asterisk users - Dec 2004 - How to connect two Asterisks as secure as possible without too much additional bandwidth ?

Hi,

I plan to connect to remote Asterisk that will terminate calls to ISDN
primary channel. I'd certainly like to secure this type of service, so would
kindly ask for any advice on how to secure this authentication as much as
reasonably possible.

Since there is long IP route I guess VPN will take too much additional
bandwidth...

Regards,

Robert.

Robert Rozman wrote:
> Hi,
> 
> I plan to connect to remote Asterisk that will terminate calls to ISDN
> primary channel. I'd certainly like to secure this type of service, so
would
> kindly ask for any advice on how to secure this authentication as much as
> reasonably possible.
What are you trying to secure? The entire datastream, the 
authentication(username/passwords), and/or the voice traffic itself?

--
Andrew Thompson
http://aktzero.com/

I would love to see it.. but we need to get that codec ordering stuff tony
and I worked on but nobody seems to be even remotely interested in.

http://bugs.digium.com/bug_view_page.php?bug_id=0002971

bkw
> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-
> bounces@lists.digium.com] On Behalf Of Olle E. Johansson
> Sent: Monday, December 27, 2004 3:07 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [Asterisk-Users] How to connect two Asterisks as
> secureaspossiblewithout too much additional bandwidth ?
> 
> Brian West wrote:
> > OpenVPN
> >
> What happened to AES in IAX2?
> 
> /O
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users

Couldn't you just tunnel the involved ports over SSH?  As far as bandwidth
is concerned you could enable compression and may even end up with a smaller
data stream.  You could generate both keys before hand and very simply do
this on a *nix box.  This would probably require both peers to have an
adequate speed cpu, enough to avoid any delay added by the encrypting
subsequently causing jitter. 
Is this flawed because RTP streams are on unpredictable ports?  I think only
signaling (SIP/IAX) uses 5060 and RTP streams take place on random ports.

Rustin Bergren

-----Original Message-----
From: asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Robert Rozman
Sent: Saturday, December 25, 2004 9:07 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [Asterisk-Users] How to connect two Asterisks as secure as
possiblewithout too much additional bandwidth ?

Hi,

I plan to connect to remote Asterisk that will terminate calls to ISDN
primary channel. I'd certainly like to secure this type of service, so would
kindly ask for any advice on how to secure this authentication as much as
reasonably possible.

Since there is long IP route I guess VPN will take too much additional
bandwidth...

Regards,

Robert.

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

This problem is being solved.
See 
http://lists.digium.com/pipermail/asterisk-users/2004-November/073666.html
I am currently in pre-testing phase of development.

Features include:
       Optional Secondary Compression
       Selectable Encryption Level, from 32bit to 1024bit
       Uses UDP
       Voice and Data over same Link
       Trunking
       ADSI Support

--
Christopher Dobbs

I am a VoicePulse.com user although I have never been able to connect.
I have no dialtone nor can I determine if I have been authenticated.
Do I need to configure for sip? I was told I did not need SIP. 
Voicepulse does support sip . . . 

Asterisk does start and runs stably. I can login locally with "asterisk
-r"
no problem. When I logged into my SPA 2000 using its web interface I noticed 
it is not registered. Below are my ipfilter and ipnat rules. (The firewall/
gateway is FreeBSD 5.3 but since I could not compile asterisk on FreeBSD 5.3 an
"internal" gentoo machine is running it.)

from /var/log/asterisk/messages:

Dec 29 03:05:19 WARNING[18636]: Unable to open IAX timing interface: No such
file or directory
Dec 29 03:05:20 WARNING[18636]: Unable to get our IP address, Skinny disabled
Dec 29 03:05:20 WARNING[18636]: Read error on sound device: Resource temporarily
unavailable
Dec 29 03:05:20 WARNING[18636]: Unable to get IP address for
localhost.localdomain, SIP disabled
Dec 29 03:07:48 WARNING[18664]: Unable to open pseudo channel for timing... 
Sound may be choppy.
Dec 29 03:07:48 WARNING[18664]: Unable to get our IP address, MGCP disabled

I am able to access the Internet in any other protocol from the Asterisk/Gentoo
box.

ipnat.conf:

rdr fxp0 0.0.0.0/0 port 4569 -> 10.0.0.147 port 4569 udp
rdr fxp0 0.0.0.0/0 port 5036 -> 10.0.0.147 port 5036 udp
rdr fxp0 0.0.0.0/0 port 5060 -> 10.0.0.147 port 5060 udp
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:65000
map fxp0 10.0.0.0/24 -> 0/32

pertinant ipf.conf rules:

Internal NIC is vr0

pass in quick on vr0 from any to any
pass out quick on vr0 from any to any

External NIC is fxp0 but I need not mention it in the below rules.

pass in quick proto udp from 66.234.228.170 to 24.98.219.30/32 port = 4569 group
 10
 pass in quick proto udp from 66.234.228.170 to 24.98.219.30/32 port = 5036
group
  10
  pass in quick proto udp from 66.234.228.170 to 24.98.219.30/32 port = 5060
group
   10