Asterisk TLS configuration problems, please help!

Hello community,

I have a virtual machine running Asterisk 13.28.1 on Ubuntu 18.04.3.

I have installed Blink in my virtual machine and in my physical machine as softphones.

I have followed the tutorial in this link : https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

I have some problems after I’ve done the configurations above.

The first one is I can’t make calls between the softphones. In the Asterisk console an error message pops up which says: Auto fallthough, channel SIP/Mousouda-000000002’ status is CHANUNAVAILABLE

The second problem is that when I register the users to the softphones, the Asterisk console says that they are registered on a port other than the TLS port (5061).

Below are my conf. files:

extensions.conf file :

[local]
exten=>6003,1,Dial(SIP/Mousouda,20)
exten=>6004,1,Dial(SIP/Patousa,20)

sip.conf file :

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

[Mousouda]
type=peer
secret=1234
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no

[Patousa]
type=peer
secret=1234
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no

pjsip.conf file :

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[Patousa]
type=aor
max_contacts=1
remove_existing=yes

[Patousa]
type=auth
auth_type=userpass
username=Patousa
password=1234

[Patousa]
type=endpoint
aors=Patousa
auth=Patousa
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes

[Mousouda]
type=aor
max_contacts=1
remove_existing=yes

[Mousouda]
type=auth
auth_type=userpass
username=Mousouda
password=1234

[Mousouda]
type=endpoint
aors=Mousouda
auth=Mousouda
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes

If anyone can help, please, I am in a desperate situation.

Nothing requires a TCP registrant to register on 5061, as long as it sends the registration to 5061.

I’m pretty sure that nat=force_rport has no effect over TCP based transports.

If you are getting channel unavailable the peer may not have registered. However, there are other causes, and you should be looking further up the log for the actual cause.

You need to show actual console output. You have both chan_sip and chan_pjsip configured which may be confusing things. It’s entirely possible that chan_pjsip is getting the registration, but you are trying to dial to chan_sip and thus it would fail. You really need to pick one or the other.

Thank you for your answer jcolp.

I don’t know what happened.

I just added encryption=yes to both users in the sip.conf file, I tried and it worked.

Both session and media are encrypted.
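
An added example, not part of the thread and not Asterisk code: a Python check over chan_sip and PJSIP configs like the ones posted above. It flags the two points that came up in the replies (a peer with transport=tls but no encryption=yes, and a name defined under both channel drivers) along with the TLS cipher, TLS method and secret settings visible in the first post. The function names and the 12-character secret threshold are assumptions of this example.

```python
import re

# Sample input: keys taken from the configs posted in this thread, trimmed.
# Patousa's encryption=yes is the change the poster later reported making.
SIP_CONF = """[general]
tlsenable=yes
tlscipher=ALL
tlsclientmethod=tlsv1
[Mousouda]
secret=1234
transport=tls
[Patousa]
secret=1234
transport=tls
encryption=yes
"""
PJSIP_CONF = "[Patousa]\ntype=aor\n[Patousa]\ntype=endpoint\n"

def parse_sections(text):
    """Return [(section, {key: value})]; a list, since pjsip.conf repeats names."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        m = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if m:
            sections.append((m.group(1), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(sip_text, pjsip_text="", min_secret_len=12):  # threshold is an assumption
    findings, sip = [], parse_sections(sip_text)
    for name, opts in sip:
        if name == "general":
            if opts.get("tlscipher", "").upper() == "ALL":
                findings.append("general: tlscipher=ALL allows weak cipher suites")
            if opts.get("tlsclientmethod") in ("tlsv1", "sslv3", "sslv2"):
                findings.append("general: tlsclientmethod is a deprecated protocol version")
            continue
        if opts.get("transport") != "tls":
            findings.append(name + ": transport is not restricted to tls")
        elif opts.get("encryption") != "yes":
            findings.append(name + ": TLS signalling but no encryption=yes (media not SRTP)")
        if len(opts.get("secret", "")) < min_secret_len:
            findings.append(name + ": secret shorter than %d characters" % min_secret_len)
    endpoints = {n for n, o in parse_sections(pjsip_text) if o.get("type") == "endpoint"}
    for name in sorted(endpoints & {n for n, _ in sip}):
        findings.append(name + ": defined in both sip.conf and pjsip.conf")
    return findings
```

Calling audit(SIP_CONF, PJSIP_CONF) on the sample returns six findings: two for [general], two for Mousouda and two for Patousa.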

Hello jcolp.

Could you please help me with something else?

Because something weird is happening with asterisk.

I opened my VM today, and when I tried to load Asterisk with sudo asterisk -cvvvvv, it says that " Error loading shared libraries : libasteriskssl.so.1 cannot open shared object file : No such file or directory "

I had installed the libssl package before I installed Asterisk.

Thanks in advance.

You already posted another topic for that specific problem, and @penguinpbx responded to you asking for additional information.

Oh, I am really sorry.

I am a little bit lost with all of these problems.

Hi jcolp,

I have to tell you I am sorry again for bothering you about an already existing query.

I have uploaded in the related post the output of the command penguin told me to execute.

In case you could help me.

Thanks again

Hey david,

Thank you for your response.

I know it’s a bit late.

I’ve finally managed to make calls, but the Asterisk console still shows another random port. Is there any way to fix this problem?

Thanks in advance.

Hello jcolp,

Could you please help me configure the pjsip.conf or the sip.conf file correctly, in order to use only one of them?

Thanks in advance.

If you don’t want to use chan_sip then don’t load the module by telling it to noload in modules.conf

Which option is most correct? Sip or Pjsip? And if I disable sip, do I have to change the pjsip configurations?

Thanks in advance.

chan_sip is deprecated. Neither of them knows anything about the other.

Hello david,

Thank you for the reply.

I am so confused that I don’t know which conf I should keep and which changes I have to apply.
Could you please enlighten me?

Thanks in advance.

And how can I do this? Is it like “noload=sip.conf”?

I am becoming annoying, but forgive me, I am trying to learn and I am so confused.

noload => chan_sip.so

It is the module file you need to stop loading, not the configuration file. Please read urgently http://www.asteriskdocs.org/

Hello ambiorixg12,

Thank you so much for your reply.

This book is very helpful.

One more question.

If I want to use sip.conf, can the pjsip.conf be disabled with chan_pjsip.so?

Thanks in advance.

Add the following to your modules.conf:

noload => res_pjsip.so
noload => res_pjsip_pubsub.so
noload => res_pjsip_session.so
noload => chan_pjsip.so
noload => res_pjsip_exten_state.so
noload => res_pjsip_log_forwarder.so

Go through this for more details

Hello satish4asterisk.

Thank you so much for your reply.

Hello jcolp,

I configured it to use only sip.conf.

Now I have a problem when I am trying to create a TLS encrypted session.

I followed this tutorial https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

But when I register the users, they still use UDP and not TLS. I have also created the certifications for each user.

My sip.conf configuration file.

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

[Mousouda]
type=peer
secret=1234
context=local
dtmfmode=rfc2833
host=dynamic
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no
encryption=yes

[Patousa]
type=peer
secret=1234
context=local
dtmfmode=rfc2833
host=dynamic
disallow=all
allow=g722
transport=tls
nat=force_rport,comedia
directmedia=no
encryption=yes

Please, I need some help.

Thanks in advance.