asterisk users - Sep 2013 - Asterisk 11.5.1 / TLS and Media Encryption / Blink as Client / no audio

Hi,

I use Asterisk 11.5.1 and it works fine. :)

Now I want to use TLS and media encryption. I followed this guide:
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

When I place a call via Blink-Client (0.5.0) I get connected and Blink 
shows 2 locks. The blue lock shows "Signaling is encrypted using TLS" 
and the orange lock shows "Media is encrypted using sRTP". BUT i hear
no
audio. After ~60 seconds I get the following message:
NOTICE[21005]: chan_sip.c:28800 check_rtp_timeout: Disconnecting call 
'SIP/tgoellner-0000002c' for lack of RTP activity in 62 seconds

"sip show peers" shows me, that my Blink-Client is registered on port 
60071. All other SIP-Clients (no TLS an no media encryption) are 
registered at port 5060.

I tried to open the tcp and udp port range from 10000 to 61000 (in 
iptables). But with no success.

I am not sure, but I think it's a firewall/NAT problem?! (Yes, my client 
is behind a router > NAT)

Any idea?

-Thorsten-

On Tue, Sep 3, 2013 at 8:58 AM, Thorsten G?llner <tg at ovm-group.com>
wrote:
> Hi,
>
> I use Asterisk 11.5.1 and it works fine. :)
>
> Now I want to use TLS and media encryption. I followed this guide:
> https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
>
> When I place a call via Blink-Client (0.5.0) I get connected and Blink
shows
> 2 locks. The blue lock shows "Signaling is encrypted using TLS"
and the
> orange lock shows "Media is encrypted using sRTP". BUT i hear no
audio.
> After ~60 seconds I get the following message:
> NOTICE[21005]: chan_sip.c:28800 check_rtp_timeout: Disconnecting call
> 'SIP/tgoellner-0000002c' for lack of RTP activity in 62 seconds
>
> "sip show peers" shows me, that my Blink-Client is registered on
port 60071.
> All other SIP-Clients (no TLS an no media encryption) are registered at
port
> 5060.
>
> I tried to open the tcp and udp port range from 10000 to 61000 (in
> iptables). But with no success.
>
> I am not sure, but I think it's a firewall/NAT problem?! (Yes, my
client is
> behind a router > NAT)
>
> Any idea?
It would help to  wireshark or tcpdump on the system and see if you
can verify what is happening on the wire (both on the client side and
Asterisk side). Then turn on RTP debug in Asterisk and compare that to
what you see on the wire.

You could always try putting a separate, isolated machine temporarily
in a DMZ, then try the same configuration there. If it works there,
you can capture the successful traffic and see what ports and things
you need open on the firewalled system.


-- 
Rusty Newton
Digium, Inc. | Community Support Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
direct: +1 256 428 6200

Check us out at: http://digium.com & http://asterisk.org