How to setup Encrypted Connections in Asterisk with Polycom Phones

So you think no one can listen in on your VOIP conversations, eh? Well... if you haven't setup Secure Real Time Transport (SRTP), your voice communications can be hacked into by just about anyone!

First, let's talk about the intended audience for this article, and give some background on the technologies themselves.

Intended Audience

This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.

In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.

Platforms Discussed: A glossary of sorts...

Next, let's debunk some common misconceptions:


The solution? Encrypt your traffic.

Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.

To Get SRTP, install asterisk from the srtp svn in the following manner:

1. Prep the System

As usual, this is for an Ubuntu based system. Your setup may vary if you are using a different distro.

    #Setup the system

    apt-get install
    apt-get install subversion
    apt-get install make
    apt-get install linux-source
    apt-get install kernel-package
    apt-get install linux-kernel-headers
    apt-get install linux-headers linux-headers-`uname -r`

    #Install other needed stuff

    aptitude install libconfig-tiny-perl libcupsimage2 libcups2 libmime-lite-perl libemail-date-format-perl libfile-sync-perl libfreetype6 libspandsp1 libtiff-tools libtiff4 libjpeg62 libmime-types-perl libpaper-utils psutils libpaper1 ncurses ncurses-dev libncurses-dev libncurses-gst ncurses-term libnewt libnewt-dev libnewt-pic libxml2 libxml2-dev libspandsp-dev libspandsp1 bison

    #Change to the proper directory
    cd /usr/src/

    #Get SRTP
    #You can update the SRTP version by changing the VERSION value on the next line. Check http://srtp.sourceforge.net/download.html for the most current version
    number
    VERSION=1.4.2.tgz
    wget http://srtp.sourceforge.net/srtp-$VERSION
    tar -zxvf srtp-$VERSION
    cd srtp-$VERSION
    ./configure
    make
    make runtest
    make install

    cd /usr/src/

    # Get asterisk
    svn co http://svn.digium.com/svn/asterisk/team/group/srtp/ asterisk

    # Get DAHDI Kernel
    svn co http://svn.digium.com/svn/dahdi/linux/trunk dahdi-kernel

    # Get DAHDI Tools
    svn co http://svn.digium.com/svn/dahdi/tools/trunk dahdi-tools

    # Get libpri
    svn co http://svn.digium.com/svn/libpri/branches/1.4/ libpri

Select all Open in new window

Compile The Asterisk Files

    # Compile libpri

    cd /usr/src/libpri
    make

    # Compile the DAHDI kernel
    cd /usr/src/dahdi-kernel
    make
    make install

    # Compile the tools
    cd /usr/src/dahdi-tools
    ./configure
    make
    make install
    make config

    # Compile asterisk
    cd /usr/src/asterisk
    ./configure
    make
    make install

    #Set asterisk to start automatically through init.d
    make config

    #Create sample files for a first time user. DO NOT run this if you already have configs you want to keep! They will be over written!
    make samples

Select all Open in new window

2. Configure Asterisk for Secure Calls

Open up sip.conf, and directly under the [general] section add this line:

srtpcapable=yes

Select all Open in new window

3. Configure the Dialplan

The next part is easy, you just need to tell Asterisk via dialplan code that you want SRTP used when certain extensions are dialed. You accomplish this by using SIPPEER to set a variable. Don’t worry about understanding that. You can just copy paste what I have below.

[local_stations]
    exten => _XXXX,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
    exten => _XXXX,n,Dial(SIP/${EXTEN})

Select all Open in new window

The examples above will, for any given 4 digit extension, tell Asterisk to use SRTP if the endpoint supports it.

4. Configure Your Polycoms for SRTP

The last step is to configure your Polycom phones (the endpoints) for SRTP.  There are two types of secure setups that we are going to discuss: Full Security, and Half Security.

Full Security
Explanation

Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).

In the full security setup, the Polycom phones will accept no excuses for media transport. If, during the call setup, the phone sees that the endpoint does not support SRTP, it will just drop the call, and you will get a re-order.  Here's the code:

    sec.srtp.enable="1"
    sec.srtp.leg.enable="1"
    sec.srtp.offer="1"
    sec.srtp.require="1"

Select all Open in new window

Half Security
Explanation

Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.

This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.

For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.

The line indicators could be something like "4101" for the extension, and "Secure" for the SRTP line.

Under half security, he could use extension 4101 for regular calling, and then use the “secure” line to make encrypted called.  Here's the code:

    sec.srtp.enable="1"
    sec.srtp.leg.enable="1"
    sec.srtp.offer="1"
    sec.srtp.sessionParams.noAuth.offer="1"
    sec.srtp.sessionParams.leg.noAuth.offer="1"
    sec.srtp.sessionParams.leg.noAuth.require="1"
    sec.srtp.sessionParams.IP_4000.noAuth.offer="1"

Select all Open in new window

Configuring SRTP it the Easy Way

www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.

When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.

Credits:
This article was originally published in the Polycom VoIP and Asterisk How To blog from www.phoneprovisioning.com. Reprinted here with permission.