Convert TLS/SRTP connection to trunk with chan_sip to chan_pjsip

I am trying to convert this chan_sip configuration to chan_pjsip.

It’s easy to find many examples for this kind of basic trunk connection without encryption. But I found it pretty hard to find examples online for connections with TLS/SRTP. I would kindly ask for help and guidance.

This working chan_sip configuration connects to our SIP-Provider, keeps the registration stable, encrypts SIP and RTP traffic and puts incoming calls into the [in] section of the Asterisk dialplan. I am a little bit lost because our SIP-provider does not provide documentation on how to do this with chan_pjsip and we finally decided to move on to “the current driver”.

Thank you very much for any insights.

[general]
language=de
disallow=all
allow=ulaw
allow=alaw
tonezone=de
callcounter=yes


externip=192.168.0.3:5061
localnet=192.168.0.0/24


; crypto stuff
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
srvlookup=yes
tlscapath=/etc/ssl/certs  ; default certs collection on Debian
tlsclientmethod=tlsv1

keepalive=20
registertimeout=20
registerattempts=0 


;Register with trunk
register => tls://000xxxxxx:ourpassword@secure.sipprovider.net


[sipprovider.net]
type=peer
username=000xxxxxx
fromdomain=secure.sipprovider.net
fromuser=000xxxxxx
secret=ourpassword

transport=tls
encryption=yes
host=secure.sipprovider.net
   
insecure=invite
context=in
nat=comedia
   
;Codecs
disallow=all
allow=ulaw
allow=alaw

I did some further research and found the sip to pjsip conversion script included with asterisk.
It can be found at contrib/scripts/sip_to_pjsip.py.

I converted my config from above. Does it look OK or are there any obvious problems?

;--
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements start
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[general]
callcounter = yes

[sipprovider.net]
username = 000xxxxxx

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements end
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--;


[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0
external_media_address = 192.168.0.3
external_signaling_address = 192.168.0.3
external_signaling_port = 5061
local_net = 192.168.0.0/24

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
external_media_address = 192.168.0.3
external_signaling_address = 192.168.0.3
external_signaling_port = 5061
local_net = 192.168.0.0/24
ca_list_path = /etc/ssl/certs
method = tlsv1

[reg_secure.sipprovider.net]
type = registration
retry_interval = 20
max_retries = 0
expiration = 120
transport = transport-tls
outbound_auth = auth_reg_secure.sipprovider.net
client_uri = sip:000xxxxxx@secure.sipprovider.net
server_uri = sip:secure.sipprovider.net

[auth_reg_secure.sipprovider.net]
type = auth
password = ourpassword
username = 000xxxxxx

[sipprovider.net]
type = aor
contact = sip:000xxxxxx@secure.sipprovider.net

[sipprovider.net]
type = identify
endpoint = sipprovider.net
match = secure.sipprovider.net

[sipprovider.net]
type = auth
username = sipprovider.net
password = ourpassword

[sipprovider.net]
type = endpoint
context = in
disallow = all
allow = ulaw
allow = alaw
rtp_symmetric = yes
media_encryption = sdes
from_user = 000xxxxxx
from_domain = secure.sipprovider.net
tone_zone = de
language = de
auth = sipprovider.net
outbound_auth = sipprovider.net
aors = sipprovider.net

This config worked for us with an Asterisk behind NAT and a trunk SIP provider with public IP. /etc/ssl/certs is the default CA-cert collection on Debian/Ubuntu. Path may be different with other distributions.

We also activated Asterisk's built-in STUN client.
(/etc/asterisk/res_stun_monitor.conf)

This is our working chan_pjsip.conf:

;/etc/asterisk/pjsip.conf
[transport-tls]
type = transport
protocol = tls
bind = 192.168.0.3:5061
local_net = 192.168.0.0/24
ca_list_path = /etc/ssl/certs
method = tlsv1

[reg_provider.net]
type = registration
retry_interval = 20
max_retries = 0
expiration = 45
transport = transport-tls
outbound_auth = auth_reg_provider.net
client_uri = sip:PROVIDER_USERNAME@provider.net
server_uri = sip:provider.net

[auth_reg_provider.net]
type = auth
password = PROVIDER_PASSWORD
username = PROVIDER_USERNAME

[provider]
type = aor
contact = sip:PROVIDER_USERNAME@provider.net

[provider]
type = identify
endpoint = provider
match = [IP ADDRESS OF provider's SIP SERVERS]

[provider]
type = auth
username = PROVIDER_USERNAME
password = PROVIDER_PASSWORD

[provider]
type = endpoint
context = in
disallow = all
allow = ulaw
allow = alaw
rtp_symmetric = yes
rtp_keepalive = 10
media_encryption = sdes
tone_zone = de
language = de
outbound_auth = provider
aors = provider

The final version is missing external signalling and media addresses, so you are relying on the provider to work round those defects.

The earlier versions have external addresses which are on the local network, which is a contradiction.

Yes true. We removed them because it worked without them after a test. The internal addresses for the external signaling actually were recommendations from the provider for chan_sip. Maybe they were bogus, but they worked fine.

Now for chan_pjsip, we activated the STUN client in Asterisk, used the provider's STUN server and everything is working fine. If NAT issues arise for others, I guess changes to the config would be needed.
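An added lint for a converted TLS/SRTP trunk config, written for this thread and not code from the posters or from Asterisk: it parses pjsip.conf sections (keyed by name and type, because pjsip reuses one section name across types) and checks the points raised above, that the registration is bound to a TLS transport, that the endpoint enables SRTP (sdes or dtls), that external_signaling_address/external_media_address do not fall inside local_net, and that method does not pin a deprecated TLS 1.0/1.1 version. The sample config is constructed with placeholder provider and user names and mirrors the earlier converted version.

```python
import ipaddress
# Constructed sample (placeholder names) modelled on the thread's converted config.
SAMPLE = """[transport-tls]
type = transport
protocol = tls
external_signaling_address = 192.168.0.3
external_media_address = 192.168.0.3
local_net = 192.168.0.0/24
method = tlsv1
[reg_provider.example]
type = registration
transport = transport-tls
[provider]
type = endpoint
media_encryption = sdes
"""

def parse_pjsip(text):
    """Return {(name, type): options}; pjsip reuses one section name across types."""
    blocks = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # drop ; comments and whitespace
        if line.startswith('[') and line.endswith(']'):
            blocks.append((line[1:-1], {}))
        elif '=' in line and blocks:
            key, value = (s.strip() for s in line.split('=', 1))
            blocks[-1][1][key] = value
    return {(name, opts.get('type', '')): opts for name, opts in blocks}

def lint_trunk(cfg):
    """Return findings: deprecated TLS, external address inside local_net, cleartext."""
    findings = []
    for (name, kind), opts in cfg.items():
        if kind == 'transport' and opts.get('protocol') == 'tls':
            if opts.get('method') in ('tlsv1', 'tlsv1_1'):
                findings.append(f"{name}: method={opts['method']} is deprecated (RFC 8996)")
            net = ipaddress.ip_network(opts.get('local_net', '0.0.0.0/32'), strict=False)
            for key in ('external_signaling_address', 'external_media_address'):
                try:  # the option may also hold a hostname; only literal IPs are checked
                    if ipaddress.ip_address(opts.get(key, '')) in net:
                        findings.append(f"{name}: {key}={opts[key]} lies inside local_net {net}")
                except ValueError:
                    pass
        elif kind == 'registration':
            if cfg.get((opts.get('transport'), 'transport'), {}).get('protocol') != 'tls':
                findings.append(f"{name}: registration is not bound to a TLS transport")
        elif kind == 'endpoint' and opts.get('media_encryption', 'no') not in ('sdes', 'dtls'):
            findings.append(f"{name}: media_encryption is off, RTP would go in cleartext")
    return findings
```

Run it against your own pjsip.conf with `lint_trunk(parse_pjsip(open('/etc/asterisk/pjsip.conf').read()))`; an empty list means none of these four checks fired.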
