Asterisknow TLS SIP trunk to Skype for business

hello!
I configured a sip tls trunk between AsteriskNow and Skype for business. When calling from Asterisk client (Zoiper) to client Skype for business, the sound goes in both directions. When calling from a Skype client on a client of Asterisk get the following error in the console of asterisk:
WARNING[2739][C-00000009]: chan_sip.c:10715 process_sdp: Failed to receive SDP offer/answer with required SRTP crypto attributes for audio
Asterisk 13.9.1
Help me please correct configure trunk.

What is your current configuration and the output of an attempt with “sip set debug on”?

sip_general_additional.conf:
accept_outofcall_message=yes
auth_message_requests=no
outofcall_message_context=dpma_message_context
faxdetect=no
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-AsteriskNOW-12.0.76.3(13.9.1)
disallow=all
allow=ulaw
allow=alaw
allow=gsm
allow=g726
tcpenable=yes
transport=tcp,tls
tlsenable=yes
tlsbinaddr=0.0.0.0:5061
tlscertfile=/etc/pki/tls/Core-ASK-2-full.pem
tlscafile=/etc/pki/tls/G_RCA(1).pem
tlscipher=ALL
tlsclientmethod=tlsv1
encryption=yes
tlsdontverifyserver=yes
directmedia=no
callevents=yes
rtpend=20000
rtpstart=10000
bindport=5060
jbenable=no
srvlookup=no
registerattempts=0
defaultexpiry=120
minexpiry=60
allowguest=yes
maxexpiry=3600
registertimeout=20
rtpholdtimeout=300
g726nonstandard=no
videosupport=no
maxcallbitrate=384
canreinvite=no
rtptimeout=30
rtpkeepalive=0
checkmwi=10
notifyringing=yes
notifyhold=yes
nat=no
ALLOW_SIP_ANON=no
localnet=10.20.0.0/255.255.0.0
localnet=10.200.0.0/255.255.0.0

sip_additional.conf:
peer:
[4000]
deny=0.0.0.0/0.0.0.0
secret=aa4000
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
mediaencryption=dtls
sendrpid=pai
type=friend
nat=no
port=5061
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/4000
permit=0.0.0.0/0.0.0.0
callerid=Alex Alekov <4000>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

trunk:
[S4B-2013-Med-tcp]
type=friend
transport=tls
qualify=yes
promiscredit=yes
port=5067
insecure=port,invite
host=core-s4b-Med-1.local.office
fromdomain=Core-ASK-2.local.office
context=from-internal
canreinvite=no
encryption=yes

debug log:

<— SIP read from TLS:10.20.5.55:59837 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.200.3.37:5061;branch=z9hG4bK575a8de1
Contact: sip:10.20.5.55:43995;transport=tls
To: sip:4000@10.20.5.55:59837;transport=TLS;rinstance=73f558e4029fd37a;tag=e9434b0d
From: “Unknown” sip:Unknown@10.200.3.37;tag=as1b53f379
Call-ID: 002e65ac7e6e61532ac984a26ded62ad@10.200.3.37:5061
CSeq: 102 OPTIONS
Accept: application/sdp, application/sdp
Accept-Language: en
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Supported: replaces, norefersub, extended-refer, timer, outbound, path, X-cisco-serviceuri
User-Agent: Z 3.9.32144 r32121
Allow-Events: presence, kpml
Content-Length: 0

<------------->
— (14 headers 0 lines) —
Really destroying SIP dialog ‘002e65ac7e6e61532ac984a26ded62ad@10.200.3.37:5061’ Method: OPTIONS

<— SIP read from TLS:10.200.2.12:57125 —>
INVITE sip:+4000@Core-ASK-2.local.office;user=phone SIP/2.0
FROM: "Алеков Алексей"sip:+0091@external.ru;user=phone;epid=44D3385E56;tag=4a13403f12
TO: sip:+4000@Core-ASK-2.local.office;user=phone
CSEQ: 5550 INVITE
CALL-ID: 5d733531-3f2d-404d-9ad8-f7f2b6e48071
MAX-FORWARDS: 70
VIA: SIP/2.0/TLS 10.200.2.12:57125;branch=z9hG4bK815ec167
CONTACT: sip:Core-S4B-Med-1.local.office:5067;transport=Tls;ms-opaque=ec8209f61c6fd89f
CONTENT-LENGTH: 551
SUPPORTED: 100rel
USER-AGENT: RTCC/5.0.0.0 MediationServer
CONTENT-TYPE: application/sdp
ALLOW: ACK
Allow: CANCEL,BYE,INVITE,PRACK,UPDATE

