Unable to call secure SIP+TLS call on outgoing trunk

I have configured a Twilio Elastic SIP trunk with an Asterisk box. The SIP trunk is configured to be secure with TLS and SRTP. The flow is: the Twilio trunk places a call to our Asterisk box, and then the Asterisk box dials a new number on the outgoing Twilio trunk.

Having configured a secure trunk between Twilio and Asterisk, I see that Asterisk is receiving the secure call from Twilio, but when I continue the call with the Dial command on the outgoing trunk, it goes out as an insecure INVITE and the Twilio server responds with 488 (secure SIP transport is required).

This is the sip.conf:

[general]
bindport=5090
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client
tlsdontverifyserver=yes

disallow=all
allow=ulaw
allow=alaw
allow=gsm
qualify=no
directmedia=yes
directrtpsetup=yes
canreinvite=yes
externip=34.204.71.122

[vsp](!)
type=peer
context=from-vsp
host=dynamic

[vsp1](vsp)
host=10.0.36.133

[vsp2](vsp)
host=34.207.132.108

[twilio-trunk](!)
type=peer
context=from-twilio ;Which dialplan to use for incoming calls
dtmfmode=rfc2833
;canreinivite=yes
directmedia=yes
directrtpsetup=yes
insecure=port,invite
transport=tls
encryption=yes
media_encryption=sdes

[twilio0](twilio-trunk)
host=dev-vsp-trunk-secure.pstn.twilio.com ;Our Termination URI
remotesecret=****** ;password, if you are using credentials
defaultuser=******* ;username, if you are using credentials

[twilio1](twilio-trunk)
host=54.172.60.2

This is the extensions.conf:

[from-twilio]
exten => +13095189039,1,GotoIf($["${CHANNEL(secure_signaling)}" = "1"]?:fail)
exten => +13095189039,n,GotoIf($["${CHANNEL(secure_media)}" = "1"]?:fail)
exten => +13095189039,n,Dial(SIP/+919873634798@dev-vsp-trunk-secure.pstn.twilio.com)
exten => +13095189039,n,Hangup
exten => +13095189039,n(fail),Playback(vm-goodbye)
exten => +13095189039,n,Hangup

This is the PCAP trace:
https://drive.google.com/file/d/1KithVU4odW8D5XsObZgtMRpPt7eblTGL/view?usp=sharing

Thanks in advance.

Regards
Durgesh

There is no dev-vsp-trunk-secure.pstn.twilio.com section in your sip.conf, so Asterisk will make a call based only on the information in the general section.

Also note that canreinvite and directmedia are the same thing, so you can’t sensibly specify both.

Why are you trying to use TLS with man in the middle attack checking disabled?
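As an added illustration of the lookup rule described above (not code from this thread or from Asterisk), here is a small Python checker that parses a sip.conf with `[child](parent)` template inheritance and reports what Asterisk would use for the part after `@` in a Dial target. The sip.conf excerpt is constructed to mirror the thread's layout with secrets left out, and the fallback-to-[general] behaviour is taken from the reply above.

```python
import re

# Constructed sip.conf excerpt modelled on the thread (secrets omitted); not the original post's file.
SIP_CONF = """[general]
tlsdontverifyserver=yes
[twilio-trunk](!)
type=peer
transport=tls
encryption=yes
[twilio0](twilio-trunk)
host=dev-vsp-trunk-secure.pstn.twilio.com
"""

HEADER = re.compile(r'^\[([^\]]+)\](?:\(([^)]*)\))?$')

def parse_sip_conf(text):
    """Parse sip.conf into {section: {key: value}}, applying [child](parent) inheritance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # drop ';' comments and whitespace
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = {}
            for parent in (m.group(2) or '').split(','):
                if parent.strip() not in ('', '!'):  # '(!)' only marks a template
                    current.update(sections.get(parent.strip(), {}))
            sections[m.group(1)] = current
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()
    return sections

def check_dial_target(sections, target):
    """Findings for the part after '@' in Dial(SIP/number@target)."""
    findings = []
    peer = sections.get(target)
    if peer is None:  # no peer of that name: the call uses [general] settings only
        findings.append(f"no peer section named {target}; call uses [general] settings only")
        peer = sections.get('general', {})
    if peer.get('transport') != 'tls':
        findings.append("transport is not tls: INVITE goes out unencrypted")
    if peer.get('encryption') != 'yes':
        findings.append("encryption=yes missing: no SRTP offered")
    if sections.get('general', {}).get('tlsdontverifyserver') == 'yes':
        findings.append("tlsdontverifyserver=yes: peer certificate is not verified")
    return findings
```

Running `check_dial_target` against the bare domain from the dialplan reproduces the thread's failure (no TLS, no SRTP), while the named peer `twilio0` passes apart from the disabled certificate check.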

Thanks David. You hit the bull's eye. There was no section for the outgoing domain. That fixed the issue.

I wanted to bypass the media altogether, hence I put in all possible configuration to do so. But I haven't been able to bypass media at all. Hence canreinvite and directmedia are both enabled.

Regarding the man-in-the-middle attack, are you referring to 'tlsdontverifyserver=yes'? If so, eventually I will disable it.

Thanks for all the help.

If SRTP is enabled then direct media is disabled.
