SRTP with Yealink T4X phones

Has anyone set up SRTP with the Yealink T4x series phones and FreePBX 13?

SIP (PJSIP) over TLS is working perfectly, but I cannot seem to do anything with the RTP.

I have not tried this with Yealink, but I have done this with Grandstream. In order to get this working with any NON Sangoma phone, you need to edit the base file and change the settings manually; FreePBX will NOT send the right info to the config file for SRTP or SIP-TLS. You should check your port settings (FreePBX is probably setting the non-TLS port) in the base file, as well as anything specific to Yealink to enable SRTP.

Finally, you should make sure you have the following set right on the advanced tab of the extension:
transport - try specifying tls
media encryption - srtp
Allow Non-Encrypted Media (Opportunistic SRTP) - try yes

I do not use the Endpoint Manager, and I will just set things manually in the phone during testing, only updating the config files once I have it all working.

I already had TLS transport working fine. I changed the media encryption to srtp and then changed the phone to require SRTP and calls worked.

Is there something in the Asterisk logs that I can see to prove the RTP was encrypted?

Hi, sorry, your first post did not have all of this info. So it sounds like you have SRTP going, you just want confirmation? I don’t know about Yealink, but on Grandstream, there is a lock symbol on the screen when the call starts if you are using SRTP… maybe Yealink has something like that?

My first post does clearly state I had TLS working for SIP.

Thanks to your post, I now have SRTP enabled correctly, and supposedly forced instead of opportunistic. I want to verify it.

I will test more, but the Yealink phones give you a lock when dialing if there is TLS on the SIP and the lock stays even during a call when SRTP was not enabled.

I will have to test if I have TLS off but SRTP on if it shows the lock.

But really I do not care what the phone shows. I assumed that Asterisk would know if it was using SRTP and I would be able to see it. But watching the console, I was not able to notice a difference.

Thanks for sharing, tonyg.
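On the question above of proving the media was encrypted: SRTP is negotiated in the SDP body of the INVITE and its 200 OK, which Asterisk prints on the console after `pjsip set logger on`. The sketch below is an added example, not code from any poster or from FreePBX. It classifies each media stream of an SDP body by its transport profile and `a=crypto` lines; the SDP samples and verdict names are constructed for illustration.

```python
# Added example: classify each media stream in an SDP body by its SRTP keying.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

def classify_sdp(sdp):
    """Return one dict per m= section: media, port, profile, suites, verdict."""
    streams = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port.split("/")[0]),
                            "profile": profile, "suites": []})
        elif line.startswith("a=crypto:") and streams:
            # RFC 4568: a=crypto:<tag> <crypto-suite> <key-params>
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3 and fields[2].startswith("inline:"):
                streams[-1]["suites"].append(fields[1])
    for s in streams:
        secure = s["profile"] in SECURE_PROFILES
        if s["port"] == 0:
            s["verdict"] = "rejected"            # stream declined, no media flows
        elif secure and s["suites"]:
            s["verdict"] = "srtp-required"       # secure profile plus keys
        elif s["suites"]:
            s["verdict"] = "srtp-opportunistic"  # keys carried under plain RTP/AVP
        elif secure:
            s["verdict"] = "malformed"           # secure profile but no key material
        else:
            s["verdict"] = "plain-rtp"
    return streams

def answer_is_encrypted(answer_sdp):
    """True only if every active stream in the SDP answer carries SRTP keys."""
    active = [s for s in classify_sdp(answer_sdp) if s["verdict"] != "rejected"]
    return bool(active) and all(s["verdict"].startswith("srtp") for s in active)

# Constructed SDP bodies (addresses, ports and keys are placeholders, not captures).
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED+PLACEHOLDER+KEY\r\n"
FORCED = HEAD + "m=audio 11780 RTP/SAVP 0 8 101\r\n" + KEY
OPPORTUNISTIC = HEAD + "m=audio 11780 RTP/AVP 0 8 101\r\n" + KEY
PLAIN = HEAD + "m=audio 11780 RTP/AVP 0 8 101\r\na=rtpmap:0 PCMU/8000\r\n"

if __name__ == "__main__":
    for name, sdp in [("forced", FORCED), ("opportunistic", OPPORTUNISTIC), ("plain", PLAIN)]:
        print(name, [s["verdict"] for s in classify_sdp(sdp)], answer_is_encrypted(sdp))
```

Run it against the SDP of the 200 OK rather than the INVITE, since the answer is what both sides agreed to use.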

Hi Sorvani

I am not able to set up TLS + SRTP + Yealink over NAT. It's working perfectly in the local LAN.

My setup
FreePBX 14 with Asterisk 13.18.4
I am using PJSIP TLS with a self-signed certificate. The dynamic hostname xyz.dyndns.org is used for NATing.

General SIP Settings:

Default TLS Port Assignment: PJSIP
External Address: xys.dyndns.org
Local Networks: 192.168.100.0/24
RTP Start: 10000 End: 20000
RTP Checksums: No
Strict SRTP: Yes

Chan PJSIP Settings

Certificate Manager: xys.dyndns.org
SSL Method: tlsv1
verify client: No
verify server: No
udp: Yes
tls: Yes
udp port to listen on : 5060
tls port to listen on: 5061

PJSIP Extension TLS Settings

Transport : 0.0.0.0-tls
Media encryption: SRTP via in-SDP (recommended)
Allow Non-Encrypted Media (Opportunistic SRTP): Yes

The following ports are forwarded in my router to the FreePBX server
TLS: 5061
UDP: 10000-20000

Any help would be appreciated. Many thanks!