I'm attempting to configure my Asterisk PBX to use TLS/SRTP connections to VoIP.ms according to the instructions provided by uid://1786236 in the thread @ https://www.dslreports.com/forum/r32328534- and I'm not having much luck. I am pretty new to both, so I suspect it's a simple configuration oversight somewhere. I did have standard SIP registration, inbound, and outbound calling working with my ATA adapters and VoIP.ms before attempting to use TLS/SRTP. This post may be a little long-winded, but I am trying to include all the details for anyone else working with Asterisk + VoIP.ms.
So, firstly, a little bit of system info:
1) Manjaro Linux 18 KDE
2) Asterisk 16.3.0 from AUR repository
3) Firewall ports should be open ( configured to allow all tcp + udp traffic to/from voip.ms servers using dnsmasq ipset feature )
4) libsrtp2.so is present and loaded and in use by Asterisk as verified by 'lsof /usr/lib/libsrtp2.so'
5) ca-certificates package is up to date ( thanks que_ball )
6) Let's Encrypt root and intermediate certificates are installed ( thanks que_ball )
Starting with my working config, I made the following changes:
1) Created new VoIP.ms sub-account same as working one, selected "Advanced Options" and then set "Encrypted SIP Traffic" to "yes."
2) In asterisk sip.conf [general] section I set "tlsenable=yes" and "tlsdontverifyserver=yes"
3) Created new sip.conf channel section same as working sip, and added "transport=tls" and "encryption=yes"
4) Altered extensions.conf to use encrypted sip channel instead of standard one
5) Made sure hostname uses "{city}1.voip.ms" formatting.
6) Altered register string in sip.conf to "register => tls://subaccount:password@city1.voip.ms:5061"
After making the above changes, I restarted asterisk, and checked the VoIP.ms website and the encrypted sub-account shows as "registered" in green with the green padlock icon.
There is an entry in the /var/log/asterisk/messages file now that was not appearing before:
ERROR[9961] tcptls.c: TLS/SSL error loading cert file. <asterisk.pem>
It is my understanding that the above error is due to not having a client side certificate, and that it isn't required for the VoIP.ms setup? If I'm incorrect on this point, please correct me.
So, now, when I attempt to make an outbound call to my cell phone, which was previously working correctly using the standard sip configuration, the call does not connect, and I get a "fast busy" signal, and the asterisk debug console shows the following:
X...<--- SIP read from TLS:xxx.xxx.xxx.xxx:5061 --->SIP/2.0 488 Not acceptable here...== Everyone is busy/congested at this time (1:0/0/1)...
When I attempt to make an inbound call from my cell phone to my VoIP.ms number, I get a regular busy signal and I don't see any output in the asterisk console or in the /var/log/asterisk/messages file.
I will add that my ATA adapters ( SPA3000 and Grandstream HT802 ) are not configured for encryption, and I am assuming that Asterisk will handle that on my internal network, such that they can make unencrypted calls directly to each other on my internal network, and Asterisk will handle the encryption to VoIP.ms only.
All suggestions on what might be the problem here welcome, and if I have left out some important info, just ask, as I would really like to get this working. Thanks in advance.
Kevin.
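Added example, not part of the original post: a small audit of the sip.conf settings listed in the steps above, flagging where TLS server verification is switched off or a trunk peer can still signal or send media unencrypted. The sample config is constructed from those steps; the section names `voipms-plain` and `voipms-tls` are hypothetical.

```python
import re

# Constructed sample mirroring the post's sip.conf changes; the section names
# (voipms-plain, voipms-tls) and credentials are placeholders, not real values.
SAMPLE_SIP_CONF = """
[general]
tlsenable=yes
tlsdontverifyserver=yes      ; as set in step 2 of the post
register => tls://subaccount:password@city1.voip.ms:5061
[voipms-plain]
host=city1.voip.ms
[voipms-tls]
host=city1.voip.ms
transport=tls
encryption=yes
"""

def parse_sip_conf(text):
    """Return ({section: {key: value}}, [register strings]) from sip.conf text."""
    sections, registers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if m := re.match(r"\[([^\]]+)\]", line):
            current = sections.setdefault(m.group(1), {})
        elif line.startswith("register") and "=>" in line:
            registers.append(line.split("=>", 1)[1].strip())
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return sections, registers

def audit(text):
    """List settings that weaken or bypass TLS/SRTP towards the provider."""
    sections, registers = parse_sip_conf(text)
    findings = []
    if sections.get("general", {}).get("tlsdontverifyserver") == "yes":
        findings.append("general: tlsdontverifyserver=yes, server certificate is not verified")
    findings += ["register: not using tls://" for r in registers if not r.startswith("tls://")]
    for name, opts in sections.items():
        if name != "general" and "host" in opts:
            if opts.get("transport") != "tls":
                findings.append(f"{name}: signalling is not restricted to TLS")
            elif opts.get("encryption") != "yes":
                findings.append(f"{name}: TLS signalling but no SRTP (encryption=yes missing)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SIP_CONF)))
```

With the CA certificates from items 5 and 6 of the system list installed, `tlsdontverifyserver=no` lets Asterisk verify the certificate the server presents on port 5061.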