Stefan Gofferje
2008-Aug-08 20:23 UTC
[asterisk-users] IAX2 encryption - LAN. no, INET: yes???
Hi,

I have configured all IAX clients with encryption. I use Zoiper as a softphone. When I make a call in the LAN from desktop-PC to *, the call is - according to wireshark not encrypted. Wireshark identifies the packets as normal G.711 mu-law packets. However, * reports the client as encrypted:

k-tanco*CLI> iax2 show peers
Name/Username    Host                 Mask             Port          Status
sgofferj         RFC-1918 IP     (D)  255.255.255.255  4570     (E)  OK (2 ms)

Funnily, if my friend calls me from internet - also with Zoiper - Wireshark cannot identify the packets so I conclude, the call is encrypted.

Does this make any sense?

Terve,
Stefan

--
Last words of a stormchaser: "Where is that rotation on the radar?!"
Russell Bryant
2008-Aug-11 16:06 UTC
[asterisk-users] IAX2 encryption - LAN. no, INET: yes???
Stefan Gofferje wrote:
> I have configured all IAX clients with encryption. I use Zoiper as a
> softphone. When I make a call in the LAN from desktop-PC to *, the call
> is - according to wireshark not encrypted. Wireshark identifies the
> packets as normal G.711 mu-law packets. However, * reports the client as
> encrypted:
>
> k-tanco*CLI> iax2 show peers
> Name/Username    Host                 Mask             Port          Status
> sgofferj         RFC-1918 IP     (D)  255.255.255.255  4570     (E)  OK (2 ms)
>
> Funnily, if my friend calls me from internet - also with Zoiper -
> Wireshark cannot identify the packets so I conclude, the call is encrypted.
> Does this make any sense?

You'd have to provide a packet capture to see exactly what is happening. It sounds like on the call leg between your client and Asterisk, it isn't offering encryption as a capability, so it doesn't get used. However, when your friend calls you, and Asterisk makes a call out to your client, it offers encryption, and your client accepts it.

--
Russell Bryant
Senior Software Engineer
Open Source Team Lead
Digium, Inc.
Stefan Gofferje
2008-Aug-11 17:16 UTC
[asterisk-users] IAX2 encryption - LAN. no, INET: yes???
Russell Bryant wrote:
> Interesting. Here are a couple more sanity checks you can do. First,
> double check to ensure that your entry in iax.conf has encryption=yes
> set. Also, when you make the call into Asterisk, set the verbose
> setting up a bit. You should see output from chan_iax2 which indicates
> what peer you are authenticating as. Make sure that the call is
> matching the entry that you think it is.

I will do some more testing as you suggested.

> Also, is there any encryption option in Zoiper that you have to enable?

Not to my knowledge. I will send an issue report to asteriskguru also.

>> Would it make sense to introduce a parameter forceencryption=yes per
>> peer in iax.conf? In sensitive environments, people want to be certain
>> that a call is encrypted. They probably rather want a call to fail than
>> have a call that might be unencrypted without knowing it.
>
> That is a good suggestion.

Opened a bug for that (0013285) :).

Terve,
Stefan

--
Last words of a stormchaser: "Where is that rotation on the radar?!"
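
The diagnosis in this thread (the client's call setup may not be offering encryption at all) can be checked directly on a captured UDP payload. The following Python is an added example, not code from the thread or from Asterisk or Zoiper; the full-frame layout and information element numbers follow RFC 5456, and the function names and both sample frames are constructed for illustration.

```python
import struct

IAX_FRAMETYPE_IAX = 6   # frame type: IAX control frame
IAX_SUBCLASS_NEW = 1    # subclass NEW: call setup request
IE_ENCRYPTION = 0x2B    # ENCRYPTION information element (methods offered)
ENC_AES128 = 0x0001     # AES-128 bit in the ENCRYPTION bitmask


def parse_full_frame(payload):
    """Return (frametype, subclass, {ie_type: data}); None if not a full frame."""
    if len(payload) < 12 or not payload[0] & 0x80:   # F bit clear: mini frame
        return None
    # source call, dest call, timestamp, oseqno, iseqno, frametype, subclass
    _s, _d, _ts, _o, _i, ftype, sub = struct.unpack("!HHIBBBB", payload[:12])
    ies, pos = {}, 12
    if ftype == IAX_FRAMETYPE_IAX:                   # only control frames carry IEs
        while pos + 2 <= len(payload):
            ie_type, ie_len = payload[pos], payload[pos + 1]
            data = payload[pos + 2:pos + 2 + ie_len]
            if len(data) != ie_len:
                raise ValueError("truncated information element")
            ies[ie_type] = data
            pos += 2 + ie_len
    return ftype, sub, ies


def new_offers_encryption(payload):
    """True/False for a NEW frame, None when the payload is not a NEW frame."""
    frame = parse_full_frame(payload)
    if frame is None or frame[:2] != (IAX_FRAMETYPE_IAX, IAX_SUBCLASS_NEW):
        return None
    enc = frame[2].get(IE_ENCRYPTION)
    return bool(enc and len(enc) == 2 and struct.unpack("!H", enc)[0] & ENC_AES128)


def build_new(ies):
    """Build a constructed NEW frame (source call 1) for the samples below."""
    hdr = struct.pack("!HHIBBBB", 0x8001, 0, 0, 0, 0,
                      IAX_FRAMETYPE_IAX, IAX_SUBCLASS_NEW)
    return hdr + b"".join(bytes([t, len(d)]) + d for t, d in ies)


# Constructed samples: VERSION (0x0B) and USERNAME (0x06), without/with ENCRYPTION
SAMPLE_PLAIN = build_new([(0x0B, b"\x00\x02"), (0x06, b"sgofferj")])
SAMPLE_OFFER = build_new([(0x0B, b"\x00\x02"), (0x06, b"sgofferj"),
                          (IE_ENCRYPTION, b"\x00\x01")])
SAMPLE_MINI = b"\x00\x01\x00\x10" + b"\xff" * 160    # mini (audio) frame
```

A NEW frame for which `new_offers_encryption` returns False matches the LAN behaviour described above: the caller never advertised an encryption method, so the media that follows is plain audio.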