How to PJSIP multiple transports with different configuration

Hello guys.

I’m a newbie to PBX and Asterisk. I just wanted to figure out how to set different configurations with different transports on the same account. Seems like PJSIP is the right choice for me. But I cannot find the right solution on the internet…
What I wanted to achieve is I need a TLS transport with encryption for my external IP address.
And my local loopback IP address has no encryption, because I’m using a WebRTC gateway in my local connection and it would be redundant. My WebRTC gateway encrypts all traffic anyway. It wastes resources. Can you help me with how to get this? An example configuration would be much appreciated. 🙂

What have you tried for configuration? It should be as easy as creating a UDP transport and TLS transport, with the correct configuration for your specific environment.

I’m sorry I haven’t tried so much. PJSIP is more complicated than chan_sip for me 😛. I tested the WSS protocol but my WSS SIP client library wasn’t good enough so I switched to a WebRTC gateway. This is what my current pjsip.conf file looks like. In web browsers I use the WebRTC gateway. In mobile devices I want to use some existing VoIP client applications. If I understood correctly I can put some configurations in [transport-...] brackets, right?

; Transports
[transport-wss]
    type=transport
    protocol=wss
    bind=0.0.0.0

[transport-udp]
    type=transport
    protocol=udp
    bind=127.0.0.1

[transport-tls]
    type=transport
    protocol=tls
    bind=external_ip:9966

[simple-aor](!)
    type=aor
    max_contacts=1
    remove_existing=yes

[simple-auth](!)
    type=auth
    auth_type=userpass

[webrtc](!)
    type=endpoint
    webrtc=yes
    ; Setting webrtc=yes is a shortcut for setting the following options:
    ; use_avpf=yes
    ; media_encryption=dtls
    ; dtls_verify=fingerprint
    ; dtls_setup=actpass
    ; ice_support=yes
    ; media_use_received_transport=yes
    ; rtcp_mux=yes

    direct_media=no    ;of these options.
    rtp_symmetric=yes
    force_rport=yes
    rewrite_contact=yes
    max_audio_streams=5
    max_video_streams=5
    transport=transport-wss
    context=phones
    allow=!all,opus,vp8,ulaw

[100](simple-aor)
[100](simple-auth)
    username=100
    password=123

[100](webrtc)
    aors=100
    auth=100

It depends on how exactly things are connecting to Asterisk. The given configuration sets up a TLS transport, a UDP transport, and a Websocket transport. If you have something in front doing Websocket then you shouldn’t need the Websocket transport.

You have to be very specific in how things are communicating and what is taking care of things (for example is the WebRTC gateway doing DTLS-SRTP and ICE).

Yeah, I understood I don’t need the WSS protocol anymore. It was just a test anyway. I’m just confused that any pjsip.conf file I look at has multiple [extension]s for the same account. I just wanted some clarity from someone who knows these things. 😛

[transport-tls]
    type=transport
    protocol=tls
    bind=external_ip:9966
    ; encryption configs here...

[exten](templates...)
    transport=transport-udp, transport-tls ; is that all i need right?

You can’t specify multiple transports per endpoint. The transport option configures what transport Asterisk will explicitly use for communicating with the endpoint. It does not act as a limit for what the endpoint can come in using. No option exists for that currently. In fact you probably don’t need the transport option at all, as Asterisk will automatically choose the transport based on where stuff is being sent.

Hello again. I’ve tried some configurations. This is my current pjsip.conf file.

;======================= Transports
[transport-udp]
    type=transport
    protocol=udp
    bind=127.0.0.1

[transport-tls]
    type=transport
    protocol=tls
    bind=external_ip
    cert_file=/etc/asterisk/certs/server.crt
    priv_key_file=/etc/asterisk/certs/server.key
    method=tlsv1

    ;direct_media=no    ;of these options.
    ;force_rport=yes

    ;webrtc=yes
    ;direct_media=no    ;of these options.
    ;media_encryption=sdes
    ;media_encryption=dtls
    ;dtls_verify=fingerprint
    ;dtls_setup=actpass
    ;media_use_received_transport=yes
    ;rtcp_mux=yes

;======================= Templates
[simple-aor](!)
    type=aor
    max_contacts=1
    remove_existing=yes

[simple-auth](!)
    type=auth
    auth_type=userpass

[endpoint](!)
    type=endpoint
    context=phones

    disallow=all
    ; -- Audio codecs --
    allow=opus
    allow=ilbc
    allow=gsm
    allow=ulaw
    allow=alaw
    ; -- Video codecs --
    allow=vp8
    allow=vp9
    allow=h264

[100](simple-aor)
[100](simple-auth)
    username=100
    password=123

[100](endpoint)
    aors=100
    auth=100

But now I don’t know how to encrypt the MediaStream in a TLS connection. When I try to use the media_encryption option in my [transport-tls] section I cannot reload pjsip.conf anymore. It gives me an error.

    -- Reloading module 'res_pjsip.so' (Basic SIP resource)
[Feb 13 20:42:31] ERROR[14729]: config_options.c:780 aco_process_var: Could not find option suitable for category 'transport-tls' named 'media_encryption' at line 27 of
[Feb 13 20:42:31] ERROR[14729]: res_sorcery_config.c:407 sorcery_config_internal_load: Could not create an object of type 'transport' with id 'transport-tls' from configuration file 'pjsip.conf'

I configured sip and pjsip channels. sip.conf is UDP and unencrypted. pjsip.conf is TLS and encrypted. Then I created an AOR record to connect sip accounts.

[simple-aor](!)
    type=aor
    max_contacts=1
    remove_existing=yes
    contact=sip:127.0.0.1:5060

Now I can call from TLS connections to UDP sip peers. But I cannot call from UDP connections to pjsip TLS peers. Is there a way to achieve that?
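
An added example, not part of any post in this thread: the reload error quoted above occurs because media_encryption is an endpoint option in res_pjsip, not a transport option. The Python check below flags that placement, and deprecated TLS `method` values, in a pjsip.conf before a reload. The section names, bind addresses and the option subset are assumptions made for illustration, and template inheritance is not resolved.

```python
import re

# Endpoint options seen in this thread (assumed subset); invalid on a transport.
ENDPOINT_ONLY = {"media_encryption", "dtls_verify", "dtls_setup", "direct_media",
                 "force_rport", "webrtc", "rtcp_mux", "media_use_received_transport"}
OLD_TLS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}   # deprecated protocol versions

SAMPLE = """\
[transport-tls-before]          ; constructed: the layout that failed to reload
type=transport
protocol=tls
bind=0.0.0.0:5061
method=tlsv1
media_encryption=sdes
[transport-tls-after]           ; constructed: transport keeps only TLS settings
type=transport
protocol=tls
bind=0.0.0.0:5062
method=tlsv1_2
[endpoint](!)                   ; media encryption is set per endpoint instead
type=endpoint
media_encryption=sdes
"""

def parse(text):
    """Return [(section, {option: (value, line)})]; ';' starts a comment."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = (value, lineno)
    return sections

def lint(text):
    """Flag endpoint-only options and deprecated TLS methods written on transports."""
    findings = []
    for name, opts in parse(text):
        if opts.get("type", ("", 0))[0] != "transport":
            continue
        for key in ENDPOINT_ONLY & opts.keys():
            findings.append((opts[key][1], name, f"{key} belongs on an endpoint"))
        method, line = opts.get("method", ("", 0))
        if method in OLD_TLS:
            findings.append((line, name, f"method={method} is a deprecated TLS version"))
    return sorted(findings)
```

Running `lint(SAMPLE)` reports only the `transport-tls-before` section; the `-after` transport and the endpoint template pass.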