SRTP problems

Distro 14 here.
We have lots of phones on site, and some remote phones off site.
The offsite phones connect using SIPS / SRTP for obvious reasons.

If I receive a call from an offsite phone (SRTP), it works perfectly - until the call is transferred. As soon as the SRTP leg is transferred, I get these two errors in the log and all audio stops. The call cannot be disconnected. If I hang up one leg, the other leg stays up until the channel is taken down manually.

res_srtp.c:452 ast_srtp_unprotect: SRTP unprotect failed with: authentication failure 10
res_srtp.c:452 ast_srtp_unprotect: SRTP unprotect failed with: authentication failure 110

Is the extension the call is being transferred to also using SRTP? If not that may be your problem. There is no reason not to use SIPS/SRTP for internal networks as well.

It is not SRTP.

If I have to go through my entire network and re-engineer everything to support SRTP on my voip vlans, that’s going to be trouble.

Again the initial call is from SRTP to my desk which is RTP, and that works. I’ve looked and could find no documentation on this, or limitations. I can’t find anything that says you “can’t” transfer a call from SRTP to RTP… Not sure if this is a bug or a feature.

Try a few test scenarios and see if it works. It sounds like it might be a big but I’m not sure either.

Actually, this is worse than I thought. I just checked and I have some hardware, like cordless phones, that don’t even support SRTP.

Good grief.

Did changing a phone to SIPS/SRTP that wasn’t solve the problem?

Asterisk is a back-to-back user agent. That means that each leg is individually negotiated between the endpoint and Asterisk. You can have the calling leg be SRTP and the callee leg be plain SIP/RTP, or, it could be analog or IAX or a DS0 or whatever. There is no requirement that you enforce SRTP end to end through Asterisk.

1 Like

I’ve been testing this for 3 days, I can transfer calls between SRTP extensions so far, but that’s not a workable solution.

I can’t change EVERYTHING to SRTP even if I wanted to. And I shouldn’t have to. I just want to secure the channels that are coming in from the outside.

The fact that whole call becomes a zombie is proof that this is a bug in asterisk.

That confirms what i thought.

Here is a bug that may be relevant. What version of Asterisk are you running?

You don’t need to have everything on SRTP. That is bad advice. This is a bug in Asterisk that was fixed months ago already. Sounds like you have a outdated Asterisk installed.

That’s good to know. I’m running system-updates now…
Will probably not be able to fully test this until tonight though.

currently asterisk 14.6.2.

I have fully updated Linux, then Asterisk, then all the FreePBX modules.
The problem remains.

Asterisk 14.6.2.

You will need to open a bug ticket with the Asterisk project as it’s out of our control that is all part of core of Asterisk.