PJSIP trunk between servers

pjsip
Tags: #<Tag:0x00007fafc1175c78>

#1

Hi All,

I’m trying to set up a PJSIP trunk between two FreePBX servers, but I’m not having much luck.

Does anyone have a barebones config for a working trunk they could share?

Thanks,
Josh


Is IAX2 still best trunk type for Internal Calling between FreePBX Systems? Specifically related to Encryption
(Tom Ray) #2

You need to provide some more information. Is this going to be straight peering? Will one box register to another?


#3

Hi,

Yes, straight peering between two offices, both have static IPs, so I don’t think I need registration.
Basically just looking for a PJSIP version of the IAX instructions


(Avayax) #4

What have you done so far?
You can show a screenshot of your trunk config.
Are the two Freepbx servers connecting over the internet?


#5

Come now, it’s simple.

Trunk config on both PBXes:

Does not get much more “bare bones” than that.


Freepbx help about interconnect
Is IAX2 still best trunk type for Internal Calling between FreePBX Systems? Specifically related to Encryption
Is IAX2 still best trunk type for Internal Calling between FreePBX Systems? Specifically related to Encryption
(Lorne Gaetz) #6

@billsimon’s Bare Bones™ setup will work, just make sure to match the SIP Server Port to the actual PJSIP port at the far end, which may or may not be 5060.


(Jared Busch) #7

It should be. There is really no reason for people to deploy anything else.


(Lorne Gaetz) #8

I am one of those weirdos who thinks that no SIP services should be bound to 5XXX.


(Jared Busch) #9

That is different. I was implying the mess that exists because of the two channel drivers, and that chan_pjsip should always be on 5060.

Changing a port is security through obscurity, and that is not effective. Yeah, for now it will cut down on log chatter. But if it becomes standard that SIP is on some random port, then the scanners and bots will simply track more information than IP.


(Lorne Gaetz) #10

As a security measure it’s not perfectly effective, but it is absolutely effective at reducing random opportunistic hack attempts. The responsive firewall on my home system has detected 16 malicious IPs in the last 4 months as opposed to dozens (or much more) per hour one sees when using 5060.


#11

Thank you @billsimon for this post.

How do we leverage authentication and also make sure encryption (SIP TLS and Secure RTP) are enabled between these servers?


#12

From your other post, it sounded like you were connecting two PBXes within your own network, in which case I do not think it is of any value to set up additional auth beyond IP matching, nor encryption.


#13

Thanks @billsimon for this response. Due to regulations that our company must meet, we treat connectivity as though our internal network has a bad actor inside it’s walls all the time (essentially untrusted). This helps us ensure we are doing our best to secure all aspects.

In our current cyber-warfare state, it surprises me that more companies haven’t chosen to take this path. (not a debate for this forum)

Because of this mentality, we would need to make sure that we have authentication and encryption on these trunks, just as if they were exposed externally.


(Dave Burgess) #14

IP authentication is used to make sure that the only “actors” that can access the server (good or bad) through this connection are at the other machine’s IP address. Adding TLS and other protection layers are just more settings.

In my experience (such as that is) setting up the system so that works correctly then adding the additional bells and whistles (such as TLS) is a prudent way forward. Get the basic connectivity working, make sure all of the phones connect and that everything is working.

Once you have that state, back it up and add security. It will require updates to every device in the network that connects to that machine.

Our current cyber-warfare state notwithstanding, at the place where I do my day job, we don’t run encrypted on the LAN. We use other tools (intrusion detection, logging, live monitoring, etc.) to protect not only the phone systems, but the enterprise in general. Since setting up TLS for everything is the same as setting up TLS for nothing (in the case of the insider threat), monitoring other areas pays off more richly and provides us with a more satisfactory management envelope.


#15

Encryption

You can use the Certificate Manager to generate self-signed certs for each of your PBXes. In the Asterisk SIP Settings - pjsip tab, select the certs for use with TLS transport, and disable client and server certificate verification (because you are using self-signed). Then in your partner PBX trunks, pick TLS transport, and be sure to set the right port number (5061 by default). In the Advanced tab of your pjsip trunk, find the media encryption option and enable SRTP.

Authentication

Set to “both” in the General tab of your pjsip trunks. This is probably easiest if you make the trunk name the same on both systems, and use the same password. In the advanced tab I believe you will want to set the authentication matching to “Auth username” since calls will come across the trunk with various caller IDs (From header).


#16

Thanks @billsimon. We already have properly signed certs for all PBXs. We already have PJSIP implemented with TLS connectivity to devices and external trunks.

It sounds like @cynjut suggestion is a good one. Start with just the basics to establish server to server, then add encryption and authentication.

When we get to that step I can follow the additional steps you provided! Thank you again for those!

Thank you all for your help and guidance in this. We will give it a go.


#17

Thanks,

That was pretty much what I had, but I was still having issues.
Turns out even though I was using IP addresses in all my trunk configs, a bad DNS entry for one of the servers was causing the issues, removed it & all is working.


(system) closed #18

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.