TLS SIP Trunk (2Talk)

Hi,
I’m running Hosted FreePBX 13 and trying to configure a TLS SIP Trunk so that the communication is encrypted all the way from my endpoints to my service provider. I am currently using 2Talk as my service provider. I have been in contact with 2Talk and they say they support connections over 5060 and 5061 (TLS). The problem is that I do not know how to configure FreePBX to connect using port 5061 for the trunk. (I have successful TLS connections to Sangoma phones.)

Also, I do have a successful connection over 5060 to 2Talk using these guidelines: https://www.2talk.com/siptrunking.html
But there is no example from them using TLS. (They just told me I could try tls.2talk.com, but it still isn’t working for me.)

The error I get in the logs when I attempt a call on the trunk over port 5061 is:
[2017-09-28 16:15:22] VERBOSE[2496] tcptls.c: SSL certificate ok
[2017-09-28 16:15:22] ERROR[2496] tcptls.c: Certificate did not verify: unable to get local issuer certificate

While happening to get the exact settings I would need for 2Talk service would be ideal, recommendations from others who have accomplished a TLS connection with their service provider may help shine some light on what needs to be done.

Thanks in advance for the help!

Turn off both server and client certificate checks in sip settings for now to test. You may have to set up a client certificate on your PBX via your provider.

Thank you for the suggestions. Turning off the certificate check worked for being able to make outbound calls. Still trying to figure out why it’s not receiving inbound calls over tls.

Now it is giving me these messages in the log file:
[2017-09-29 09:12:32] VERBOSE[3588][C-00000f49] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/27.111.12.66-00000f5e”, "WARNING,“Rejecting unknown SIP connection from 27.111.12.66"”) in new stack
[2017-09-29 09:12:32] WARNING[3588][C-00000f49] Ext. s: “Rejecting unknown SIP connection from 27.111.12.66”

EDIT
These errors were occurring because of the Incoming setting insecure-invite instead of insecure-very. I changed this setting and fixed the problem.
-------

Just for reference for others who might read this, https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport
was a helpful wiki that also offered the suggestion of setting tlsdontverifyserver=yes when Asterisk is acting as a client.

Managed to get it working both ways. I’ll post the trunk settings I used for TLS connection to 2Talk:

Outgoing
type=friend
qualify=yes
nat=never
context=from-trunk
insecure=invite
host=tls.2talk.com
dtmfmode=rfc2833
canreinvite=no
disallow=all
allow=gsm&alaw
transport=tls
encryption=yes

Incoming
type=friend
qualify=yes
nat=never
insecure=very
context=from-trunk-sip-2talk-outbound-tls
host=tls.2talk.com
dtmfmode=rfc2833
canreinvite=no
disallow=all
allow=gsm&alaw
transport=tls

As 2Talk requires you to provide them your PBX static IP, there is no registration required to connect to their service.

These are just the settings I used to get it to work, both sending and receiving calls. If anyone has suggestions on a better way to configure this, please post it.

Hope someone else might find this useful as the documentation for 2Talk in the US seems to be lacking!
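
An added example, not part of the original posts and not FreePBX or 2Talk code: a small audit of chan_sip peer settings like the ones posted above, reporting which parts of the call path stay unverified or unencrypted once the workarounds from this thread are in place. The function names and finding texts are hypothetical, and treating insecure=very as including invite is an assumption based on legacy chan_sip behaviour.

```python
# Constructed input: security-relevant lines from the trunk settings posted above.
OUTGOING = "transport=tls\nencryption=yes\ninsecure=invite\nhost=tls.2talk.com\n"
INCOMING = "transport=tls\ninsecure=very\nhost=tls.2talk.com\n"
# Constructed [general] line: the verification bypass suggested earlier in the thread.
GENERAL = "tlsdontverifyserver=yes\n"


def parse(block):
    """Turn key=value lines into a dict (keys and values lowercased, ';' comments dropped)."""
    settings = {}
    for line in block.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit(peer, general=None):
    """Return findings for one peer dict, plus an optional [general] dict."""
    general = general or {}
    findings = []
    if peer.get("transport") != "tls":
        findings.append("signalling is not TLS")
    elif general.get("tlsdontverifyserver") == "yes":
        # TLS still encrypts, but the provider's certificate chain is not checked.
        findings.append("TLS server certificate is not verified")
    if peer.get("encryption") != "yes":
        # transport=tls covers SIP signalling only; media needs SRTP.
        findings.append("SRTP not requested: media may be plain RTP")
    flags = {f.strip() for f in peer.get("insecure", "").split(",")}
    if flags & {"invite", "very"}:  # assumption: 'very' includes 'invite'
        findings.append("inbound INVITEs are accepted without authentication")
    return findings


if __name__ == "__main__":
    for name, block in (("Outgoing", OUTGOING), ("Incoming", INCOMING)):
        for finding in audit(parse(block), parse(GENERAL)):
            print(f"{name}: {finding}")
```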

Hello, I’m trying to set up a TLS trunk to my FreePBX from a new VOIP Service Provider. Where should I put the Certificates path?
My setup is endpoint no encryption and Chan_Sip 5060.
My SIP Provider sent me the Intermediate certificate and the root and we are using TLS=5061.
Can you guide me to the right path?
Where should I put the Certificates and in what file should I add the configuration path?
Thanks

Please start a new topic with your specific question and scenario. The threads you have replied to are old.

2 Likes