asterisk users - Jul 2014 - Rejecting secure audio stream without encryption details - when using ws clients and Kamailio integration

Greetings,

I've noticed a problem that might originate from my Asterisk configuration,
could use a hand in sorting it out. Problem is a 488 response from Asterisk
whenever it gets RTP/SAVPF profile in the SDP.

My current setup has Asterisk Kamailio realtime integration, and Kamailio
uses dispatcher to route calls for Asterisk to handle. Now I have only one
Asterisk, on the same machine as Kamailio. The version is 11.10.2. With
Kamailio I use rtpengine, which affects SDP descriptions when 488 response
is received.

My goal is to enable two websocket clients using Chrome to call each other,
using Kamailio as outbound proxy. Kamailio routes signaling to Asterisk,
and then back to clients. Currently the problem is RTP, when INVITE is
received from client A to Kamailio, it is relayed to Asterisk. Asterisk
responds with 488 Not Acceptable here and the cli says:

 NOTICE[11642][C-00000006]: chan_sip.c:10124 process_sdp: Received SAVPF
profle in audio offer but AVPF is not enabled, enabling: audio 30212
RTP/SAVPF 111 103 104 0 8 106 105 13 126
 WARNING[11642][C-00000006]: chan_sip.c:10509 process_sdp: Rejecting secure
audio stream without encryption details: audio 30212 RTP/SAVPF 111 103 104
0 8 106 105 13 126


Strange thing is, I don't know why Asterisk says AVPF is not enabled. The
warning about rejecting the audio stream must be behind the 488 response
but I didn't find any answers that would solve my case so I must turn to
you guys. In my sip.conf I have savpf=yes, but is there something else I
need to enable or change in the configs or change my peer configurations?

I'm not sure if this is relevant but I checked that Asterisk was
successfully compiled with res_srtp module.

Here's my sip.conf contents:

bindport = 5070 ; using this since Kamailio is at 5060
bindaddr = PU.BL.IC.IP
tcpenable = yes ;no
limitonpeers = yes
rtcachefriends = yes    ; for realtime
rtupdate=yes
tos_sip=cs3
tos_audio=ef
useragent=MyAsterisk
realm = myrealm.com

autodomain=no
domain=PU.BL.IC.IP
domain=testers.com

allowexternaldomains=no
allowguest=no
avpf=yes
encryption=yes

transport=ws,udp
icesupport=yes
srvlookup=yes


And here's an example of a ws client in my realtime peer table:

                id: 4
              name: 660
            ipaddr: PU.BL.IC.IP
              port: 5060
        regseconds: 1406368294
       defaultuser: 660
       fullcontact: sip:660 at PU.BL.IC.IP:5060
         regserver:
         useragent:
            lastms: 0
              host: dynamic
              type: friend
           context: default
              deny: 0.0.0.0/0.0.0.0
            permit: PU.BL.IC.IP
            secret: NULL
         md5secret: NULL
      remotesecret: NULL
         transport: NULL
          dtmfmode: NULL
       directmedia: NULL
               nat: force_rport,comedia
         callgroup: NULL
       pickupgroup: NULL
          language: NULL
          disallow: NULL
             allow: NULL
          insecure: NULL
         trustrpid: NULL
    progressinband: NULL
      promiscredir: NULL
     useclientcode: NULL
       accountcode: NULL
            setvar: NULL
          callerid: NULL
          amaflags: NULL
       callcounter: NULL
         busylevel: NULL
      allowoverlap: NULL
    allowsubscribe: NULL
      videosupport: NULL
    maxcallbitrate: NULL
 rfc2833compensate: NULL
           mailbox: NULL
    session-timers: NULL
   session-expires: NULL
     session-minse: NULL
 session-refresher: NULL
t38pt_usertpsource: NULL
          regexten: NULL
        fromdomain: testers.com
          fromuser: 660
           qualify: NULL
         defaultip: NULL
        rtptimeout: NULL
    rtpholdtimeout: NULL
          sendrpid: NULL
     outboundproxy: PU.BL.IC.IP
           timert1: NULL
            timerb: NULL
       qualifyfreq: NULL
      constantssrc: NULL
     contactpermit: NULL
       contactdeny: NULL
       usereqphone: NULL
       textsupport: NULL
         faxdetect: NULL
          buggymwi: NULL
              auth: NULL
          fullname: NULL
         trunkname: NULL
        cid_number: NULL
       callingpres: NULL
      mohinterpret: NULL
        mohsuggest: NULL
        parkinglot: NULL
      hasvoicemail: NULL
      subscribemwi: NULL
           vmexten: NULL
       autoframing: NULL
      rtpkeepalive: NULL
        call-limit: NULL
   g726nonstandard: NULL
  ignoresdpversion: NULL
     allowtransfer: NULL
           dynamic: NULL
              path: NULL
       supportpath: NULL
         sippasswd: my-md5-pwd
              rpid: NULL
            domain: testers.com
        sippasswd2: NULL


