
Asterisk SRTP


General info about SRTP: RFC 3711 (the SRTP protocol itself) and RFC 4568 (SDES, the SDP-based key exchange used here).

Asterisk 1.8 has native support for SRTP (res_srtp, built against libsrtp). Before 1.8 you needed the separate SRTP development branch referenced below; that is the "SRTP branch" in the compatibility table.

Ref. http://bugs.digium.com/view.php?id=5413
Review board http://reviewboard.digium.com/r/191/, http://lists.digium.com/pipermail/asterisk-dev/2009-January/036029.html

You MUST secure the signaling. With SDES the SRTP master key and salt travel base64-encoded in the a=crypto line of the SDP (in the INVITE and in the 200 OK), so anyone who can read the SIP dialog can decrypt the media. Run SIP over TLS, and on every leg: Asterisk terminates SRTP and re-keys each call leg, so a TLS phone talking to a non-TLS phone through Asterisk still leaks the second leg's key. See Asterisk TLS.

Phones Compatibility

Phone1 is the caller with its firmware, then the Asterisk version used ("SRTP branch" is the pre-1.8 development branch from the review above, otherwise a release), then the called party (Phone2, or Asterisk's own echo application) and the result:

Phone1 (caller)        | Firmware              | Asterisk    | Phone2 (called)  | Firmware | Works? | Notes
-----------------------|-----------------------|-------------|------------------|----------|--------|------
Aastra 57i             | 2.5.0.82              | SRTP branch | Grandstream      | 1.1.6.44 | ?      | example
Aastra 55i             | 3.2.0                 | 1.8.3       | echo application | n/a      | yes    |
Eyebeam 1.5.20.2       | n/a                   | 1.8.3       | echo application | n/a      | yes    |
Eyebeam 1.5.20.2       | 1.5.20.2              | 1.8.3       | Aastra 55i       | 3.2.0    | yes    | SRTP forced on both devices
Grandstream GXP2000    | 1.1.6.37              | 1.8.3       | echo application | n/a      | yes    |
Linksys SPA-941        | 5.1.8                 | SRTP branch | echo application | n/a      | no     | SDES not supported
Polycom SoundPoint 450 | 4.1.0                 | 1.8.15      | echo application | n/a      | yes    |
Siemens Gigaset A580   | 021840000000 / 043.00 | SRTP branch | echo application | n/a      | no     | SRTP not supported
Snom 360               | 7.3.14                | SRTP branch | echo application | n/a      | no     | res_srtp.c:301 res_srtp_unprotect: SRTP unprotect: authentication failure
QuteCom                | 2.2                   | SRTP branch | echo application | n/a      | no     | SDES not supported but on the roadmap
Twinkle                | 1.4.2                 | SRTP branch | echo application | n/a      | no     | SRTP not announced
Kapanga                |                       | SRTP branch | echo application | n/a      | ?      |
phonerlite             |                       | SRTP branch | echo application | n/a      | ?      |

wireshark dump

On the Asterisk box the media must look like this (G.711 alaw), i.e. dissected as SRTP rather than RTP. Note that Wireshark only labels a stream SRTP when it has seen the a=crypto line in the SDP; once the signaling runs over TLS it cannot see it and shows the very same packets as plain RTP or UDP, so do this check before enabling TLS (or give Wireshark the TLS key):
15.963537 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14198, Time=214264558
15.968667 y.y.y.y -> x.x.x.x SRTP PT=ITU-T G.711 PCMA, SSRC=0x3AAC8277, Seq=3195, Time=78560

media attribute in INVITE (aastra 6355i)
Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Iksnam5WQHk7aEpHZTsrTng1TyRfdXlsV2g+Oyti
Media Attribute Fieldname: crypto
Media Attribute Value: 1 AES_CM_128_HMAC_SHA1_80 inline:Iksnam5WQHk7aEpHZTsrTng1TyRfdXlsV2g+Oyti

media attribute in INVITE (eyebeam 1.5.20.2)
Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY
Media Attribute Fieldname: crypto
Media Attribute Value: 1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY
Media Attribute (a): crypto:2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo
Media Attribute Fieldname: crypto
Media Attribute Value: 2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo
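What those a=crypto lines carry, as an added example that is not part of this page or of Asterisk's res_srtp/chan_sip code: the 40 base64 characters after inline: decode to 30 bytes, a 128-bit master key followed by a 112-bit master salt (RFC 4568), which is exactly why SDES without TLS hands the key to anyone reading the INVITE. The Python below parses such lines, rejects malformed or unsupported ones, and builds the answer an SDES-capable callee sends. The SDP body around the two eyebeam lines is constructed; the key bytes are the ones captured above, so they are of course burnt.

```python
"""Added example: parse and answer SDES (RFC 4568) a=crypto attributes.
Stand-alone illustration, not Asterisk's own implementation."""
import base64
import os
import re

# (master key bytes, master salt bytes) per suite. Both AES_CM_128 suites
# carry 16 + 14 = 30 bytes, i.e. 40 base64 characters; they differ only in
# the authentication tag length (80 vs 32 bits).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}

# a=crypto:<tag> <suite> inline:<base64>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+=*)(\|\S*)?")


def parse_crypto(line):
    """Return a dict for a well-formed, supported a=crypto line, else None."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, b64, extra = m.groups()
    if suite not in SUITES:
        return None                      # F8_128 etc.: not handled here
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None                      # not base64
    key_len, salt_len = SUITES[suite]
    if len(raw) != key_len + salt_len:
        return None                      # truncated or padded key material
    return {"tag": int(tag), "suite": suite,
            "key": raw[:key_len], "salt": raw[key_len:],
            "extra": extra or ""}


def crypto_offers(sdp):
    """All usable crypto lines of an SDP body, in offered order."""
    return [c for c in (parse_crypto(l) for l in sdp.splitlines()) if c]


def make_crypto_line(tag, suite, key, salt):
    return "a=crypto:%d %s inline:%s" % (
        tag, suite, base64.b64encode(key + salt).decode("ascii"))


def answer_offer(sdp, accept=("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"),
                 rand=os.urandom):
    """Pick the first offered suite we accept and build our answer line.

    Returns (chosen_offer, answer_line). (None, None) means the offer carries
    no usable SDES attribute: with encryption=yes such a call must be refused,
    never silently downgraded to plain RTP."""
    for c in crypto_offers(sdp):
        if c["suite"] in accept:
            key_len, salt_len = SUITES[c["suite"]]
            # The answer echoes the tag of the selected offer line and carries
            # our own, independently generated key and salt (never the caller's).
            return c, make_crypto_line(c["tag"], c["suite"],
                                       rand(key_len), rand(salt_len))
    return None, None


# Constructed offer; the two crypto lines are the eyebeam 1.5.20.2 attributes
# captured in the dump above.
EYEBEAM_OFFER = "\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 4000 RTP/SAVP 8",
    "a=rtpmap:8 PCMA/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:DzDLO3NIM3c8znjs7uX9/xTseIelRxtreCv5OplY",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:Qxp7++428EZce1tFQw1sE8tUkb6wHAlh1ALcF/oo",
])

# Same body without any a=crypto, as a phone without SDES (the SPA-941 in the
# table) would send it. Constructed.
PLAIN_OFFER = "\n".join(l for l in EYEBEAM_OFFER.splitlines()
                        if not l.startswith("a=crypto")).replace("RTP/SAVP", "RTP/AVP")

if __name__ == "__main__":
    chosen, answer = answer_offer(EYEBEAM_OFFER)
    print("chosen tag %d %s key=%s salt=%s" % (chosen["tag"], chosen["suite"],
                                               chosen["key"].hex(), chosen["salt"].hex()))
    print(answer)
    print("plain offer ->", answer_offer(PLAIN_OFFER))
```

Run it and the two eyebeam lines decode to a 16-byte key and a 14-byte salt each; the plain offer yields (None, None), which is the case the encryption=yes setting below turns into a failed call with HANGUPCAUSE=58.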

Install Guide

Requirements

(centos5, fedora 10)
yum -y install gcc gcc-c++ pkgconfig zlib-devel openssl-devel ncurses-devel
yum -y install autoconf automake libtool

LIBSRTP

yum install libsrtp (on fedora)
OR
download http://srtp.sourceforge.net/download.html
tar -xzf srtp-tarball
./configure --prefix=/usr
make
make runtest
make install

Asterisk

go to http://www.asterisk.org/downloads
wget asterisk-1.8….
tar -xzf asterisk-1.8.x.y.tar.gz
cd asterisk-1.8.x.y
./configure
make menuselect (check res_srtp in "Resource Modules"; if it is marked XXX, configure did not find libsrtp)
make
make install

After installing, confirm in the Asterisk CLI (asterisk -r) that "module show like srtp" lists res_srtp.so; without it encryption=yes below does nothing.

In case your build fails with 'relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC', libsrtp was built as a static library without position-independent code and cannot be linked into the res_srtp.so shared module on x86_64. Go back to the libsrtp source and run configure again as CFLAGS="-Wall -O4 -fexpensive-optimizations -funroll-loops -fPIC" ./configure --prefix=/usr, then make and make install, and build Asterisk again.

Config

sip.conf
 encryption=no                  ; Whether to offer SRTP encrypted media (and only SRTP encrypted media)
                                       ; on outgoing calls to a peer. Calls will fail with HANGUPCAUSE=58 if
                                       ; the peer does not support SRTP. Defaults to no.


A quick example that completes a call only when the calling channel itself uses secure signaling (TLS) and secure media (SRTP); CHANNEL(secure_signaling) and CHANNEL(secure_media) return an empty string when that is not the case, so an insecure caller gets a message and is hung up instead of being bridged:
 exten => 123,1,GotoIf($["${CHANNEL(secure_signaling)}" = ""]?fail)
 exten => 123,n,GotoIf($["${CHANNEL(secure_media)}" = ""]?fail)
 exten => 123,n,Dial(SIP/123)
 exten => 123,n,Hangup()
 exten => 123,n(fail),Playback(vm-goodbye)
 exten => 123,n,Hangup()


extensions.conf
 [main]
 exten => 600,1,Playback(demo-echotest)  ; Let them know what's going on
 exten => 600,n,Echo()                   ; Do the echo test
 exten => 600,n,Playback(demo-echodone)  ; Let them know it's over
 exten => 600,n,Hangup()


sip.conf
 [700]
 type=friend
 context=main
 host=dynamic            
 secret=700
 nat=yes                     
 encryption=yes

 [701]
 type=friend
 context=main
 host=dynamic            
 secret=701
 nat=yes                     
 encryption=yes

Call 600 from one of the phones and capture on the Asterisk box, e.g. tethereal host <phone ip> (the tool is called tshark in current Wireshark releases). Both directions of the media must be dissected as SRTP as in the dump above. As a negative check, dial a phone that does not support SRTP from one with encryption=yes: the call must fail with HANGUPCAUSE=58 rather than fall back to plain RTP.
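As an added check that is not part of this page or of Wireshark, the script below reads such a tethereal/tshark summary and reports every stream that was dissected as plain RTP, plus hosts that only send media (the usual NAT symptom when one side hears nothing). Keep in mind that Wireshark can only tag SRTP when it has seen the SDP, so run this on a capture taken while the signaling was still in the clear. The capture embedded in the block is constructed from the two lines of the dump above plus a deliberately plaintext third stream from a hypothetical host z.z.z.z.

```python
"""Added example: audit a tshark/tethereal one-line-per-packet summary for
media that was not dissected as SRTP, and for one-way media."""
import re
from collections import defaultdict

# Matches the summary format shown in the dump above.
LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>S?RTP)\s+PT=(?P<pt>[^,]+),\s+SSRC=(?P<ssrc>0x[0-9A-Fa-f]+),"
    r"\s+Seq=(?P<seq>\d+),\s+Time=(?P<ts>\d+)")


def parse_summary(text):
    """One dict per RTP/SRTP packet line; other lines (SIP, ARP, ...) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def audit(text):
    """Group packets into streams keyed by (src, dst, SSRC).

    Returns (streams, findings). A finding is raised for every stream that
    Wireshark labelled plain RTP, and for every host that only sends."""
    streams = defaultdict(lambda: {"pkts": 0, "protos": set(), "pt": None})
    for p in parse_summary(text):
        s = streams[(p["src"], p["dst"], p["ssrc"].lower())]
        s["pkts"] += 1
        s["protos"].add(p["proto"])
        s["pt"] = p["pt"]

    findings = []
    for (src, dst, ssrc), s in streams.items():
        if "RTP" in s["protos"]:
            findings.append("PLAINTEXT %s -> %s SSRC=%s (%d pkts, %s)"
                            % (src, dst, ssrc, s["pkts"], s["pt"]))
    senders = {src for src, _, _ in streams}
    receivers = {dst for _, dst, _ in streams}
    for host in sorted(senders - receivers):
        findings.append("ONE-WAY %s sends media but receives none" % host)
    return dict(streams), findings


# Constructed capture: the SRTP lines from the dump above plus a third,
# hypothetical phone z.z.z.z whose stream was dissected as plain RTP and
# which gets nothing back.
CAPTURE = """\
15.963537 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14198, Time=214264558
15.968667 y.y.y.y -> x.x.x.x SRTP PT=ITU-T G.711 PCMA, SSRC=0x3AAC8277, Seq=3195, Time=78560
15.971002 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14199, Time=214264718
16.003114 z.z.z.z -> y.y.y.y RTP PT=ITU-T G.711 PCMU, SSRC=0x1A2B3C4D, Seq=100, Time=5000
"""

if __name__ == "__main__":
    streams, findings = audit(CAPTURE)
    for key, s in streams.items():
        print(key, s["pkts"], "pkts", sorted(s["protos"]))
    for f in findings:
        print(f)
```

Feed it the output of tshark with the default summary format (tshark host <phone ip> > calls.txt, then audit(open("calls.txt").read())); an empty findings list is what a correctly configured box should produce.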

Known issues

  • The callee can't force encryption or select the method; only the caller's encryption= setting decides whether SRTP is offered.
  • The caller needs to hang up itself if it requires encryption and the callee does not provide it.
