Different protocols on endpoints of a call


#1

Hello.

Our architecture - We are enabling clients to make calls from browsers using WebRTC and the journey of the call is as follows

Browser [to] Asterisk (PJSIP) [to] Bandwidth(.com) [to] PSTN

Can we have Browser [to] Asterisk endpoint enable TLS and Asterisk [to] Bandwidth(.com) endpoint use UDP? Bandwidth(.com) doesn’t support encryption, so we would like to ensure that atleast the Browser [to] Asterisk leg of the call is encrypted.

Thanks in advance.


#2

Yes
Asterisk works here as a gateway


#3

Hi Satish, Thanks for the reply. When we try this, we observe that the whole call shifts to UDP and we are able to play the audio from tcpdump / wireshark.

Can we enforce TLS /encryption on atleast the first leg of the call? IS there a way to do SRTP to RTP bridging?


#4

This is all dependent on configuration. Each leg is completely independent, so if you configure TLS and SRTP for one side then that side will use it. If the other side isn’t configured for it then only that side won’t be. Within Asterisk itself it’s always unencrypted as it passes through the core.


#5

Thanks for the instant reply, jcolp - we have an endpoint for taking sipml5 calls from browser and another endpoint for bandwidth (using tcp). But when we take the tcpdump and see it in wireshark, we are able to play the audio of the call and see UDP packets. Below is our pjsip.conf

;--
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements start
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[sipML5]
dtmf_mode = auto ; did not fully map - set to none

[zoiper]
dtmf_mode = auto ; did not fully map - set to none

[general]
udpenable = yes

[siptrunk]
qualify = yes

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Non mapped elements end
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--;


[global]
type = global
debug = no
;nat = force_rport,comedia

[transport-tls-nat]
type=transport
protocol=tls
bind=0.0.0.0
local_net=xx.xx.xx.xx
external_media_address=xx.xx.xx.xx
external_signaling_address=xx.xx.xx.xx
cert_file=/etc/asterisk/keys/asterisk.pem
priv_key_file=/etc/asterisk/keys/asterisk.key
method = tlsv1

[transport-udp-nat]
type = transport
protocol = udp
bind = 0.0.0.0
local_net=xx.xx.xx.xx
external_media_address=xx.xx.xx.xx
external_signaling_address=xx.xx.xx.xx

[bandwidth-trunk](!)
type = endpoint
context = bandwidth-incoming
dtmf_mode = rfc4733
rtp_symmetric=yes
transport=transport-udp-nat
disallow = all
allow = ulaw

[twilio-trunk](!)
type = endpoint
context = twilio-incoming
dtmf_mode = rfc4733
transport=transport-tls-nat
media_encryption=sdes
disallow = all
allow = ulaw

[bandwidth]
type = aor
contact = sip:xx.xx.xx.xx

[bandwidth](bandwidth-trunk)
aors = bandwidth

[bandwidth]
type=identify
endpoint=bandwidth
match=xx.xx.xx.xx

[twilio0]
type = aor
contact = xx.xx.xx.xx

[twilio0](twilio-trunk)
aors = twilio0

[twilio0]
type=identify
endpoint=twilio0
match=xx.xx.xx.xx
match=xx.xx.xx.xx
match=xx.xx.xx.xx
match=xx.xx.xx.xx

[sipML5]
type = aor
max_contacts = 10

[sipML5]
type = auth
username = sipML5
password = test123

[sipML5]
type = endpoint
context = outgoing
dtmf_mode = none
rtp_symmetric=yes
;transport=transport-tls-nat
disallow = all
allow = ulaw
ice_support = yes
direct_media = no
use_avpf = yes
auth = sipML5
outbound_auth = sipML5
media_encryption=dtls
media_use_received_transport=yes
dtls_verify = fingerprint
dtls_cert_file = /etc/asterisk/keys/asterisk.pem
dtls_ca_file = /etc/asterisk/keys/ca.crt
dtls_setup = actpass
dtls_cipher=ALL
dtls_private_key=/etc/asterisk/keys/asterisk.key
rtcp_mux=yes
aors = sipML5
media_encryption_optimistic=yes

[zoiper]
type = aor
max_contacts = 1

[zoiper]
type = auth
username = zoiper
password = test123

[zoiper]
type = endpoint
context = outgoing
dtmf_mode = none
rtp_symmetric=yes
disallow = all
allow = ulaw
transport=transport-tls-nat
ice_support = yes
direct_media = no
use_avpf = yes
auth = zoiper
outbound_auth = zoiper
media_encryption = dtls
media_use_received_transport=yes
dtls_verify = fingerprint
dtls_cert_file = /etc/asterisk/keys/asterisk.pem
dtls_ca_file = /etc/asterisk/keys/ca.crt
dtls_setup = actpass
dtls_private_key=/etc/asterisk/keys/asterisk.key
rtcp_mux=yes
aors = zoiper


#6

The bandwidth side would be unencrypted. The WebRTC side is encrypted.


#7

Yes, that’s right - if encrypted on sipml5 / webrtc side, we should not able to play the audio or see udp packets without encryption in tcp dump. Is that right?


#8

You can’t decrypt the WebRTC side. The side to Bandwidth is unencrypted, and can be seen in tcpdump. As I stated previously - each side is independent, one can be encrypted and the other not.


#9

Ok - so we are able to hear the audio because bandwidth side is unencrypted and it has audio from both the sides. Thanks for that jcolp, you were immensely helpful! Appreciate it.