Hi!
I’m trying to establish a TLS-secured SIP connection to Asterisk. But no matter what I try, it doesn’t work.
The “network” looks like this:
- a LAN switch which connects all of the following hardware components
- computer with Kubuntu 7.10 on which is installed
– Twinkle as soft-phone (normally user 10)
– VirtualBox with a command-line Kubuntu 7.10 and Asterisk inside the virtual machine
- another computer with Twinkle (Kubuntu 7.10) or Phoner (WinXP), which is connected if necessary
- snom 300 hard-phone (normally user 11)
This setup must work without an internet connection once installation and configuration are done.
I found many things about Asterisk + TLS, but nothing worked and/or it seems to be outdated.
At the moment, it seems to me that a self-compiled Asterisk 1.6.0 beta 5 is the best approach, because the changelog says that this version can do TLS. Unencrypted connections are working very well over Asterisk, even with this beta. But Phoner can’t even register with TLS at Asterisk. TLS/SRTP directly between 2 WinXP computers (without Asterisk, SIP provider, etc.) with Phoner is working fine. On the virtual machine where Asterisk is running, netstat says that port 5061 isn’t open, no matter what I’m doing.
asterisk -vvvvvr doesn’t say anything about TLS. I couldn’t find anything that seems like an error message.
In make menuconfig I managed to change “res_crypto” from [XXX] to [*] by installing more packages concerning SSL/-dev.
In sip.conf I changed:
Added:
[10]
type=friend
username=10
secret=****
host=dynamic
disallow=all
allow=gsm
allow=ulaw
transport=tls
port=5061
context=default
and the same again for user 11.
I uncommented/set:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlsdontverifyserver=yes
In extensions.conf I added
exten => 10,1,Dial(SIP/${EXTEN},60)
exten => 10,2,Congestion
exten => 10,102,Busy
and the same again for user 11 (exten => 11,…).
I even tried to generate keys with astgenkey, but I don’t know if they’re necessary or where to move them. There are many comments in sip.conf concerning TLS which I don’t understand (like strange suggested paths, but I think I don’t need them because of tlsdontverifyserver).
Could somebody help me please? Thanks in advance.
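
A lint pass over the sip.conf settings quoted in the post, added here as an example (not part of the original post and not Asterisk code). It assumes the three tls* lines live in [general], that a TLS listener needs a server certificate named by the tlscertfile option, and that tlsdontverifyserver only affects connections Asterisk makes as a client; the sample config is constructed from the post's lines.

```python
# Constructed sample: the TLS-related lines from the post, assumed to sit in
# [general] (the post does not name the section), plus peer 10.
SAMPLE_SIP_CONF = """\
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlsdontverifyserver=yes

[10]
host=dynamic
transport=tls
port=5061
"""

def parse_sections(text):
    """Parse Asterisk-style config into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def tls_findings(text):
    """Return findings about the TLS settings of a sip.conf given as text."""
    sections = parse_sections(text)
    general = sections.get("general", {})
    tls_on = general.get("tlsenable", "no").lower() == "yes"
    findings = []
    if not tls_on:
        peers = [n for n, s in sections.items() if s.get("transport", "").lower() == "tls"]
        findings.append(f"tlsenable is not yes; peers asking for TLS: {peers}")
    if "tlscertfile" not in general:
        findings.append("tlscertfile not set: no server certificate path is configured here")
    if general.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes: remote server certificates are not "
                        "verified on outbound connections")
    return findings

if __name__ == "__main__":
    for finding in tls_findings(SAMPLE_SIP_CONF):
        print("-", finding)
```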