Trying to get pjsip and tls

Asterisk Asterisk SIP
1

Hi I’m in need of some help

I have tried setting up and the phone (Zoiper) does register but gets a sip/488 Not acceptable here bearer capability not presently available When trying to call and can’t receive calls My trunk gateway is a cisco cube and I’m using chan_sip to connect to it over port 5060. Pjsip is listening on port 5061 for tls

my pjsip_wizard.conf file

[dsiemens]
type = wizard
accepts_auth = yes
accepts_registrations = yes
transport = transport-tls
has_hint = yes
hint_exten = 32897
aor/max_contacts = 5
inbound_auth/username = dsiemens
inbound_auth/password = testpassword
endpoint/allow = ulaw
endpoint/context = stations
endpoint/rewrite_contact = yes

my pjsip.conf file
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1
verify_client=no
verify_server=no

There is no nat involved in this setup. All is on private network space with routing.

pjsip logger data
[Oct 31 06:44:40] <— Received SIP request (1377 bytes) from TLS:10.119.101.243:50330 —>
[Oct 31 06:44:40] INVITE sip:998166121399@10.123.240.20;transport=TLS SIP/2.0
[Oct 31 06:44:40] Via: SIP/2.0/TLS 10.119.101.243:5061;branch=z9hG4bK-524287-1—9170592cea141632
[Oct 31 06:44:40] Max-Forwards: 70
[Oct 31 06:44:40] Contact: sip:dsiemens@10.119.101.243:5061;transport=tls
[Oct 31 06:44:40] To: sip:998166121399@10.123.240.20;transport=TLS
[Oct 31 06:44:40] From: sip:dsiemens@10.123.240.20;transport=TLS;tag=e67b5677
[Oct 31 06:44:40] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:40] CSeq: 1 INVITE
[Oct 31 06:44:40] Content-Type: application/sdp
[Oct 31 06:44:40] User-Agent: Z 3.14.38765 rv2.8.3
[Oct 31 06:44:40] Allow-Events: presence, kpml, talk
[Oct 31 06:44:40] Content-Length: 868
[Oct 31 06:44:40]
[Oct 31 06:44:40] v=0
[Oct 31 06:44:40] o=Z 0 0 IN IP4 10.119.101.243
[Oct 31 06:44:40] s=Z
[Oct 31 06:44:40] c=IN IP4 10.119.101.243
[Oct 31 06:44:40] t=0 0
[Oct 31 06:44:40] m=audio 20000 RTP/SAVP 18 3 110 8 0 97 101
[Oct 31 06:44:40] a=rtpmap:18 G729/8000
[Oct 31 06:44:40] a=fmtp:18 annexb=no
[Oct 31 06:44:40] a=rtpmap:110 speex/8000
[Oct 31 06:44:40] a=rtpmap:97 iLBC/8000
[Oct 31 06:44:40] a=fmtp:97 mode=30
[Oct 31 06:44:40] a=rtpmap:101 telephone-event/8000
[Oct 31 06:44:40] a=fmtp:101 0-16
[Oct 31 06:44:40] a=sendrecv
[Oct 31 06:44:40] a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs9qqUEislybog==
[Oct 31 06:44:40] a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs9qqUEislybog==
[Oct 31 06:44:40] a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs8=
[Oct 31 06:44:40] a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs8=
[Oct 31 06:44:40] a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4L
[Oct 31 06:44:40] a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4L
[Oct 31 06:44:40]
[Oct 31 06:44:40] <— Transmitting SIP response (519 bytes) to TLS:10.119.101.243:50330 —>
[Oct 31 06:44:40] SIP/2.0 401 Unauthorized
[Oct 31 06:44:40] Via: SIP/2.0/TLS 10.119.101.243:5061;rport=50330;received=10.119.101.243;branch=z9hG4bK-524287-1—9170592cea141632
[Oct 31 06:44:40] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:40] From: sip:dsiemens@10.123.240.20;tag=e67b5677
