I’m using 6.12.65-26 and enabled tls & srtp. In /etc/asterisk/sip_custom.conf I added:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/pki/CA/asterisk.pem
tlscafile=/etc/pki/CA/certs/ca.cert.pem
tlscipher=AES256-SHA:AES128-SHA
tlsclientmethod=tlsv
In the extension config I set:
transport: tls only
Enable encryption: Yes (SRTP only)
The test phone is a Grandstream GXP2110 which connects externally. On the phone, the extension settings are:
Sip Transport: TLS/TCP
SIP URI Scheme When Using TLS: SIPS
SRTP Mode: enabled and forced.
Asterisk RTP ports are set to 10000-20000; the external extension and FreePBX are each behind a NAT.
Everything works fine, inbound and outbound calls, unless I reboot the FreePBX virtual machine. Outbound calls from the extension are still working, inbound calls are failing. The log says:
[2015-03-21 09:24:06] ERROR tcptls.c: Unable to connect SIP socket to [IP of external extension]:52224: No route to host
All external non-TLS & SRTP encrypted phones are still working. If I re-register the extension on the phone side, everything works fine again.
Registered SIP '9881' at [IP of external extension]:52475
If I expose the external extension in a DMZ after reboot I get:
ERROR tcptls.c: Unable to connect SIP socket to [IP of external extension]:45427: Connection refused
I played around with options on the phone like cryptolifetime, symmetric RTP and Use Actual Ephemeral Port in Contact with TCP/TLS, but no success.
On the phone, Check Domain Certificates, Validate Incoming Messages, Check SIP User ID for Incoming INVITE, Accept Incoming SIP from Proxy Only and Authenticate Incoming INVITE are all set to no.
Any ideas, because I’m running out of…thanks!