How can I make sure that Asterisk media encryption

Hi All,

I have Asterisk 13.13 with pjsip box. I have enabled media_encryption=dtls on endpoint and when I took a capture and analyz on wireshark I can hear voice. Is thre any missing configuration?

Have you fully configured it for DTLS? It also requires certificates to be configured. What is the output of “pjsip set logger on” with a call attempt?

Hello pjsip set logger on output below and my config is media_encryption=sdes

<--- Received SIP request (895 bytes) from UDP:10.15.163.132:5065 --->
INVITE sip:5454@10.20.6.240:5063 SIP/2.0
Via: SIP/2.0/UDP 10.15.163.132:5065;branch=z9hG4bK259690080
From: "5130" <sip:5130@10.20.6.240:5063>;tag=1292295239
To: <sip:5454@10.20.6.240:5063>
Call-ID: 1182584900@10.15.163.132
CSeq: 1 INVITE
Contact: <sip:5130@10.15.163.132:5065>
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Supported: replaces
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 308

v=0
o=- 20019 20019 IN IP4 10.15.163.132
s=SDP data
c=IN IP4 10.15.163.132
t=0 0
m=audio 11796 RTP/AVP 9 18 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

<--- Transmitting SIP response (472 bytes) to UDP:10.15.163.132:5065 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.15.163.132:5065;rport=5065;received=10.15.163.132;branch=z9hG4bK259690080
Call-ID: 1182584900@10.15.163.132
From: "5130" <sip:5130@10.20.6.240>;tag=1292295239
To: <sip:5454@10.20.6.240>;tag=z9hG4bK259690080
CSeq: 1 INVITE
WWW-Authenticate: Digest  realm="asterisk",nonce="1487081870/086cfce75a19d258e19c6d44ff503b8f",opaque="6abfb0b46514a88c",algorithm=md5,qop="auth"
Server: Asterisk PBX 13.13.0
Content-Length:  0


<--- Received SIP request (270 bytes) from UDP:10.15.163.132:5065 --->
ACK sip:5454@10.20.6.240:5063 SIP/2.0
Via: SIP/2.0/UDP 10.15.163.132:5065;branch=z9hG4bK259690080
From: "5130" <sip:5130@10.20.6.240>;tag=1292295239
To: <sip:5454@10.20.6.240>;tag=z9hG4bK259690080
Call-ID: 1182584900@10.15.163.132
CSeq: 1 ACK
Content-Length: 0


<--- Received SIP request (1167 bytes) from UDP:10.15.163.132:5065 --->
INVITE sip:5454@10.20.6.240:5063 SIP/2.0
Via: SIP/2.0/UDP 10.15.163.132:5065;branch=z9hG4bK820564301
From: "5130" <sip:5130@10.20.6.240:5063>;tag=1292295239
To: <sip:5454@10.20.6.240:5063>
Call-ID: 1182584900@10.15.163.132
CSeq: 2 INVITE
Contact: <sip:5130@10.15.163.132:5065>
Authorization: Digest username="5130", realm="asterisk", nonce="1487081870/086cfce75a19d258e19c6d44ff503b8f", uri="sip:5454@10.20.6.240:5063", response="9e9e531064f43c0fb0408585a65f277e", algorithm=MD5, cnonce="0a4f113b", opaque="6abfb0b46514a88c", qop=auth, nc=00000001
Content-Type: application/sdp
Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
Max-Forwards: 70
User-Agent: Yealink SIP-T28P 2.72.0.80
Supported: replaces
Allow-Events: talk,hold,conference,refer,check-sync
Content-Length: 308

v=0
o=- 20019 20019 IN IP4 10.15.163.132
s=SDP data
c=IN IP4 10.15.163.132
t=0 0
m=audio 11796 RTP/AVP 9 18 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=fmtp:101 0-15
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv

<--- Transmitting SIP response (352 bytes) to UDP:10.15.163.132:5065 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/UDP 10.15.163.132:5065;rport=5065;received=10.15.163.132;branch=z9hG4bK820564301
Call-ID: 1182584900@10.15.163.132
From: "5130" <sip:5130@10.20.6.240>;tag=1292295239
To: <sip:5454@10.20.6.240>;tag=5a0f366b-c7ad-4b35-b910-3aa84f24f0f5
CSeq: 2 INVITE
Server: Asterisk PBX 13.13.0
Content-Length:  0


<--- Received SIP request (290 bytes) from UDP:10.15.163.132:5065 --->
ACK sip:5454@10.20.6.240:5063 SIP/2.0
Via: SIP/2.0/UDP 10.15.163.132:5065;branch=z9hG4bK820564301
From: "5130" <sip:5130@10.20.6.240>;tag=1292295239
To: <sip:5454@10.20.6.240>;tag=5a0f366b-c7ad-4b35-b910-3aa84f24f0f5
Call-ID: 1182584900@10.15.163.132
CSeq: 2 ACK
Content-Length: 0

There is no media encryption present there. If there was encryption you would see “RTP/SAVP” in the m= line of the SDP, and you would see a=crypto lines.