ASTERISK and TWILIO

Hi,

I am sorry if this is not the right place for this question.
On asterisk I use 2 SIP phone numbers.
1 from OVH and 1 from TWILIO.

In sip.conf I have:

[general]
...
register=>OVHnumber:OVHpass@xxx.yy.sip.ovh
register=>TWILIOnum:TWILIOpass@zzz.sip.us1.twilio.com
...

[OVHnumber]
type=friend
host=xxx.yy.sip.ovh
context=incoming
username=OVHnumber
remotesecret=OVHpass

[provider1]
type=peer
username=OVHnumber
remotesecret=OVHpass
nat=force_rport,comedia
host=OVHnumber:OVHpass@xxx.yy.sip.ovh:5060
context=incoming2

[TWILIOnumber]
type=friend
host=zzz.sip.us1.twilio.com
context=incoming26
username=TWILIOnumber
remotesecret=TWILIOpass

[provider2]
type=peer
username=TWILIOnumber
remotesecret=TWILIOpass
nat=force_rport,comedia
host=TWILIOnumber:TWILIOpass@zzz.sip.us1.twilio.com
context=incoming2

Why can't I originate a call with TWILIOnumber?
On Zoiper free, I use the number and the pass for both, and I have the status REGISTERED. But with the OVH number I can call someone and with TWILIO I have the BEARERCAPABILITY NOAUTH error.
And when the call is made from ASTERISK the error is SIP-XXXX is busy.

Thanks for your precious help!

Please attempt to upgrade to chan_pjsip.

For us to debug this case, you need to provide logs (full log, verbose 3, and “sip set debug on” enabled), and tell us how Twilio identifies and authenticates you.

I’m not aware of chan_sip accepting user and password in the host setting, and you shouldn’t need them in two places.

Even with chan_sip, you don’t seem to need two sections for each.

If you have two sections, they should both have the same codecs and context.

You almost never want type=peer, especially for providers, as it compromises security.

It took me a long time to get Asterisk and Twilio talking, not because it’s hard, but because I struggled with the documentation. Been using SIP for 14 years and barely understood this. I made this sample pjsip.conf so that hopefully Twilio would either post it or use it as a base for a help file on connecting Asterisk to Twilio. Maybe this will help you.

; This is the pjsip.conf I use for Asterisk V 20.4.0 to send and receive calls from Asterisk.
;
; There is an assumption that you have some understanding of configuring Asterisk
;
; I use all hand written pjsip.conf and dialplan.conf so this will probably have a small number of interested users.
;
; It probably should but does not implement TLS, a problem for another day.
;
; You will have to correct all the name, password and network entries. Check all commented lines and update
;
; It may be missing some important features as my understanding of this is rudimentary, but at least it works.
;
; Some piece of it may stop working on Jan 24 2024 when Twilio switches to the 168.86.128.0/18 IP ranges as I’m still struggling with how this all works together.
;
; It’s possible there are still issues, but it seems to be working here. I think the dialplan samples at the bottom are correct, but it’s been 12 years since I
; started my dialplan and I may have forgotten some things. It does show the correct syntax for dialing out.
;
[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0:5060
allow_reload=no
tos=cs3
cos=3
local_net=192.168.2.0/24 ;; Your local network IP range
local_net=192.168.3.0/24 ;; if you have additional local nets, add one line per net.
external_media_address=lookupname.no-ip.biz ;; if you use dynamic DNS otherwise I guess it needs your IP address if you use NAT
external_signaling_address=lookupname.no-ip.biz ;; if you use dynamic DNS. Again may only be required for networks using NAT
;
;===============Inbound calls
;
[Twilio]
type=endpoint
transport=simpletrans
context=Twilio ;; use the context name of your choice.
disallow=all
allow=ulaw
outbound_auth=Twilio-auth
aors=Twilio
;
[Twilio-auth]
type=auth
auth_type=userpass
password=PASSWORD ;; Enter your Twilio name and password
username=TwilioNAME
;
[Twilio]
type=aor
;
max_contacts=1
;
[Twilio]
type=identify
endpoint=Twilio
match=54.244.51.0
match=54.244.51.1
match=54.244.51.2
match=54.244.51.3
match=54.172.60.0
match=54.172.60.1
match=54.172.60.2
match=54.172.60.3
match=168.86.128.0/18 ;; The new IP range. Don’t forget you need ports 10,000-60,000 with the new IPs
;
;===============Outbound calls
;
[TwilioOut]
type=endpoint
transport=simpletrans
allow=!all,ulaw
aors=TwilioOut
outbound_auth=TwilioOut
;
[TwilioOut]
type=outbound_auth
auth_type=userpass
password=PASSWORD ;; Enter your Twilio name and password
username=TwilioNAME
;
[TwilioOut]
type=aor
contact=sip:myname.pstn.twilio.com ;; Make sure this matches your account.
;
;=====================INTERNAL PHONES=========================
;
;;; The template for each internal phone, saves typing.
[OfficeEndpoint](!)
type=endpoint
context=internalPhones ;; use the context name of your choice.
disallow=all
allow=ulaw
;
[OfficeAuth](!)
type=auth
auth_type=userpass
;
[OfficeAors](!)
type=aor
max_contacts=1
;
;;; end template
;
;;Section for extension 101
[101](OfficeEndpoint)
auth=101Auth
aors=101
;
[101Auth](OfficeAuth)
username=User101Name ;; Enter your phone's name and password
password=User101Pass
;
[101](OfficeAors)
;
;;;;;;;;;;;;;;; add another section like this for every office phone
;
[102](OfficeEndpoint)
auth=102Auth
aors=102
;
[102Auth](OfficeAuth)
username=User102Name ;; Enter your phone's name and password
password=User102Pass
;
[102](OfficeAors)
;
;
;;--------------------------------------------------------------------------
;; This is a simple dialplan to use this pjsip config
;
;
;; this is the simplest code to dial a number in Asterisk.
;; The context in this sample for internal phones is internalPhones
;;
[internalPhones] ;; use the context name of your choice, this matches the context in the pjsip sample above.
;; _X. matches the dialed digits; with "s" as the extension, ${EXTEN} would be the literal "s".
exten => _X.,1,dial(PJSIP/+${EXTEN}@TwilioOut)
;
;
;; This will accept incoming calls from Twilio and send calls to different numbers to different places
;; Each number has 3 sections to cover all possible ways the number might show up.
;; Only one of them is likely needed.
;
[Twilio] ;; use the context name of your choice, this matches the context in the pjsip sample above.
exten => 13101234567,1,goto(NumberOne,s,1)
exten => +13101234567,1,goto(NumberOne,s,1)
exten => _+13101234567,1,goto(NumberOne,s,1)
;
exten => 13109876543,1,goto(NumberTwo,s,1)
exten => +13109876543,1,goto(NumberTwo,s,1)
exten => _+13109876543,1,goto(NumberTwo,s,1)
;
exten => s,1,goto(default,s,1)
;
;
;; This will
[NumberOne]
exten => s,1,dial(PJSIP/101,25) ; dial line 1 for 25 seconds, then off to voicemail
same => n,voicemail(101@default)
;
[NumberTwo]
exten => s,1,dial(PJSIP/102,25) ; dial line 2 for 25 seconds, then off to voicemail
same => n,voicemail(102@default)
;
[default]
exten => s,1,dial(PJSIP/101&PJSIP/102,25) ; dial both lines for 25 seconds, then off to voicemail
same => n,voicemail(102@default)


This makes no sense, as it assumes that Twilio register with you, which is highly unlikely. I suspect you don’t need to specify an aor at all for an inbound only endpoint, but see the next paragraph.

Also there should be no valid reason for having both inbound and outbound sections with chan_pjsip. Their use with chan_sip is a workaround for only being able to specify one address for the provider. chan_pjsip allows you to specify multiple source addresses, in type=identify and the destination address in type=aor.

The authentication information in your inbound section is never going to be used.

I don’t use Twilio
But thank you on behalf of those that do.
& for being a good guy in allowing others to benefit and learn from your trials.

It works, which given I was under a deadline to get it done before Twilio made changes where SIP would stop working. If you’d like to edit my sample to correct it, I’d be grateful and will make those changes in my PBX and let you know how it goes. I struggled for so long trying to figure out how to make PJSIP work, including offering to pay, and was so happy when it worked that I just stopped. Trying to find useful instructions or samples on how to set up PJSIP was an exercise in frustration and while my sample might not be perfect, at least it’s a working sample.

Delete type=aor section for Twilio.

Rename type=aor section for TwilioOut to Twilio.

Delete remaining TwilioOut sections.

Replace TwilioOut, by Twilio, in extensions.conf.

Does this really work for outbound calls, as you seem to have an incorrect type, type=outbound_auth. Maybe the code catches that error? This gets deleted in my above suggested changes.

I will try those changes. It has been working perfectly both in and out for a few months. As I recall, it would not work without the outbound_auth as it would not seem to use auth for the outbound calls.

Out of curiosity, do any of the errors in that configuration cause any security risk or are they just noise?

The problem is in the type. There is only one authentication section type, but it can be referenced from both outbound_auth= and auth=.

I can’t think of any security impact.

Thanks a lot!!
I am not familiar with PJSIP so I am trying to learn how it works, and then I will try your method! Thanks a lot!

Thanks! I am trying to register the working SIP to PJSIP and try with the TWILIO TRUNK

@iraemus Thanks so much for putting that together. I’m rebuilding an old Asterisk instance and needed to start over with the SIP config. I used your template as a starting point along with @david551’s tips and inbound calls “just worked” when I deployed it. This is a very useful thread.

I am so happy to be able to give back to the community. I’ve been running Asterisk for about 15 years and the community support I received when I started made it possible for me to get started.

Extending this further, I recently learned that Twilio does not verify SSL remote certs over SIP trunks: SIP Security Best Practices | Twilio. This means they accept self-signed certs, and you don’t need to buy a cert to encrypt your SIP traffic. As such, there really isn’t any reason not to encrypt your traffic with Twilio. So let’s do it!

Asterisk/PJSIP’s SSL listener is a basic TCP TLS implementation. (Not UDP DTLS.) So if you’re familiar with TLS for web servers all the same rules apply. There are two main gotchas I found:

  1. The CA cert is required, so the basic openssl one-liner to create a self-signed key/cert pair doesn’t work. However, Asterisk comes with a script to generate a self-signed SSL cert with a CA cert in the repo contrib/ directory, so we can use that.
  2. Media encryption defaults to off and must be manually enabled, as Twilio requires media encryption when enabling encryption. If you miss this the error is res_pjsip_session.c:937 handle_incoming_sdp: Twilio: Couldn't negotiate stream 0:audio-0:audio:sendrecv (nothing)

The steps from here assume you already have the previously posted config working.

First, run the contrib script to make a self-signed cert and store it in a path accessible to Asterisk. Note that by default this script drops CA and config files into the working directory, so I recommend running it in a work directory and copying the CA cert, server cert, and server key into the final location. Script source: asterisk/contrib/scripts/ast_tls_cert at master · asterisk/asterisk · GitHub

Then set up the SSL transport in pjsip.conf. This is net-new:

[ssltrans]
type=transport
protocol=tls
bind=0.0.0.0:5061
allow_reload=no
tos=cs3
cos=3
local_net=[Local network CIDR]
external_media_address=[Asterisk Public IP]
external_signaling_address=[Asterisk Public IP]
ca_list_file=[CA cert file path]
cert_file=[Server cert file path]
priv_key_file=[Server key file path]
method=tlsv1
; Disable verify_client as we're not doing mutual TLS
verify_client=no
; Asterisk doesn't like Twilio's wildcard certs.
verify_server=no

If you reload your config at this point TCP/5061 should be open and using the self-signed cert. This can be checked with openssl:

echo | openssl s_client -connect 127.0.0.1:5061

Then update the twilio endpoint to use the ssltrans transport and encrypt media. This is a diff:

 [Twilio]
 type=endpoint
-transport=simpletrans
 context=Twilio ;Which dialplan to use for incoming calls
 disallow=all
 allow=ulaw
 outbound_auth=Twilio-auth
 aors=Twilio
; NOTE: direct_media is not in the original config guide, but I needed it to prevent NAT issues.
 direct_media=no
+media_encryption=sdes
+media_use_received_transport=yes
+transport=ssltrans
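
Review bot: `direct_media=no` and its `; NOTE:` comment are shown as unchanged context, yet the comment itself says the setting is not in the original config, so someone applying this to the earlier sample would miss it; mark both lines with `+` (the comment line also lacks the leading space that the other context lines carry). Separately, `media_encryption=sdes` carries the SRTP keys in the SDP, so it only protects media when the signalling is encrypted as well: `+media_encryption=sdes` and `+transport=ssltrans` should be applied as one change, never either one alone.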

With this config, setting Secure Trunking to Enabled in your Twilio Elastic SIP Trunking settings in Twilio’s portal should work. If Twilio is the only SIP connection incoming from the internet you should be able to close port 5060 TCP & UDP internet access.

I found the following very helpful when working through these settings: res_pjsip: SIP Resource using PJProject - Asterisk Documentation

And if you don’t use module autoloading make sure res_srtp.so and res_crypto.so are loaded.

Finally, a complete config:

[global]
type=global

[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0:5060
allow_reload=no
tos=cs3
cos=3
local_net=[Local network CIDR]
external_media_address=[Asterisk Public IP]
external_signaling_address=[Asterisk Public IP]

[ssltrans]
type=transport
protocol=tls
bind=0.0.0.0:5061
allow_reload=no
tos=cs3
cos=3
local_net=[Local network CIDR]
external_media_address=[Asterisk Public IP]
external_signaling_address=[Asterisk Public IP]
ca_list_file=[CA cert file path]
cert_file=[Server cert file path]
priv_key_file=[Server key file path]
method=tlsv1
; Disable verify_client as we're not doing mutual TLS
verify_client=no
; Asterisk doesn't like Twilio's wildcard certs.
verify_server=no

[Twilio]
type=endpoint
context=Twilio ;Which dialplan to use for incoming calls
disallow=all
allow=ulaw
outbound_auth=Twilio-auth
aors=Twilio
direct_media=no
media_encryption=sdes
media_use_received_transport=yes
transport=ssltrans

;===============Inbound calls

[Twilio-auth]
type=auth
auth_type=userpass
username=[username]
password=[password]

[Twilio]
type=identify
endpoint=Twilio
; Twilio Signalling 54.172.60.0/30
match=54.172.60.0
match=54.172.60.1
match=54.172.60.2
match=54.172.60.3
; Twilio Signalling 54.244.51.0/30
match=54.244.51.0
match=54.244.51.1
match=54.244.51.2
match=54.244.51.3
; Twilio Signalling 54.171.127.192/30
match=54.171.127.192
match=54.171.127.193
match=54.171.127.194
match=54.171.127.195
; Twilio Signalling 35.156.191.128/30
match=35.156.191.128
match=35.156.191.129
match=35.156.191.130
match=35.156.191.131
; Twilio Signalling 54.65.63.192/30
match=54.65.63.192
match=54.65.63.193
match=54.65.63.194
match=54.65.63.195
; Twilio Signalling 54.169.127.128/30
match=54.169.127.128
match=54.169.127.129
match=54.169.127.130
match=54.169.127.131
; Twilio Signalling 54.252.254.64/30
match=54.252.254.64
match=54.252.254.65
match=54.252.254.66
match=54.252.254.67
; Twilio Signalling 177.71.206.192/30
match=177.71.206.192
match=177.71.206.193
match=177.71.206.194
match=177.71.206.195

;===============Outbound calls

[Twilio]
type=aor
contact=sip:[SIP trunk Termination SIP URI in Twilio]
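
An added example, not part of any post in this thread: a small Python check that reads a pjsip.conf and reports the transport-protection settings the thread touches on (TLS `method`, `verify_server`, `media_encryption`, and endpoints left on a non-TLS transport). The sample config, the endpoint name `legacy`, and the choice to treat `tlsv1` and `tlsv1_1` as weak are assumptions of this example.

```python
# Constructed sample: TLS transport as posted, an endpoint with no media_encryption, a hypothetical "legacy" endpoint on UDP.
SAMPLE = """
[simpletrans]
type=transport
protocol=udp
[ssltrans]
type=transport
protocol=tls
method=tlsv1
verify_server=no
[Twilio]
type=endpoint
transport=ssltrans
[legacy]
type=endpoint
transport=simpletrans
"""
WEAK_METHODS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}   # this example's policy

def parse(text):
    """Return [(section_name, {key: value})]; same-named sections stay separate."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if line.startswith("[") and "]" in line:   # also covers [name](template)
            sections.append((line[1:line.index("]")], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections

def audit(text):
    """Return (section, finding) pairs for transport and media protection."""
    secs = parse(text)
    transports = {n: o for n, o in secs if o.get("type") == "transport"}
    found = []
    for name, o in secs:
        if o.get("type") == "transport" and o.get("protocol") == "tls":
            if o.get("method") in WEAK_METHODS:
                found.append((name, "weak TLS method"))
            if o.get("verify_server", "no").lower() not in ("yes", "true", "on", "1"):
                found.append((name, "server certificate not verified"))
        elif o.get("type") == "endpoint":
            on_tls = transports.get(o.get("transport"), {}).get("protocol") == "tls"
            if not on_tls:
                found.append((name, "signalling not on a TLS transport"))
            elif o.get("media_encryption", "no") not in ("sdes", "dtls"):
                found.append((name, "TLS signalling but media not encrypted"))
    return found
```

Calling `audit(SAMPLE)` returns the four findings for the constructed config; a transport with `method=tlsv1_2` and `verify_server=yes` plus an endpoint with `media_encryption=sdes` returns an empty list.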
