Asterisk Tls configuration problems please help!

Hello community,

I have a Virtual machine running asterisk 13.28.1 in Ubuntu 18.04.3.

I have installed Blink in my virtaul machine and in my physical machine as softphones.

I have followed the tutorial in this link : https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

I have some problems after i’ve done the configurations above.

The first one is i can’t make calls between the softphones. In asterisk console a error message pops up which says : Auto fallthough, channel SIP/Mousouda-000000002’ status is CHANUNAVAILABLE

The second problem is that when i register the users to the softphones, in asterisk console says that are registered in a port other than the tls port (5061).

Below are my conf. files:

extensions.conf file :

[local]
exten=>6003,1,Dial(SIP/Mousouda,20)
exten=>6004,1,Dial(SIP/Patousa,20)

sip.conf file :

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

[Mousouda]
type=peer
secret=1234
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no

[Patousa]
type=peer
secret=1234
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no

pjsip.conf file :

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[Patousa]
type=aor
max_contacts=1
remove_existing=yes

[Patousa]
type=auth
auth_type=userpass
username=Patousa
password=1234

[Patousa]
type=endpoint
aors=Patousa
auth=Patousa
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes

[Mousouda]
type=aor
max_contacts=1
remove_existing=yes

[Mousouda]
type=auth
auth_type=userpass
username=Mousouda
password=1234

[Mousouda]
type=endpoint
aors=Mousouda
auth=Mousouda
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes

If anyone can help, please i am in desparate situation.

Nothing requires a TCP registrant to register on 5061, as long as it sends the registration to 5061.

I’m pretty sure that nat=force_rport has no effect over TCP based transports.

If you are getting channel unavailable the peer may not have registered However, there are other causes, and you should be looking further up the log for hte actual cause.

You need to show actual console output. You have both chan_sip and chan_pjsip configured which may be confusing things. It’s entirely possible that chan_pjsip is getting the registration, but you are trying to dial to chan_sip and thus it would fail. You really need to pick one or the other.

Thank you for your answer jcolp.

I dont know what happened.

I just added encryption=yes to both users in sip.conf file, i tried and it worked.

Both session and media are encrypted.

Hello jcolp.

Could you please help me with something else?

Because something weird is happening with asterisk.

I opened my VM today, and when i tried to load asterisk with sudo asterisk -cvvvvv, it says that " Error loading shared libraries : libasteriskssl.so.1 cannot open shared object file : No such file or directory "

I have installed libssl package before i install asterisk.

Thanks in advance.

You already posted another topic for that specific problem, and @penguinpbx responded to you asking for additional information.

Oh i am really sorry.

I am little bit lost with all of these problems.

Hi jculp,

I have to tell you iam sorry again for bothering you for an already existing query.

I have uploaded in the related post the output of the command penguin told me to execute.

In case you could help me .

Thanks again

Hey david,

Thank you for your response.

I know its a bit late.

I ve managed finally to make calls, but still in the asterisk console shows other random port. Is there any way to fix this problem?

Thanks in advance.

Hello jcolp,

Could you pls help me how to configure corrent the pjsip.conf or the sip.conf file, in order to use only one of them?

Thanks in advance.

If you don’t want to use chan_sip then don’t load the module by telling it to noload in modules.conf

Which option is most correct? Sip or Pjsip? And if i disable sip, do i have to change the pjsip configurations?

Thanks in advace.

chan_sip is deprecated. Neither of them knows anything about the other.

Hello david,

Thank you for the reply.

I am so confused that i dont know which conf should i keep and which changes do i have to apply.
Could you please enlight me?

Thanks in advance.

And how can i do this? Is like “noload=sip.conf”?

I become annoying, but forgive me i am trying to learn and iam so confused.