Problem Asterisk with TLS+SRTP

Hello all

I’m new to Asterisk. I am trying to build a small VoIP network with Asterisk and plan to use TLS+SRTP to secure my communications. I have already followed the instructions from these sites, but unfortunately it didn’t work:
iprouteth0.blogspot.com/2013/04/ … -with.html
wiki.asterisk.org/wiki/display/ … g+Tutorial

I’m using OpenWRT as a mini server and Asterisk 1.8. Maybe there is someone in this forum who can guide me in securing my communications.

Best regards

Riyadi

You want the Biz and Jobs forum.

If you want peer support, you need to provide enough logging, and details of the configuration that there is a clue as to what is wrong.

Thanks for replying to my post.

I’m using all the configuration from this blog: iprouteth0.blogspot.com/2013/04/ … -with.html

I’m using Asterisk 11 on my OpenWRT router and an Android phone as a client, with CSipSimple as the softphone. When I look at Asterisk’s log at /var/log/asterisk/messages I find this:

[Oct 1 12:56:08] WARNING[1360] loader.c: Error loading module ‘res_musiconhold.so’: File not found
[Oct 1 12:56:08] WARNING[1360] loader.c: Module ‘res_musiconhold.so’ could not be loaded.
[Oct 1 12:56:08] NOTICE[1360] chan_sip.c: The ‘username’ field for sip peers has been deprecated in favor of the term ‘defaultuser’
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: ‘tls’ is not a valid transport type when tlsenable=no. If no other is specified, the defaults from general will be used.
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: !!! PLEASE NOTE: Setting ‘nat’ for a peer/user that differs from the global setting can make
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: !!! the name of that peer/user discoverable by an attacker. Replies for non-existent peers/users
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: !!! will be sent to a different port than replies for an existing peer/user. If at all possible,
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: !!! use the global ‘nat’ setting and do not set ‘nat’ per peer/user.
[Oct 1 12:56:08] WARNING[1360] chan_sip.c: !!! (config category=‘504’ global force_rport=‘No’ peer/user force_rport=‘Yes’)
[Oct 1 12:56:17] WARNING[1360] pbx.c: Context ‘outbound-srtp’ tries to include nonexistent context ‘seven-digit’

Maybe you have suggestions for my problem…

Best regards

Riyadi

What’s not obvious about:

I wonder if you have two [general] sections.

Thank you for replying to my post.

I don’t see that I have 2 [general] sections; this is my sip.conf:

[general]
tlsenable=yes
tlsbindaddr=192.168.0.30
tlscertfile=/etc/asterisk/keys/asterisk.crt
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscafile=/etc/asterisk/keys/ca.crt
tlscadir=/etc/asterisk/keys/
tlscipher=ALL
tlsclientmethod=tlsv1

[504]
username=504
secret=yourpasswordhere
type=friend
nat=force_rport,comedia
callerid="Mesmerize<504>"
host=dynamic
context=outbound-srtp
outgoinglimit=3
incominglimit=3
canreinvite=yes
transport=tls
encryption=yes
disallow=all
allow=ulaw
allow=alaw
allow=g722
allow=gsm
dtmfmode=inband
mailbox=504@default

I use this configuration too, from this thread: viewtopic.php?f=1&t=94797&p=210638&hilit=tls+asterisk&sid=d967ad1ecde3e39a7cbb86dac902306f#p210638

[global]
enable=yes
tlsenable=yes
tlsdontverifyserver=yes
tlsbindaddr=192.168.1.1
tlscertfile=/etc/cert/asterisk.pem
tlscafile=/etc/cert/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

[100]
type=friend
secret=100
host=dynamic
defaultip=192.168.254.29
dtmfmode=rfc2833
context=pbx_config
encryption=no
disallow=all
transport=tls
[200]
type=friend
secret=200
host=dynamic
defaultip=192.168.254.132
dtmfmode=rfc2833
context=pbx_config
encryption=no
transport=tls
disallow=all
context=pbx_config

extensions.conf
[general]
static=yes
tlsenable=yes
writeprotect=no
cleanglobalvars=no

[pbx_config]
exten => 100,1,Set(CHANNEL(secure_bridge_signaling)=1)
exten => 100,2,Set(_SIPSRTP=1)
exten => 100,3,Set(_SIPSRTP_CRYPTO=enable)
exten => 100,n,Dial(SIP/100,20)
exten => 100,n,Hangup()

exten => 200,1,Set(CHANNEL(secure_bridge_signaling)=1)
exten => 200,2,Set(_SIPSRTP=1)
exten => 200,3,Set(_SIPSRTP_CRYPTO=enable)
exten => 200,n,Dial(SIP/200,20)
exten => 200,n,Hangup()

I would have expected a diagnostic if the TLS support hadn’t loaded so I’m at a loss to think of why tlsenable is set to false with that configuration.

Unfortunately I have my own TLS problems as the latest Iceweasel (Firefox) thinks the login page for this site has inadequate encryption and refuses to talk to it, so I can’t respond from home, where I have time to think a bit more about this.

I’m sorry for my English first.

I’m using an OpenWRT router as the Asterisk server. Is there a module or package that I didn’t install on my router that makes my Asterisk not run properly?

Common problems with TLS are not having the openssl files (in the right places) at run or build time, or not selecting them with menuselect. However, I would have thought you would have had more specific errors reported.

I have no experience of the OpenWRT environment.

Hi david, it seems like I have made progress on my problem. I hope you see this post.

OpenWrt*CLI> sip show tcp
Address Transport Type
192.168.1.115:42201 TCP Server

TLS using TCP, right?

Default Settings:

Allowed transports: TLS
Outbound transport: TLS
Context: public
Record on feature: automon
Record off feature: automon
Force rport: Auto (No)
DTMF: rfc2833
Qualify: 0
Keepalive: 0
Use ClientCode: No
Progress inband: Never
Language:
Tone zone:
MOH Interpret: default
MOH Suggest:
Voice Mail Extension: asterisk

Global Settings:

UDP Bindaddress: 0.0.0.0:5060
TCP SIP Bindaddress: 192.168.1.1:5061
TLS SIP Bindaddress: 192.168.1.1:5061
Videosupport: No
Textsupport: No
Ignore SDP sess. ver.: No
AutoCreate Peer: Off
Match Auth Username: No
Allow unknown access: Yes
Allow subscriptions: Yes
Allow overlap dialing: No
Allow promisc. redir: No
Enable call counters: No
SIP domain support: No
Realm. auth: No
Our auth realm asterisk

This is my Asterisk log:

root@OpenWrt:/etc/asterisk# tail -f /var/log/asterisk/messages
[Oct 2 13:55:48] WARNING[1210] loader.c: Error loading module ‘res_musiconhold.so’: File not found
[Oct 2 13:55:48] WARNING[1210] loader.c: Module ‘res_musiconhold.so’ could not be loaded.
[Oct 2 13:55:48] NOTICE[1210] chan_sip.c: The ‘username’ field for sip peers has been deprecated in favor of the term ‘defaultuser’
[Oct 2 14:07:12] Asterisk 11.12.0 built by bb @ Debian-75-wheezy-64-minimal on a x86_64 running Linux on 2014-09-23 07:08:05 UTC
[Oct 2 14:07:13] WARNING[1447] cel.c: Could not load cel.conf
[Oct 2 14:07:13] NOTICE[1447] loader.c: 34 modules will be loaded.
[Oct 2 14:07:13] WARNING[1447] loader.c: Error loading module ‘res_musiconhold.so’: File not found
[Oct 2 14:07:13] WARNING[1447] loader.c: Error loading module ‘res_musiconhold.so’: File not found
[Oct 2 14:07:13] WARNING[1447] loader.c: Module ‘res_musiconhold.so’ could not be loaded.
[Oct 2 14:07:13] NOTICE[1447] chan_sip.c: The ‘username’ field for sip peers has been deprecated in favor of the term ‘defaultuser’

Oh, I have a question. Is an outbound proxy required for using TLS?

Thank you for reading my post.

Best Regards

Riyadi

I don’t believe you can have TLS and TCP bound to the same port number.

TLS does not require an outbound proxy and may well not work with one.
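A defender-side lint for the sip.conf problems raised in this thread (two [general] sections, transport=tls while tlsenable is not yes, a per-peer nat that differs from the global one as the log warned, and TCP and TLS sharing one bind port). This is added example code, not anything from the thread or from Asterisk; the sample sip.conf is constructed, and chan_sip’s default ports (5060 for TCP, 5061 for TLS) and a 0.0.0.0 default host are assumptions.

```python
import re
# Constructed sample, not the poster's file: TLS and TCP land on the same socket because
# tlsbindaddr defaults to port 5061, and peer 504 sets nat locally while [general] says nat=no.
SAMPLE_SIP_CONF = """\
[general]
tlsenable=yes
tlsbindaddr=192.168.1.1
tcpenable=yes
tcpbindaddr=192.168.1.1:5061
nat=no
[504]
transport=tls
nat=force_rport,comedia
"""

def parse_sip_conf(text):
    """Return (section, {key: value}) pairs in file order; duplicate sections stay separate."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments and blank lines
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = (m.group(1).lower(), {})
            sections.append(current)
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[1][key.lower()] = val
    return sections

def bind_tuple(value, default_port):
    """Split an IPv4 'host[:port]' bind address; default host/port are assumed, not read from chan_sip."""
    host, _, port = value.partition(":")
    return host or "0.0.0.0", int(port or default_port)

def lint_sip_conf(text):
    """Return findings for the misconfigurations discussed in the thread."""
    sections, findings = parse_sip_conf(text), []
    if sum(name == "general" for name, _ in sections) > 1:
        findings.append("duplicate [general]: keys in one copy may be ignored by Asterisk")
    general = {k: v for n, kv in sections if n == "general" for k, v in kv.items()}  # merged so every key is checked
    tls_on = general.get("tlsenable", "no").lower() == "yes"
    if tls_on and general.get("tcpenable", "no").lower() == "yes":
        tcp = bind_tuple(general.get("tcpbindaddr", ""), 5060)
        tls = bind_tuple(general.get("tlsbindaddr", ""), 5061)
        if tcp[1] == tls[1] and (tcp[0] == tls[0] or "0.0.0.0" in (tcp[0], tls[0])):
            findings.append(f"tcpbindaddr and tlsbindaddr both use port {tcp[1]}: TLS and TCP need distinct ports")
    for name, kv in [s for s in sections if s[0] != "general"]:
        if "tls" in kv.get("transport", "").lower() and not tls_on:
            findings.append(f"[{name}] transport=tls but tlsenable is not yes in [general]")
        if "nat" in kv and kv["nat"] != general.get("nat"):
            findings.append(f"[{name}] nat={kv['nat']} differs from the global nat: peer name becomes discoverable")
    return findings
```

Run `lint_sip_conf` over your own sip.conf text; an empty list means none of the four thread issues was found.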

Oh, I think we opened the same port for TCP. I’m sorry, I’ll fix it…

But apart from the one problem above about the same port for TCP, is my configuration right? Or is there some mistake? I would be really happy if you could guide me. I’m new to using Asterisk.

Best Regards

Riyadi