Hi all,
I would like to ask you to point me in the right direction.
What I am trying to accomplish: Linphone to Linphone conversation with SRTP encryption
What is my setup:
Ubuntu Server 12.04
Asterisk 1.18.32, compiled with all modules enabled and srtp is definitely there
[quote]./configure | grep -i srtp
checking for srtp_init in -lsrtp… yes
checking srtp/srtp.h usability… yes
checking srtp/srtp.h presence… yes
checking for srtp/srtp.h… yes
checking for the ability of -lsrtp to be linked in a shared object… yes
checking for srtp_shutdown in -lsrtp… yes
checking for srtp/srtp.h… (cached) yes[/quote]
Clients Linphone 3.8 (Linux/Windows)
I have gone through the instructions wiki.asterisk.org/wiki/display/ … g+Tutorial
Clients are connecting via TLS successfully. I use a self signed certificate.
Server setup is according to remiphilippe.fr/asterisk-srtp-with-1-8/
but here comes my first question, where do the lines
[code]exten => 9999,1,Set(_SIP_SRTP_SDES=1)
exten => 9999,2,Set(_SIPSRTP=1)
exten => 9999,3,Set(_SIPSRTP_CRYPTO=enable)[/code]
belong? I know, extensions.conf, but where exactly?
After setting up Linphone for SRTP and initiating a call, I can answer on the other end; there is sound and video, but I can only see “Secured with SRTP” on the caller side, not on the callee. I can call the other way too, again seeing “Secured with SRTP” only on the caller side. This led me to look at
on the server and there came an error
[quote][Mar 27 14:30:09] WARNING[25801]: res_srtp.c:407 ast_srtp_unprotect: SRTP unprotect failed with: authentication failure 10
[Mar 27 14:30:11] WARNING[25801]: res_srtp.c:407 ast_srtp_unprotect: SRTP unprotect failed with: authentication failure 10
== Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Mar 27 14:30:12] WARNING[25823]: tcptls.c:669 handle_tcptls_connection: FILE * open failed![/quote]
So I definitely have no SRTP encryption. What does this error mean?
Back to the “Secure Calling Tutorial”: a “Client certificate” was issued as well. Possibly I get it wrong, but what is a client certificate good for? Is it needed for SRTP? And how do I provide this client certificate to Linphone? Why do I need to provide ca.crt (the Certificate Authority)?
I did
[code]cp user1.key user1.pem
cat user1.crt >> user1.pem
cat ca.crt >> user1.pem[/code]
and for other users the same way
and then I imported the pem into Linphone like
(Windows) copied to the end of rootca.pem in Linphone installation dir and
(Ubuntu) cp user1.pem /etc/ssl/certs/
And they really work and connect via TLS.
But what’s the problem with SRTP?
By the way, I thought that RTP is a peer-to-peer protocol. Why does all the traffic between the two clients still flow through the server? I can see RTP packets traveling on the Asterisk server via
From another point of view, there is a server. Far away, there are several clients behind another NAT, all on the same local network. When calling from client1 to client2, and if RTP is peer-to-peer, why does all the traffic still go out to the server and back to the client?
I apologize if I misunderstood some of the concepts (SRTP, TLS, RTP, …), but again, I would really appreciate being pointed in the right direction. Thank you all in advance!
sip.conf
[code][general]
context=internal
videosupport=yes
textsupport=yes
textsupport=yes
accept_outofcall_message=yes
outofcall_message_context=messages
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=192.168.1.108
srvlookup=no
disallow=all
allow=gsm
allow=speex
allow=mpeg4
allow=h264
allow=h263
allow=h263p
alwaysauthreject=yes
canreinvite=no
nat=yes
directrtpsetup=yes
session-timers=refuse
externip=xxx.xxx.xxx.xxx
localnet=192.168.1.0/255.255.255.0
accept_outofcall_message=yes
outofcall_message_context=internal
auth_message_requests=yes
tlsenable=yes
tlsbindaddr=192.168.1.108
;tlscertfile=/etc/asterisk/certificates/asterisk.p1p0.eu.pem
tlscertfile=/etc/asterisk/keys/asterisk.pem
;tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsdontverifyserver=no
tlsclientmethod=tlsv1
encryption=yes
transport=tls
[7001]
type=friend
host=dynamic
md5secret=db69093ccea73123044d83410eec31f5
context=internal
[7002]
type=friend
host=dynamic
md5secret=156cd9603a912a279359498d99fbed3b
context=internal
[pikolino]
type=friend
host=dynamic
md5secret=731cd0fbcae5a440d3a2a02128a2836b
context=internal
callerid=PikoLino <7003>
[/code]
extensions.conf
[code][internal]
exten => 7001,1,Set(_SIP_SRTP_SDES=1)
exten => 7001,n,Set(_SIPSRTP=1)
exten => 7001,n,Set(_SIPSRTP_CRYPTO=enable)
exten => 7001,n,Dial(SIP/7001,60)
exten => 7001,n,Answer()
exten => 7001,n,Playback(vm-nobodyavail)
exten => 7001,n,VoiceMail(7001@main)
exten => 7001,n,Hangup()
exten => 7002,1,Set(_SIP_SRTP_SDES=1)
exten => 7002,n,Set(_SIPSRTP=1)
exten => 7002,n,Set(_SIPSRTP_CRYPTO=enable)
exten => 7002,n,Dial(SIP/7002,60)
exten => 7002,n,Answer()
exten => 7002,n,Playback(vm-nobodyavail)
exten => 7002,n,VoiceMail(7002@main)
exten => 7002,n,Hangup()
exten => 7003,1,Set(_SIP_SRTP_SDES=1)
exten => 7003,n,Set(_SIPSRTP=1)
exten => 7003,n,Set(_SIPSRTP_CRYPTO=enable)
exten => 7003,n,Dial(SIP/pikolino,60)
exten => 7003,n,Answer()
exten => 7003,n,Playback(vm-nobodyavail)
exten => 7003,n,VoiceMail(pikolino@main)
exten => 7003,n,Hangup()
exten => 8001,1,VoicemailMain(7001@main)
exten => 8001,2,Hangup()
exten => 8002,1,VoicemailMain(7002@main)
exten => 8002,2,Hangup()
exten => 8003,1,VoicemailMain(pikolino@main)
exten => 8003,2,Hangup()
exten => 600,1,Playback(demo-echotest) ; Let them know what’s going on
exten => 600,n,Echo ; Do the echo test
exten => 600,n,Playback(demo-echodone) ; Let them know it’s over
exten => 600,n,hangup[/code]
netstat -an
[code]netstat -an | grep :506
tcp 0 0 192.168.1.108:5061 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.108:5061 192.168.1.1:32861 ESTABLISHED
tcp 0 0 192.168.1.108:5061 193.xx.xx.xx:51302 ESTABLISHED
udp 0 0 192.168.1.108:5060 0.0.0.0:*[/code]
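The warning `res_srtp.c: ast_srtp_unprotect: SRTP unprotect failed with: authentication failure 10` quoted in the post is Asterisk relaying libsrtp's status 10: the HMAC tag on an incoming packet did not verify under the session key Asterisk negotiated for that leg. By definition that happens when the two ends hold different keys, when a packet was altered in transit, or when the far end is sending plain RTP on a leg Asterisk treats as SRTP. The Python below is an added illustration, not code from the post, from Asterisk or from libsrtp. It reproduces only the RFC 3711 message-authentication step for the SDES default suite AES_CM_128_HMAC_SHA1_80 (HMAC-SHA1 truncated to 80 bits over header, payload and rollover counter); the session authentication key, SSRC and audio payload are constructed values, and the RFC 3711 key derivation and AES-CM payload encryption are deliberately left out.

```python
import hashlib
import hmac
import struct

# AES_CM_128_HMAC_SHA1_80 (the SDES default suite) uses an 80-bit = 10-byte tag.
TAG_LEN = 10
RTP_HDR_LEN = 12


def build_rtp_packet(seq, ts, ssrc, payload, pt=3):
    """Minimal RTP packet: V=2, no padding/extension/CSRC, marker bit clear.
    pt=3 is GSM, one of the codecs allowed in the sip.conf above."""
    header = struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                         ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    return header + payload


def srtp_auth_tag(session_auth_key, packet, roc=0):
    """RFC 3711 section 4.2: HMAC-SHA1 over header + (encrypted) payload
    followed by the 32-bit rollover counter, truncated to TAG_LEN bytes."""
    mac = hmac.new(session_auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def srtp_protect(session_auth_key, rtp_packet, roc=0):
    """Append the authentication tag (payload encryption omitted in this example)."""
    return rtp_packet + srtp_auth_tag(session_auth_key, rtp_packet, roc)


def srtp_unprotect(session_auth_key, srtp_packet, roc=0):
    """Return (ok, reason, packet). A False result with reason
    'authentication failure' is what libsrtp reports as status 10 and
    what Asterisk then logs from res_srtp.c."""
    if len(srtp_packet) < RTP_HDR_LEN + TAG_LEN:
        return False, "packet too short", b""
    body, tag = srtp_packet[:-TAG_LEN], srtp_packet[-TAG_LEN:]
    expected = srtp_auth_tag(session_auth_key, body, roc)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "authentication failure", b""
    return True, "ok", body


def run_scenarios():
    """Three constructed cases; returns {scenario: reason}."""
    # Constructed 160-bit session auth keys. In real SRTP the key comes from the
    # RFC 3711 KDF applied to the master key carried in the SDP a=crypto line.
    caller_key = bytes(range(20))
    other_key = bytes(range(1, 21))
    rtp = build_rtp_packet(seq=1, ts=160, ssrc=0x12345678, payload=b"\x55" * 160)
    srtp = srtp_protect(caller_key, rtp)

    results = {}
    # 1. Both legs derived the same key: the tag verifies.
    results["matching keys"] = srtp_unprotect(caller_key, srtp)[1]
    # 2. The far end negotiated a different master key (or a re-INVITE rekeyed
    #    only one side): every packet fails authentication.
    results["key mismatch"] = srtp_unprotect(other_key, srtp)[1]
    # 3. The far end sends plain RTP on a leg treated as SRTP: the last 10 bytes
    #    of audio are read as a tag and never verify.
    results["plain RTP received"] = srtp_unprotect(caller_key, rtp)[1]
    return results


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:20s} -> {reason}")
```

Because the tag covers the rollover counter as well as the packet, a receiver whose ROC has drifted from the sender's also sees nothing but authentication failures, which is why a steady stream of these warnings points at key or state mismatch between the two legs rather than at occasional packet corruption.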