I have recently switched over and started using a different provider (Voyant -> Twilio) because they are discontinuing their SIP trunking services. I also wanted to implement secure trunking, which has worked, no problem. So it seems I can accomplish TLS/SRTP from server to provider. But I am having difficulty accomplishing the same from server to endpoints, which are all Yealink T48S phones. Currently they will register and work fine using UDP 5060. My test phone seems to register just fine via TLS, but SRTP won’t negotiate and connect. So even when I try *60 from the phone, I get “call failed, Not acceptable here”. I need to know what I am doing wrong; hopefully a second pair of eyes or two can identify what I’m missing.
Asterisk SIP Settings:
Valid and active LE Certificate selected
Verify Client / Server = No
UDP - 5060 - Enabled
TLS - 5061 - Enabled
(Asterisk has been fully stopped and restarted in CLI when those above settings were originally adjusted.)
I only have ulaw codec selected.
Underneath my test user I have the following set:
Transport: 0.0.0.0-tls
Media Encryption: SRTP via in-SDP
Allow Non-Encrypted Media: No
Settings on the Yealink Phone:
Sip Server: Pointing to my cloud FQDN
Sip Server Port: 5061
Sip Server Transport: TLS
Advanced -> RTP Encryption (SRTP): Compulsory
Security -> Trusted Certificates -> Only Accept Trusted Certificates: Disabled (For the sake of troubleshooting)
Turning off the media encryption for the user and in the Yealink phone, calls will work just fine. But they fail as soon as I enable. Anyone have any ideas?
Right?! Seemed odd to me too! I received a generic email last week about services getting terminated on my account by 7/15/20. Since I only use SIP trunks with them, it raised some red flags because I hadn’t requested to cancel anything. I emailed their support for more information, and here was their response:
I wanted to let you know that Inteliquent and Voyant have integrated their operations to better serve customers and to bring more services to the customers of each business. We are merging into a single company, but we are not moving away from the markets and customers that Voyant serves today, with the goal to better serve the Voyant customers and markets. With this integration we are consolidating services, and due to the amount of supported SIP Trunking platforms that exist today, only 3 will be supported moving forward. Unfortunately, the Voyant SIP Trunking platform that you are on today is not one of the platforms that will be supported moving forward and will be eventually discontinued and closed.
So that is the reason our Management team decided to send out this notice, so you can migrate your services to another provider. If you wish to stay in Voyant’s network, we can offer to migrate you to our Vitelity platform (www.vitelity.com), which also offers SIP Trunking services. However, you will need to sign an agreement for spending at least $300 USD per month in usage (call traffic, DIDs, etc). If you are interested in that, please let me know so I can get a Sales Engineer to reach out. If you wish to move away from Voyant, you may want to consider QuestBlue, which is also a SIP Trunking and Hosted PBX provider. To begin the onboarding process with QuestBlue, please call (919) 443-1617 and select option 1 or email [email protected].
In any case, we will do our best to assist you during this migration process, so please let me know if we can help with that.
Well, this raises a couple of questions. Since this is a Let’s Encrypt certificate that I have selected, do I need to load that into the Yealink phones’ trusted certificate manager? Besides that, I had disabled requiring a valid certificate anyway. I wouldn’t see any reason why it wouldn’t work perfectly, but just the SRTP doesn’t work for me. What do I need to change or try? If it ultimately comes down to needing that certificate loaded on the phones, is there any way to do that via EPM? Even with base file edits, because I know I have to add manual entries to enable the settings for TLS/SRTP as it is.
The firmware version on these phones is 66.84.0.125.
I am currently trying to test this on a T42S as well, also running the same firmware version, 66.84.0.125.
Please confirm that Media Encryption for the extension is set to SRTP via in-SDP.
If that’s not your issue, at the Asterisk command prompt type pjsip set logger on, make a failing call to *60, paste the log at https://pastebin.freepbx.org and post the link here.
Something I noticed recently when testing TLS/SRTP was that if the extension were created prior to the change to TLS I had to manually set the extension to use TLS transport in the extension setting in FreePBX. Having it set to auto didn’t seem to work.
It seems like it, but this was received directly from Voyant support. I submitted a ticket with them and that was one of their support agents’ responses. I did not respond to the initial email; I opened a new ticket directly to Voyant myself.
I do not have the extension set to auto, I do have it set to 0.0.0.0-tls. The TLS works fine though, so I know that part is good. It registers via TLS just fine, it seems to not want to encrypt the media (SRTP) when I enable that part though.
Taken at face value, the 488 means that the list of ciphers enabled in pjsip does not include the AES_CM_128_HMAC_SHA1_80 or AES_CM_128_HMAC_SHA1_32 offered by the phone.
Normally, FreePBX does not restrict the list. What does the Asterisk CLI show for pjsip show transport 0.0.0.0-tls?
If the cipher field is blank, try sending an incoming call to the extension and see which ciphers are offered by pjsip.
Running the command you recommended does indeed show the cipher field blank.
So I created a secondary test user signing in to a Bria softphone. First I made this second user register like the rest, via UDP 5060 and had encryption turned off. Phone rings and call is established, but no audio. Here is that trace: https://pastebin.freepbx.org/view/ad7e0ec8
Then I switched that second test user to use TLS/SRTP. This time the call doesn’t connect and seems to give the same error. Here is that trace: https://pastebin.freepbx.org/view/37d90f9a
This trace is very strange. I would expect (if things were working properly) unencrypted media between 298 and Asterisk, and encrypted media between 299 and Asterisk. However, Asterisk offered unencrypted media to 299, and 299 accepted it! So, I suspect that the Media Encryption setting for 299 was not processed properly, which would also explain the 488 error given to 299 in the older post.
Sounds like a bug somewhere. You have Media Encryption for 299 set to SRTP via in-SDP, but pjsip thinks you selected DTLS. What does pjsip.endpoint.conf have?
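The two diagnoses above (the 488 pointing at the SRTP offer, and Asterisk offering plain RTP to an extension configured for SRTP) both come down to reading what the SDP on the wire actually carries and comparing it with the endpoint's pjsip settings. The script below is an added example written for this thread, not FreePBX or Asterisk code: it pulls the SDP body out of a pjsip logger trace, reports whether the offer is plain RTP (RTP/AVP, no keys), SDES-SRTP (RTP/SAVP with a=crypto lines, which is what "SRTP via in-SDP" should produce) or DTLS-SRTP (a=fingerprint), and checks that against the endpoint's media_encryption in pjsip.endpoint.conf. The trace, the config fragment and the extension number are constructed; the function names are this example's own. The option names media_encryption and transport and the values sdes, dtls and no are real Asterisk pjsip endpoint settings, and a=crypto / a=fingerprint are the standard SDP attributes for SDES and DTLS keying.

```python
"""Classify the media security a SIP offer actually carries and compare it
with the endpoint's pjsip configuration. Added example for this thread; all
trace and config text is constructed (documentation address ranges)."""
import re

# Constructed excerpt in the shape of `pjsip set logger on` output: Asterisk
# offering *unencrypted* audio (RTP/AVP, no a=crypto) to an extension that
# should have been SDES-SRTP, i.e. the situation described in the thread.
TRACE = """\
<--- Transmitting SIP request (912 bytes) to TLS:192.0.2.10:5061 --->
INVITE sip:299@192.0.2.10:5061;transport=tls SIP/2.0
From: "298" <sip:298@198.51.100.5>;tag=abc123
To: <sip:299@192.0.2.10:5061;transport=tls>
Content-Type: application/sdp
Content-Length: 214

v=0
o=- 1593000000 1593000000 IN IP4 198.51.100.5
s=Asterisk
c=IN IP4 198.51.100.5
t=0 0
m=audio 10000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=ptime:20
a=sendrecv
"""

# Constructed SDP showing what a correct SDES-SRTP offer looks like for ulaw.
SDES_OFFER = """\
v=0
o=- 1 1 IN IP4 198.51.100.5
s=Asterisk
c=IN IP4 198.51.100.5
t=0 0
m=audio 10000 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:constructedBase64KeyMaterialGoesHere0000000
a=sendrecv
"""

# Constructed pjsip.endpoint.conf fragment: the settings expected for an
# extension using "SRTP via in-SDP" on the TLS transport.
ENDPOINT_CONF = """\
[299]
type=endpoint
transport=0.0.0.0-tls
media_encryption=sdes
allow=ulaw
"""


def extract_sdp(trace: str) -> str:
    """Return the first SDP body in a trace (from 'v=0' to the next blank line)."""
    lines = trace.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "v=0"), None)
    if start is None:
        return ""
    body = []
    for l in lines[start:]:
        if not l.strip():
            break
        body.append(l.strip())
    return "\n".join(body)


def classify_sdp(sdp: str) -> dict:
    """Describe the audio m-line profile and the SRTP keying the SDP carries."""
    m = re.search(r"^m=audio\s+\d+\s+(\S+)", sdp, re.M)
    profile = m.group(1) if m else None
    crypto = re.findall(r"^a=crypto:\d+\s+(\S+)", sdp, re.M)   # SDES suites
    fingerprint = bool(re.search(r"^a=fingerprint:", sdp, re.M))  # DTLS keying
    if profile is None:
        mode = "no-audio"
    elif fingerprint or profile.startswith("UDP/TLS/"):
        mode = "dtls"
    elif "SAVP" in profile and crypto:
        mode = "sdes"
    elif "SAVP" in profile or crypto:
        mode = "inconsistent"  # secure profile without keys, or keys on RTP/AVP
    else:
        mode = "plain"
    return {"profile": profile, "crypto_suites": crypto,
            "fingerprint": fingerprint, "mode": mode}


def parse_endpoint_conf(text: str) -> dict:
    """Minimal Asterisk config reader: {section: {key: [values]}}; repeated keys kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk configs
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(k, []).append(v)
    return sections


def diagnose(trace: str, conf: str, endpoint: str, phone_requires_srtp: bool) -> dict:
    """Compare the offer on the wire with the endpoint's media_encryption setting."""
    offer = classify_sdp(extract_sdp(trace))
    opts = parse_endpoint_conf(conf).get(endpoint, {})
    configured = opts.get("media_encryption", ["no"])[-1].lower()
    expected = {"sdes": "sdes", "dtls": "dtls", "no": "plain"}.get(configured, "unknown")
    findings = []
    if offer["mode"] != expected:
        findings.append(f"endpoint {endpoint} has media_encryption={configured} but the "
                        f"offer on the wire is {offer['mode']} ({offer['profile']})")
    if phone_requires_srtp and offer["mode"] == "plain":
        findings.append("phone requires SRTP and was offered plain RTP: "
                        "expect 488 Not Acceptable Here")
    if not findings:
        findings.append("offer matches endpoint configuration")
    return {"offer": offer, "configured": configured, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(TRACE, ENDPOINT_CONF, "299", phone_requires_srtp=True)["findings"]:
        print(line)
    print("reference SDES offer:", classify_sdp(SDES_OFFER)["mode"])
```

Run it against a real pjsip logger paste by replacing TRACE with the captured INVITE (or 200 OK) and ENDPOINT_CONF with the generated pjsip.endpoint.conf section for the extension; a "plain" offer against media_encryption=sdes is the mismatch described above, while "dtls" against sdes is the case where pjsip ended up with DTLS instead of in-SDP SRTP.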