On 01/14/2013 04:05 PM, Klaus Darilion wrote:
> First, you should test TLS with RTP (first make sure that TLS works, then
> enable SRTP).

I was able to partially fix the TLS problem; now I can at least do

openssl s_client -connect kamailio_ip:5061 -tls1

and get the corresponding answer. I had to add the listen=tcp: line and adjust the iptables accordingly:

listen=udp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tcp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tls:10.50.X.X:5061 advertise kamailio_ip:5061

> Second, it seems like an Asterisk problem, thus you may get better answers on
> the Asterisk mailing lists.

I'll try to ask them.

>
> regards
> Klaus
>
> On 14.01.2013 11:23, Roberto Fichera wrote:
>> Hi All,
>>
>> I would like to set up a configuration where Kamailio authenticates asterisk
>> SIP trunks using TLS and SRTP.
>> At the moment I was able to configure everything, including RTPProxy, since
>> most of the asterisks v1.8.19.1 are behind NAT. So far so good, it works
>> pretty well using standard authentication and the call goes straight
>> between asterisks. But as soon as I move my configuration for both kamailio
>> & asterisk to TLS+SRTP I'm not able to authenticate asterisk SIP trunks.
>> In particular, asterisk seems to insist on using port 5060 even if
>> I requested TLS on 5061.
>>
>> kamailio v3.3.3 tls.cfg is configured as:
>>
>> [server:default]
>> method = TLSv1
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/pki/tls/private/server.key
>> certificate = /etc/pki/tls/certs/server.pem
>> ca_list = /etc/pki/tls/certs/ca-bundle.crt
>> #crl = //etc/kamailio/crl.pem
>>
>> # This is the default client domain, settings
>> # in this domain will be used for all outgoing
>> # TLS connections that do not match any other
>> # client domain in this configuration file.
>> # We require that servers present valid certificate.
>> #
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>>
>> So my asterisk conf is the following:
>>
>> [general]
>>
>> tlsenable=yes
>> tlsbindaddr=0.0.0.0
>> tlscertfile=/etc/asterisk/5002.pem
>> tlscafile=/etc/asterisk/ca-bundle.crt
>> tlscipher=ALL
>> tlsclientmethod=tlsv1
>> tlsdontverifyserver=yes
>> transport=tls,udp
>> ....
>> .....
>>
>> and the SIP trunk is configured as
>>
>> [kamailio]
>> type=peer
>> insecure=invite,port
>> nat=yes
>> disallow=all
>> allow=ulaw
>> host=kamailio_ip
>> outboundproxy=tls://kamailio_ip
>> port=5061
>> defaultuser=5002
>> fromuser = 5002
>> fromdomain =mydomain
>> secret=5002
>> qualify=yes
>> dtmfmode=rfc2833
>> context=default
>> callbackextension=5002
>> directmedia=nonat
>> sendrpid=yes
>>
>> transport=tls
>> encryption=yes
>>
>> register => tls://5002:5002@kamailio_ip:5061/5002
>>
>> I still get error like:
>>
>> Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP'
>> is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register:
>> Probably a DNS error for registration to
>> 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP'
>> is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register:
>> Probably a DNS error for registration to
>> 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP'
>> is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register:
>> Probably a DNS error for registration to
>> 5002@kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable
>> to connect SIP socket to kamailio_ip:5060:
>> Connection timed out
>>
>> Can anyone suggest something for me to read, try, or check?
>>
>> Best regards.
>> Roberto Fichera.
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>
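
Added example (not part of the original thread, and not Kamailio or Asterisk project code): a small Python audit over the TLS-related lines of the two configurations quoted above, flagging the settings that disable certificate verification or permit TLS 1.0 and weak ciphers. The audit function, the WEAK rule table and the trimmed sample configs are constructed for illustration.

```python
import re

# Constructed sample input: only the TLS-related lines of the two configs quoted above.
KAMAILIO_TLS_CFG = """\
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
[client:default]
verify_certificate = no
require_certificate = no
"""
ASTERISK_SIP_CONF = """\
[general]
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
[kamailio]
transport=tls
"""

# Lower-cased (key, value) pairs that weaken TLS, and why (rule table assumed for this example).
WEAK = {
    ("verify_certificate", "no"): "certificate of the {peer} is not verified",
    ("require_certificate", "no"): "{peer} need not present a certificate",
    ("method", "tlsv1"): "TLS 1.0 is deprecated (RFC 8996)",
    ("tlsclientmethod", "tlsv1"): "TLS 1.0 is deprecated (RFC 8996)",
    ("tlsdontverifyserver", "yes"): "certificate of the {peer} is not verified",
    ("tlscipher", "all"): "cipher string ALL admits weak suites",
}

def audit(text):
    """Return (section, key, value, reason) for each weak TLS setting in an INI-style config."""
    findings, section = [], ""
    for raw in text.splitlines():
        # Strip '#' (Kamailio) and ';' (Asterisk) comments before parsing.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        reason = WEAK.get((key.lower(), value.lower())) if sep else None
        if reason:
            # In a Kamailio [server:...] domain the remote side is the connecting client.
            peer = "connecting client" if section.startswith("server:") else "remote server"
            findings.append((section, key, value, reason.format(peer=peer)))
    return findings
```

Calling audit() on each config returns one tuple per weak setting; lines such as transport=tls are parsed but not reported.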