[Oct 31 06:44:40] To: sip:998166121399@10.123.240.20;tag=z9hG4bK-524287-1—9170592cea141632
[Oct 31 06:44:40] CSeq: 1 INVITE
[Oct 31 06:44:40] WWW-Authenticate: Digest realm=“asterisk”,nonce=“1540993480/20cfdbd1b2e1e5b746fa23dd71cc8bc3”,opaque=“4c607bf05724a7d9”,algorithm=md5,qop=“auth”
[Oct 31 06:44:40] Server: Asterisk PBX 16.0.0
[Oct 31 06:44:40] Content-Length: 0
[Oct 31 06:44:40]
[Oct 31 06:44:40]
[Oct 31 06:44:41] <— Received SIP request (367 bytes) from TLS:10.119.101.243:50330 —>
[Oct 31 06:44:41] ACK sip:998166121399@10.123.240.20;transport=TLS SIP/2.0
[Oct 31 06:44:41] Via: SIP/2.0/TLS 10.119.101.243:5061;branch=z9hG4bK-524287-1—9170592cea141632
[Oct 31 06:44:41] Max-Forwards: 70
[Oct 31 06:44:41] To: sip:998166121399@10.123.240.20;tag=z9hG4bK-524287-1—9170592cea141632
[Oct 31 06:44:41] From: sip:dsiemens@10.123.240.20;transport=TLS;tag=e67b5677
[Oct 31 06:44:41] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:41] CSeq: 1 ACK
[Oct 31 06:44:41] Content-Length: 0
[Oct 31 06:44:41]
[Oct 31 06:44:41]
[Oct 31 06:44:41] <— Received SIP request (1687 bytes) from TLS:10.119.101.243:50330 —>
[Oct 31 06:44:41] INVITE sip:998166121399@10.123.240.20;transport=TLS SIP/2.0
[Oct 31 06:44:41] Via: SIP/2.0/TLS 10.119.101.243:5061;branch=z9hG4bK-524287-1—285072723dbc3bc4
[Oct 31 06:44:41] Max-Forwards: 70
[Oct 31 06:44:41] Contact: sip:dsiemens@10.119.101.243:5061;transport=tls
[Oct 31 06:44:41] To: sip:998166121399@10.123.240.20;transport=TLS
[Oct 31 06:44:41] From: sip:dsiemens@10.123.240.20;transport=TLS;tag=e67b5677
[Oct 31 06:44:41] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:41] CSeq: 2 INVITE
[Oct 31 06:44:41] Content-Type: application/sdp
[Oct 31 06:44:41] User-Agent: Z 3.14.38765 rv2.8.3
[Oct 31 06:44:41] Authorization: Digest username=“dsiemens”,realm=“asterisk”,nonce=“1540993480/20cfdbd1b2e1e5b746fa23dd71cc8bc3”,uri=“sip:998166121399@10.123.240.20;transport=TLS”,response=“9d34a995ac26a58c0be0d592a90eaa88”,cnonce=“f910af632a24e7c9ab09f9e15b7fb6a8”,nc=00000001,qop=auth,algorithm=md5,opaque=“4c607bf05724a7d9”
[Oct 31 06:44:41] Allow-Events: presence, kpml, talk
[Oct 31 06:44:41] Content-Length: 868
[Oct 31 06:44:41]
[Oct 31 06:44:41] v=0
[Oct 31 06:44:41] o=Z 0 0 IN IP4 10.119.101.243
[Oct 31 06:44:41] s=Z
[Oct 31 06:44:41] c=IN IP4 10.119.101.243
[Oct 31 06:44:41] t=0 0
[Oct 31 06:44:41] m=audio 20000 RTP/SAVP 18 3 110 8 0 97 101
[Oct 31 06:44:41] a=rtpmap:18 G729/8000
[Oct 31 06:44:41] a=fmtp:18 annexb=no
[Oct 31 06:44:41] a=rtpmap:110 speex/8000
[Oct 31 06:44:41] a=rtpmap:97 iLBC/8000
[Oct 31 06:44:41] a=fmtp:97 mode=30
[Oct 31 06:44:41] a=rtpmap:101 telephone-event/8000
[Oct 31 06:44:41] a=fmtp:101 0-16
[Oct 31 06:44:41] a=sendrecv
[Oct 31 06:44:41] a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs9qqUEislybog==
[Oct 31 06:44:41] a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs9qqUEislybog==
[Oct 31 06:44:41] a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs8=
[Oct 31 06:44:41] a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4LXY0CGfyfHs8=
