Asterisk to Asterisk TLS Communication Issues

I am trying to enable TLS between 2 asterisk servers. Using Asterisk 16.19 with pjsip.

I have followed the guide Home - Asterisk Documentation
Since my client is also Asterisk, not Blink, I am going outside the guide's coverage and things are not working for me.
I have created the necessary keys on Asterisk 1 and transferred the necessary keys to the Asterisk 2.

High level setup:

Asterisk 1

transport-udp: 5060
transport-tls: 5061

transport config:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
ca_list_path=/etc/asterisk/keys
verify_client=true
verify_server=true
method=sslv23

I have checked with netstat -tunlap; I can see port 5061 is bound correctly to Asterisk and listening.

Asterisk 2

registration config

server_uri=sip:<username>@<Asterisk_1_IP>:5061
client_uri=sip:<username>@<Asterisk_1_IP>:5061

transport config:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/ivr.crt
priv_key_file=/etc/asterisk/keys/ivr.key
method=sslv23
ca_list_file=/etc/asterisk/keys/ca.crt
ca_list_path=/etc/asterisk/keys

The 2nd Asterisk (the client registering to Asterisk 1) keeps pushing out logs saying it hasn't received any response to the registration request.

However, when I try to actually see what's going on at the network level using tcpdump, I am only seeing UDP packets sent out to 5061. How can I make sure pjsip uses TLS?

Asterisk 2 Console output:

WARNING[3294]: res_pjsip_outbound_registration.c:841 schedule_retry: No response received from ‘sip:@<Asterisk_1_IP>:5061’ on registration attempt to ‘sip:@<Asterisk_1_IP>:5061’, retrying in ‘5’
WARNING[3294]: res_pjsip_outbound_registration.c:841 schedule_retry: No response received from ‘sip:@<Asterisk_1_IP>:5061’ on registration attempt to ‘sip:@<Asterisk_1_IP>:5061’, retrying in ‘5’

If I remove the 5061 from the Asterisk 2 endpoint config, I can see successful registration to Asterisk 1 using the UDP protocol.

Any guidance appreciated.

These are mutually exclusive.

This is a registration configuration, not an endpoint configuration, and at most one side should have this, although normally, in such circumstances, neither would.

Also, Asterisk 16 is no longer supported, although it will receive security fixes until this Autumn.


You also have to specify to use the TLS transport in URIs by adding:

\;transport=tls

To them.

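Putting the advice above into a complete pair of pjsip.conf fragments, as an added example that is not the original poster's configuration or anything from the Asterisk project itself: the host name asterisk1.example.net, the user name ivr, the section names and the passwords are placeholders. The option names are standard pjsip.conf options. The point to notice is that every URI pointing at Asterisk 1 carries `transport=tls`, and that the `;` has to be escaped as `\;` because an unescaped semicolon starts a comment in Asterisk config files. Pinning `method=tlsv1_2` instead of `sslv23` negotiation, and turning on `verify_client`/`require_client_cert` on the registrar and `verify_server` on the client, are hardening choices added here, not something the thread requires.

```ini
; ---------- Asterisk 1 (registrar), pjsip.conf ----------
; Added example. Hostnames, user names, section names and passwords
; are placeholders; replace them with your own values.

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt    ; CA that signed the client's ivr.crt
method=tlsv1_2                            ; pin a version rather than sslv23 negotiation
verify_client=yes                         ; check the client cert against ca_list_file
require_client_cert=yes                   ; refuse a handshake with no client cert at all

[ivr]
type=endpoint
transport=transport-tls
context=from-ivr
disallow=all
allow=ulaw
auth=ivr-auth                             ; inbound REGISTER must authenticate
aors=ivr

[ivr-auth]
type=auth
auth_type=userpass
username=ivr
password=CHANGE_ME

[ivr]
type=aor
max_contacts=1
remove_existing=yes

; ---------- Asterisk 2 (registering client), pjsip.conf ----------
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061                         ; same port is fine, it is a different host
cert_file=/etc/asterisk/keys/ivr.crt
priv_key_file=/etc/asterisk/keys/ivr.key
ca_list_file=/etc/asterisk/keys/ca.crt    ; CA that signed asterisk.crt
method=tlsv1_2
verify_server=yes                         ; reject Asterisk 1 if its cert does not chain to ca.crt

[reg-asterisk1]
type=registration
transport=transport-tls                   ; force the REGISTER onto the TLS transport
outbound_auth=asterisk1-auth
; ';' starts a comment in pjsip.conf, so the URI parameter is written as \;
server_uri=sip:asterisk1.example.net:5061\;transport=tls
client_uri=sip:ivr@asterisk1.example.net:5061\;transport=tls
retry_interval=5
expiration=300

[asterisk1-auth]
type=auth
auth_type=userpass
username=ivr
password=CHANGE_ME

[asterisk1]
type=endpoint
transport=transport-tls
context=from-asterisk1
disallow=all
allow=ulaw
outbound_auth=asterisk1-auth
aors=asterisk1

[asterisk1]
type=aor
contact=sip:asterisk1.example.net:5061\;transport=tls
```

To confirm the change took effect on Asterisk 2, run `pjsip show transports` and `pjsip show registrations` in the console and turn on `pjsip set logger on` while the next REGISTER goes out; on the wire, tcpdump should now show a TCP connection to port 5061 (with an encrypted payload) instead of the UDP datagrams seen earlier. If the handshake fails rather than the request going out over UDP, the usual suspects are the CA file on the receiving side not containing the issuer of the presented certificate, or the certificate's subject or SAN not matching what the verifying side expects.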

@david551 sorry, my bad, yes that's under the registration section. Also, I have commented out the ca_list_path under the transport section.

I am planning to move to Asterisk 20, since 16 is also LTS I kept using it.

@jcolp Thanks I have added it to server_uri and client_uri

There were some network and firewall hiccups.

Thank you so much for the help. I am able to register Asterisk to Asterisk using SIP TLS.

If anyone has a question or fails to make this work, please message me, happy to answer here.

LTS state only applies at the time of release. If it is end of life, it is still end of life.

