Cannot get srtp to work

tonyg · December 18, 2017, 9:31pm

hi, i am running freepbx with asterisk 13.18.3, pjsip, grandstream phones and libsrtp 1.6.0

i am trying to configure sip-tls and srtp. packet captures show i have sip-tls working but srtp is not encrypting. here is an example of an endpoint config:

[5323]
type=endpoint
aors=5323
auth=5323-auth
allow=ulaw,alaw,gsm,g726
context=from-internal
callerid=Tony Guadagno <5323>
dtmf_mode=rfc4733
mailboxes=5323@device
mwi_subscribe_replaces_unsolicited=yes
transport=172.30.2.1-tls
aggregate_mwi=yes
use_avpf=no
rtcp_mux=no
ice_support=no
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=sdes
timers=yes
media_encryption_optimistic=yes
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
media_address=
bind_rtp_to_media_address=yes
language=en

these are the errors is see when i try to establish a call.

[2017-12-18 16:04:56] VERBOSE[27825][C-000000e2] pbx.c: Executing [s@macro-dialout-trunk:24] Dial(“PJSIP/5323-00000156”, “PJSIP/1111111@Level3Pr imary,300,T”) in new stack
[2017-12-18 16:04:56] VERBOSE[27825][C-000000e2] app_dial.c: Called PJSIP/1111111@Level3Primary
[2017-12-18 16:04:58] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 is making progress passing it to PJSIP/5323-00000156
[2017-12-18 16:04:58] WARNING[26043] sdp_srtp.c: Unsupported crypto suite: AES_CM_256_HMAC_SHA1_80
[2017-12-18 16:04:58] WARNING[26043] sdp_srtp.c: Unsupported crypto suite: AES_CM_256_HMAC_SHA1_32
[2017-12-18 16:04:59] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:03] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 is ringing
[2017-12-18 16:05:04] VERBOSE[27825][C-000000e2] res_srtp.c: SRTCP unprotect failed because of unsupported parameter
[2017-12-18 16:05:04] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:06] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 answered PJSIP/5323-00000156
[2017-12-18 16:05:06] VERBOSE[27902][C-000000e2] bridge_channel.c: Channel PJSIP/Level3Primary-00000157 joined ‘simple_bridge’ basic-bridge <51b 5dc07-b55b-436c-ad39-10d681161092>
[2017-12-18 16:05:06] VERBOSE[27825][C-000000e2] bridge_channel.c: Channel PJSIP/5323-00000156 joined ‘simple_bridge’ basic-bridge <51b5dc07-b55 b-436c-ad39-10d681161092>
[2017-12-18 16:05:09] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:11] VERBOSE[27825][C-000000e2] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:12] VERBOSE[27902][C-000000e2] bridge_channel.c: Channel PJSIP/Level3Primary-00000157 left ‘simple_bridge’ basic-bridge <51b5d c07-b55b-436c-ad39-10d681161092>
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] bridge_channel.c: Channel PJSIP/5323-00000156 left ‘simple_bridge’ basic-bridge <51b5dc07-b55b- 436c-ad39-10d681161092>
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] app_macro.c: Spawn extension (macro-dialout-trunk, s, 24) exited non-zero on ‘PJSIP/5323-000001 56’ in macro ‘dialout-trunk’
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] pbx.c: Spawn extension (from-internal, 1111111, 6) exited non-zero on ‘PJSIP/5323-00000156’
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] pbx.c: Executing [h@from-internal:1] Macro(“PJSIP/5323-00000156”, “hangupcall”) in new stack

i see some unsupported crypto suite errors, is that my issue? is this asterisk not supporting those suites or grandstream?

thanks in advance!

jcolp · December 19, 2017, 10:22am

It would be Asterisk not supporting the suites, and not being able to decrypt. What is the SIP signaling? (pjsip set logger on)

tonyg · December 19, 2017, 3:19pm

jcolp, thanks for your time, here is the trace you requested. in this test, 5323 called 5339

https://pastebin.com/3kB0x7fc

jcolp · December 19, 2017, 3:27pm

The SDP negotiation appears to be fine, despite not supporting some of the crypto suites we still negotiated one and exchanged keys. I’m uncertain of what is going on in libsrtp to prevent it from working.

tonyg · December 19, 2017, 3:30pm

lol…libsrtp! ironic, i just convinced freepbx to upgrade to 1.6…ug so, you think this is a libsrtp issue? are you sure? how can we be sure?

jcolp · December 19, 2017, 3:32pm

I didn’t say it was a libsrtp issue, it could also be a problem with the Grandstream implementation causing incompatibility in some way. I’m not familiar with the libsrtp code so I can’t comment on it in great detail. It’s outputting a message so obviously it doesn’t like something.

tonyg · December 19, 2017, 3:44pm

ok, i will open a ticket with grandsteam…cross my fingers!

thanks again

cantITright · June 23, 2023, 2:52pm

Was this ever resolved?
I am implementing pjsip TLS 5061, SRTP using TLS1.2. I’m getting the same error "Unsupported crypto suite: AEAD_AES_256_GCM. Using GXP2170 Grandstream phone

Topic		Replies	Views
Is it really SRTP? Asterisk SIP	6	1345	May 12, 2022
How to configure Asterisk 12 (TLS ,SRTP,PJSIP) with softphone Asterisk SIP	2	178	April 5, 2023
Pjsip \| TLS/SRTP \| 488 Not Acceptable Here Asterisk SIP	7	450	February 10, 2024
Encrypred and unencrypted on different legs (solved) Asterisk SIP	3	323	December 24, 2022
Outbound call fails when SRTP enabled Asterisk SIP	11	815	July 7, 2021

Cannot get srtp to work

Related Topics