I'd greatly appreciate help on this!

cheers,
Olli
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20140726/27df226f/attachment.html>

Hi,

I got ahead with my setup, this post helped me much:
http://forums.digium.com/viewtopic.php?f=1&t=90167&sid=66fdf8cc4be5d955ba584e989a23442f

At least the avpf setting had to be removed from sip.conf and put in the
realtime db table, defined per client. I left the encryption setting in
sip.conf. I had some problems calling from SIP client to another, then had
to define avpf=no for those clients. Personally I don't like to use
different settings to different clients, is there a way around this?

With this setup I can make calls between SIP clients but not ws clients. My
client (now I use sip.js) fails to parse the sdp - including the apparently
correct rtp profile UDP/TLS/RTP/SAVPF - and sends back 488, which makes the
call fail. I'd like to hear opinions from you guys which would be the
correct place to handle this? My setup has Asterisk Kamailio realtime
integration, and I use dispatcher in Kamailio to route calls to Asterisk.
Kamailio sounds like the logical place, but I'd rather find a way to not
change the rtp profile along the way, at least until the clients can
support that one.

cheers,
Olli





2014-07-26 12:58 GMT+03:00 Olli Heiskanen <ohjelmistoarkkitehti at
gmail.com>:
>
> Greetings,
>
> I've noticed a problem that might originate from my Asterisk
> configuration, could use a hand in sorting it out. Problem is a 488
> response from Asterisk whenever it gets RTP/SAVPF profile in the SDP.
>
> My current setup has Asterisk Kamailio realtime integration, and Kamailio
> uses dispatcher to route calls for Asterisk to handle. Now I have only one
> Asterisk, on the same machine as Kamailio. The version is 11.10.2. With
> Kamailio I use rtpengine, which affects SDP descriptions when 488 response
> is received.
>
> My goal is to enable two websocket clients using Chrome to call each
> other, using Kamailio as outbound proxy. Kamailio routes signaling to
> Asterisk, and then back to clients. Currently the problem is RTP, when
> INVITE is received from client A to Kamailio, it is relayed to Asterisk.
> Asterisk responds with 488 Not Acceptable here and the cli says:
>
>  NOTICE[11642][C-00000006]: chan_sip.c:10124 process_sdp: Received SAVPF
> profle in audio offer but AVPF is not enabled, enabling: audio 30212
> RTP/SAVPF 111 103 104 0 8 106 105 13 126
>  WARNING[11642][C-00000006]: chan_sip.c:10509 process_sdp: Rejecting
> secure audio stream without encryption details: audio 30212 RTP/SAVPF 111
> 103 104 0 8 106 105 13 126
>
>
> Strange thing is, I don't know why Asterisk says AVPF is not enabled.
The
> warning about rejecting the audio stream must be behind the 488 response
> but I didn't find any answers that would solve my case so I must turn
to
> you guys. In my sip.conf I have savpf=yes, but is there something else I
> need to enable or change in the configs or change my peer configurations?
>
> I'm not sure if this is relevant but I checked that Asterisk was
> successfully compiled with res_srtp module.
>
> Here's my sip.conf contents:
>
> bindport = 5070 ; using this since Kamailio is at 5060
