TLS transport question

So I opened a ticket with Twilio, and they are alleging I need to whitelist the 172.25.13.87 address, which seems odd since that is not a routable address. I asked them to confirm.

I may need to switch my ITSP; if anyone has had success with ANY ITSP using TLS, I am shopping for a good one, hopefully with some usable guide to configure the trunk.
Thanks

Update: Twilio was not much help so far, just telling me to “whitelist the IPs”, even though the ones they suggest are all open still, just as they were over UDP, just to port 5061, and from what I can gather they are sending some traffic to 5060 according to the pjsip traces I see.

My endpoint is configured for TLS, with media encryption, so I think this is the cause of the “no matching endpoint”, as the Twilio endpoint is set up for port 5061.

The Twilio endpoint:

Endpoint:  twilio-na-us                                         Not in use    0 of inf
    OutAuth:  twilio-na-us-oauth/asterisk-pbx
        Aor:  twilio-na-us                                       0
      Contact:  twilio-na-us/sip:voice-example.pstn.ash 89788cb830 Avail        22.585
      Contact:  twilio-na-us/sip:voice-example.pstn.uma d916ce4f4a Avail        84.462
  Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
   Identify:  twilio-na-us-identify/twilio-na-us
        Match: 54.172.60.0:5061/32
        Match: 54.172.60.1:5061/32
        Match: 54.172.60.2:5061/32
        Match: 54.172.60.3:5061/32
        Match: 54.244.51.1:5061/32
        Match: 54.244.51.0:5061/32
        Match: 54.244.51.2:5061/32


 ParameterName                      : ParameterValue
 =========================================================
 100rel                             : yes
 @pjsip_wizard                      : twilio-na-us
 accept_multiple_sdp_answers        : false
 accountcode                        :
 acl                                :
 aggregate_mwi                      : true
 allow                              : (ulaw)
 allow_overlap                      : true
 allow_subscribe                    : false
 allow_transfer                     : true
 allow_unauthenticated_options      : false
 aors                               : twilio-na-us
 asymmetric_rtp_codec               : false
 auth                               :
 bind_rtp_to_media_address          : false
 bundle                             : false
 call_group                         :
 callerid                           : <unknown>
 callerid_privacy                   : allowed_not_screened
 callerid_tag                       :
 connected_line_method              : invite
 contact_acl                        :
 context                            : from-pstn
 cos_audio                          : 0
 cos_video                          : 0
 device_state_busy_at               : 0
 direct_media                       : false
 direct_media_glare_mitigation      : none
 direct_media_method                : invite
 disable_direct_media_on_nat        : false
 dtls_auto_generate_cert            : No
 dtls_ca_file                       :
 dtls_ca_path                       :
 dtls_cert_file                     :
 dtls_cipher                        :
 dtls_fingerprint                   : SHA-256
 dtls_private_key                   :
 dtls_rekey                         : 0
 dtls_setup                         : active
 dtls_verify                        : No
 dtmf_mode                          : rfc4733
 fax_detect                         : false
 fax_detect_timeout                 : 0
 follow_early_media_fork            : true
 force_avp                          : false
 force_rport                        : true
 from_domain                        :
 from_user                          :
 g726_non_standard                  : false
 geoloc_incoming_call_profile       :
 geoloc_outgoing_call_profile       :
 ice_support                        : false
 identify_by                        : username,ip
 ignore_183_without_sdp             : false
 inband_progress                    : false
 incoming_mwi_mailbox               :
 language                           :
 mailboxes                          :
 max_audio_streams                  : 1
 max_video_streams                  : 1
 media_address                      :
 media_encryption                   : sdes
 media_encryption_optimistic        : false
 media_use_received_transport       : false
 message_context                    :
 moh_passthrough                    : false
 moh_suggest                        : default
 mwi_from_user                      :
 mwi_subscribe_replaces_unsolicited : no
 named_call_group                   :
 named_pickup_group                 :
 notify_early_inuse_ringing         : false
 one_touch_recording                : false
 outbound_auth                      : twilio-na-us-oauth
 outbound_proxy                     :
 pickup_group                       :
 preferred_codec_only               : false
 record_off_feature                 : automixmon
 record_on_feature                  : automixmon
 refer_blind_progress               : true
 rewrite_contact                    : true
 rpid_immediate                     : false
 rtcp_mux                           : false
 rtp_engine                         : asterisk
 rtp_ipv6                           : false
 rtp_keepalive                      : 0
 rtp_symmetric                      : true
 rtp_timeout                        : 0
 rtp_timeout_hold                   : 0
 sdp_owner                          : -
 sdp_session                        : Asterisk
 send_connected_line                : yes
 send_diversion                     : true
 send_history_info                  : false
 send_pai                           : false
 send_rpid                          : false
 set_var                            :
 srtp_tag_32                        : false
 stir_shaken                        : off
 stir_shaken_profile                :
 sub_min_expiry                     : 0
 subscribe_context                  :
 suppress_q850_reason_headers       : false
 t38_bind_udptl_to_media_address    : false
 t38_udptl                          : false
 t38_udptl_ec                       : none
 t38_udptl_ipv6                     : false
 t38_udptl_maxdatagram              : 0
 t38_udptl_nat                      : false
 timers                             : yes
 timers_min_se                      : 90
 timers_sess_expires                : 1800
 tone_zone                          :
 tos_audio                          : 0
 tos_video                          : 0
 transport                          : 0.0.0.0-tls
 trust_connected_line               : yes
 trust_id_inbound                   : false
 trust_id_outbound                  : false
 use_avpf                           : false
 use_ptime                          : false
 user_eq_phone                      : false
 voicemail_extension                :
 webrtc                             : no

All endpoints:


 Endpoint:  155/155                                              Not in use    0 of inf
     InAuth:  155-iauth/155
        Aor:  155                                                2
      Contact:  155/sip:155@192.168.1.206:50362;transport= 7bb7e00d67 NonQual         nan

 Endpoint:  255/255                                              Unavailable   0 of inf
     InAuth:  255-iauth/255
        Aor:  255                                                2

 Endpoint:  355/355                                              Not in use    0 of inf
     InAuth:  355-iauth/355
        Aor:  355                                                2
      Contact:  355/sip:355@192.168.5.11:45035;x-reg=76E24 2a18060d91 NonQual         nan

 Endpoint:  twilio-na-us                                         Not in use    0 of inf
    OutAuth:  twilio-na-us-oauth/asterisk-pbx
        Aor:  twilio-na-us                                       0
      Contact:  twilio-na-us/sip:voice-example.pstn.ash 89788cb830 Avail        22.558
      Contact:  twilio-na-us/sip:voice-example.pstn.uma d916ce4f4a Avail       407.569
  Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
   Identify:  twilio-na-us-identify/twilio-na-us
        Match: 54.172.60.0:5061/32
        Match: 54.172.60.1:5061/32
        Match: 54.172.60.2:5061/32
        Match: 54.172.60.3:5061/32
        Match: 54.244.51.1:5061/32
        Match: 54.244.51.0:5061/32
        Match: 54.244.51.2:5061/32


Objects found: 4


I hope they don’t come back and tell me they don’t support pjsip since their suggestions seem like a reworked chan_sip config. I may just start from scratch on this if they can’t help me.

Starting from scratch, here is my draft pjsip config; this was hacked together using Twilio’s “suggestions” and following here: https://docs.asterisk.org/Configuration/Channel-Drivers/SIP/Configuring-res_pjsip/res_pjsip-Configuration-Examples/#a-sip-trunk-to-your-service-provider-including-outbound-registration

Have no idea if it will work, but I think it is pretty close. Hope to have time later to start testing. As always, open to criticisms.

[global]
type=global

; =================TRANSPORTS
[transport-udp-nat]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=voice.example.com
external_signaling_address=voice.example.com
allow_reload=no
tos=cs3
cos=3
local_net=192.168.1.0/24
local_net=192.168.2.0/24
local_net=192.168.5.0/24
local_net=192.168.50.0/24

[transport-tls-nat]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_media_address=voice.example.com
external_signaling_address=voice.example.com
; trunk cert for ingress
ca_list_file=/etc/asterisk/keys/ca.crt
; trunk cert for egress
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
; method=tlsv1_2
; cipher=
verify_client=no
verify_server=no
allow_reload=no
tos=cs3
cos=3
local_net=192.168.1.0/24
local_net=192.168.2.0/24
local_net=192.168.5.0/24
local_net=192.168.50.0/24

;========== TRUNK TEMPLATE

[twilio-trunks](!)
type=endpoint
transport=transport-tls-nat
context=from-pstn
disallow=all
allow=ulaw
; twilio specific
t38_udptl=no
t38_udptl_ec=none
fax_detect=no
trust_id_inbound=no
t38_udptl_nat=no
direct_media=no
rewrite_contact=yes
rtp_symmetric=yes
dtmf_mode=rfc4733
allow_subscribe = no
qualify_frequency = 60
media_encryption = sdes


[auth-out](!)
type=auth
auth_type=userpass

;=============TRUNK

[twilio0](twilio-trunks)
aors=twilio0-aors
outbound_auth=twilio0-auth

[twilio0-aors]
type=aor
contact=sip:voice-example.pstn.twilio.com:5061

[twilio0-ident]
type=identify
endpoint=twilio0
match=54.172.60.0
match=54.172.60.1
match=54.172.60.2
match=54.172.60.3

[twilio0-auth](auth-out)
password=xxxxsecretxxxxx
username=ast-pbx

; ============= EXTENSIONS =============

;==============ENDPOINT TEMPLATES
[endpoint-basic](!)
type=endpoint
transport=transport-udp-nat
context=from-internal
disallow=all
allow=ulaw
; twilio specifics
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
dtmf_mode = rfc4733
aggregate_mwi = yes
use_avpf = no
rtcp_mux = no
bundle = no
ice_support = no
media_use_received_transport = no
trust_id_inbound = yes
media_encryption = no
timers = yes
media_encryption_optimistic = no
send_pai = yes
rtp_symmetric = yes
rewrite_contact = yes
force_rport = yes
language = en


[auth-userpass](!)
type=auth
auth_type=userpass

[aor-single-reg](!)
type=aor
max_contacts=2

;=========== EXTENSION 155
[155](endpoint-basic)
auth=auth155
aors=155

[auth155](auth-userpass)
password=secretpw
username=155

[155](aor-single-reg)

;=========== EXTENSION 255
[255](endpoint-basic)
auth=auth255
aors=255

[auth255](auth-userpass)
password=secretpw
username=255

[255](aor-single-reg)


;=========== EXTENSION 355
[355](endpoint-basic)
auth=auth355
aors=355

[auth355](auth-userpass)
password=secretpw
username=355

[355](aor-single-reg)

This should be, or include, the certificate that Twilio use to sign the certificates for their server. Putting Asterisk’s CA certificate here isn’t going to be useful for Twilio connectivity. You include it here when you have used it to sign certificates installed in local phones.


Thanks David for catching that.

I could try to make it simpler, but I am assuming I need all those settings (tos_audio, tos_video, etc.) for Twilio. I have asked them for their required settings but just get crickets out of them.

Well my week of fun is coming to a close, finally have everything working over tls with media encryption.

So for anyone following along, there were two configuration omissions on the Twilio guide that needed to be addressed.

The “no matching endpoint” was rectified with these additions (these would go under the “trunk_defaults” section in the Twilio config):

identify/match=54.172.60.0/30
identify/match=54.172.51.0/30
identify/match=34.203.250.0/23
identify/match=168.86.128.0/18

Or as it is in my config:

[twilio0-ident]
type=identify
endpoint=twilio0
match=54.172.60.0/30
match=54.172.51.0/30
match=34.203.250.0/23
match=168.86.128.0/18

I don’t really understand why these were needed just enabling encryption, but they were.

Once I got that sorted out after using the new pjsip config, I needed to enable media encryption on the extension endpoints and set the transport to tls with these additions:

For endpoints/template:

transport=transport-tls-nat
media_encryption = sdes

For the stock Twilio guide these would need to be added to the “user_defaults” section in the wizard file:

endpoint/transport=0.0.0.0-tls
endpoint/media_encryption = sdes

Big Thanks to David for the sanity checks on this learning exercise!

Happy SIPing!
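As an added example (not from the thread, Twilio or Asterisk), here is a small Python model of identify matching that contrasts the wizard-generated port-qualified `:5061/32` entries shown in the `pjsip show endpoint` output with the port-less CIDR ranges in the fix. It assumes that a port in a `match=` value must equal the request's source port, which is my reading of `res_pjsip_endpoint_identifier_ip` and not something the thread confirms; a TLS connection from the provider arrives from an ephemeral source port, so that assumption would explain the original "no matching endpoint".

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class IdentifyMatch(NamedTuple):
    network: ipaddress.IPv4Network
    port: Optional[int]  # None means "any source port"


def parse_match(value: str) -> IdentifyMatch:
    """Parse a pjsip identify 'match=' value of the form ip[:port][/prefix] (IPv4 only)."""
    if "/" in value:
        addr, prefix = value.rsplit("/", 1)
    else:
        addr, prefix = value, "32"  # bare address behaves like a /32
    port = None
    if ":" in addr:
        addr, port_str = addr.split(":", 1)
        port = int(port_str)
    return IdentifyMatch(ipaddress.ip_network(f"{addr}/{prefix}", strict=False), port)


def identify_endpoint(matches: List[Tuple[str, str]], src_ip: str, src_port: int) -> Optional[str]:
    """Return the first endpoint whose match covers src_ip (and src_port, if the
    match names a port); None models Asterisk's 'No matching endpoint found'."""
    ip = ipaddress.ip_address(src_ip)
    for endpoint, value in matches:
        m = parse_match(value)
        if ip in m.network and (m.port is None or m.port == src_port):
            return endpoint
    return None


# Constructed data: the port-qualified /32 entries the wizard generated, and the
# CIDR ranges from the fix posted above.
WIZARD_MATCHES = [("twilio-na-us", f"54.172.60.{i}:5061/32") for i in range(4)]
FIXED_MATCHES = [("twilio0", "54.172.60.0/30"), ("twilio0", "54.172.51.0/30"),
                 ("twilio0", "34.203.250.0/23"), ("twilio0", "168.86.128.0/18")]

if __name__ == "__main__":
    # Traffic from the provider's signalling port satisfies both rule sets...
    print(identify_endpoint(WIZARD_MATCHES, "54.172.60.1", 5061))
    # ...but a TLS connection from an ephemeral source port only matches the CIDR rules.
    print(identify_endpoint(WIZARD_MATCHES, "54.172.60.1", 51234))
    print(identify_endpoint(FIXED_MATCHES, "54.172.60.1", 51234))
```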
