP</a> as a guide.<br>
<br></div>I've even tried explicitly setting sip_secure_media to true on the SBC and FS1.<br><br></div>The dialplan on the SBC has:<br><br> <extension name="outgoing"><br> <condition field="destination_number" expression="^(10[0-9][0-9])$"><br>
<action application="set" data="sip_secure_media=true"/><br> <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/><br>
</condition><br> </extension><br><br><br></div>And on FS1, the dialplan has:<br><br> <extension name="Local-Numbers"><br> <condition field="destination_number" expression="^(10[01][0-9])$"><br>
<action application="export" data="dialed_extension=$1"/><br> <action application="set" data="sip_secure_media=true"/><br> <action application="bridge" data="user/${dialed_extension}@${domain_name}"/><br>
</condition><br> </extension><br><br><br></div>Note that I've been testing this against two phones with SRTP enabled, but only one that is using TLS. I get the same result calling each phone.<br>
<br></div>On a related point, what is the step required for a TLS connection from the SBC to the phone? I assume the phone just needs the CA cert from the SBC. Correct?<br><br></div>Any information as to where I'm going wrong will be gratefully accepted.<br>
<br></div>Thanks<span><font color="#888888"><br><br>Peter<br> <br></font></span></div>
<br></div>_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com/" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com/" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org/" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com/" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org/" target="_blank">http://www.freeswitch.org</a><br>
<br></blockquote></div><br></div>
<br></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</blockquote></div><br></div></body></html>