UDP and TLS on different interfaces


#1

Hi there!
I am configuring my PBX with chan_sip and everything works fine. I also have configured TLS, but my phones do not support it. So, I would like to use TLS for remote users and UDP for internal users. I have two interfaces, one with a private IP and one with a public one.
How could I configure two different transport protocols for the same extension? Remote users can use the same extensions as internal users.

Cheers:)


#2

Extensions don’t have transport protocols!

My guess is this is more a phone thing. The phone needs to register over TLS when remote and register over UDP when local. Although I’m not certain, I’d hope the transport is taken from the Contact header of the registration.


#3

This is the setup I need to configure but don’t know how:

SIP phone from Internet -> External interface -> TLS -> Extension 200

SIP phone from local network -> Internal interface -> UDP -> Extension 200

A phone from Internet cannot reach UDP and a phone from local cannot reach TLS. How can I configure this in sip.conf?


#4

You don’t. As I said, you configure it in the phone.

Also, the arrow to Extension 200 is wrong. The sip.conf entries don’t have to be the same for the two cases, although making them different may require changing the device name, as well as the transport. Extension 201 can try calling both devices. Extensions are irrelevant for incoming calls.


#5

The schema is for the phone registration, not for an incoming call, sorry. In the configuration that I have now, TLS is enabled but UDP is not listening anymore. Current configuration:

[general]
srvlookup=yes
qualify=yes
tlsenable=yes
tlsbindaddr=0.0.0.0          ; TLS listener on all interfaces, default port 5061
tlscertfile=/ca.pem          ; certificate (PEM) presented to TLS clients
tlscafile=/ca.crt            ; CA file used to verify the far end's certificate
tlsclientmethod=ALL          ; only affects outbound TLS connections
tlscipher=ALL
tlsdontverifyserver=yes      ; skips certificate verification when Asterisk is the TLS client
nat=force_rport,comedia
context=incoming

[200]
type=friend
context=internal
allow=alaw,ulaw
host=dynamic
transport=tls                ; this device is TLS-only; a REGISTER over UDP is not accepted for it
secret=secret

How do I re-enable UDP but maintaining TLS?


#6

transport=tls,udp

or probably better,

[200U]

transport=udp

[200T]

transport=tls

Also please change type=friend to type=peer. Although not relevant to the current issue, it is more secure.

Also, how do you stop the UDP-only device and the TLS-capable device from registering at the same time? chan_sip doesn’t support that.
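As an added example (not from any post in this thread), here is a sip.conf layout for the setup asked about in #3, built on the advice in #4 and #6: each transport bound to its own interface, one device entry per transport so both phones can be registered at once, type=peer instead of type=friend, and the permissive TLS settings from #5 tightened. The interface addresses, LAN range, certificate paths, secrets and the dialplan fragment are assumptions chosen for illustration; replace them with your own.

```ini
; --- sip.conf (added example, assumed values) ---
[general]
srvlookup=yes
context=incoming
alwaysauthreject=yes            ; same rejection for unknown user and wrong password
allowguest=no                   ; no unauthenticated calls into 'incoming'
nat=force_rport,comedia

; Assumed interfaces: 10.0.0.1 is the internal (private) interface,
; 203.0.113.10 the external (public) one. Binding each transport to one
; address is what keeps UDP off the Internet and TLS off the LAN.
udpbindaddr=10.0.0.1:5060       ; plain UDP only on the LAN side
tlsenable=yes
tlsbindaddr=203.0.113.10:5061   ; TLS only on the Internet side

; Was: tlscertfile=/ca.pem and tlscafile=/ca.crt (paths below are assumed)
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; server cert + key, PEM
tlscafile=/etc/asterisk/keys/ca.crt           ; CA used to verify far-end certs
; Was: tlsdontverifyserver=yes, which disables verification of the far end
tlsdontverifyserver=no
; Was: tlscipher=ALL, which admits NULL and export ciphers
tlscipher=HIGH:!aNULL:!MD5:!RC4
; Was: tlsclientmethod=ALL; this only affects outbound TLS connections
tlsclientmethod=tlsv1           ; newer versions also accept tlsv1_2

; Two device entries per user, with distinct names, so the LAN phone and the
; remote phone can both be registered at the same time.

; LAN phone, UDP only, and only from the assumed LAN range
[200U]
type=peer
host=dynamic
transport=udp
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.255.255.0
context=internal
allow=alaw,ulaw
qualify=yes
secret=CHANGEME-lan             ; placeholder

; Remote phone, TLS only, with SRTP required for media
[200T]
type=peer
host=dynamic
transport=tls
encryption=yes
context=internal
allow=alaw,ulaw
qualify=yes
secret=CHANGEME-remote          ; placeholder, different from 200U

; --- extensions.conf (added example) ---
[internal]
; Extension 200 rings whichever of the two devices is registered, or both.
exten => 200,1,Dial(SIP/200U&SIP/200T,30)
 same => n,Hangup()
```

After a reload, `sip show settings` on the Asterisk CLI shows which addresses the UDP and TLS listeners are bound to, and `sip show peers` shows whether 200U and 200T have registered over the expected transport.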