Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
Once again, thanks for your reply. I had done some research already but forgot to include it in my previous email. I did find a bug that is remarkably similar to the issues that I'm having. The bug number is 18674.

Thanks,
Mitch Johnson

> Message: 8
> Date: Fri, 04 Mar 2011 00:34:45 -0600
> From: Terry Wilson twil...@digium.com
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
>
> On 03/03/2011 02:22 PM, Mitch Johnson wrote:
>> Thanks so much for pointing this out. I was curious why the commands in the documentation differed to the commands I was using. That problem is fixed, but now I have a new issue. I can call with no issues, however, as soon as I answer one of the calls I see the error: ast_srtp_unprotect: SRTP unprotect: authentication failure. Below is a snippet of the debug as the call is answered.
>
> The best thing to do at this point would be to file a bug report with the info at which point it will eventually probably be assigned to me (unless some awesome person comes up with a fix first!) to look at. If I have a bit of free time, I'll try to take a peek at it. If you can post the sip debug output of the entire offer/answer exchange to the bug report, it will help greatly.
>
> Terry

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
Thanks so much for pointing this out. I was curious why the commands in the documentation differed to the commands I was using. That problem is fixed, but now I have a new issue. I can call with no issues, however, as soon as I answer one of the calls I see the error: ast_srtp_unprotect: SRTP unprotect: authentication failure. Below is a snippet of the debug as the call is answered.

    v=0
    o=root 306031538 306031538 IN IP4 172.16.200.60
    s=Asterisk PBX 1.8.2.4
    c=IN IP4 172.16.200.60
    t=0 0
    m=audio 15274 RTP/SAVP 0 3 96
    a=rtpmap:0 PCMU/8000
    a=rtpmap:3 GSM/8000
    a=rtpmap:96 telephone-event/8000
    a=fmtp:96 0-16
    a=ptime:20
    a=sendrecv
    a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:iINHae+LvAVdSJwhOJjE3BtyZLVuYFG6ctUjDZst

    [Mar 3 15:02:25] WARNING[13599]: res_srtp.c:338 ast_srtp_unprotect: SRTP unprotect: authentication failure

    --- SIP read from TLS:172.16.201.10:50600 ---
    BYE sip:6003@172.16.200.60:5061;transport=TLS SIP/2.0
    Via: SIP/2.0/TLS 172.16.201.10:50600;rport;branch=z9hG4bKPjbLo4aOOGOax.f5DovLkV-rasCIhsca7A
    Max-Forwards: 70
    From: Asterisk sip:6004@172.16.200.60;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
    To: sip:6003@172.16.200.60;tag=as21b6a1ac
    Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
    CSeq: 6714 BYE
    Content-Length: 0

    - --- (8 headers 0 lines) ---

    --- Reliably Transmitting (NAT) to 172.16.201.10:50600 ---
    SIP/2.0 487 Request Terminated
    Via: SIP/2.0/TLS 172.16.201.10:50600;branch=z9hG4bKPjbJVHFgqcrclq3kJh9hDZfg-I6joRN3QL;received=172.16.201.10;rport=50600
    From: Asterisk sip:6004@172.16.200.60;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
    To: sip:6003@172.16.200.60;tag=as21b6a1ac
    Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
    CSeq: 6713 INVITE
    Server: Asterisk PBX 1.8.2.4
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
    Supported: replaces, timer
    Content-Length: 0

> Message: 8
> Date: Tue, 1 Mar 2011 10:04:14 -0600
> From: Terry Wilson twil...@digium.com
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion asterisk-users@lists.digium.com
>
> On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:
>> I'm in the process of testing a TLS/SRTP install. My experience is improving with each new challenge, but this one is a great test of my 2 month experience with Asterisk.
>>
>>     [myphones]
>>     ;exten = 6001,1,Dial(SIP/6001)
>>     ;exten = 6001,2,Hangup()
>>     exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
>>     exten = 6001,2,Dial(SIP/${EXTEN})
>
> There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very old version of the SRTP patch. Ignore pretty much anything on issue 5413 and instead look at https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You would use encryption=yes/no in sip.conf and Set(CHANNEL(secure_bridge_signaling)=1) to force SRTP calls. I'm assuming that you are using Asterisk 1.8 instead of one of the patches on issue 5413--if not, then do that. ;-)
Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
On 03/03/2011 02:22 PM, Mitch Johnson wrote:
> Thanks so much for pointing this out. I was curious why the commands in the documentation differed to the commands I was using. That problem is fixed, but now I have a new issue. I can call with no issues, however, as soon as I answer one of the calls I see the error: ast_srtp_unprotect: SRTP unprotect: authentication failure. Below is a snippet of the debug as the call is answered.

The best thing to do at this point would be to file a bug report with the info at which point it will eventually probably be assigned to me (unless some awesome person comes up with a fix first!) to look at. If I have a bit of free time, I'll try to take a peek at it. If you can post the sip debug output of the entire offer/answer exchange to the bug report, it will help greatly.

Terry
Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:
> I'm in the process of testing a TLS/SRTP install. My experience is improving with each new challenge, but this one is a great test of my 2 month experience with Asterisk.
>
>     [myphones]
>     ;exten = 6001,1,Dial(SIP/6001)
>     ;exten = 6001,2,Hangup()
>     exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
>     exten = 6001,2,Dial(SIP/${EXTEN})

There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very old version of the SRTP patch. Ignore pretty much anything on issue 5413 and instead look at https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You would use encryption=yes/no in sip.conf and Set(CHANNEL(secure_bridge_signaling)=1) to force SRTP calls. I'm assuming that you are using Asterisk 1.8 instead of one of the patches on issue 5413--if not, then do that. ;-)
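The settings named in the reply above can be checked mechanically. The following is an added example, not part of the original thread and not Asterisk project code: a small linter that flags dialplan lines still setting the obsolete variable and sip.conf peers where transport=tls and encryption=yes are not set together. The function names, the constructed peers 7001 and 7002, and the simplification that only per-peer settings are read (no [general] inheritance) are assumptions of this example.

```python
import re

OBSOLETE_VAR = "_SIPSRTP_CRYPTO"  # left over from the old SRTP patch, per the reply above

def parse_sections(text):
    """Return {section: [(key, value), ...]}; ';' comments are dropped."""
    sections, entries = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            entries = sections.setdefault(header.group(1), [])
        elif entries is not None and "=" in line:
            key, value = line.split("=", 1)  # also accepts the 'exten => ...' spelling
            entries.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit_sip(text):
    """Flag peers whose signaling and media protection do not match."""
    findings = []
    for peer, entries in parse_sections(text).items():
        opts = dict(entries)  # last setting wins; [general] inheritance is not modelled
        tls = "tls" in re.split(r"\s*,\s*", opts.get("transport", "udp").lower())
        srtp = opts.get("encryption", "no").lower() == "yes"
        if peer == "general" or tls == srtp:
            continue
        findings.append((peer, "TLS signaling but media is plain RTP" if tls
                         else "SRTP key offered in cleartext SDP (no TLS)"))
    return findings

def audit_dialplan(text):
    """Flag (context, extension) pairs that still set the obsolete variable."""
    return [(ctx, value.split(",", 1)[0])
            for ctx, entries in parse_sections(text).items()
            for key, value in entries
            if key == "exten" and OBSOLETE_VAR in value]

# Constructed samples: 6003 mirrors the posted config, 7001 and 7002 are made up.
SAMPLE_SIP = """[6003]
transport=tls
encryption=yes
[7001]
transport=tls
;encryption=yes
[7002]
encryption=yes"""
SAMPLE_DIALPLAN = """[myphones]
exten = 6003,1,Set(_SIPSRTP_CRYPTO=enable)
exten = 6003,2,Dial(SIP/${EXTEN})"""
```

Pass the contents of sip.conf to audit_sip() and of extensions.conf to audit_dialplan(); each returns a list of findings, empty when nothing is flagged.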
[asterisk-users] TLS/SRTP calls go to circuit busy.
I'm in the process of testing a TLS/SRTP install. My experience is improving with each new challenge, but this one is a great test of my 2 month experience with Asterisk.

When I dial 6003 from 6001, it takes 35 seconds until I get the error message that 6003 is circuit-busy. Any help would greatly be appreciated. Below is the error message and the extensions and sip.conf files.

    *CLI == Using SIP RTP CoS mark 5
    -- Executing [6003@myphones:1] Set(SIP/6001-000c, _SIPSRTP_CRYPTO=enable) in new stack
    -- Executing [6003@myphones:2] Dial(SIP/6001-000c, SIP/6003) in new stack
    == Using SIP RTP CoS mark 5
    -- Called 6003
    -- SIP/6003-000d is circuit-busy
    == Everyone is busy/congested at this time (1:0/1/0)
    -- Auto fallthrough, channel 'SIP/6001-000c' status is 'CONGESTION'

extensions.conf

    [myphones]
    ;exten = 6001,1,Dial(SIP/6001)
    ;exten = 6001,2,Hangup()
    exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
    exten = 6001,2,Dial(SIP/${EXTEN})
    ;exten = 6002,1,Dial(SIP/6002)
    ;exten = 6002,2,Hangup()
    exten = 6002,1,Set(_SIPSRTP_CRYPTO=enable)
    exten = 6002,2,Dial(SIP/${EXTEN})
    ;exten = 6003,1,Dial(SIP/6003)
    ;exten = 6003,2,Hangup()
    exten = 6003,1,Set(_SIPSRTP_CRYPTO=enable)
    exten = 6003,2,Dial(SIP/${EXTEN})
    ;exten = 6004,1,Dial(SIP/6004)
    ;exten = 6004,2,Hangup()
    exten = 6004,1,Set(_SIPSRTP_CRYPTO=enable)
    exten = 6004,2,Dial(SIP/${EXTEN})
    exten = 6005,1,Dial(SIP/6005)
    exten = 6005,2,Hangup()
    ;exten = 6005,1,Set(_SIPSRTP_CRYPTO=enable)
    ;exten = 6005,2,Dial(SIP/${EXTEN})
    exten = 6006,1,Dial(SIP/6005)
    exten = 6006,2,Hangup()
    ;exten = 6006,1,Set(_SIPSRTP_CRYPTO=enable)
    ;exten = 6006,2,Dial(SIP/${EXTEN})
    exten = 600,1,NoOp( start)
    exten = 600,n,NOOp( SECURE SIGNALING ${CHANNEL(secure_signaling)} )
    exten = 600,n,NOOp( SECURE media ${CHANNEL(secure_media)} )
    exten = 600,n,Answer()
    exten = 600,n,Playback(demo-echotest)
    exten = 600,n,Echo()
    exten = _X.,1,Dial(SIP/CM8/${EXTEN:0},30,rt)

    [general]
    tlsenable=yes
    tlsbindaddr=172.16.200.60
    ;tlsprivatekey=/usr/local/ssl/misc/asteriskkey.pem
    ;tlscertfile=/usr/local/ssl/misc/asteriskcert.pem
    tlscertfile=/etc/asterisk/keys/asterisk.pem
    tlscafile=/etc/asterisk/keys/ca.crt
    tlscipher=ALL
    ;tlscafile=/usr/local/ssl/misc/demoCA/cacert.pem
    tlsclientmethod=tlsv1

    [6001]
    type=friend
    secret=erasmus123
    callerid=Mitch-MacBook 6001
    ;nat=yes
    host=dynamic
    ;canreinvite=no
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    ;transport=udp
    transport=tls
    encryption=yes
    port=5061
    regexten=6001

    [6002]
    type=friend
    secret=erasmus123
    callerid=Tami 6002
    host=dynamic
    canreinvite=no
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    ;transport=udp
    transport=tls
    encryption=yes
    port=5061
    regexten=6002

    [6003]
    type=friend
    secret=erasmus123
    callerid=iPad 6003
    host=dynamic
    ;canreinvite=no
    ;nat=yes
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    ;transport=udp
    transport=tls
    encryption=yes
    port=5061
    regexten=6003

    [6004]
    type=friend
    secret=erasmus123
    callerid=iPhone-Mitch 6004
    ;nat=yes
    host=dynamic
    ;canreinvite=no
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    ;transport=udp
    transport=tls
    encryption=yes
    port=5061
    regexten=6004

    [6005]
    type=friend
    secret=erasmus123
    callerid=SNOM 6005
    host=dynamic
    ;canreinvite=no
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    transport=udp
    ;transport=tls
    ;encryption=yes
    ;port=5061
    regexten=6005

    [6006]
    type=friend
    secret=erasmus123
    callerid= 6006
    host=dynamic
    ;canreinvite=no
    context=myphones
    allow=ulaw
    allow=gsm
    allow=g726
    transport=udp
    ;transport=tls
    ;encryption=yes
    ;port=5061
    regex

    [CM8]
    type=friend
    host=172.16.200.100
    ;canreinvite=yes
    ;disallow=all
    allow=ulaw
    allow=ulaw
    ;qualify=yes
    ;nat=no
    context=myphones