[Oct 31 06:44:41] a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4L
[Oct 31 06:44:41] a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:wMcs/Els9tOr90YPjbtCHOrhvdikBrtRKCSM0x4L
[Oct 31 06:44:41]
[Oct 31 06:44:41] == Setting global variable ‘SIPDOMAIN’ to ‘10.123.240.20’
[Oct 31 06:44:41] <— Transmitting SIP response (326 bytes) to TLS:10.119.101.243:50330 —>
[Oct 31 06:44:41] SIP/2.0 100 Trying
[Oct 31 06:44:41] Via: SIP/2.0/TLS 10.119.101.243:5061;rport=50330;received=10.119.101.243;branch=z9hG4bK-524287-1—285072723dbc3bc4
[Oct 31 06:44:41] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:41] From: sip:dsiemens@10.123.240.20;tag=e67b5677
[Oct 31 06:44:41] To: sip:998166121399@10.123.240.20
[Oct 31 06:44:41] CSeq: 2 INVITE
[Oct 31 06:44:41] Server: Asterisk PBX 16.0.0
[Oct 31 06:44:41] Content-Length: 0
[Oct 31 06:44:41]
[Oct 31 06:44:41]
[Oct 31 06:44:41] <— Transmitting SIP response (380 bytes) to TLS:10.119.101.243:50330 —>
[Oct 31 06:44:41] SIP/2.0 488 Not Acceptable Here
[Oct 31 06:44:41] Via: SIP/2.0/TLS 10.119.101.243:5061;rport=50330;received=10.119.101.243;branch=z9hG4bK-524287-1—285072723dbc3bc4
[Oct 31 06:44:41] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:41] From: sip:dsiemens@10.123.240.20;tag=e67b5677
[Oct 31 06:44:41] To: sip:998166121399@10.123.240.20;tag=0790865c-2954-4ff3-b6b2-4686a9c3d0f9
[Oct 31 06:44:41] CSeq: 2 INVITE
[Oct 31 06:44:41] Server: Asterisk PBX 16.0.0
[Oct 31 06:44:41] Content-Length: 0
[Oct 31 06:44:41]
[Oct 31 06:44:41]
[Oct 31 06:44:41] <— Received SIP request (368 bytes) from TLS:10.119.101.243:50330 —>
[Oct 31 06:44:41] ACK sip:998166121399@10.123.240.20;transport=TLS SIP/2.0
[Oct 31 06:44:41] Via: SIP/2.0/TLS 10.119.101.243:5061;branch=z9hG4bK-524287-1—285072723dbc3bc4
[Oct 31 06:44:41] Max-Forwards: 70
[Oct 31 06:44:41] To: sip:998166121399@10.123.240.20;tag=0790865c-2954-4ff3-b6b2-4686a9c3d0f9
[Oct 31 06:44:41] From: sip:dsiemens@10.123.240.20;transport=TLS;tag=e67b5677
[Oct 31 06:44:41] Call-ID: oF3gVb4kL31fjeEx5ondOQ…
[Oct 31 06:44:41] CSeq: 2 ACK
[Oct 31 06:44:41] Content-Length: 0
[Oct 31 06:44:41]
[Oct 31 06:44:41]

2

This wouldn’t bind PJSIP to port 5061; it’d try to bind it to the default port, 5060. You’d need:

bind=0.0.0.0:5061
3

I’m bound on the right port

 0 0.0.0.0:5061            0.0.0.0:*               LISTEN      7652/asterisk

And I’m also generating traffic for this

as well
ip-10-123-240-20*CLI> pjsip show transports

Transport: <TransportId…> <BindAddress…>

Transport: transport-tls tls 0 0 0.0.0.0:5061

Objects found: 1

4

I stand corrected. I must presume then that the transport selection of tls defaults to port 5061.

5

That line indicates that the endpoint is requesting media encryption. I don’t use wizards, so I can’t comment on them. But, for a normal endpoint, one would need to set media_encryption if what’s showing up is requesting SAVP.

6

That was it. I set the media_encryption = sdes

A lot of stuff is messed up yet on the total config one step forward.

7

so now I want to try over the internet where NAT is involved.
What changes do I need to the config

8

dsiemens did you get it working with NAT?