Re: [asterisk-users] TLS/SRTP calls go to circuit busy.

2011-03-04 Thread Mitch Johnson
 Once again, thanks for your reply.  I had done some research already but 
 forgot to include it in my previous email.  I did find a bug that is 
 remarkably similar to the issues that I'm having.  The bug number is 18674.

Thanks,

Mitch Johnson

> Message: 8
> Date: Fri, 04 Mar 2011 00:34:45 -0600
> From: Terry Wilson twil...@digium.com
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>   asterisk-users@lists.digium.com
> Message-ID: 4d708805.3060...@digium.com
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 03/03/2011 02:22 PM, Mitch Johnson wrote:
> > Thanks so much for pointing this out.  I was curious why the commands in the 
> > documentation differed to the commands I was using.
> >
> > That problem is fixed, but now I have a new issue.  I can call with no 
> > issues, however, as soon as I answer one of the calls I see the error: 
> > ast_srtp_unprotect:  SRTP unprotect: authentication failure.  Below is a 
> > snippet of the debug as the call is answered.
>
> The best thing to do at this point would be to file a bug report with 
> the info at which point it will eventually probably be assigned to me 
> (unless some awesome person comes up with a fix first!) to look at. If I 
> have a bit of free time, I'll try to take a peek at it. If you can post 
> the sip debug output of the entire offer/answer exchange to the bug 
> report, it will help greatly.
>
> Terry
 


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] TLS/SRTP calls go to circuit busy.

2011-03-03 Thread Mitch Johnson
Thanks so much for pointing this out.  I was curious why the commands in the 
documentation differed to the commands I was using.

That problem is fixed, but now I have a new issue.  I can call with no issues, 
however, as soon as I answer one of the calls I see the error: 
ast_srtp_unprotect:  SRTP unprotect: authentication failure.  Below is a 
snippet of the debug as the call is answered.

v=0
o=root 306031538 306031538 IN IP4 172.16.200.60
s=Asterisk PBX 1.8.2.4
c=IN IP4 172.16.200.60
t=0 0
m=audio 15274 RTP/SAVP 0 3 96
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16
a=ptime:20
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:iINHae+LvAVdSJwhOJjE3BtyZLVuYFG6ctUjDZst


[Mar  3 15:02:25] WARNING[13599]: res_srtp.c:338 ast_srtp_unprotect: SRTP unprotect: authentication failure

--- SIP read from TLS:172.16.201.10:50600 ---
BYE sip:6003@172.16.200.60:5061;transport=TLS SIP/2.0

Via: SIP/2.0/TLS 172.16.201.10:50600;rport;branch=z9hG4bKPjbLo4aOOGOax.f5DovLkV-rasCIhsca7A
Max-Forwards: 70
From: Asterisk sip:6004@172.16.200.60;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
To: sip:6003@172.16.200.60;tag=as21b6a1ac
Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
CSeq: 6714 BYE
Content-Length: 0

-
--- (8 headers 0 lines) ---

--- Reliably Transmitting (NAT) to 172.16.201.10:50600 ---
SIP/2.0 487 Request Terminated
Via: SIP/2.0/TLS 172.16.201.10:50600;branch=z9hG4bKPjbJVHFgqcrclq3kJh9hDZfg-I6joRN3QL;received=172.16.201.10;rport=50600
From: Asterisk sip:6004@172.16.200.60;tag=Kbf7ZANMEn4pRtHrYTZJkOfqYg226z-I
To: sip:6003@172.16.200.60;tag=as21b6a1ac
Call-ID: LWPc00KmvuwzLJfizX-2.7fBtE8ILwhX
CSeq: 6713 INVITE
Server: Asterisk PBX 1.8.2.4
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Content-Length: 0

 
> Message: 8
> Date: Tue, 1 Mar 2011 10:04:14 -0600
> From: Terry Wilson twil...@digium.com
> Subject: Re: [asterisk-users] TLS/SRTP calls go to circuit busy.
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>   asterisk-users@lists.digium.com
> Message-ID: b401c9b4-0721-43b4-9762-c3f02483b...@digium.com
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:
>
> > I'm in the process of testing a TLS/SRTP install.  My experience is 
> > improving with each new challenge, but this one is a great test of my 2 
> > month experience with Asterisk.
> >
> > [myphones]
> >
> > ;exten = 6001,1,Dial(SIP/6001)
> > ;exten = 6001,2,Hangup()
> > exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
> > exten = 6001,2,Dial(SIP/${EXTEN})
>
> There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very 
> old version of the SRTP patch. Ignore pretty much anything on issue 5413 and 
> instead look at 
> https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and 
> https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You 
> would use encryption=yes/no in sip.conf and 
> Set(CHANNEL(secure_bridge_signaling)=1) to force SRTP calls. I'm assuming 
> that you are using Asterisk 1.8 instead of one of the patches on issue 
> 5413--if not, then do that. ;-)
 
 




Re: [asterisk-users] TLS/SRTP calls go to circuit busy.

2011-03-03 Thread Terry Wilson

On 03/03/2011 02:22 PM, Mitch Johnson wrote:

> Thanks so much for pointing this out.  I was curious why the commands in the 
> documentation differed to the commands I was using.
>
> That problem is fixed, but now I have a new issue.  I can call with no issues, 
> however, as soon as I answer one of the calls I see the error: 
> ast_srtp_unprotect:  SRTP unprotect: authentication failure.  Below is a 
> snippet of the debug as the call is answered.

The best thing to do at this point would be to file a bug report with 
the info at which point it will eventually probably be assigned to me 
(unless some awesome person comes up with a fix first!) to look at. If I 
have a bit of free time, I'll try to take a peek at it. If you can post 
the sip debug output of the entire offer/answer exchange to the bug 
report, it will help greatly.


Terry
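
What to compare once the full offer/answer exchange requested above has been captured, as an added example that is not part of the thread or of Asterisk: a Python check that the answer's a=crypto line selects a tag and suite that were actually offered and that every inline key has the length the suite requires. The function names and the sample SDP are constructed for illustration; the suite names and the 30-byte key-plus-salt length come from RFC 4568.

```python
import base64
import re

# Master key + master salt length in bytes for the RFC 4568 crypto suites.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}
CRYPTO_RE = re.compile(r"a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+=*)")

def parse_crypto(sdp):
    """Return [(tag, suite, key_bytes)] for a=crypto lines under RTP/SAVP media."""
    # Mail clients fold long lines, so rejoin a folded 'inline:' continuation.
    sdp = re.sub(r"\s*\n\s*(?=inline:)", " ", sdp)
    found, secure = [], False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            secure = "RTP/SAVP" in line
        m = CRYPTO_RE.match(line)
        if m and secure:
            found.append((int(m.group(1)), m.group(2), base64.b64decode(m.group(3))))
    return found

def check_exchange(offer_sdp, answer_sdp):
    """List reasons the two ends could set up different SRTP contexts."""
    offer, answer = parse_crypto(offer_sdp), parse_crypto(answer_sdp)
    if not offer or not answer:
        return ["a=crypto missing from offer or answer"]
    problems = []
    for tag, suite, key in offer + answer:
        want = KEY_SALT_LEN.get(suite)
        if want is None:
            problems.append(f"tag {tag}: unknown suite {suite}")
        elif len(key) != want:
            problems.append(f"tag {tag}: {suite} key is {len(key)} bytes, want {want}")
    offered = {(tag, suite) for tag, suite, _ in offer}
    for tag, suite, _ in answer:
        if (tag, suite) not in offered:
            problems.append(f"answer tag {tag} / {suite} was never offered")
    return problems

# Constructed sample SDP (not from the thread); the keys are dummy bytes.
KEY_A = base64.b64encode(bytes(range(30))).decode()
KEY_B = base64.b64encode(bytes(range(30, 60))).decode()
OFFER = f"m=audio 4000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_32 \r\ninline:{KEY_A}\r\n"
ANSWER = f"m=audio 15274 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{KEY_B}\r\n"
BAD_ANSWER = ANSWER.replace("SHA1_32", "SHA1_80")

if __name__ == "__main__":
    print(check_exchange(OFFER, ANSWER), check_exchange(OFFER, BAD_ANSWER))
```

An empty list means the two a=crypto lines agree on tag and suite; the keys themselves are expected to differ, since each side advertises the key it will send with.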



Re: [asterisk-users] TLS/SRTP calls go to circuit busy.

2011-03-01 Thread Terry Wilson
On Feb 28, 2011, at 7:19 PM, mitch Johnson wrote:

> I'm in the process of testing a TLS/SRTP install.  My experience is improving 
> with each new challenge, but this one is a great test of my 2 month 
> experience with Asterisk.
>
> [myphones]
>
> ;exten = 6001,1,Dial(SIP/6001)
> ;exten = 6001,2,Hangup()
> exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
> exten = 6001,2,Dial(SIP/${EXTEN})
 

There is no such thing as the _SIPSRTP_CRYPTO variable. That was from a very 
old version of the SRTP patch. Ignore pretty much anything on issue 5413 and 
instead look at 
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial and 
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics. You would 
use encryption=yes/no in sip.conf and Set(CHANNEL(secure_bridge_signaling)=1) 
to force SRTP calls. I'm assuming that you are using Asterisk 1.8 instead of 
one of the patches on issue 5413--if not, then do that. ;-)


[asterisk-users] TLS/SRTP calls go to circuit busy.

2011-02-28 Thread mitch Johnson
I'm in the process of testing a TLS/SRTP install.  My experience is
improving with each new challenge, but this one is a great test of my 2
month experience with Asterisk.

When I dial 6003 from 6001, it takes 35 seconds until I get the error
message that 6003 is circuit-busy.

Any help would greatly be appreciated.  Below is the error message and the
extensions and sip.conf files.



*CLI   == Using SIP RTP CoS mark 5
-- Executing [6003@myphones:1] Set(SIP/6001-000c, _SIPSRTP_CRYPTO=enable) in new stack
-- Executing [6003@myphones:2] Dial(SIP/6001-000c, SIP/6003) in new stack
  == Using SIP RTP CoS mark 5
-- Called 6003
-- SIP/6003-000d is circuit-busy
  == Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'SIP/6001-000c' status is 'CONGESTION'


extensions.conf

[myphones]

;exten = 6001,1,Dial(SIP/6001)
;exten = 6001,2,Hangup()
exten = 6001,1,Set(_SIPSRTP_CRYPTO=enable)
exten = 6001,2,Dial(SIP/${EXTEN})

;exten = 6002,1,Dial(SIP/6002)
;exten = 6002,2,Hangup()
exten = 6002,1,Set(_SIPSRTP_CRYPTO=enable)
exten = 6002,2,Dial(SIP/${EXTEN})

;exten = 6003,1,Dial(SIP/6003)
;exten = 6003,2,Hangup()
exten = 6003,1,Set(_SIPSRTP_CRYPTO=enable)
exten = 6003,2,Dial(SIP/${EXTEN})

;exten = 6004,1,Dial(SIP/6004)
;exten = 6004,2,Hangup()
exten = 6004,1,Set(_SIPSRTP_CRYPTO=enable)
exten = 6004,2,Dial(SIP/${EXTEN})

exten = 6005,1,Dial(SIP/6005)
exten = 6005,2,Hangup()
;exten = 6005,1,Set(_SIPSRTP_CRYPTO=enable)
;exten = 6005,2,Dial(SIP/${EXTEN})

exten = 6006,1,Dial(SIP/6005)
exten = 6006,2,Hangup()
;exten = 6006,1,Set(_SIPSRTP_CRYPTO=enable)
;exten = 6006,2,Dial(SIP/${EXTEN})


exten = 600,1,NoOp( start)
exten = 600,n,NOOp( SECURE SIGNALING ${CHANNEL(secure_signaling)} )
exten = 600,n,NOOp( SECURE media ${CHANNEL(secure_media)} )
exten = 600,n,Answer()
exten = 600,n,Playback(demo-echotest)
exten = 600,n,Echo()


exten = _X.,1,Dial(SIP/CM8/${EXTEN:0},30,rt)


[general]

tlsenable=yes
tlsbindaddr=172.16.200.60
;tlsprivatekey=/usr/local/ssl/misc/asteriskkey.pem
;tlscertfile=/usr/local/ssl/misc/asteriskcert.pem
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
;tlscafile=/usr/local/ssl/misc/demoCA/cacert.pem
tlsclientmethod=tlsv1

[6001]
type=friend
secret=erasmus123
callerid=Mitch-MacBook 6001
;nat=yes
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6001

[6002]
type=friend
secret=erasmus123
callerid=Tami 6002
host=dynamic
canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6002

[6003]
type=friend
secret=erasmus123
callerid=iPad 6003
host=dynamic
;canreinvite=no
;nat=yes
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6003

[6004]
type=friend
secret=erasmus123
callerid=iPhone-Mitch 6004
;nat=yes
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
;transport=udp
transport=tls
encryption=yes
port=5061
regexten=6004

[6005]
type=friend
secret=erasmus123
callerid=SNOM 6005
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
transport=udp
;transport=tls
;encryption=yes
;port=5061
regexten=6005

[6006]
type=friend
secret=erasmus123
callerid= 6006
host=dynamic
;canreinvite=no
context=myphones
allow=ulaw
allow=gsm
allow=g726
transport=udp
;transport=tls
;encryption=yes
;port=5061
regex

[CM8]
type=friend
host=172.16.200.100
;canreinvite=yes
;disallow=all
allow=ulaw
allow=ulaw
;qualify=yes
;nat=no
context=myphones