Cannot get srtp to work

hi, i am running freepbx with asterisk 13.18.3, pjsip, grandstream phones and libsrtp 1.6.0

i am trying to configure sip-tls and srtp. packet captures show i have sip-tls working but srtp is not encrypting. here is an example of an endpoint config:

[5323]
type=endpoint
aors=5323
auth=5323-auth
allow=ulaw,alaw,gsm,g726
context=from-internal
callerid=Tony Guadagno <5323>
dtmf_mode=rfc4733
mailboxes=5323@device
mwi_subscribe_replaces_unsolicited=yes
transport=172.30.2.1-tls
aggregate_mwi=yes
use_avpf=no
rtcp_mux=no
ice_support=no
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=sdes
timers=yes
media_encryption_optimistic=yes
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
media_address=
bind_rtp_to_media_address=yes
language=en

these are the errors is see when i try to establish a call.

[2017-12-18 16:04:56] VERBOSE[27825][C-000000e2] pbx.c: Executing [s@macro-dialout-trunk:24] Dial(“PJSIP/5323-00000156”, “PJSIP/1111111@Level3Pr imary,300,T”) in new stack
[2017-12-18 16:04:56] VERBOSE[27825][C-000000e2] app_dial.c: Called PJSIP/1111111@Level3Primary
[2017-12-18 16:04:58] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 is making progress passing it to PJSIP/5323-00000156
[2017-12-18 16:04:58] WARNING[26043] sdp_srtp.c: Unsupported crypto suite: AES_CM_256_HMAC_SHA1_80
[2017-12-18 16:04:58] WARNING[26043] sdp_srtp.c: Unsupported crypto suite: AES_CM_256_HMAC_SHA1_32
[2017-12-18 16:04:59] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:03] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 is ringing
[2017-12-18 16:05:04] VERBOSE[27825][C-000000e2] res_srtp.c: SRTCP unprotect failed because of unsupported parameter
[2017-12-18 16:05:04] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:06] VERBOSE[27825][C-000000e2] app_dial.c: PJSIP/Level3Primary-00000157 answered PJSIP/5323-00000156
[2017-12-18 16:05:06] VERBOSE[27902][C-000000e2] bridge_channel.c: Channel PJSIP/Level3Primary-00000157 joined ‘simple_bridge’ basic-bridge <51b 5dc07-b55b-436c-ad39-10d681161092>
[2017-12-18 16:05:06] VERBOSE[27825][C-000000e2] bridge_channel.c: Channel PJSIP/5323-00000156 joined ‘simple_bridge’ basic-bridge <51b5dc07-b55 b-436c-ad39-10d681161092>
[2017-12-18 16:05:09] VERBOSE[26506][C-000000dc] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:11] VERBOSE[27825][C-000000e2] res_srtp.c: SRTCP unprotect failed because of unable to perform desired validation
[2017-12-18 16:05:12] VERBOSE[27902][C-000000e2] bridge_channel.c: Channel PJSIP/Level3Primary-00000157 left ‘simple_bridge’ basic-bridge <51b5d c07-b55b-436c-ad39-10d681161092>
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] bridge_channel.c: Channel PJSIP/5323-00000156 left ‘simple_bridge’ basic-bridge <51b5dc07-b55b- 436c-ad39-10d681161092>
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] app_macro.c: Spawn extension (macro-dialout-trunk, s, 24) exited non-zero on ‘PJSIP/5323-000001 56’ in macro ‘dialout-trunk’
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] pbx.c: Spawn extension (from-internal, 1111111, 6) exited non-zero on ‘PJSIP/5323-00000156’
[2017-12-18 16:05:12] VERBOSE[27825][C-000000e2] pbx.c: Executing [h@from-internal:1] Macro(“PJSIP/5323-00000156”, “hangupcall”) in new stack

i see some unsupported crypto suite errors, is that my issue? is this asterisk not supporting those suites or grandstream?

thanks in advance!

It would be Asterisk not supporting the suites, and not being able to decrypt. What is the SIP signaling? (pjsip set logger on)

jcolp, thanks for your time, here is the trace you requested. in this test, 5323 called 5339

https://pastebin.com/3kB0x7fc

The SDP negotiation appears to be fine, despite not supporting some of the crypto suites we still negotiated one and exchanged keys. I’m uncertain of what is going on in libsrtp to prevent it from working.

lol…libsrtp! ironic, i just convinced freepbx to upgrade to 1.6…ug so, you think this is a libsrtp issue? are you sure? how can we be sure?

I didn’t say it was a libsrtp issue, it could also be a problem with the Grandstream implementation causing incompatibility in some way. I’m not familiar with the libsrtp code so I can’t comment on it in great detail. It’s outputting a message so obviously it doesn’t like something.

ok, i will open a ticket with grandsteam…cross my fingers!

thanks again

Was this ever resolved?
I am implementing pjsip TLS 5061, SRTP using TLS1.2. I’m getting the same error "Unsupported crypto suite: AEAD_AES_256_GCM. Using GXP2170 Grandstream phone