[Freeswitch-users] Establishing SRTP from SBC to endpoint

Peter eidevm5 at gmail.com
Thu Aug 15 09:57:25 MSD 2013


Let me correct my last email.

If I use rtp_secure_media instead of sip_secure_media, the outgoing call
uses RTP and not SRTP.

rtp_secure_media was supposed to have been introduced in 1.2.9, so I wonder
what the difference is?


On Thu, Aug 15, 2013 at 3:52 PM, Peter <eidevm5 at gmail.com> wrote:

> Finally got it going.  I don't know how many combinations I tried.
>
> All I needed was the sip_secure_media (or rtp_secure_media, which is the
> new name) set to true in the dialplan on the SBC.
>
>
> On Wed, Aug 14, 2013 at 11:42 AM, Peter <eidevm5 at gmail.com> wrote:
>
>> Hi Carlos.
>>
>> Didn't realise rtp_secure_media existed.  After searching I saw:
>>
>>
>> https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29
>>
>> which says it was introduced in 1.2.9
>>
>> However, it's a little ambiguous as to whether sip_secure_media was
>> deprecated.
>>
>> Anyway, I tried using rtp_secure_media instead, but I still can't get
>> SRTP working.
>>
>>
>> I did some testing with some other SIP clients.   In particular,
>> csipsimple.  On the client, if I set SRTP to be optional, the media stream
>> uses RTP.   However, if I set SRTP to be mandatory, when I try to call it,
>> Freeswitch receives:
>>
>>    SIP/2.0 488 Not Acceptable Here
>>
>> Which seems to indicate that something is not is not right with the SRTP
>> setup.
>>
>> There's a full debug from the FS1 (the freeswitch server where the
>> csipsimple client is registered to) at:
>>
>> http://pastebin.freeswitch.org/21295
>>
>> Note in the debug I have sdp_secure_savp_only set to true.   I've tried
>> disabling this setting, but get the same result.
>>
>> Thanks
>>
>> Peter
>>
>>
>>
>>
>>
>> On Tue, Aug 13, 2013 at 11:06 PM, Carlos Flor <jackal at cybershroud.net>wrote:
>>
>>> Try using rtp_secure_media=true instead of sip_secure_media.  If you are
>>> trying to set it on the b-leg, you probably want to use export instead of
>>> set, or use nolocal:rtp_secure_media.
>>>
>>> Hope that helps.
>>>
>>>
>>> On Mon, Aug 12, 2013 at 10:26 PM, Peter <eidevm5 at gmail.com> wrote:
>>>
>>>> In my environment, I have the following (simplified) setup:
>>>>
>>>> FS1  ----  FS SBC ---  FS2
>>>>
>>>> Phones registered to FS1 (100x) use TLS/SRTP and phones registered to
>>>> FS2 (200x) use SIP/RTP
>>>>
>>>> FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and
>>>> direct to the SBC.
>>>>
>>>> If I make an inbound call (eg: 1000 to 2000), SRTP is correctly
>>>> established between the phone and SBC with RTP on the other side of the SBC
>>>> to the internal phone.
>>>>
>>>> However, when I try it the other way, I can't get SRTP established from
>>>> the SBC to the external phone.
>>>>
>>>> I've been using https://wiki.freeswitch.org/wiki/Secure_RTP as a guide.
>>>>
>>>> I've even tried explicitly setting sip_secure_media to true on the SBC
>>>> and FS1.
>>>>
>>>> The dialplan on the SBC has:
>>>>
>>>>   <extension name="outgoing">
>>>>         <condition field="destination_number"
>>>> expression="^(10[0-9][0-9])$">
>>>>             <action application="set" data="sip_secure_media=true"/>
>>>>             <action application="bridge" data="sofia/external/${
>>>> destination_number}@10.1.1.204"/>
>>>>         </condition>
>>>>   </extension>
>>>>
>>>>
>>>> And on FS1, the dialplan has:
>>>>
>>>>    <extension name="Local-Numbers">
>>>>       <condition field="destination_number"
>>>> expression="^(10[01][0-9])$">
>>>>         <action application="export" data="dialed_extension=$1"/>
>>>>         <action application="set" data="sip_secure_media=true"/>
>>>>         <action application="bridge" data="user/${dialed_extension}@
>>>> ${domain_name}"/>
>>>>       </condition>
>>>>     </extension>
>>>>
>>>>
>>>> Note that I've been testing this against two phones with SRTP enabled,
>>>> but only one that is using TLS.  I get the same result calling each phone.
>>>>
>>>> On a related point, what it the step required for a TLS connection from
>>>> the SBC to the phone?   I'm assume the phone just needs the CA cert from
>>>> the SBC.  Correct?
>>>>
>>>> Any information as to where I'm going wrong will be gratefully accepted.
>>>>
>>>> Thanks
>>>>
>>>> Peter
>>>>
>>>>
>>>>
>>>> _________________________________________________________________________
>>>> Professional FreeSWITCH Consulting Services:
>>>> consulting at freeswitch.org
>>>> http://www.freeswitchsolutions.com
>>>>
>>>> 
>>>> 
>>>>
>>>> Official FreeSWITCH Sites
>>>> http://www.freeswitch.org
>>>> http://wiki.freeswitch.org
>>>> http://www.cluecon.com
>>>>
>>>> FreeSWITCH-users mailing list
>>>> FreeSWITCH-users at lists.freeswitch.org
>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>> UNSUBSCRIBE:
>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>> http://www.freeswitch.org
>>>>
>>>>
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> 
>>> 
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://wiki.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130815/c4682c99/attachment.html 


Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list