How to verify if IAX2 Encryption is working

I have an IAX2 trunk between two FreePBX boxes and I want to verify if encryption is working properly.

I got this in peer details:
forceencryption=yes
encryption=yes
auth=md5

Now, according to that guide, I should see the encryption actually working in IAX2 debug, something like this:
TE-Frame Retry[000] – OSeqno: 009 ISeqno: 009 Type: IAX Subclass: LAGRP
Timestamp: 20004ms SCall: 00001 DCall: 00004 [192.168.25.10:4569]
Feb 15 14:09:22 DEBUG[17937]: chan_iax2.c:3875 encrypt_frame: Encoding full frame 6/12 with length 12
Feb 15 14:09:22 DEBUG[17937]: chan_iax2.c:3883 encrypt_frame: Encoding full frame 6/12 with length 12 + 24 padding (15=28)

I don’t see the encrypt frame part in “IAX2 set debug on”. Or do I need to adjust the IAX verbose levels?

Try a packet capture. It’ll be immediately obvious if it’s encrypted.

https://wiki.wireshark.org/IAX2 and listen to it

Hello everyone!

I’m facing the same “problem”, or however this should be called. I’m using FreePBX 15 (15.0.16.73) with Asterisk 16.11.1.

I have a bunch of FreePBX servers with IAX2 trunks between them. Those IAX2 channels are configured to use MD5 auth with encryption and forceencryption set to yes.

Calls etc. work, but I have been asked to verify and prove that channel encryption works as expected. I took packet captures from the PBX with and without encryption, but after analyzing the pcaps with Wireshark I am unable to confirm if encryption works at all. IAX2 peers show (E) flags, which indicate that encryption is activated.

When analyzing the pcaps with Wireshark, the metadata/control data always shows in plaintext as it is supposed to (like new call from+to, hangups etc.), but I have no clue how to verify that the payload (voice) is indeed encrypted.

Wireshark 3.2 can decode IAX2 streams with no problem, but is completely unable to extract audio from frames (at least with GSM or u/aLAW codecs). I tried “IAX2 Call Analyzer for Unsniff” from Unleash Networks and it couldn’t extract audio streams from the unencrypted IAX2 trunk pcap, nor from the encrypted one.

Does anyone have ideas how to continue? How can I prove that the voice payload is indeed encrypted? Replaying voice from captured data would be an excellent way to prove this for my boss.

Thanks in advance for any tips!

ulaw data (for example) has most samples near 0, represented by 0x7f, 0xff, 0x7e, 0xfe. Encrypted data looks like random noise, with all byte values similar in frequency.

Take pcap captures of two calls with neither party talking. Both use ulaw, one encrypted and one not. The calls should be at least two minutes long (~ a million samples in each direction).

Open the pcaps in HxD (or a similar program that can display a histogram of byte values) and select Analysis -> Statistics. Even though the data is ‘polluted’ by pcap, MAC, IP, UDP, IAX2 and RTP overhead, the difference will be dramatic.
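The byte-histogram check described in the answer above can also be scripted. This is an added example, not part of the original thread: the function names, the thresholds in `looks_encrypted` and the constructed sample data (uniformly random bytes standing in for an encrypted payload) are assumptions.

```python
import math
import random
import sys
from collections import Counter

# Byte values the answer above gives for ulaw samples near 0 (silence).
ULAW_SILENCE = bytes([0x7F, 0xFF, 0x7E, 0xFE])

def byte_profile(data: bytes) -> dict:
    """Shannon entropy (bits per byte) and share of ulaw-silence bytes."""
    if not data:
        raise ValueError("no data to analyse")
    counts = Counter(data)
    total = len(data)
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    silence = sum(counts[b] for b in ULAW_SILENCE) / total
    return {"entropy": entropy, "silence_share": silence}

def looks_encrypted(data: bytes, min_entropy: float = 7.0,
                    max_silence: float = 0.10) -> bool:
    """Assumed thresholds; tune them on your own pair of captures."""
    p = byte_profile(data)
    return p["entropy"] >= min_entropy and p["silence_share"] <= max_silence

def constructed_samples(n: int = 100_000, seed: int = 1):
    """Constructed data: a silent ulaw stream and uniformly random bytes."""
    rng = random.Random(seed)
    silent = bytes(rng.choices([0xFF, 0x7F, 0xFE, 0x7E, 0xFD, 0x7D],
                               weights=[40, 40, 8, 8, 2, 2], k=n))
    noise = bytes(rng.getrandbits(8) for _ in range(n))  # encrypted stand-in
    return silent, noise

def report(label: str, data: bytes) -> None:
    p = byte_profile(data)
    print(f"{label}: entropy={p['entropy']:.3f} bits/byte, "
          f"silence={p['silence_share']:.1%}, encrypted={looks_encrypted(data)}")

if __name__ == "__main__":
    if sys.argv[1:]:
        # Whole capture files, headers included, as in the HxD approach.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                report(path, fh.read())
    else:
        silent, noise = constructed_samples()
        report("constructed silent ulaw", silent)
        report("constructed random bytes", noise)
```

Run it with the two pcap file names as arguments to profile real captures; because the headers are counted too, compare the two files against each other rather than relying only on the default thresholds.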
