Having trouble with TLS and SRTP on Cisco 8811 MPP

I am trying to configure the Cisco IP Phone 8811 3PCC. I have successfully got it working with TLS enabled, but no SRTP. I also have to disable the Verify Client Config in advanced. I have a feeling that FreePBX cannot verify the certificate that is being sent by the Cisco phone, but I don’t know how to add the Cisco manufacturer certs into the FreePBX trusted CA store. It did not work after I added the certs to the Debian host CA store. Does anyone know where I need to add the certs or if FreePBX already has them installed? I know that the Cisco phone is able to verify the certificate that is sent by FreePBX. The cert is the only thing I can think of; I don’t have much experience with VoIP.

I think the first step you should do is to generate your own certificate with Let’s Encrypt from the FreePBX webapp setting, and after that you will be able to configure FreePBX to use your certificate. It will be automatically refreshed when it nears its expiration date. Not sure if it will be enough.
To do that I have given a subdomain to my PBX server and use it to access the server.

If you have TLS already working then certificates are no longer your issue. SRTP (SDES) does not use certificates. DTLS is used for WebRTC and is also not relevant here with your SIP phone.

How did you configure the extension in FreePBX? You have to tell FreePBX to use SRTP with an extension. In Extension - Advanced tab, either force SRTP or set opportunistic to yes:

If you force media encryption here then you will easily see whether it is working, because unencrypted calls will fail.

Information about the failure should be present in the FreePBX log. If not, enabling pjsip logging will show the SIP packets and they will tell the story.

Hi, ok

Okay, so I ended up getting SRTP to work. The problem was that on the Cisco phone the Encryption Method was set to “AES 256 GCM”, which it looks like is not supported by FreePBX. When I switched it to “AES 128” it started working. Although I am still unable to turn on “Verify Client” in FreePBX under the Settings > Asterisk SIP Settings > SIP Settings [chan_pjsip] > TLS/SSL/SRTP Settings, this is not an issue as I am not running this where encryption is that necessary.
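The suite mismatch found above can be read directly from the SDP offer that pjsip logging prints. The following is an added example, not code from the thread or from FreePBX: it lists the SDES crypto suites in an offer and checks them against the set the PBX accepts. The accepted set, the sample SDP, and the mapping of the phone's "AES 256 GCM" label to the suite name `AEAD_AES_256_GCM` are assumptions made for the example.

```python
import re

# Suites the PBX side is assumed to accept (assumption for this example; the
# real set depends on how Asterisk and libsrtp were built).
PBX_ACCEPTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}

# Constructed SDP body, shaped like what a pjsip packet log shows for an offer.
SAMPLE_OFFER = """\
v=0
o=- 1234 1234 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 16400 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=crypto:1 AEAD_AES_256_GCM inline:Q09OU1RSVUNURURfS0VZX05PVF9SRUFM
"""

M_LINE = re.compile(r"^m=(\S+) (\d+) (\S+)")
# RFC 4568: a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)")

def check_offer(sdp, accepted=PBX_ACCEPTED):
    """Return one report dict per media section of an SDP offer."""
    reports = []
    for line in sdp.splitlines():
        line = line.strip()
        m = M_LINE.match(line)
        if m:
            reports.append({"media": m.group(1), "profile": m.group(3),
                            "offered": [], "usable": []})
            continue
        c = CRYPTO.match(line)
        if c and reports:
            suite = c.group(2)
            reports[-1]["offered"].append(suite)
            if suite in accepted:
                reports[-1]["usable"].append(suite)
    for r in reports:
        if not r["offered"]:
            r["verdict"] = "no SDES crypto offered (plain RTP)"
        elif r["usable"]:
            r["verdict"] = "SRTP can negotiate with " + r["usable"][0]
        else:
            r["verdict"] = "suite mismatch: no offered suite is accepted"
    return reports

if __name__ == "__main__":
    for r in check_offer(SAMPLE_OFFER):
        print(r["media"], r["profile"], r["offered"], "->", r["verdict"])
```

Paste the SDP body of the phone's INVITE from the log in place of `SAMPLE_OFFER` and adjust `PBX_ACCEPTED` to match the server build.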