cosmicwombat at June 30th, 2011 23:27 — #1
Since I started doing VoIP related work full time I am finding I have less time and energy to grind forward on certain... shall I say nagging aspects of VoIP in general. In particular TLS and SRTP. Sure, I was able to do the tutorial and get Blink to work with Asterisk 1.8.X (a tip is that if you are using the FreePBX Distro - you may need to grab Asterisk and untar it to run the script - https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial )
While I did the tutorial, I also started looking at X-Lite, Bria, etc... Snom, Polycom, and Aastra IP Phones and how one might extrapolate.
Naturally they vary slightly in how they access and/or store keys for encryption.
Next problem is we often weave several Asterisk/FreePBX systems and so the real picture is several CentOS boxes and VoIP Devices. This reads as a key management issue followed by a vendor specific key storage and retrieval issue.
So, what is the point of all this diatribe you might ask?
I need help.
Perhaps a few pointers in adopting MIKEY on CentOS > http://www.scribd.com/doc/52374665/90/Key-Management-for-SRTP-%E2%80%93-MIKEY
And/or if anyone has contacted Aastra and worked out the key access for the 67XX series of phones?
For now I am just going to continue to mess with Blink, keep after Aastra (tempted to try Snom 1st) and muddle forward.
If we can put together some working procedures surrounding TLS / SRTP it would be a good thing.
cosmicwombat at July 2nd, 2011 21:00 — #2
I guess I have myself to blame as I have been more or less absent online for the last 6~9 months. Accordingly I should not expect.... anything.
No worries. I am a bit amazed that my original post has thus far not elicited one or two "Google is your friend" or "that has been covered here link" comments.
Actually, color me fascinated. Spock style. If no one has tackled TLS and SRTP beyond the Blink softphone then there be some uncharted territory ahead. Key management is the ocean, device specific requirements the islands and for treasure...solutions.
As for clues? Not so much.
mateus at July 10th, 2011 13:54 — #3
That's what I am working on now... Asterisk based PBX with TLS/SRTP but I am not at the finish for now.
Still working and working really hard.
jingjong at January 18th, 2012 17:08 — #4
Anyone had a successful SRTP implementation with Asterisk 1.8.x and FreePBX?
I have been googling the whole week now and still can't find a way to make SRTP work.
jhunholz at February 3rd, 2012 03:15 — #5
Seems there's a lot of us in the same boat: trying to get SRTP/TLS working with Asterisk 1.8/FreePBX, but not having any luck. If someone does figure it out, some tips would be much appreciated!
whitehat237 at February 16th, 2012 00:46 — #6
After messing with this for about a day I have TLS working but not SRTP.
This guide helped me get TLS working, for a softphone.
I added all of these lines:
tlsbindaddr=192.168.0.1 (put your actual ip address of your box here)
to /etc/asterisk/sip_custom.conf which was a blank file, and then restarted asterisk
asterisk -rx "core restart now"
What the guide doesn't tell you, is that you need to download the server certificate to the computer running the softphone and "install" it.
In Windows 7, I just double clicked the file which ended with a .crt extension, and used the wizard to import the certificate. Accept all of the defaults, next, next, finish.
I'm using the Windows version of linphone as the softphone client. In the preferences menu in linphone, under Network protocol and ports, select "SIP (TLS)"
Then restart linphone.
After doing this linphone registers with asterisk properly, and I can make calls, etc.
This seemed like the hard part. Shouldn't SRTP just work once the certificate process is resolved?
In freepbx --> extensions --> encryption
I set Yes (SRTP only) and clicked submit.
After that the extension stops working, and the message received is:
Not allowed here
The asterisk debug output shows:
setup_srtp: No SRTP module loaded, can't setup SRTP session.
If I try and use the cli to load the res_rtp_asterisk module, it states that it's already loaded
asterisk*CLI> module load res_rtp
[2012-02-16 00:43:38] WARNING: loader.c:829 load_resource: Module 'res_rtp_asterisk.so' already exists.
Is this the necessary module that provides srtp support?
I also thought maybe I was missing the libsrtp library, but yum search srtp returns nothing.
How can srtp support be enabled in freepbx?
geek15 at April 23rd, 2012 19:54 — #7
I believe that the module 'res_rtp_asterisk.so' is the correct module. For some reason I can't seem to find a way to get it to load. I've added it to /etc/asterisk/modules.conf and the module still isn't loaded.
geek15 at April 23rd, 2012 20:01 — #8
Okay. I've accomplished getting the module to load. module load res_rtp_asterisk.so seems to work. However even after the module is loaded the same old error keeps showing up: [2012-04-23 19:53:35] ERROR[-1] chan_sip.c: No SRTP module loaded, can't setup SRTP session. I'm wondering if there is something missing here.
jackryan at May 4th, 2012 11:19 — #9
I seem to have the exact same problem, except my installation is * 1.8.11 in optware on a dd wrt ASUS N16 router. (package from here http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/stable/).
Like you I can make a regular (non SRTP) call, but when I try to enable SRTP I get the same message: "chan_sip.c: No SRTP module loaded, can't setup SRTP session". I tried loading the res_rtp_asterisk.so manually and, like you, I get the message that it is already loaded. I don't understand why it doesn't work.
I also get a strange error message when I run * about dropping down to UDP transport even though I have it set up and working with TLS despite the error message.
All this is very strange and sounds like a bug (or 2) to me. I don't know what else I can do since the SRTP module is supposed to be already included in res_rtp_asterisk.so which is loaded by default.
Any ideas would be much appreciated.
jackryan at May 4th, 2012 14:49 — #10
Still have the exact same problem.
Is SRTP not included by default?
simcity at May 31st, 2012 17:37 — #11
Just wondering if anyone has had any luck getting TLS and SRTP working reliably? I've been googling around and found what look like some useful resources:
1) on the Asterisk Project Wiki there is a neat Secure Calling Tutorial. Reading this it would appear that your SRTP errors may relate to the fact that "libsrtp has to be installed on the machine before Asterisk is compiled". See the note on SRTP (Part 2) about half-way down the page.
2) on Cisco Support Community there is an article which explains how to get TLS and SRTP working with Cisco SPA5XX series phones. Looks like there is a small Asterisk patch involved in this particular scenario because these SPA5XX phones send out a crypto attribute with 2 lines (one for AES_32 and another for AES_80) which apparently Asterisk cannot negotiate as it is expecting one or the other attributes, but not both...
Following along the Cisco endpoint peculiarities, in my case for the Cisco 89xx/99xx series, I think getting the TLS / SRTP settings and certificate files correctly configured with these bad boys will be no small feat, especially given Cisco's infamous lack of non-CallManager specific documentation....hmmm.
It would be quite cool to get this working though.
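An added example, not part of any post in this thread: how an SDP answerer that follows RFC 4568 handles an offer carrying both crypto lines mentioned in post #11, by accepting the first offered suite it supports and echoing that tag. The function names, addresses and key material are constructed for illustration, and the supported set is an assumed local policy.

```python
import base64
import os
import re

# Assumed local policy: suites this answerer accepts (names from RFC 4568).
SUPPORTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime|MKI] [session params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)([|;]\S*)?( .*)?$")

def parse_crypto(sdp):
    """Return the well-formed a=crypto attributes of an SDP body, in offer order."""
    offers = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        try:
            material = base64.b64decode(m.group(3), validate=True)
        except ValueError:  # bad padding or characters outside the alphabet
            continue
        # AES_CM_128 suites carry a 16-byte master key plus a 14-byte salt.
        if m.group(2).startswith("AES_CM_128_") and len(material) != 30:
            continue
        offers.append({"tag": int(m.group(1)), "suite": m.group(2)})
    return offers

def select_crypto(sdp, supported=SUPPORTED):
    """First offered suite we support, or None (the stream must be rejected)."""
    for offer in parse_crypto(sdp):
        if offer["suite"] in supported:
            return offer
    return None

def answer_line(choice):
    """Echo the accepted tag and suite with the answerer's own fresh key."""
    key = base64.b64encode(os.urandom(30)).decode()
    return "a=crypto:%d %s inline:%s" % (choice["tag"], choice["suite"], key)

# Constructed sample offer: two crypto lines, 32-bit tag first, as described.
_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 16384 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:" + _KEY,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:" + _KEY,
])

if __name__ == "__main__":
    print(answer_line(select_crypto(SAMPLE_OFFER)))
```

Passing a supported set that contains only AES_CM_128_HMAC_SHA1_80 makes the selection skip the 32-bit tag line and accept tag 2 instead.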
marcus2k3 at July 19th, 2013 09:11 — #12
Anyone got this working? I have wasted a few days trying to get mine going. Going to try using repro.
system at June 4th, 2014 15:17 — #13
This topic is now closed. New replies are no longer allowed.