> bindaddr = PU.BL.IC.IP
> tcpenable = yes ;no
> limitonpeers = yes
> rtcachefriends = yes    ; for realtime
> rtupdate=yes
> tos_sip=cs3
> tos_audio=ef
> useragent=MyAsterisk
> realm = myrealm.com
>
> autodomain=no
> domain=PU.BL.IC.IP
> domain=testers.com
>
> allowexternaldomains=no
> allowguest=no
> avpf=yes
> encryption=yes
>
> transport=ws,udp
> icesupport=yes
> srvlookup=yes
>
>
> And here's an example of a ws client in my realtime peer table:
>
>                 id: 4
>               name: 660
>             ipaddr: PU.BL.IC.IP
>               port: 5060
>         regseconds: 1406368294
>        defaultuser: 660
>        fullcontact: sip:660 at PU.BL.IC.IP:5060
>          regserver:
>          useragent:
>             lastms: 0
>               host: dynamic
>               type: friend
>            context: default
>               deny: 0.0.0.0/0.0.0.0
>             permit: PU.BL.IC.IP
>             secret: NULL
>          md5secret: NULL
>       remotesecret: NULL
>          transport: NULL
>           dtmfmode: NULL
>        directmedia: NULL
>                nat: force_rport,comedia
>          callgroup: NULL
>        pickupgroup: NULL
>           language: NULL
>           disallow: NULL
>              allow: NULL
>           insecure: NULL
>          trustrpid: NULL
>     progressinband: NULL
>       promiscredir: NULL
>      useclientcode: NULL
>        accountcode: NULL
>             setvar: NULL
>           callerid: NULL
>           amaflags: NULL
>        callcounter: NULL
>          busylevel: NULL
>       allowoverlap: NULL
>     allowsubscribe: NULL
>       videosupport: NULL
>     maxcallbitrate: NULL
>  rfc2833compensate: NULL
>            mailbox: NULL
>     session-timers: NULL
>    session-expires: NULL
>      session-minse: NULL
>  session-refresher: NULL
> t38pt_usertpsource: NULL
>           regexten: NULL
>         fromdomain: testers.com
>           fromuser: 660
>            qualify: NULL
>          defaultip: NULL
>         rtptimeout: NULL
>     rtpholdtimeout: NULL
>           sendrpid: NULL
>      outboundproxy: PU.BL.IC.IP
>            timert1: NULL
>             timerb: NULL
>        qualifyfreq: NULL
>       constantssrc: NULL
>      contactpermit: NULL
>        contactdeny: NULL
>        usereqphone: NULL
>        textsupport: NULL
>          faxdetect: NULL
>           buggymwi: NULL
>               auth: NULL
>           fullname: NULL
>          trunkname: NULL
>         cid_number: NULL
>        callingpres: NULL
>       mohinterpret: NULL
>         mohsuggest: NULL
>         parkinglot: NULL
>       hasvoicemail: NULL
>       subscribemwi: NULL
>            vmexten: NULL
>        autoframing: NULL
>       rtpkeepalive: NULL
>         call-limit: NULL
>    g726nonstandard: NULL
>   ignoresdpversion: NULL
>      allowtransfer: NULL
>            dynamic: NULL
>               path: NULL
>        supportpath: NULL
>          sippasswd: my-md5-pwd
>               rpid: NULL
>             domain: testers.com
>         sippasswd2: NULL
>
>
> I'd greatly appreciate help on this!
>
> cheers,
> Olli
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20140801/e1309559/attachment.html>