Hello, I’m new here (and to FreePBX for that matter). I’ve just recently installed the latest version (version 16). I’ve been reading up and trying to figure out how to get my extension to register with TLS (I honestly have no concern over getting unencrypted UDP set up). So I followed this article here:
https: //wiki. freepbx. org/display/PHON/TLS+and+SRTP
I then configured an extension to use Symmetric RTP and Encrypted media via SDP.
I tried to get a SNOM phone to register to the PBX, but it failed to register despite having the exact credentials. In the SNOM phone I have it set up to use TLS, and TCP where encryption is mandatory using AES80. Finally I attempted to register (Note I have already restarted the PBX/Asterisk), and it fails to register. I looked online trying to diagnose the problem, but as far as I can see it just plain and simple fails to register… I’m not sure if it isn’t encrypting the credentials when it sends them, or what exactly is going on. Since this is a new installation I haven’t changed many settings. I’ve read up on the following articles to try to understand the problem:
https: //wiki. freepbx. org/display/DIMG/Configure+TLS
https: //wiki. freepbx. org/display/DIMG/Configure+SRTP
https: //wiki. freepbx. org/display/DIMG/IMG+1010±+TLS±+Configuration
However, after reading up on these articles I am lost as to how they pertain to the PBX and/or my phone.
To verify that it wasn’t a configuration problem with my phone I also installed a desktop phone (Linphone), with a TLS configuration registering on port 5061. When I enter the secret (copied), it fails to register as well. I’ve checked the logs on both phones, and don’t see anything out of the ordinary (as far as I am concerned). Honestly, looking at the logs it looks like it just plain and simple fails again. I’m not sure if there is a setting that you could set to have it not authenticate, and still look “normal”.
Again I would like to mention I just installed this PBX after watching some online videos and reading some articles. That being said, I am no professional at analyzing PBX and SIP logs. Any help in the direction I should go would be appreciated.
Note: since I am a new user I can’t actually post links, hence why there are unnecessary spaces in the links I provided.
Do you mean “that works fine” or “I had not tried that”?
I’m not familiar with Linphone logging, but you could run Wireshark on the Linphone machine and look at the TLS handshaking. If it fails, which side aborts the connection? If the server, certs may not be set up properly. If the client, certs maybe can’t be verified, you might try disabling verification for test. Re: [Linphone-developers] how to set up tls for linphone.
If the TLS connection opens ok, the Asterisk log should show the failed registration (invalid user, wrong password, etc.)
Exactly, I haven’t tried setting up UDP because I only want encrypted connections.
The TLS handshake is successful and the asterisk log shows failed registration. As I mentioned, it appears to be a regular failure as far as the logs go, but the secret is identical. Hence why something is or isn’t encrypted where it is supposed to be. However I have no idea where to check the encryption everywhere.
Also note that the client and server verification work perfectly fine as per the logs.
Confirm that in Asterisk SIP Settings, chan_pjsip tab, for transport 0.0.0.0 (tls), Port to Listen On is set to 5061.
Confirm that in Applications → Extensions, the Type of the linphone extension is shown as pjsip. If not, edit the extension and on the Advanced tab, change to CHAN_PJSIP Driver.
If you still have trouble, at the Asterisk command prompt (not a shell prompt) type pjsip set logger on
restart linphone so it attempts to register, paste the Asterisk log for the attempt (which should include a SIP trace) at pastebin.freepbx.org and post the link here.
Sorry, I didn’t notice your SIP trace; you posted it during my previous post. However, it’s garbled. Please paste it as described above, or put it in quoted text. For example the line 5 in your log surely contains an extension number but it did not appear on the forum.
Here are my settings, hopefully there will be something very obvious that is wrong.
-----START Asterisk General SIP Settings--------
Allow Anonymous Inbound SIP Calls: No
Allow SIP Guests: No
Default TLS Port Assignment: PJSip
NAT Settings skip
RTP Port Ranges: Start: 10000 End: 20000
RTP Checksums: Yes
Strict RTP Yes
RTP Timeout: 30
RTP Hold Timeout 300
RTP Keep Alive 0
Everything else until Codecs Blank
Codecs ulaw, alaw, gsm, g726, g722, g729
Video Support: Disabled
------END Asterisk General SIP Settings ----------
--------START SIP Settings [chan_pjsip] -----------
Allow Transports Reload: No
Enable Debug: No
Keep Alive Interval 90
Caller ID into Contact Header No
Taskprocessor Overload Trigger pjsip_only
Show Advanced Settings: No
Endpoint Identified Order: Blank
Certificate Manager: mypbx.domain (certificate)
SSL Method: tlsv1_2
Verify Client Yes
Verify Server Yes
0.0.0.0 (tls): Port to Listen On: 5061 everything else Blank or No
-----------END SIP Settings [chan_pjsip]-----------
------------START Extension 3000 Settings-----------
Secret: 16 alpha numeric characters[a-z0-9]
Voicemail: Enabled (voicemail should be irrelevant)
DTMF Signaling: RFC 4733
Default User: Blank
Trust RPID: Yes
Send Connected Line: Yes
user = Phone No
Send RPID: Send P-Asserted-Identity header
Qualify Frequency: 60
Enable AVPF: No
Enable ICE Support: No
Enable rtcp Mux: No
Call Groups|Pickup Groups|Disallowed Codecs| Allowed Codecs: Blank
Mailbox [email protected]
Voicemail Extension: Blank
Account Code: Blank
Max Contacts: 3
Media Use Received Transport: Yes
RTP Symmetric: Yes
Rewrite Contact: Yes
Force rport: Yes
MWI Subscription Type: Auto
Aggregate MWI Yes
Enable WebRTC defaults No
Max audio streams 100
Max video streams 100
Media Encryption: SRTP via in-SDP (recommended)
Session Timers: Yes
Timer Expiration Period: 90
Direct Media: Yes
Allow Non-Encrypted Media (Opportunistic SRTP): No
Refer Blind Progress: Yes
Device State Busy at: 0
Match (Permit): Blank
Maximum Expiration: 7200
Minimum Expiration: 60
RTP Timeout: 0
Outbound Proxy|Messages Context|CID Num Alias|SIP Alias: Blank
Extension Options: appear to be irrelevant to this problem.
Recording Options: appear to be irrelevant to this problem.
Dictation Services: appear to be irrelevant to this problem.
Default Directory: Exclude
DTLS Enable DTLS: No
Everything else appears to be irrelevant to this problem.
------------END Extension 3000 Settings-----------