v=0
o=- 21 1 IN IP4 10.200.2.12
s=session
c=IN IP4 10.200.2.12
b=CT:1000
t=0 0
m=audio 49938 RTP/AVP 97 101 13 0 8
c=IN IP4 10.200.2.12
a=tcap:1 RTP/SAVP
a=pcfg:1 t=1
a=rtcp:49939
a=label:Audio
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:0dXFQE3lncFfFalwgQWz4bZ9Jt7MXLhgVvJPCmdJ|2^31|1:1
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:vApu7jgOH6LBMTbV0+2PTpkVU+L59YNuCvEfmnzk|2^31
a=sendrecv
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:13 CN/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=ptime:20
<------------->
— (14 headers 22 lines) —
Sending to 10.200.2.12:57125 (no NAT)
Sending to 10.200.2.12:57125 (no NAT)
Using INVITE request as basis request - 5d733531-3f2d-404d-9ad8-f7f2b6e48071
Found peer ‘S4B-2013-Med-tcp’ for ‘+0091’ from 10.200.2.12:57125
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
Found RTP audio format 97
Found RTP audio format 101
Found RTP audio format 13
Found RTP audio format 0
Found RTP audio format 8
Found unknown media description format RED for ID 97
Found audio description format telephone-event for ID 101
Found audio description format CN for ID 13
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
[2016-06-29 17:49:19] WARNING[5567][C-0000000b]: chan_sip.c:10715 process_sdp: Failed to receive SDP offer/answer with required SRTP crypto attributes for audio

<— Reliably Transmitting (no NAT) to 10.200.2.12:57125 —>
SIP/2.0 488 Not acceptable here
Via: SIP/2.0/TLS 10.200.2.12:57125;branch=z9hG4bK815ec167;received=10.200.2.12
From: "Алеков Алексей"sip:+0091@external.ru;user=phone;epid=44D3385E56;tag=4a13403f12
To: sip:+4000@Core-ASK-2.local.office;user=phone;tag=as406a6129
Call-ID: 5d733531-3f2d-404d-9ad8-f7f2b6e48071
CSeq: 5550 INVITE
Server: FPBX-AsteriskNOW-12.0.76.3(13.9.1)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog ‘5d733531-3f2d-404d-9ad8-f7f2b6e48071’ in 6400 ms (Method: INVITE)

<— SIP read from TLS:10.200.2.12:57125 —>
ACK sip:+4000@Core-ASK-2.local.office;user=phone SIP/2.0
FROM: "Алеков Алексей"sip:+0091@external.ru;user=phone;tag=4a13403f12;epid=44D3385E56
TO: sip:+4000@Core-ASK-2.local.office;user=phone;tag=as406a6129
CSEQ: 5550 ACK
CALL-ID: 5d733531-3f2d-404d-9ad8-f7f2b6e48071
MAX-FORWARDS: 70
VIA: SIP/2.0/TLS 10.200.2.12:57125;branch=z9hG4bK815ec167
CONTENT-LENGTH: 0

<------------->
— (8 headers 0 lines) —
Really destroying SIP dialog ‘5d733531-3f2d-404d-9ad8-f7f2b6e48071’ Method: INVITE
Reliably Transmitting (no NAT) to 10.200.2.12:5067:
OPTIONS sip:core-s4b-Med-1.local.office SIP/2.0
Via: SIP/2.0/TLS 10.200.3.37:5061;branch=z9hG4bK077a2ac5
Max-Forwards: 70
From: “Unknown” sip:Unknown@10.200.3.37;tag=as2a22071b
To: sip:core-s4b-Med-1.local.office
Contact: sip:Unknown@10.200.3.37:5061;transport=TLS
Call-ID: 5b3048897b2bcb7c31591a2d6348e401@10.200.3.37:5061
CSeq: 102 OPTIONS
User-Agent: FPBX-AsteriskNOW-12.0.76.3(13.9.1)
Date: Wed, 29 Jun 2016 14:49:22 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

<— SIP read from TLS:10.200.2.12:5067 —>
SIP/2.0 200 OK
FROM: "Unknown"sip:Unknown@10.200.3.37;tag=as2a22071b
TO: sip:core-s4b-Med-1.local.office;tag=e0edced11f
CSEQ: 102 OPTIONS
CALL-ID: 5b3048897b2bcb7c31591a2d6348e401@10.200.3.37:5061
VIA: SIP/2.0/TLS 10.200.3.37:5061;branch=z9hG4bK077a2ac5
ACCEPT: application/sdp
CONTENT-LENGTH: 0
ACCEPT-ENCODING: gzip
ACCEPT-LANGUAGE: en
ALLOW: NOTIFY
ALLOW: BENOTIFY
SERVER: RTCC/5.0.0.0 MediationServer

They appear to be doing optional SRTP, which is not supported by chan_sip. When you place the outgoing call they are probably more lenient and respond accordingly.

thank you for your response. I’m a beginner in asterisk, not previously configured. I need to configure pjsip? or what?

PJSIP supports optional SRTP and may work. I have no experience connecting to Skype For Business so I can’t say whether it would or not really.