I'm in the process of testing a TLS/SRTP install. My experience is
improving with each new challenge, but this one is a great test of my 2
month experience with Asterisk.
When I dial 6003 from 6001, it takes 35 seconds until I get the error
message that 6003 is circuit-busy.
Any help would greatly be appreciated. Below is the error message and the
extensions and sip.conf files.
*CLI> == Using SIP RTP CoS mark 5
-- Executing [6003@myphones:1] Set("SIP/6001-0000000c", "_SIPSRTP_CRYPTO=enable") in new stack
-- Executing [6003@myphones:2] Dial("SIP/6001-0000000c", "SIP/6003") in new stack
== Using SIP RTP CoS mark 5
-- Called 6003
-- SIP/6003-0000000d is circuit-busy
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'SIP/6001-0000000c' status is 'CONGESTION'
extensions.conf
[myphones]
;exten => 6001,1,Dial(SIP/6001)
;exten => 6001,2,Hangup()
exten => 6001,1,Set(_SIPSRTP_CRYPTO=enable)
exten => 6001,2,Dial(SIP/${EXTEN})
;exten => 6002,1,Dial(SIP/6002)
;exten => 6002,2,Hangup()
exten => 6002,1,Set(_SIPSRTP_CRYPTO=enable)
exten => 6002,2,Dial(SIP/${EXTEN})
;exten => 6003,1,Dial(SIP/6003)
;exten => 6003,2,Hangup()
exten => 6003,1,Set(_SIPSRTP_CRYPTO=enable)
exten => 6003,2,Dial(SIP/${EXTEN})
;exten => 6004,1,Dial(SIP/6004)
;exten => 6004,2,Hangup()
exten => 6004,1,Set(_SIPSRTP_CRYPTO=enable)
exten => 6004,2,Dial(SIP/${EXTEN})
exten => 6005,1,Dial(SIP/6005)
exten => 6005,2,Hangup()
;exten => 6005,1,Set(_SIPSRTP_CRYPTO=enable)
;exten => 6005,2,Dial(SIP/${EXTEN})
exten => 6006,1,Dial(SIP/6005)
exten => 6006,2,Hangup()
;exten => 6006,1,Set(_SIPSRTP_CRYPTO=enable)
;exten => 6006,2,Dial(SIP/${EXTEN})
exten => 600,1,NoOp( start)
exten => 600,n,NOOp( SECURE SIGNALING ${CHANNEL(secure_signaling)} )
exten => 600,n,NOOp( SECURE media ${CHANNEL(secure_media)} )
exten => 600,n,Answer()
exten => 600,n,Playback(demo-echotest)
exten => 600,n,Echo()
exten => _X.,1,Dial(SIP/CM8/${EXTEN:0},30,rt)
sip.conf
[general]
tlsenable=yes
tlsbindaddr=172.16.200.60
;tlsprivatekey=/usr/local/ssl/misc/asteriskkey.pem
;tlscertfile=/usr/local/ssl/misc/asteriskcert.pem
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
;tlscafile=/usr/local/ssl/misc/demoCA/cacert.pem
tlsclientmethod=tlsv1
[6001]
type=friend
secret=erasmus123
callerid="Mitch-MacBook" <6001>
;nat=yes
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6001
[6002]
type=friend
secret=erasmus123
callerid="Tami" <6002>
host=dynamic
canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6002
[6003]
type=friend
secret=erasmus123
callerid="iPad" <6003>
host=dynamic
;canreinvite=no
;nat=yes
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6003
[6004]
type=friend
secret=erasmus123
callerid="iPhone-Mitch" <6004>
;nat=yes
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6004
[6005]
type=friend
secret=erasmus123
callerid="SNOM" <6005>
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
transport=udp
;transport=tls
;encryption=yes
;port=5061
regexten=6005
[6006]
type=friend
secret=erasmus123
callerid=" <6006>
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
transport=udp
;transport=tls
;encryption=yes
;port=5061
regex
[CM8]
type=friend
host=172.16.200.100
;canreinvite=yes
;disallow=all
allow=ulaw
allow=ulaw
;qualify=yes
;nat=no
context=myphones
On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:

> I'm in the process of testing a TLS/SRTP install. My experience is improving with each new challenge, but this one is a great test of my 2 month experience with Asterisk.

> [myphones]
>
> ;exten => 6001,1,Dial(SIP/6001)
> ;exten => 6001,2,Hangup()
> exten => 6001,1,Set(_SIPSRTP_CRYPTO=enable)
> exten => 6001,2,Dial(SIP/${EXTEN})
>

There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very old version of the SRTP patch. Ignore pretty much anything on issue 5413 and instead look at https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You would use encryption=yes/no in sip.conf and Set(CHANNEL(secure_bridge_signaling)=1) to force SRTP calls. I'm assuming that you are using Asterisk 1.8 instead of one of the patches on issue 5413--if not, then do that. ;-)
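An added example, not part of the original thread or of Asterisk itself: a small Python check for the two things the reply above points at, a dialplan that still sets the obsolete `_SIPSRTP_CRYPTO` variable instead of `CHANNEL(secure_bridge_signaling)`, and a sip.conf peer that has `transport=tls` but no `encryption=yes`. The sample configs and peer 6007 are constructed, `secure_bridge_media` is the companion CHANNEL item in Asterisk 1.8 that the reply does not mention, and the parsing is simplified (no includes, no escaped `;`).

```python
import re

OBSOLETE = re.compile(r"SIPSRTP_CRYPTO")  # variable from the old SRTP patch
SECURE = re.compile(r"Set\(\s*CHANNEL\(secure_bridge_(signaling|media)\)\s*=\s*1\s*\)", re.I)
EXTEN = re.compile(r"^\s*exten\s*=>\s*([^,]+),[^,]+,(.*)$")

def audit_dialplan(text):
    """Return (line_no, exten, problem) for obsolete or unsecured dial steps."""
    findings, required = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        m = EXTEN.match(raw.split(";", 1)[0])  # simplified: drop ';' comments
        if not m:
            continue
        exten, app = m.group(1).strip(), m.group(2).strip()
        if OBSOLETE.search(app):
            findings.append((no, exten, "obsolete _SIPSRTP_CRYPTO"))
        for kind in SECURE.findall(app):
            required.setdefault(exten, set()).add(kind.lower())
        if app.lower().startswith("dial("):
            for kind in ("signaling", "media"):
                if kind not in required.get(exten, set()):
                    findings.append((no, exten, f"Dial without secure_bridge_{kind}=1"))
    return findings

def audit_peers(text):
    """Return sip.conf peers with transport=tls but without encryption=yes."""
    peers, name = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            peers[name] = {}
        elif "=" in line and name:
            key, value = line.split("=", 1)
            peers[name][key.strip().lower()] = value.strip().lower()
    return [p for p, o in peers.items() if o.get("transport") == "tls" and o.get("encryption") != "yes"]

# Constructed samples: the dialplan as posted, then rewritten per the reply.
BEFORE = """[myphones]
exten => 6003,1,Set(_SIPSRTP_CRYPTO=enable)
exten => 6003,2,Dial(SIP/${EXTEN})
"""
AFTER = """[myphones]
exten => 6003,1,Set(CHANNEL(secure_bridge_signaling)=1)
exten => 6003,n,Set(CHANNEL(secure_bridge_media)=1)  ; assumption: not in the reply
exten => 6003,n,Dial(SIP/${EXTEN})
"""
PEERS = "[6003]\ntransport=tls\nencryption=yes\n[6007]\ntransport=tls\n"  # 6007 is hypothetical
print(audit_dialplan(BEFORE), audit_dialplan(AFTER), audit_peers(PEERS))
```
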
Thanks so much for pointing this out. I was curious why the commands in the documentation differed to the commands I was using.

That problem is fixed, but now I have a new issue. I can call with no issues, however, as soon as I answer one of the calls I see the error: ast_srtp_unprotect: SRTP unprotect: authentication failure. Below is a snippet of the debug as the call is answered.

v=0
o=root 306031538 306031538 IN IP4 172.16.200.60
s=Asterisk PBX 1.8.2.4
c=IN IP4 172.16.200.60
t=0 0
m=audio 15274 RTP/SAVP 0 3 96
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:iINHae+LvAVdSJwhOJjE3BtyZLVuYFG6ctUjDZst
<------------>
[Mar 3 15:02:25] WARNING[13599]: res_srtp.c:338 ast_srtp_unprotect: SRTP unprotect: authentication failure
<--- SIP read from TLS:172.16.201.10:50600 --->
BYE sip:6003@172.16.200.60:5061;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 172.16.201.10:50600;rport;branch=z9hG4bKPjbLo4aOOGOax.f5DovLkV-rasCIhsca7A
Max-Forwards: 70
From: "Asterisk" <sip:6004@172.16.200.60>;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
To: <sip:6003@172.16.200.60>;tag=as21b6a1ac
Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
CSeq: 6714 BYE
Content-Length: 0
<------------->
--- (8 headers 0 lines) ---
<--- Reliably Transmitting (NAT) to 172.16.201.10:50600 --->
SIP/2.0 487 Request Terminated
Via: SIP/2.0/TLS 172.16.201.10:50600;branch=z9hG4bKPjbJVHFgqcrclq3kJh9hDZfg-I6joRN3QL;received=172.16.201.10;rport=50600
From: "Asterisk" <sip:6004@172.16.200.60>;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
To: <sip:6003@172.16.200.60>;tag=as21b6a1ac
Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
CSeq: 6713 INVITE
Server: Asterisk PBX 1.8.2.4
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

> Message: 8
> Date: Tue, 1 Mar 2011 10:04:14 -0600
> From: Terry Wilson <twilson at digium.com>
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>     <asterisk-users at lists.digium.com>
> Message-ID: <B401C9B4-0721-43B4-9762-C3F02483B52B at digium.com>
> Content-Type: text/plain; charset="us-ascii"
>
> On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:
>
>> I'm in the process of testing a TLS/SRTP install. My experience is improving with each new challenge, but this one is a great test of my 2 month experience with Asterisk.
>
>> [myphones]
>>
>> ;exten => 6001,1,Dial(SIP/6001)
>> ;exten => 6001,2,Hangup()
>> exten => 6001,1,Set(_SIPSRTP_CRYPTO=enable)
>> exten => 6001,2,Dial(SIP/${EXTEN})
>>
>
> There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very old version of the SRTP patch. Ignore pretty much anything on issue 5413 and instead look at https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You would use encryption=yes/no in sip.conf and Set(CHANNEL(secure_bridge_signaling)=1) to force SRTP calls. I'm assuming that you are using Asterisk 1.8 instead of one of the patches on issue 5413--if not, then do that. ;-)
Once again, thanks for your reply. I had done some research already but forgot to include it in my previous email. I did find a bug that is remarkably similar to the issues that I'm having. The bug number is 18674.

Thanks,
Mitch Johnson

> Message: 8
> Date: Fri, 04 Mar 2011 00:34:45 -0600
> From: Terry Wilson <twilson at digium.com>
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>     <asterisk-users at lists.digium.com>
> Message-ID: <4D708805.3060409 at digium.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 03/03/2011 02:22 PM, Mitch Johnson wrote:
>> Thanks so much for pointing this out. I was curious why the commands in the documentation differed to the commands I was using.
>>
>> That problem is fixed, but now I have a new issue. I can call with no issues, however, as soon as I answer one of the calls I see the error: ast_srtp_unprotect: SRTP unprotect: authentication failure. Below is a snippet of the debug as the call is answered.
> The best thing to do at this point would be to file a bug report with
> the info at which point it will eventually probably be assigned to me
> (unless some awesome person comes up with a fix first!) to look at. If I
> have a bit of free time, I'll try to take a peek at it. If you can post
> the sip debug output of the entire offer/answer exchange to the bug
> report, it will help greatly.
>
> Terry