[SOLVED] SRTP behind NAT

Hello Everybody,

I am trying to set up SRTP on my Asterisk 13.1.0 based FreePBX (32-bit), but unfortunately all my attempts to get it working have failed.

More precisely, I believe TLS and SRTP are working when I use local IP addresses (via VPN). But as soon as I switch back to the public IP, I get the No Audio issue.

I also tried to set up a UDP-based, non-SRTP extension, and I have no issues there.

I was following the Secure Calling Tutorial:
wiki.asterisk.org/wiki/display/ … g+Tutorial

rtp set debug on
Using Public IP (No Audio)

Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005871, ts 056800, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005872, ts 056960, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005873, ts 057120, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005874, ts 057280, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005875, ts 057440, len 000160)
Got RTP packet from PU.BL.I.C:14004 (type 09, seq 005876, ts 057600, len 000160)

via VPN (OK)

Got RTP packet from 192.168.200.111:14002 (type 09, seq 015855, ts 370080, len 000160)
Sent RTP packet to 192.168.200.111:14002 (type 09, seq 010657, ts 370080, len 000170)
Got RTP packet from 192.168.200.111:14002 (type 09, seq 015856, ts 370240, len 000160)
Sent RTP packet to 192.168.200.111:14002 (type 09, seq 010658, ts 370240, len 000170)
Got RTP packet from 192.168.200.111:14002 (type 09, seq 015857, ts 370400, len 000160)
Sent RTP packet to 192.168.200.111:14002 (type 09, seq 010659, ts 370400, len 000170)

All I am doing is calling *43.

sip_general_additional.conf

accept_outofcall_message=yes
auth_message_requests=no
outofcall_message_context=dpma_message_context
faxdetect=no
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-12.0.25(13.1.0)
disallow=all
allow=ulaw
allow=alaw
allow=gsm
allow=g726
allow=g729
allow=speex
allow=speex16
allow=speex32
allow=opus
allow=g722
allow=h264
allow=mpeg4
tlsenable=yes
tlsbindaddr=0.0.0.0:25060
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscadir=/etc/asterisk/keys/
tlscipher=ALL
tlsclientmethod=tlsv1
fromdomain=my.domain.com
rtpend=20000
rtpstart=10000
callevents=yes
bindport=25060
jbenable=no
maxexpiry=3600
minexpiry=60
defaultexpiry=120
allowguest=yes
registertimeout=20
registerattempts=0
notifyhold=yes
g726nonstandard=no
videosupport=yes
srvlookup=no
canreinvite=no
rtptimeout=30
rtpholdtimeout=300
rtpkeepalive=0
checkmwi=10
notifyringing=yes
maxcallbitrate=384
nat=yes
externip=PU.BL.I.C
localnet=192.168.200.0/24

sip_additional.conf

[6660]
deny=0.0.0.0/0.0.0.0
secret=mypasswort
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=pai
type=friend
nat=force_rport,comedia
port=5060
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/6660
mailbox=6660@device
permit=0.0.0.0/0.0.0.0
callerid=TLS <6660>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

Any help is greatly appreciated.

Thank you.
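The two `rtp set debug on` captures above differ in one way that is easy to miss when the lines are scrolling past: the public-IP call has only "Got RTP packet" lines, while the VPN call alternates "Got" and "Sent". The following is an added example (not from this thread, not Asterisk's own code) that parses that console format and flags remote addresses with traffic in only one direction. The log lines inside it are constructed in the same shape as the captures above, with 203.0.113.10 standing in for the masked public address.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Asterisk's "rtp set debug on" output. The
# first three lines mirror the public-IP capture (packets received, none sent);
# the rest mirror the VPN capture (both directions). 203.0.113.10 is a
# placeholder for the masked public address in the thread.
SAMPLE_LOG = """\
Got RTP packet from 203.0.113.10:14004 (type 09, seq 005871, ts 056800, len 000160)
Got RTP packet from 203.0.113.10:14004 (type 09, seq 005872, ts 056960, len 000160)
Got RTP packet from 203.0.113.10:14004 (type 09, seq 005873, ts 057120, len 000160)
Got RTP packet from 192.168.200.111:14002 (type 09, seq 015855, ts 370080, len 000160)
Sent RTP packet to 192.168.200.111:14002 (type 09, seq 010657, ts 370080, len 000170)
Got RTP packet from 192.168.200.111:14002 (type 09, seq 015856, ts 370240, len 000160)
Sent RTP packet to 192.168.200.111:14002 (type 09, seq 010658, ts 370240, len 000170)
"""

# One "Got ... from" or "Sent ... to" line as printed by chan_sip's RTP debug.
RTP_LINE = re.compile(
    r"^(?P<direction>Got|Sent) RTP packet (?:from|to) (?P<addr>[\d.]+:\d+) "
    r"\(type (?P<pt>\d+), seq (?P<seq>\d+), ts (?P<ts>\d+), len (?P<length>\d+)\)$"
)


def parse_rtp_debug(text):
    """Return one dict per recognised Got/Sent line; other console output is skipped."""
    packets = []
    for line in text.splitlines():
        m = RTP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("pt", "seq", "ts", "length"):
            d[key] = int(d[key])
        packets.append(d)
    return packets


def media_summary(text):
    """Count packets per remote address in each direction."""
    counts = defaultdict(lambda: {"got": 0, "sent": 0})
    for pkt in parse_rtp_debug(text):
        counts[pkt["addr"]]["got" if pkt["direction"] == "Got" else "sent"] += 1
    return dict(counts)


def one_way_peers(text):
    """Remote addresses with traffic in exactly one direction: the signature of the
    thread's 'No Audio' call, where Asterisk logged Got lines but never a Sent line."""
    return sorted(addr for addr, c in media_summary(text).items()
                  if (c["got"] == 0) != (c["sent"] == 0))


if __name__ == "__main__":
    for addr, c in media_summary(SAMPLE_LOG).items():
        print(f"{addr}: got={c['got']} sent={c['sent']}")
    print("one-way media with:", one_way_peers(SAMPLE_LOG))
```

Feed it a saved CLI capture instead of the constructed sample and any address listed by `one_way_peers` is a call worth looking at on the signalling side; the parser only identifies the symptom, it says nothing about why Asterisk never transmitted.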

Hi again,

I believe I have figured out what is not working, but I need a little help to understand whether this is:

  • my configuration issue
  • asterisk/freepbx issue
  • softphone issue

As you might have seen, I have changed the port TLS is listening on in the configuration to 25060, and I can confirm that by

I have nothing listening on port 5061. But I can see

[Solution]
To get it working, in addition to forwarding port 25060 -> 25060, I also had to forward 5061 -> 25060.

As you can see in the log below, Asterisk is still somehow trying to use port 5061 despite the fact that I have changed it.

[LOG]
D/libpjsip(24235): 00:48:10.179 pjsua_core.c .RX 607 bytes Request msg OPTIONS/cseq=102 (rdata0x613ea7a8) from TLS PU.BL.IC.IP:25060:
D/libpjsip(24235): OPTIONS sip:6660@192.168.20.122:37787;transport=TLS;ob SIP/2.0
D/libpjsip(24235): Via: SIP/2.0/TLS PU.BL.IC.IP:5061;branch=z9hG4bK0323dc1b;rport
D/libpjsip(24235): Max-Forwards: 70
D/libpjsip(24235): From: "Unknown" sip:Unknown@my.domain.com;tag=as7fd75391
D/libpjsip(24235): To: sip:6660@192.168.20.122:37787;transport=TLS;ob
D/libpjsip(24235): Contact: sip:Unknown@PU.BL.IC.IP:5061;transport=TLS
D/libpjsip(24235): Call-ID: 1a793e90483a0a6a1e508d1e2a9e7c77@my.domain.com
D/libpjsip(24235): CSeq: 102 OPTIONS
D/libpjsip(24235): User-Agent: FPBX-12.0.25(13.1.0)
D/libpjsip(24235): Date: Fri, 09 Jan 2015 23:43:30 GMT
D/libpjsip(24235): Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
D/libpjsip(24235): Supported: replaces, timer
D/libpjsip(24235): Content-Length: 0
D/libpjsip(24235):
D/libpjsip(24235): --end msg--
D/libpjsip(24235): 00:48:10.179 pjsip_mod_earl .mod_earlylock_on_rx_request
D/libpjsip(24235): 00:48:10.179 pjsua_core.c .TX 1067 bytes Response msg 200/OPTIONS/cseq=102 (tdta0x513f1ca0) to TLS PU.BL.IC.IP:25060:
D/libpjsip(24235): SIP/2.0 200 OK
D/libpjsip(24235): Via: SIP/2.0/TLS PU.BL.IC.IP:5061;rport=25060;received=PU.BL.IC.IP;branch=z9hG4bK0323dc1b
D/libpjsip(24235): Call-ID: 1a793e90483a0a6a1e508d1e2a9e7c77@my.domain.com
D/libpjsip(24235): From: "Unknown" sip:Unknown@my.domain.com;tag=as7fd75391
D/libpjsip(24235): To: sip:6660@192.168.20.122;ob;tag=z9hG4bK0323dc1b
D/libpjsip(24235): CSeq: 102 OPTIONS
D/libpjsip(24235): Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
D/libpjsip(24235): Accept: application/sdp, application/pidf+xml, application/xpidf+xml, application/simple-message-summary, message/sipfrag;version=2.0, application/im-iscomposing+xml, text/plain
D/libpjsip(24235): Supported: replaces, 100rel, timer, norefersub
D/libpjsip(24235): Allow-Events: presence, message-summary, refer
D/libpjsip(24235): User-Agent: CSipSimple_espresso10wifi-17/r2457
D/libpjsip(24235): Content-Type: application/sdp
D/libpjsip(24235): Content-Length: 289


Thank you.
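The log above shows the mismatch in two headers: Asterisk's Via and Contact both advertise port 5061 on the public IP, while the phone's 200 OK reports `rport=25060`, i.e. the port the packet actually arrived from after NAT. The following is an added example (not from this thread, not CSipSimple's or Asterisk's code) that parses a captured SIP request and reports every TLS address advertising the public IP with a port other than the one that is really forwarded. The message is constructed from the OPTIONS request in the log, with angle brackets restored around the URIs and 203.0.113.10 standing in for the masked public address; `check_external_tls_port` and the other names are mine.

```python
import re

# Constructed sample modelled on the OPTIONS request in the thread's CSipSimple
# log (angle brackets restored around the URIs, public IP replaced by the
# placeholder 203.0.113.10).
SAMPLE_OPTIONS = (
    "OPTIONS sip:6660@192.168.20.122:37787;transport=TLS;ob SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bK0323dc1b;rport\r\n"
    "Max-Forwards: 70\r\n"
    'From: "Unknown" <sip:Unknown@my.domain.com>;tag=as7fd75391\r\n'
    "To: <sip:6660@192.168.20.122:37787;transport=TLS;ob>\r\n"
    "Contact: <sip:Unknown@203.0.113.10:5061;transport=TLS>\r\n"
    "Call-ID: 1a793e90483a0a6a1e508d1e2a9e7c77@my.domain.com\r\n"
    "CSeq: 102 OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# "SIP/2.0/TLS host[:port];params" as found in a Via header value.
VIA_RE = re.compile(
    r"^SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<host>\[[^\]]+\]|[^;:\s]+)(?::(?P<port>\d+))?"
)
# host[:port] of a sip:/sips: URI, with or without a user part.
URI_RE = re.compile(
    r"sips?:(?:[^@<>\s]+@)?(?P<host>\[[^\]]+\]|[^;:>\s]+)(?::(?P<port>\d+))?"
)


def parse_headers(msg):
    """Split a SIP message into its start line and an ordered list of (name, value)."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def default_port(transport):
    """RFC 3261 default when a header omits the port: 5061 for TLS, 5060 otherwise."""
    return 5061 if transport.upper() == "TLS" else 5060


def advertised_addresses(msg):
    """Every (header, transport, host, port) the sender claims to be reachable on,
    taken from the Via and Contact headers in message order."""
    _, headers = parse_headers(msg)
    found = []
    for name, value in headers:
        if name in ("via", "v"):
            m = VIA_RE.match(value)
            if m:
                transport = m.group("transport").upper()
                port = int(m.group("port") or default_port(transport))
                found.append(("Via", transport, m.group("host"), port))
        elif name in ("contact", "m"):
            m = URI_RE.search(value)
            if m:
                transport = "TLS" if "transport=tls" in value.lower() else "UDP"
                port = int(m.group("port") or default_port(transport))
                found.append(("Contact", transport, m.group("host"), port))
    return found


def check_external_tls_port(msg, external_ip, external_tls_port):
    """Report each TLS address naming the public IP with a port other than the one
    actually forwarded to Asterisk. An empty list means the message is consistent."""
    problems = []
    for header, transport, host, port in advertised_addresses(msg):
        if transport == "TLS" and host == external_ip and port != external_tls_port:
            problems.append(
                f"{header} advertises {host}:{port} over TLS, "
                f"but the forwarded port is {external_tls_port}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_external_tls_port(SAMPLE_OPTIONS, "203.0.113.10", 25060):
        print(problem)
```

Run against the thread's capture with `external_tls_port=25060` it lists both the Via and the Contact, which is exactly the pair a phone outside the NAT will try to reach on 5061; once the advertised port matches the forwarded one, the list is empty.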

I just stumbled across the following

lists.digium.com/pipermail/aster … 36722.html

It talks about exactly the same issue in Asterisk 11.

The issue with Asterisk 13 is a bit bigger: on top of the issue raised above, you cannot even talk. All you can do is register and initiate a call.

externtlsport=25060 has resolved my issue. It's a bit of an odd setting, confusing and inconsistent with the other port settings, but never mind, I am happy again :laughing:

Thanks for posting your solution; it helps other members. You can avoid many issues by reading Asterisk's sample configuration files.

externtlsport = 12600 ; The externally mapped tls port, when Asterisk is behind a static NAT or PAT.
externtlsport port will default to the RFC designated port of 5061.