Hello Everybody,

I am trying to set up SRTP on my Asterisk 13.1.0 based FreePBX 32bit but unfortunately all my attempts to get it working have failed.

More precisely, I believe TLS and SRTP are working when I use local IP addresses (using VPN). But as soon as I switch back to the public IP, I get a no-audio issue.

I also tried to set up a UDP-based, non-SRTP extension, and I have no issues there.

I was following the Secure Calling Tutorial:
wiki.asterisk.org/wiki/display/ … g+Tutorial

rtp set debug on
Using Public IP (No Audio)

Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005871, ts 056800, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005872, ts 056960, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005873, ts 057120, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005874, ts 057280, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005875, ts 057440, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005876, ts 057600, len 000160)

via VPN (OK)

Got RTP packet from (type 09, seq 015855, ts 370080, len 000160)
Sent RTP packet to (type 09, seq 010657, ts 370080, len 000170)
Got RTP packet from (type 09, seq 015856, ts 370240, len 000160)
Sent RTP packet to (type 09, seq 010658, ts 370240, len 000170)
Got RTP packet from (type 09, seq 015857, ts 370400, len 000160)
Sent RTP packet to (type 09, seq 010659, ts 370400, len 000170)

All I am doing is calling *43.


accept_outofcall_message=yes
auth_message_requests=no
outofcall_message_context=dpma_message_context
faxdetect=no
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-12.0.25(13.1.0)
disallow=all
allow=ulaw
allow=alaw
allow=gsm
allow=g726
allow=g729
allow=speex
allow=speex16
allow=speex32
allow=opus
allow=g722
allow=h264
allow=mpeg4
tlsenable=yes
tlsbindaddr=
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscadir=/etc/asterisk/keys/
tlscipher=ALL
tlsclientmethod=tlsv1
fromdomain=my.domain.com
rtpend=20000
rtpstart=10000
callevents=yes
bindport=25060
jbenable=no
maxexpiry=3600
minexpiry=60
defaultexpiry=120
allowguest=yes
registertimeout=20
registerattempts=0
notifyhold=yes
g726nonstandard=no
videosupport=yes
srvlookup=no
canreinvite=no
rtptimeout=30
rtpholdtimeout=300
rtpkeepalive=0
checkmwi=10
notifyringing=yes
maxcallbitrate=384
nat=yes
externip=PU.BL.I.C
localnet=


[6660]
deny=
secret=mypasswort
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=pai
type=friend
nat=force_rport,comedia
port=5060
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/6660
mailbox=6660@device
permit=
callerid=TLS <6660>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

Any help is greatly appreciated.

Thank you.

Hi again,

I believe I have figured out what is not working, but I need a little help to understand whether this is:

  • my configuration issue
  • asterisk/freepbx issue
  • softphone issue

As you might have seen, I have changed in the configuration the port TLS is listening on to 25060 and I can confirm that by

I have nothing listening on port 5061. But I can see

To get it working, I had to forward in addition to port 25060 -> 25060 also 5061 -> 25060.

As you can see in the log below, Asterisk is still somehow trying to use port 5061 despite the fact that I have changed that.

D/libpjsip(24235): 00:48:10.179 pjsua_core.c .RX 607 bytes Request msg OPTIONS/cseq=102 (rdata0x613ea7a8) from TLS PU.BL.IC.IP:25060:
D/libpjsip(24235): OPTIONS sip:6660@;transport=TLS;ob SIP/2.0
D/libpjsip(24235): Via: SIP/2.0/TLS PU.BL.IC.IP:5061;branch=z9hG4bK0323dc1b;rport
D/libpjsip(24235): Max-Forwards: 70
D/libpjsip(24235): From: "Unknown" sip:Unknown@my.domain.com;tag=as7fd75391
D/libpjsip(24235): To: sip:6660@;transport=TLS;ob
D/libpjsip(24235): Contact: sip:Unknown@PU.BL.IC.IP:5061;transport=TLS
D/libpjsip(24235): Call-ID: 1a793e90483a0a6a1e508d1e2a9e7c77@my.domain.com
D/libpjsip(24235): CSeq: 102 OPTIONS
D/libpjsip(24235): User-Agent: FPBX-12.0.25(13.1.0)
D/libpjsip(24235): Date: Fri, 09 Jan 2015 23:43:30 GMT
D/libpjsip(24235): Supported: replaces, timer
D/libpjsip(24235): Content-Length: 0
D/libpjsip(24235): --end msg--
D/libpjsip(24235): 00:48:10.179 pjsip_mod_earl .mod_earlylock_on_rx_request
D/libpjsip(24235): 00:48:10.179 pjsua_core.c .TX 1067 bytes Response msg 200/OPTIONS/cseq=102 (tdta0x513f1ca0) to TLS PU.BL.IC.IP:25060:
D/libpjsip(24235): SIP/2.0 200 OK
D/libpjsip(24235): Via: SIP/2.0/TLS PU.BL.IC.IP:5061;rport=25060;received=PU.BL.IC.IP;branch=z9hG4bK0323dc1b
D/libpjsip(24235): Call-ID: 1a793e90483a0a6a1e508d1e2a9e7c77@my.domain.com
D/libpjsip(24235): From: "Unknown" sip:Unknown@my.domain.com;tag=as7fd75391
D/libpjsip(24235): To: sip:6660@;ob;tag=z9hG4bK0323dc1b
D/libpjsip(24235): CSeq: 102 OPTIONS
D/libpjsip(24235): Accept: application/sdp, application/pidf+xml, application/xpidf+xml, application/simple-message-summary, message/sipfrag;version=2.0, application/im-iscomposing+xml, text/plain
D/libpjsip(24235): Supported: replaces, 100rel, timer, norefersub
D/libpjsip(24235): Allow-Events: presence, message-summary, refer
D/libpjsip(24235): User-Agent: CSipSimple_espresso10wifi-17/r2457
D/libpjsip(24235): Content-Type: application/sdp
D/libpjsip(24235): Content-Length: 289

Thank you.

I just stumbled across the following

lists.digium.com/pipermail/aster … 36722.html

Which is exactly talking about the same issue within Asterisk 11.

The issue with Asterisk 13 is a little bit bigger, as on top of the issue raised above, you cannot even talk. All you can do is register and initiate a call.

externtlsport=25060 has resolved my issue. It’s a bit odd setting, confusing and inconsistent with other port settings, but never mind, I am happy again :laughing:

Thanks for posting your solution, it helps other members. You can avoid many issues by reading Asterisk’s sample configuration files.

externtlsport = 12600 ; The externally mapped tls port, when Asterisk is behind a static NAT or PAT.
                      ; externtlsport port will default to the RFC designated port of 5061.
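
A check for the symptom described in this thread, as an added example that is not part of the original posts: it reads pjsip client log text and, for each received request, compares the port in the topmost Via and in the Contact with the port the request actually arrived from. The sample log is constructed (documentation IP addresses), and it assumes the client opened the connection to the server's public listening port.

```python
import re

# Constructed sample modelled on the OPTIONS request in the thread.
# 203.0.113.10 and 198.51.100.7 are documentation addresses, not real hosts.
SAMPLE = """\
D/libpjsip(24235): 00:48:10.179 pjsua_core.c .RX 607 bytes Request msg OPTIONS/cseq=102 (rdata0x613ea7a8) from TLS 203.0.113.10:25060:
D/libpjsip(24235): OPTIONS sip:6660@198.51.100.7;transport=TLS;ob SIP/2.0
D/libpjsip(24235): Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK0323dc1b;rport
D/libpjsip(24235): Contact: <sip:Unknown@203.0.113.10:5061;transport=TLS>
D/libpjsip(24235): CSeq: 102 OPTIONS
"""

LOGCAT = re.compile(r"^[A-Z]/\w+\(\s*\d+\):\s*")            # Android logcat tag
START = re.compile(r"\.(?P<dir>RX|TX) \d+ bytes (?P<kind>\w+) msg .* "
                   r"(?:from|to) (?P<tp>\w+) \S+?:(?P<port>\d+):?$")
HEADERS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+[^;:\s]+(?::(?P<port>\d+))?", re.I),
    "Contact": re.compile(r"^Contact:.*?sips?:(?:[^@>;]+@)?[^;:>\s]+(?::(?P<port>\d+))?", re.I),
}
DEFAULT_PORT = {"TLS": 5061, "TCP": 5060, "UDP": 5060}      # used when a header omits the port


def audit(log_text):
    """Return (header, advertised_port, source_port) for each mismatch in received requests."""
    findings, cur = [], None
    for raw in log_text.splitlines():
        line = LOGCAT.sub("", raw.strip())
        start = START.search(line)
        if start:
            # Only requests we received carry the peer's own Via and Contact.
            received_request = start["dir"] == "RX" and start["kind"] == "Request"
            cur = ({"tp": start["tp"].upper(), "src": int(start["port"]), "seen": set()}
                   if received_request else None)
            continue
        if cur is None:
            continue
        for name, rx in HEADERS.items():
            m = rx.match(line)
            if m and name not in cur["seen"]:
                cur["seen"].add(name)                      # topmost Via, first Contact only
                port = int(m["port"] or DEFAULT_PORT.get(cur["tp"], 5060))
                if port != cur["src"]:
                    findings.append((name, port, cur["src"]))
    return findings


if __name__ == "__main__":
    for header, advertised, source in audit(SAMPLE):
        print(f"{header} advertises port {advertised}, but the request arrived from port {source}")
```

An empty result after setting externtlsport to the forwarded port means the advertised and actual ports agree.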