SOLVED SRTP

Status
Not open for further replies.

wouam31

Member
Jul 1, 2022
71
9
8
40
Hi all!

I need help.

I configured TLS on my FusionPBX and it works correctly.

Now I would like to secure the RTP.

On my Yealink, in: RTP Encryption (SRTP) I put: Compulsory.

When I call from this extension, I have encryption and fusionpbx does the bridge to the unencrypted extension. (cool)


But when I try to call my Yealink extension, I go directly to its voicemail, as if the extension was not registered.

Should I add variables?

Could this do the job?

rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_256_GCM|AEAD_AES_128_GCM_8|AEAD_AES_128_GCM|AES_256_CM_HMAC_SHA1_80|AES_192_CM_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_256_CM_HMAC_SHA1_32|AES_192_CM_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH

Thanks a lot for your help.
 

wouam31

Hi all!

I managed to make calls from TLS to SRTP to non-SRTP extensions!
On the other hand, when I try to make an external call (using the gateway) it is refused by my provider because in the SDP prompt there is RTP/SAVP.

t=0 0
m=audio 17732 RTP/SAVP 8 9 0 101 13
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:13 CN/8000
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:w/XM3iQSJ4IFeNaFgik4NnPgOvWeJT0dC4uhh3jZ
a=ptime:20
m=audio 17732 RTP/AVP 8 9 0 101 13
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=rtpmap:13 CN/8000
a=ptime:20

I managed to remove it by adding this to the outbound routes:

<action application="set" data="rtp_secure_media_outbound=false"/>
<action application="export" data="rtp_secure_media_outbound=false"/>

t=0 0
m=audio 26380 RTP/AVP 9 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
a=ptime:20

Is there a simpler way in FusionPBX so that it only sends RTP/AVP for records 5060 and 5080 and sends RTP/SAVP for records 5061 and 5081?

Thanks everyone!
 

wouam31

Hi,
I can't send that:

v=0
o=FreeSWITCH 1705975402 1705975403 IN IP4 141.XX.XX.XX
s=FreeSWITCH
c=IN IP4 141.XX.XX.XX
t=0 0
m=audio 26650 RTP/AVP 9 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
a=ptime:20

When I make a call I get in the prompt:

v=0
o=FreeSWITCH 1705975402 1705975403 IN IP4 141.XX.XX.XX
s=FreeSWITCH
c=IN IP4 141.XX.XX.XX
t=0 0
m=audio 26650 RTP/SAVP 9 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:LNrG9NXaQVUYrFtoeqDDBcF5UXan4p7sGmiU3pqL
a=silenceSupp:off - - - -
a=ptime:20
m=audio 26650 RTP/AVP 9 0 8 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=silenceSupp:off - - - -
a=ptime:20

My provider refuses me since there is RTP/SAVP.

I tried to add
outbound-bypass-media:false
in external profile

I need help
Thank you so much.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,415
376
83
"Is there a simpler way in FusionPBX so that it only sends RTP/AVP for records 5060 and 5080 and sends RTP/SAVP for records 5061 and 5081?"

I don't think there is.
We need to think of SSL/TLS and SRTP as two completely separate things.

You can enable SRTP with or without TLS by adding the following to your dialplan:
Code:
<action application="set" data="sip_secure_media=true"/>
You generally do this in each leg of the call to be fully secure, but as you have found out, there are still many SIP providers that don't support or accept SRTP. So I think that maybe it should not be set globally but only on the internal call legs unless the SIP provider supports it.

Then we can argue that if we are not encrypting the RTP end to end, what is the point of encrypting it at all?

Another point worth mentioning is that although you can use SRTP without TLS, in other words without encrypting the SIP packet, the problem is that the encryption keys for the SRTP will be transmitted as plain text.

Like yourself, I have ended up ensuring SRTP is turned off for the outbound routes:
Code:
{rtp_secure_media=false}sofia/gateway/c9a32655-6520-4d96-bc07-500c542e2a5f/$1

You can test if RTP is secure by reading the "sip_secure_media_confirmed" channel variable. FusionPBX provides this test in a dialplan entry called "is_secure" but also adds a test for the "sip_via_protocol" being tls, so the "is_secure" dialplan will evaluate to "not_secure" if there is no TLS, even if the RTP is encrypted.

I know this probably does not help you very much, but it is about all I know on the subject.

Kind regards,
Adrian.
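
Added example (not part of Adrian's post and not FusionPBX code): a small Python check that reads an SDP offer like the ones in this thread and reports, per m= line, whether an SDES key would travel over non-TLS signalling and whether a plain RTP/AVP fallback is offered. The function names, finding labels and sample offer are assumptions made for illustration; the inline key is a dummy value.

```python
# Added example: audit an SDP offer for SDES key exposure and cleartext fallback.
# SAMPLE_OFFER is constructed (documentation IP, dummy all-zero key), not a capture.
SAMPLE_OFFER = """v=0
o=FreeSWITCH 1 2 IN IP4 192.0.2.10
s=FreeSWITCH
c=IN IP4 192.0.2.10
t=0 0
m=audio 26650 RTP/SAVP 9 0 8 101
a=rtpmap:9 G722/8000
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=ptime:20
m=audio 26650 RTP/AVP 9 0 8 101
a=rtpmap:9 G722/8000
a=ptime:20
"""

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

def parse_media(sdp):
    """Return one dict per m= section with its port, profile and SDES suites."""
    sections = []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue  # malformed m= line, ignore it
            port = int(fields[1].split("/")[0])  # "port/count" form is allowed
            sections.append({"port": port, "proto": fields[2], "suites": []})
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <suite> inline:<base64 key and salt>
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3 and parts[2].startswith("inline:"):
                sections[-1]["suites"].append(parts[1])
    return sections

def audit(sdp, sip_transport):
    """List (port, profile, finding) tuples for one offer and its SIP transport."""
    findings = []
    tls = sip_transport.lower() == "tls"
    for m in parse_media(sdp):
        if m["proto"] in SRTP_PROFILES:
            if not m["suites"]:
                findings.append((m["port"], m["proto"], "srtp-without-key"))
            elif not tls:
                findings.append((m["port"], m["proto"], "sdes-key-exposed"))
        else:
            findings.append((m["port"], m["proto"], "cleartext-media"))
    return findings

if __name__ == "__main__":
    for transport in ("udp", "tls"):
        print(transport, audit(SAMPLE_OFFER, transport))
```
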
 

wouam31

Hi Adrian,

This really helped me!
Now I can make calls from extensions registered in TLS/SRTP to my provider without sending SAVP in the INVITE.


I will continue my tests.

Thanks again.
 