[Freeswitch-users] Establishing SRTP from SBC to endpoint

Michael Jerris mike at jerris.com
Thu Aug 15 17:29:24 MSD 2013


I thought the change from sip_ to rtp_ for some variables was only in the 1.4 branch, not in 1.2.9.

On Aug 15, 2013, at 1:57 AM, Peter <eidevm5 at gmail.com> wrote:

> Let me correct my last email.
> 
> If I use rtp_secure_media instead of sip_secure_media, the outgoing call uses RTP and not SRTP.
> 
> rtp_secure_media was supposed to have been introduced in 1.2.9, so I wonder what the difference is?
> 
> 
> On Thu, Aug 15, 2013 at 3:52 PM, Peter <eidevm5 at gmail.com> wrote:
> Finally got it going.  I don't know how many combinations I tried.
> 
> All I needed was the sip_secure_media (or rtp_secure_media, which is the new name) set to true in the dialplan on the SBC.
> 
> 
> On Wed, Aug 14, 2013 at 11:42 AM, Peter <eidevm5 at gmail.com> wrote:
> Hi Carlos.
> 
> Didn't realise rtp_secure_media existed.  After searching I saw:
> 
> https://wiki.freeswitch.org/wiki/Release_Notes#rtp_secure_media_.28was_sip_secure_media.29
> 
> which says it was introduced in 1.2.9
> 
> However, it's a little ambiguous as to whether sip_secure_media was deprecated.
> 
> Anyway, I tried using rtp_secure_media instead, but I still can't get SRTP working.
> 
> 
> I did some testing with some other SIP clients.   In particular, csipsimple.  On the client, if I set SRTP to be optional, the media stream uses RTP.   However, if I set SRTP to be mandatory, when I try to call it, Freeswitch receives:
> 
>    SIP/2.0 488 Not Acceptable Here
> 
> Which seems to indicate that something is not is not right with the SRTP setup.
> 
> There's a full debug from the FS1 (the freeswitch server where the csipsimple client is registered to) at:
> 
> http://pastebin.freeswitch.org/21295
> 
> Note in the debug I have sdp_secure_savp_only set to true.   I've tried disabling this setting, but get the same result.
> 
> Thanks
> 
> Peter
> 
> 
>  
> 
> 
> On Tue, Aug 13, 2013 at 11:06 PM, Carlos Flor <jackal at cybershroud.net> wrote:
> Try using rtp_secure_media=true instead of sip_secure_media.  If you are trying to set it on the b-leg, you probably want to use export instead of set, or use nolocal:rtp_secure_media.
> 
> Hope that helps.
> 
> 
> On Mon, Aug 12, 2013 at 10:26 PM, Peter <eidevm5 at gmail.com> wrote:
> In my environment, I have the following (simplified) setup:
> 
> FS1  ----  FS SBC ---  FS2
> 
> Phones registered to FS1 (100x) use TLS/SRTP and phones registered to FS2 (200x) use SIP/RTP 
> 
> FS1 has inbound-bypass-media set to true to allow SRTP peer to peer and direct to the SBC.
> 
> If I make an inbound call (eg: 1000 to 2000), SRTP is correctly established between the phone and SBC with RTP on the other side of the SBC to the internal phone.
> 
> However, when I try it the other way, I can't get SRTP established from the SBC to the external phone.
> 
> I've been using https://wiki.freeswitch.org/wiki/Secure_RTP as a guide.
> 
> I've even tried explicitly setting sip_secure_media to true on the SBC and FS1.
> 
> The dialplan on the SBC has:
> 
>   <extension name="outgoing">
>         <condition field="destination_number" expression="^(10[0-9][0-9])$">
>             <action application="set" data="sip_secure_media=true"/>
>             <action application="bridge" data="sofia/external/${destination_number}@10.1.1.204"/>
>         </condition>
>   </extension>
> 
> 
> And on FS1, the dialplan has:
> 
>    <extension name="Local-Numbers">
>       <condition field="destination_number" expression="^(10[01][0-9])$">
>         <action application="export" data="dialed_extension=$1"/>
>         <action application="set" data="sip_secure_media=true"/>
>         <action application="bridge" data="user/${dialed_extension}@${domain_name}"/>
>       </condition>
>     </extension>
> 
> 
> Note that I've been testing this against two phones with SRTP enabled, but only one that is using TLS.  I get the same result calling each phone.
> 
> On a related point, what it the step required for a TLS connection from the SBC to the phone?   I'm assume the phone just needs the CA cert from the SBC.  Correct?
> 
> Any information as to where I'm going wrong will be gratefully accepted.
> 
> Thanks
> 
> Peter
>  
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
> 
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
> 
> 
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> 
> 
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://wiki.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20130815/91b72b44/attachment.html 


Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list