[asterisk-users] Asterisk and SRTP
Hi experts,

I am trying Asterisk SRTP in my environment, and find that when Asterisk is behind a NAT, the audio/video UDP ports opened for SRTP relay by Asterisk are local ports on the Asterisk server, media from the two clients out of the NAT (for example from Internet) can not reach the ports, and thus the two clients can not establish the secure call via Asterisk. I have set up a STUN server and configured it in rtp.conf, but it seems Asterisk does not do STUN before it opens ports for SRTP. BTW, non-SRTP calls can work though.

Can anyone give advice on how to make SRTP work in such an env? Thanks a lot in advance!

William Wu
[asterisk-users] Asterisk Call Redirection
Hi Guys,

I am able to divert an incoming phone call from asterisk to a sip softphone. Is it possible to redirect a call to a serial port? If so how would I do it? I don't mind a brief explanation. There is a ppp/dialup server listening on serial port.

Thanks,
Tim
Re: [asterisk-users] Asterisk Call Redirection
These are at completely different levels of the ISO stack...question is making sense to me. (What does it mean to divert a call to a serial port).

Do you mean route a call over a link that is ppp/dialup and connected to another endpoint on the other side of that link? If so you would have to configure your serial port/link to be on demand, allow the OS to bring up the link, making the route available, and then allowing Asterisk to bridge the call to an IP on a subnet on the other side of that link.

So your focus should perhaps be:
- Setting up on demand link
- Configuring Asterisk (if possible) to try the connection to the endpoint long enough for the link to come up.

Hope I understood right...

From: asterisk-users-boun...@lists.digium.com on behalf of Tim ad...@securesec.com
Sent: Saturday, April 5, 2014 3:16 PM
To: Asterisk Users List
Subject: [asterisk-users] Asterisk Call Redirection

Hi Guys,

I am able to divert an incoming phone call from asterisk to a sip softphone. Is it possible to redirect a call to a serial port? If so how would I do it? I don't mind a brief explanation. There is a ppp/dialup server listening on serial port.

Thanks,
Tim
Re: [asterisk-users] Asterisk and SRTP
On 04/05/2014 07:56 PM, William Wu wrote:
> Hi experts, I am trying Asterisk SRTP in my environment, and find that when Asterisk is behind a NAT, the audio/video UDP ports opened for SRTP relay by Asterisk are local ports on the Asterisk server, media from the two clients out of the NAT (for example from Internet) can not reach the ports, and thus the two clients can not establish the secure call via Asterisk. I have set up a STUN server and configured it in rtp.conf, but it seems Asterisk does not do STUN before it opens ports for SRTP. BTW, non-SRTP calls can work though.
>
> Can anyone give advice on how to make SRTP work in such an env?

I have no problems with a TLS/SRTP call between a GSM with CSipSimple and Asterisk 11.8.1 behind NAT.

Have you configured the NAT options in sip.conf?

    externip=...
    localnet=...
    nat=...

You may also need to add/change the options below. Check the sip.conf example file to see what these options do and use what's best for your situation.

    canreinvite=no
    directmedia=no
    directrtpsetup=no

HTH,
Patrick
Re: [asterisk-users] Asterisk 1.6
Another option we like, but it depends on your preferences, is to run them over openvpn. Works for Mac, Linux and Windows clients. Since all our clients are under our control we use openvpn a lot, and yealink and other phones have it built in so they can connect directly once initially set up.

Cheers
Duncan

On 5/04/2014, at 4:36 am, motty cruz motty.c...@gmail.com wrote:

that sounds feasible, Thanks Michelle,

On Fri, Apr 4, 2014 at 8:25 AM, Michelle Dupuis mdup...@ocg.ca wrote:

If you know your users are all from within your country, or state, or even city, you could restrict geographic access in your secast.conf file like this:

    ruledefault=deny
    ruleexceptions=NA:CA:Ontario:|NA:US:Michigan:Detroit|::Ohio:|NA

The above would:
- By default deny all source IPs anywhere in the world
- Let in only source IPs from:
  1. North America (continent), Canada (country), Ontario (region)
  2. North America (continent), USA (country), Michigan (region), Detroit (city)
  3. Any region called 'Ohio' anywhere in the world (not sure why you would do that but fun example)
  4. Anywhere in North America

So you can open up your system based solely on where you know your real users are located.

-=Michelle=-

From: asterisk-users-boun...@lists.digium.com on behalf of motty cruz motty.c...@gmail.com
Sent: Friday, April 4, 2014 11:15 AM
To: Asterisk Users List
Subject: Re: [asterisk-users] Asterisk 1.6

Hello Ishfaq, outside users usually travel around the country and connect from different networks, so it won't be possible to lock it down to specific IP. Thanks for your support.

On Fri, Apr 4, 2014 at 8:03 AM, Ishfaq Malik i...@pack-net.co.uk wrote:

On 4 April 2014 15:22, motty cruz motty.c...@gmail.com wrote:
> thank you all for your support. I am using Linux, I only have about 7 users outside our home network. I will learn fail2ban and will use it accordingly. again Thanks for your support.

Do the 7 users outside of your home network always connect from the same IP addresses? If so, you can just lock down your SIP port to those 7 IPs explicitly in your IPTables configuration. Another option would be to change which port you're running SIP on.

--
Ishfaq Malik
Department: VOIP Support
Company: Packnet Limited
t: +44 (0)845 004 4994
f: +44 (0)161 660 9825
e: i...@pack-net.co.uk
w: http://www.pack-net.co.uk
Registered Address: PACKNET LIMITED, Duplex 2, Ducie House 37 Ducie Street Manchester, M1 2JW
COMPANY REG NO. 04920552
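The default-deny matching that Michelle's message describes, as an added Python example that is not part of the thread and is not SecAst code. The field order (continent:country:region:city), the empty-field wildcard, all function names and the `location` dictionary (standing in for a geo-IP lookup result) are assumptions inferred from her description.

```python
# Added illustration, not SecAst code. Rule semantics are inferred from the
# post: fields are continent:country:region:city, empty/missing = wildcard.
FIELDS = ("continent", "country", "region", "city")

def parse_exceptions(spec):
    """Turn 'NA:CA:Ontario:|NA' into 4-tuples, padding short rules."""
    rules = []
    for raw in spec.split("|"):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) > len(FIELDS):
            raise ValueError(f"too many fields in rule {raw!r}")
        parts += [""] * (len(FIELDS) - len(parts))
        if not any(parts):
            raise ValueError(f"rule {raw!r} is all wildcards and would match everyone")
        rules.append(tuple(parts))
    return rules

def covers(rule, target):
    """True if every non-wildcard field of rule equals the same field of target."""
    return all(r == "" or r.casefold() == t.casefold() for r, t in zip(rule, target))

def decide(location, exceptions):
    """ruledefault=deny: allow only if some exception covers the location.

    location is a hypothetical geo-IP result, e.g. {"continent": "NA", ...}.
    """
    where = tuple(location.get(f, "") for f in FIELDS)
    return "allow" if any(covers(r, where) for r in exceptions) else "deny"

def shadowed(rules):
    """Rules made redundant by a broader rule in the same list."""
    return [r for r in rules if any(o != r and covers(o, r) for o in rules)]

RULES = parse_exceptions("NA:CA:Ontario:|NA:US:Michigan:Detroit|::Ohio:|NA")

if __name__ == "__main__":
    # Constructed sample locations, not real lookups.
    for loc in ({"continent": "NA", "country": "MX", "region": "Jalisco"},
                {"continent": "EU", "country": "DE", "region": "Bavaria"}):
        print(loc, "->", decide(loc, RULES))
    print("shadowed by a broader rule:", shadowed(RULES))
```

Under these assumed semantics the trailing `NA` entry already covers the Ontario and Detroit entries, so the list as written admits all of North America plus any region named Ohio; `shadowed()` reports such overlaps so an allow-list is not broader than intended.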
Re: [asterisk-users] IAX2 Trunk Encryption
I have. On the receiving side I had gotten:

    [2014-04-05 23:28:12] WARNING[1832] chan_iax2.c: Rejected connect attempt. No secret present while force encrypt enabled.

I had no secret because I was using RSA authentication and didn't think I needed it, so I added EXACTLY the same line on both sides (copy/paste). Now I get:

    [2014-04-05 23:30:42] NOTICE[1832] chan_iax2.c: Call Terminated, Incoming call is unencrypted while force encrypt is enabled.

On the sending side I really get nothing useful:

    [2014-04-05 23:30:42] VERBOSE[2795][C-0002] pbx.c: -- Executing [s@macro-dialout-trunk:22] Dial(SIP/comp-in-ch01-0001, IAX2/ch01_ch02/1234,300,Ttr) in new stack
    [2014-04-05 23:30:42] VERBOSE[2795][C-0002] app_dial.c: -- Called IAX2/ch01_ch02/1234
    [2014-04-05 23:30:43] VERBOSE[2795][C-0002] chan_iax2.c: -- Hungup 'IAX2/ch01_ch02-17634'
    [2014-04-05 23:30:43] VERBOSE[2795][C-0002] app_dial.c: == Everyone is busy/congested at this time (1:0/0/1)

I modified the extension and the trunk name for security reasons, but without force encryption calls flow back and forth easily. These three directives exist on both sides:

    encryption=yes
    forceencryption=yes
    secret=mysecretcode

So I'm kind of at a loss, I can see the options set, I can see:

    [2014-04-05 23:59:32] VERBOSE[1832] chan_iax2.c: -- Accepting AUTHENTICATED call from xxx.yyy.zzz.aaa:

when I DON'T have the force encryption set, so I can't see what else I need to do..

CEW

On Fri, Apr 4, 2014 at 7:07 PM, Steve Totaro stot...@totarotechnologies.com wrote:

Have you enabled IAX2 debugging and tried some test calls?

Thanks,
Steve T

On Fri, Apr 4, 2014 at 6:59 PM, Elliott W dig...@private-address.info wrote:

That answered my question as to whether it WAS encrypted, I think, and the answer is no, the credentials are but all the rest is not. That just leaves the question of what I need to do to get it encrypted.. Thanks.

On Fri, Apr 4, 2014 at 12:59 PM, Steve Totaro stot...@totarotechnologies.com wrote:

Wireshark.

On Fri, Apr 4, 2014 at 11:13 AM, Elliott W dig...@private-address.info wrote:

Ok, I think I am 90%+ there. Note: the configuration or status is the same on both sides unless otherwise noted.

I am using RSA keys for authentication and the calls are coming through as authenticated so I'm sure that part works. The peer shows the (E) next to the status in Asterisk Info for the IAX2 peers. The trunk configuration contains:

    encryption=yes

So here is my question. Calls stop flowing when I use the directive:

    forceencryption=yes

At the trunk level or higher does not matter, same effect. So my question comes down to, are my calls getting encrypted and why does this directive cause them to fail, AND how can I tell. Thanks.