Solved

SRTP Setup on FreePBX

Posted on 2014-04-23
Last Modified: 2014-04-28
Hi Experts,

I'm trying to configure SRTP for my Snom 320 phone to connect with FreePBX.

I was able to configure TLS but not SRTP. Every time I try calling an extension or my voicemail, my phone gets disconnected straight away and gives me the following error: Disconnected Not Acceptable Here. I have attached snippets of log files from my phone and FreePBX server below:

Phone Log:
23/4/2014 23:00:17 [NOTICE] PHN: Certificate with subject Country: ; State: ; Locality ; Organization: MYCOMPANY; Common Name: host.domain.com.au; eMail:   is a trusted server certificate. 
23/4/2014 23:00:18 [WARN  ] PHN: SIP: process_registrar_packet: 401 needs 128 bit nonce
23/4/2014 23:00:18 [NOTICE] PHN: SIP: process auth:Match challenge for user=1002, realm=asterisk
23/4/2014 23:00:19 [ALERT ] LID: inca360_handle_kb: key event: 520826550
23/4/2014 23:00:21 [WARN  ] PHN: RTP: send_tcp_rtp: rtp name not set!
23/4/2014 23:00:21 [NOTICE] PHN: RTP: send_tcp_rtp: Caching  bytes 30/0
23/4/2014 23:00:25 [NOTICE] PHN: TPL: Socket 105 idle/connect timeout

FreePBX Log:
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 0 [ 52]: ACK sip:*97@192.168.0.222:5061;transport=tls SIP/2.0
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 1 [ 68]: Via: SIP/2.0/TLS 192.168.0.19:2347;branch=z9hG4bK-ucdva69vgipu;rport
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 2 [ 71]: From: "1002" <sip:1002@192.168.0.222:5061;transport=tls>;tag=1koxu447zd
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 3 [ 61]: To: <sip:*97@192.168.0.222:5061;transport=tls>;tag=as3f122996
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 4 [ 34]: Call-ID: 5357b83b3406-8sha8w22g2nw
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 5 [ 11]: CSeq: 2 ACK
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 6 [ 16]: Max-Forwards: 70
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 7 [ 74]: Contact: <sip:1002@192.168.0.19:2347;transport=tls;line=l7k7gcio>;reg-id=1
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: Header 8 [ 17]: Content-Length: 0
[2014-04-23 22:55:23] VERBOSE[3791] chan_sip.c: --- (9 headers 0 lines) ---
[2014-04-23 22:55:23] DEBUG[3791] chan_sip.c: = Looking for Call ID: 5357b83b3406-8sha8w22g2nw (Checking From) --From tag 1koxu447zd --To-tag as3f122996
[2014-04-23 22:55:23] DEBUG[3791][C-00000030] chan_sip.c: **** Received ACK (6) - Command in SIP ACK
[2014-04-23 22:55:23] DEBUG[3791][C-00000030] chan_sip.c: Stopping retransmission on '5357b83b3406-8sha8w22g2nw' of Response 2: Match Not Found
[2014-04-23 22:55:28] DEBUG[3792] manager.c: Running action 'Login'

My Network Environment

FreePBX Server Spec:
1. FreePBX v 2.11
2. Asterisk 11.8
3. Debian Wheezy
4. freepbx extension settings
Phone:
1. Type: Snom320
2. Firmware: 8.7
3. snom setting
Can you please help point me in the right direction?

Many thanks,
Ricky
Question by:RiCzN
15 Comments

Author Comment

by:RiCzN
ID: 40017766
Hi Experts, I have since recompiled my asterisk server to also include the srtp module. Also moved my test to a Blink softphone instead of the snom phone. I now see the following log outputs in the FreePBX log files.

[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Allocating new SIP dialog for 43686fcc33dd899e0d6b8023278fe685@127.0.1.1:5060 - OPTIONS (No RTP)
[2014-04-24 01:07:06] DEBUG[3259] acl.c: For destination '192.168.0.7', our source address is '192.168.0.222'.
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Setting SIP_TRANSPORT_TLS with address 192.168.0.222:5061
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: SIP call-id changed from '43686fcc33dd899e0d6b8023278fe685@127.0.1.1:5060' to '3ee98f386ec9068770862f154123fc1e@192.168.0.222:5061'
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Initializing initreq for method OPTIONS - callid 3ee98f386ec9068770862f154123fc1e@192.168.0.222:5061
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 0 [ 60]: OPTIONS sip:86509241@192.168.0.7:59339;transport=tls SIP/2.0
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 1 [ 58]: Via: SIP/2.0/TLS 192.168.0.222:5061;branch=z9hG4bK594748f6
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 2 [ 16]: Max-Forwards: 70
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 3 [ 58]: From: "Unknown" <sip:Unknown@192.168.0.222>;tag=as4ee5e719
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 4 [ 50]: To: <sip:86509241@192.168.0.7:59339;transport=tls>
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 5 [ 55]: Contact: <sip:Unknown@192.168.0.222:5061;transport=TLS>
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 6 [ 60]: Call-ID: 3ee98f386ec9068770862f154123fc1e@192.168.0.222:5061
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 7 [ 17]: CSeq: 102 OPTIONS
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 8 [ 31]: User-Agent: FPBX-2.11.0(11.8.1)
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 9 [ 35]: Date: Wed, 23 Apr 2014 15:07:06 GMT
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 10 [ 81]: Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Header 11 [ 26]: Supported: replaces, timer
[2014-04-24 01:07:06] VERBOSE[3259] chan_sip.c: Reliably Transmitting (no NAT) to 192.168.0.7:59339:
[2014-04-24 01:07:06] DEBUG[3259] chan_sip.c: Trying to put 'OPTIONS sip' onto TLS socket destined for 192.168.0.7:59339
[2014-04-24 01:07:06] WARNING[3259] chan_sip.c: sip_xmit of 0x9131fc8 (len 592) to 192.168.0.7:59339 returned -2: Interrupted system call
[2014-04-24 01:07:10] DEBUG[3259] chan_sip.c: Destroying SIP dialog 3ee98f386ec9068770862f154123fc1e@192.168.0.222:5061
[2014-04-24 01:07:10] VERBOSE[3259] chan_sip.c: Really destroying SIP dialog '3ee98f386ec9068770862f154123fc1e@192.168.0.222:5061' Method: OPTIONS
[2014-04-24 01:07:14] DEBUG[25368] manager.c: Running action 'Login'


Assisted Solution

by:José Méndez
José Méndez earned 300 total points
ID: 40019185
Hi Ricky, I don't see any errors from the Blink call. What are the symptoms when using Blink?

Assisted Solution

by:Phonebuff
Phonebuff earned 200 total points
ID: 40019195
In your first post I don't see where you set your Codec Disallow / Allow.

And check

================
Author Comment

by:RiCzN
ID: 40022239
Sorry experts, for this late reply. We're in the process of moving and my computer gear was unavailable for use in the past couple of days. I will post your requested info very shortly.

Thanks for your patience.
Ricky
Author Comment

by:RiCzN
ID: 40022283
Hi willlywilburwonka, please see attached as requested, Blink's sip trace log file directly after placing an internal call attempt from extension 1002 to 1001.

Hi Phonebuff, please see attached images of audio codecs as requested from my server settings as well as what is set on the Blink softphone. It's pretty much just the default settings.
ScreenHunter-48-Apr.-25-20.42.jpg
ScreenHunter-49-Apr.-25-20.55.jpg
sip-trace.txt
Author Comment

by:RiCzN
ID: 40026447
Hi Experts, I'm reviewing the asterisk log in FreePBX again and it's showing a TLS error:

[2014-04-28 11:52:11] [2014-04-28 12:14:23] DEBUG[3288] chan_sip.c: Trying to put 'OPTIONS sip' onto TLS socket destined for 192.168.0.7:54300
[2014-04-28 12:14:23] VERBOSE[4452] tcptls.c: SSL certificate ok
[2014-04-28 12:14:23] DEBUG[4452] tcptls.c: SSL Common Name compare s1='192.168.0.7' s2='phone2.mydomain.com.au'
[2014-04-28 12:14:23] ERROR[4452] tcptls.c: Certificate common name did not match (192.168.0.7)

It's strange in that it's not preventing me from calling other extensions. I can call another phone with no problems.

I have double checked that the certificate's hostname or CN is pointing to the right IP address.

What I did was use the following command:

openssl x509 -noout -in /etc/asterisk/keys/phone2.pem -subject -issuer -dates

Result:

subject= /CN=phone2.mydomain.com.au/0=mydomain
issuer= /CN=Asterisk Private CA/0=mydomain
notBefore=Apr 22 14.49.05 2014 GMT
notAfter=Apr 22 14.49.05 2014 GMT

When I ping phone2.mydomain.com.au it points to 192.168.0.7. So I'm pretty sure DNS is correctly setup.

Could this be the reason why SRTP isn't working?

Assisted Solution

by:José Méndez
José Méndez earned 300 total points
ID: 40026471
"Certificate common name did not match"

I think the certs are not matching:

s1='192.168.0.7' s2='phone2.mydomain.com.au'

The IP is not the same as phone2.mydomain.com.au; although one resolves to the other, they do not match as text strings.
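Added example (not from the thread, and not Asterisk's tcptls.c): the comparison José describes, written out as a small identity matcher. The log line `SSL Common Name compare s1='192.168.0.7' s2='phone2.mydomain.com.au'` shows Asterisk comparing the address it dialled against the certificate's CN as plain text. This example goes a step further than the page and applies the general RFC 6125 rules (DNS SANs, IP SANs, and the CN only as a fallback when the certificate carries no DNS SAN), which makes the underlying point explicit: a target that is an IP literal can only ever be satisfied by an IP SAN, whatever DNS resolves it to. The certificate dictionaries, the `identity_matches` function and its dict layout are constructed for this example.

```python
import ipaddress

# Constructed from the thread's log line: a certificate with a CN only and
# no SubjectAltName at all.
PHONE_CERT = {"cn": "phone2.mydomain.com.au", "dns_sans": [], "ip_sans": []}

# Constructed: what a regenerated certificate would need to carry for the
# check to pass when the peer is dialled by its IP address.
PHONE_CERT_WITH_SANS = {
    "cn": "phone2.mydomain.com.au",
    "dns_sans": ["phone2.mydomain.com.au"],
    "ip_sans": ["192.168.0.7"],
}


def _dns_name_match(pattern, name):
    """RFC 6125 style DNS match: case-insensitive, exact, or a single
    leading wildcard label (*.example.com matches one label only)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def identity_matches(cert, target):
    """Return (matched, reason) for a certificate dict and the string the
    client dialled.  An IP literal is compared only against IP SANs; a DNS
    name is compared against DNS SANs, or against the CN when the
    certificate has no DNS SAN (legacy fallback).  DNS resolution plays no
    part, which is exactly why the thread's check fails."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        for san in cert.get("ip_sans", []):
            if ipaddress.ip_address(san) == ip:
                return True, "IP SAN %s matches %s" % (san, target)
        return False, ("target %s is an IP literal and the certificate has no "
                       "matching IP SAN; CN and DNS names are never compared "
                       "against an IP" % target)

    dns_sans = cert.get("dns_sans", [])
    for san in dns_sans:
        if _dns_name_match(san, target):
            return True, "DNS SAN %s matches %s" % (san, target)
    if not dns_sans and cert.get("cn") and _dns_name_match(cert["cn"], target):
        return True, "CN %s matches %s (no SAN present, CN fallback)" % (cert["cn"], target)
    return False, "no DNS SAN or CN matches %s" % target


def explain(cert, target):
    """One-line verdict in the style of the tcptls.c log messages."""
    ok, reason = identity_matches(cert, target)
    return "%s: %s" % ("OK" if ok else "MISMATCH", reason)


if __name__ == "__main__":
    print(explain(PHONE_CERT, "192.168.0.7"))             # the thread's failure
    print(explain(PHONE_CERT, "phone2.mydomain.com.au"))  # same cert, dialled by name
    print(explain(PHONE_CERT_WITH_SANS, "192.168.0.7"))   # cert carrying an IP SAN
```

Run against the thread's certificate (CN only, no SAN), the match for the dialled IP fails exactly as the log shows, while the same certificate matches when the peer is addressed by its DNS name. The two ways to make the IP case pass are to address the peer by the name in the certificate or to issue a certificate that carries an IP SAN for 192.168.0.7; regenerating the keys is what cleared the TLS error later in the thread.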

Author Comment

by:RiCzN
ID: 40026474
I don't recall entering any IP addresses when generating openssl keys. Would you know where asterisk would have tried to source that information?

Author Comment

by:RiCzN
ID: 40026502
Hi willlywilburwonka, I have regenerated the keys and TLS is no longer an issue but SRTP still isn't working. Asterisk Full log is now showing:

[2014-04-28 13:13:50] ERROR[3354][C-00000017] chan_sip.c: No SRTP module loaded, can't setup SRTP session.

But when checking menuconfig, I can see it's enabled as per below image:

srtp enabled on menuconfig
I've no clue now. I've attached a larger snippet of asterisk's log file for your review. Possibly you're able to extrapolate something from it?
asterisk-full-log.txt

Accepted Solution

by:José Méndez
José Méndez earned 300 total points
ID: 40026569
Let's see these outputs:

ldd /usr/sbin/asterisk | egrep 'ssl|srtp'
ls -l /usr/lib64/asterisk/modules/res_srtp.so

module show like srtp
module load res_srtp.so
module show like srtp

Are you following the Wiki?

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial#SecureCallingTutorial-Part2%28SRTP%29

Author Comment

by:RiCzN
ID: 40026603
Oh cool, yep, I'm following the exact same Wiki.

ldd /usr/sbin/asterisk | egrep 'ssl|srtp' produces:

libasteriskssl.so.1 => /usr/lib/libasteriskssl.so.1 (0xb7725000)
libssl.so.1.0.0 => /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0 (0xb7363000)

ls -l /usr/lib64/asterisk/modules/res_srtp.so produces:
No such file or directory

module show like srtp produces:
0 modules loaded 

module load res_srtp.so produces:
[2014-04-28 15:45:56] WARNING[3544] loader.c: Error loading module 'res_srtp.so': /usr/lib/asterisk/modules/res_srtp.so: cannot open shared object file: No such file or directory
[2014-04-28 15:45:56] WARNING[3544] loader.c: Module 'res_srtp.so' could not be loaded.
[2014-04-28 15:46:07] ERROR[3541] tcptls.c: Unable to connect SIP socket to 192.168.0.7:54300: Connection timed out

module show like srtp produces:
0 modules loaded

So I'm guessing it means the srtp module wasn't loaded correctly?
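Added example (not from the thread or the Asterisk project) that packages the file-existence checks from the accepted answer into reusable shell functions and adds a parser for the loader warning shown above. The outputs above make one point worth keeping: `/usr/lib64/asterisk/modules` is the Red Hat-style path, and the loader warning itself names the directory this Debian build really uses, `/usr/lib/asterisk/modules`, which is where res_srtp.so is absent. The candidate directories in DEFAULT_MODULE_DIRS and the function names are assumptions of this example, not facts about the thread's server.

```bash
#!/bin/sh
# Added example (not from the thread or the Asterisk project): locate
# res_srtp.so the way an operator would, and extract the real module
# directory from Asterisk's loader.c warning.

# Common install locations for Asterisk modules (assumed candidates).  Debian
# i386, as in the thread, uses /usr/lib/asterisk/modules; 64-bit Red Hat
# family builds use /usr/lib64/asterisk/modules.
DEFAULT_MODULE_DIRS="/usr/lib/asterisk/modules /usr/lib64/asterisk/modules /usr/lib/x86_64-linux-gnu/asterisk/modules"

# locate_res_srtp [dir ...]: print the first res_srtp.so found in the given
# directories (or the defaults) and return 0; return 1 if none exists.
locate_res_srtp() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="$DEFAULT_MODULE_DIRS"
    for d in $dirs; do
        if [ -f "$d/res_srtp.so" ]; then
            printf '%s\n' "$d/res_srtp.so"
            return 0
        fi
    done
    return 1
}

# modules_dir_from_loader_error: read loader.c warnings on stdin and print
# the directory Asterisk actually searched.  That path, not a guess from
# another distribution, is the authoritative answer to "where should
# res_srtp.so be on this build".
modules_dir_from_loader_error() {
    sed -n "s/.*Error loading module '[^']*': \(.*\)\/res_srtp\.so: cannot open shared object file.*/\1/p" | head -n 1
}

# srtp_ready [dir ...]: operator-facing verdict.  Prints "READY <path>" and
# returns 0 when the module file exists, "MISSING" and returns 1 otherwise.
srtp_ready() {
    if path=$(locate_res_srtp "$@"); then
        printf 'READY %s\n' "$path"
        return 0
    fi
    printf 'MISSING\n'
    return 1
}

# Usage on a live box (assumed commands, shown as a comment so the file can
# be sourced without side effects):
#   . ./srtp_check.sh
#   srtp_ready || grep 'res_srtp' /var/log/asterisk/full | modules_dir_from_loader_error
#   asterisk -rx 'module show like srtp'
```

Once the file does exist, `ldd` on res_srtp.so (rather than on the asterisk binary, which only links libssl and libasteriskssl as the output above shows) is what tells you whether libsrtp was available at build time; a build made without libsrtp-dev simply never produces res_srtp.so, which matches the "0 modules loaded" and the menuselect mismatch reported later in the thread.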

Author Comment

by:RiCzN
ID: 40026611
When compiling srtp module, I was using the following howtos:

http://remiphilippe.fr/asterisk-srtp-installation-and-configuration/

http://remiphilippe.fr/asterisk-srtp-with-1-8/


I'm up to the part where it instructs me to check out the repository. The full command is
svn checkout http://svn.asterisk.org/svn/asterisk/team/group/srtp_reboot

That repository no longer exists. So I tried the following:
svn checkout http://svn.asterisk.org/svn/asterisk/tags/11.8.1/res/res_srtp.c

Debian tells me:
svn: URL 'http://svn.asterisk.org/svn/asterisk/tags/11.8.1/res/res_srtp.c' refers to a file and not a directory.

I found this website here where he uses:

http://svnview.digium.com/svn/asterisk/tags/1.8.20.1/res/res_srtp.c?revision=379878&content-type=text%2Fplain

What does this last part of his command, ?revision=379878&content-type=text%2Fplain, mean? Would you know what I should add to my command?
Author Comment

by:RiCzN
ID: 40027065
Hi willlywilburwonka, I just discovered that my srtp module isn't compatible with my current version of Asterisk, as per the attached image.
ScreenHunter-51-Apr.-28-22.41.jpg
Author Comment

by:RiCzN
ID: 40028726
Hi willlywilburwonka and Phonebuff, I gave up on Debian and moved to CentOS by installing a FreePBX distro. It's probably better this way as I can purchase some commercial modules now. I don't mind paying for the good work put in by all these great developers.

I had to follow a different tutorial here to generate the required keys and then continued following the rest of the wiki tutorial that you referred to above. TLS and SRTP works perfectly first time.

Thanks for your guidance,
Ricky

Expert Comment

by:José Méndez
ID: 40028761
Awesome!! I see you are getting closer to the dark side of the force!!! I have never liked Debian-based servers; CentOS and Scientific Linux rock instead!!!