OpenSIPS Asterisk PJSIP Realtime Media Encryption


#1

Hello,

I have an OpenSIPS proxy fronting an Asterisk Server using PJSIP Realtime. I have OpenSIPS configured in ps_endpoints table and communication works great.

However, when I receive an incoming call, Asterisk utilizes OpenSIPS endpoint entry to choose the codec, SDES vs DTLS etc instead of the extension I am dialing. Issue is that I want to have different extensions use different media encryption methodologies.

Is the a way to have asterisk ignore the settings and soley rely on the configuration of the endpoint? One way I was thinking of doing this is having multiple OpenSIPS entries, one for each capability and the endpoint to the appropriate OpenSIPS entry, i.e. outbound proxy etc but doesn’t seem correct to me.

I do notice that when dialing out, Asterisk uses the caller’s codec/media_encryption, not the Proxies. This is exactly what I need for incoming INVITE requests.

Thanks


#2

What is the actual configuration and how are you matching the OpenSIPS endpoint, and how do you expect to match the real endpoint?


#3

Hello,
BTW: Asterisk Version: 15.5.0

1.) How am I matching OpenSIPS Endpoint?
Matches source ip address of opensips against the ps_endpoing_id_ips address. INVITE comes in and Asterisk finds Opensips and debug output is this:

[2018-12-01 02:10:50] DEBUG[8207]: res_pjsip/pjsip_distributor.c:393 find_dialog: Could not find matching transaction for Request msg INVITE/cseq=21 (rdata0x7fb9e0009cc8)
[2018-12-01 02:10:50] DEBUG[8207]: res_pjsip/pjsip_distributor.c:471 ast_sip_get_distributor_serializer: Calculated serializer pjsip/distributor-00000086 to use for Request msg INVITE/cseq=21 (rdata0x7fb9e0009cc8)
[2018-12-01 02:10:50] DEBUG[8187]: netsock2.c:170 ast_sockaddr_split_hostport: Splitting ‘OPENSIPS_LOCAL_IP’ into…
[2018-12-01 02:10:50] DEBUG[8187]: netsock2.c:224 ast_sockaddr_split_hostport: …host ‘OPENSIPS_LOCAL_IP’ and port ‘’.
[2018-12-01 02:10:50] DEBUG[8187]: res_pjsip_endpoint_identifier_ip.c:203 ip_identify_match_check: Source address OPENSIPS_LOCAL_IP:OPENSIPS_LOCAL_PORT matches identify ‘opensips’
[2018-12-01 02:10:50] DEBUG[8187]: res_odbc.c:866 _ast_odbc_request_obj2: Reusing ODBC handle 0x256def8 from class ‘asterisk’
[2018-12-01 02:10:50] DEBUG[8187]: res_config_odbc.c:115 custom_prepare: Skip: 0; SQL: SELECT * FROM ps_endpoints WHERE id = ?
[2018-12-01 02:10:50] DEBUG[8187]: res_config_odbc.c:131 custom_prepare: Parameter 1 (‘id’) = ‘opensips’
[2018-12-01 02:10:50] DEBUG[8187]: res_odbc.c:710 ast_odbc_release_obj: Releasing ODBC handle 0x256def8 into pool
[2018-12-01 02:10:50] DEBUG[8187]: res_sorcery_realtime.c:132 sorcery_realtime_filter_objectset: Filtering out realtime field ‘disallow’ from retrieval
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [1800] in [0, 4294967295] gives 1800
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [1] in [0, 4294967295] gives 1
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [1] in [0, 4294967295] gives 1
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [90] in [0, 4294967295] gives 90
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [0] in [0, 4294967295] gives 0
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [5] in [0, 4294967295] gives 5
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [30] in [0, 4294967295] gives 30
[2018-12-01 02:10:50] DEBUG[8187]: config.c:3744 ast_parse_arg: extract uint from [35] in [0, 4294967295] gives 35
[2018-12-01 02:10:50] DEBUG[8187]: res_pjsip_endpoint_identifier_ip.c:236 common_identify: Identify ‘opensips’ SIP message matched to endpoint opensips

2.) How do I expect to match real endpoint?
I was thinking Asterisk would know that OpenSIPS is just a proxy and the “TO” field should specify the real endpoint along the capabilities to use, i.e. SDES vs DTLS?


CONFIGURATION SETUP

OpenSIPS-DTLS ps_endpoints Setup
[opensips]
transport=transport-udp
aors=opensips
context=users
disallow=all
allow=opus;speex16;speex;gsm;ulaw;alaw;ilbc
direct_media=no
disable_direct_media_on_nat=yes
dtmf_mode=rfc4733
ice_support=yes
rewrite_contact=no
rtp_symetric=yes
callerid_privacy=allowed
use_avptf=yes
media_encryption=dtls
inband_progress=yes
from_domain=opensips.domain.com
dtls_verify=fingerprint
dtls_rekey=0
dtls_cert_file=cert.crt
dtls_private_key=private.key
dtls_ca_file=ca.crt
dtls_ca_path=ca_path
dtls_setup=actpass
media_encryption_optimistic=yes
rtcp_mux=yes

Extension 1000-SDES ps_endpoints Setup
[1000]
transport=transport-udp
aors=800
context=users
disallow=all
allow=opus;speex16;speex;gsm;ulaw;alaw;ilbc
direct_media=no
disable_direct_media_on_nat=yes
dtmf_mode=rfc4733
outbound_proxy=sip:opensips.domain.com:PORT;lr
rtp_symmetric=yes
callerid_privacy=allowed
media_encryption=sdes
inband_progress=yes
from_domain=opensips.domain.com
media_encryption_optimistic=no

Extension 1001-DTLS ps_endpoints Setup
[1001]
transport=transport-udp
aors=opensips
context=users
disallow=all
allow=opus;speex16;speex;gsm;ulaw;alaw;ilbc
direct_media=no
disable_direct_media_on_nat=yes
dtmf_mode=rfc4733
ice_support=yes
outbound_proxy=sip:opensips.domain.com:PORT;lr
rewrite_contact=no
rtp_symetric=yes
callerid_privacy=allowed
use_avptf=yes
media_encryption=dtls
inband_progress=yes
from_domain=opensips.domain.com
dtls_verify=fingerprint
dtls_rekey=0
dtls_cert_file=cert.crt
dtls_private_key=private.key
dtls_ca_file=ca.crt
dtls_ca_path=ca_path
dtls_setup=actpass
media_encryption_optimistic=yes
rtcp_mux=yes


OpenSIPS ps_aors Setup
[opensips]
contact=sip:opensips.domain.com:ASTERISK_INTERNAL_PORT
max_contacts=1

Extension 1000-SDES ps_aors Setup
[1000]
mailboxes=1000
max_contacts=10
remove_existing=yes
outbound_proxy=sip:opensips.domain.com:PORT

Extension 1001-DTLS ps_aors Setup
[1001]
mailboxes=1001
max_contacts=10
remove_existing=yes
outbound_proxy=sip:opensips.domain.com:PORT


OpenSIPS ps_endpoint_id_ips Setup
[opensips]
endpoint=opensips
match=OPENSIPS_LOCAL_IP


pjsip.conf
[transport-udp]
type=transport
protocol=udp
domain=asterisk.domain.com
local_net=LOCAL_NET/32
external_media_address=ASTERISK_EXTERNAL_IP
external_signaling_address=ASTERISK_INTERNAL_IP
bind=0.0.0.0:ASTERISK_INTERNAL_PORT
external_signaling_port=ASTERISK_INTERNAL_PORT


extensions.conf
[stations]
switch => Realtime/@extensions

[disconnected]
switch => Realtime/@extensions

[terminate]
switch => Realtime/@extensions

[users]
include => incoming

[default]
include => users

[pstn-inbound]
switch => Realtime/pstn-inbound@extensions

[incoming]
switch => Realtime/@extensions