Asterisk 11 with TLS and SRTP on Centos 6
Latest revision as of 12:10, 21 May 2015
Installing Asterisk
Update our OS:
yum -y update
yum groupinstall core
yum groupinstall base
Install all necessary packages:
yum -y install epel-release
yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel-devel git php-process crontabs cronie cronie-anacron sqlite-devel
Download and install Asterisk:
cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*
make clean && make distclean
./configure
make menuselect
In menu window leave default values and press save&exit.
Continue installation:
make && make install
make config
make samples
At this stage Asterisk is installed. Now you need to configure it.
Add Asterisk to startup:
chkconfig asterisk on
Add Asterisk user:
adduser -M asterisk
Set filesystem owner:
chown -R asterisk:asterisk /etc/asterisk/
chown -R asterisk:asterisk /var/log/asterisk/
chown -R asterisk:asterisk /var/spool/asterisk/
chown -R asterisk:asterisk /var/lib/asterisk/
chown -R asterisk:asterisk /usr/lib/asterisk/
Open /etc/passwd and change:
asterisk:x:500:500::/home/asterisk:/bin/bash
to
asterisk:x:500:500::/home/asterisk:/bin/nologin
(on CentOS 6 the nologin binary is /sbin/nologin; use whichever path exists on your system)
Open /usr/sbin/safe_asterisk and comment:
#TTY=9
Try to start Asterisk:
service asterisk start
To enter the console, use:
asterisk -rvvv
Now you need to do some configuration for the service to work correctly. Create a directory and config files:
cd /etc/asterisk/
mkdir conf
touch conf/sip_trunk.conf
touch conf/sip_register.conf
touch conf/sip_users.conf
touch conf/extensions.conf
Now we need Asterisk to read the data from our files. Open /etc/asterisk/extensions.conf and insert at the end of the file:
#include conf/extensions.conf
Open /etc/asterisk/sip.conf and insert before [general]:
#include conf/sip_trunk.conf
After OUTBOUND SIP REGISTRATIONS:
#include conf/sip_register.conf
At the end of the file:
#include conf/sip_users.conf
Now do:
asterisk -rvvv
sip reload
dialplan reload
Now Asterisk will see our files.
CALL ROUTING
Step 1. Create users. Open conf/sip_users.conf and insert:
[1001]
nat=yes
type=friend
host=dynamic
secret=xxxxxxxxx ; put a strong, unique password here instead
context=out

[1002]
nat=yes
type=friend
host=dynamic
secret=xxxxxxxxx ; put a strong, unique password here instead
context=out
Step 2. Connect an external line (Sipnet, for example).
Open conf/sip_trunk.conf and insert:
[sipnet]
secret=you_pass
defaultuser=you_sipnet_id
trunkname=sipnet
host=sipnet.net
type=friend
context=income
insecure=invite
fromuser=you_sipnet_id
fromdomain=sipnet.net
disallow=all
allow=alaw
allow=ulaw
allow=g729
nat=no
dtmfmode=rfc2833
Open conf/sip_register.conf and insert:
register => you_sipnet_id:you_pass@sipnet.net
Step 3. Extensions (routing)
Configure calls within our network. Open conf/extensions.conf and insert:
[out]
exten=>1001,1,Dial(SIP/1001,20)
exten=>1002,1,Dial(SIP/1002,20)
Configure internal and external calls. Open conf/extensions.conf and insert:
[income]
exten => s,1,Dial(SIP/1001,90,mt) ; ring one of the users defined above (this guide defines peers 1001 and 1002, not 101)
same => n,Hangup
exten => _7X.,1,Dial(SIP/${EXTEN:1}@sipnet,90,mT)
same => n,Hangup
Note that the users above have context=out, so for them to reach the _7X. pattern it must be placed in (or included from) [out]; [income] is the context that calls arriving from the sipnet trunk enter.
After configuring you need to update configuration:
asterisk -rvvv
sip reload
dialplan reload
Done! Now you can connect your devices to Asterisk and make calls between your clients and, if you connected a SIP provider, to mobile and other numbers.
TLS
Download the Asterisk source code and unpack it:
cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*
Run the following commands:
mkdir /etc/asterisk/keys
contrib/scripts/ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys
You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key. NOTE: if you get a hostname-related error, follow these steps first: http://wiki.vpsget.com/index.php/Set_hostname
Generate a client certificate for our SIP device:
contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1
You will also be prompted for the key passphrase. Create a certificate for each user in the same way. Afterwards, check that all key files are in the key directory /etc/asterisk/keys/.
Configure Asterisk to use TLS: add/edit the corresponding lines in sip.conf [general]:
tlsenable=yes
tcpenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
Note that tlscipher=ALL accepts every cipher suite OpenSSL supports, including weak ones; for production, set it to an explicit OpenSSL cipher list instead. tlsclientmethod only applies to TLS connections that Asterisk itself opens as a client.
You'll need to configure each SIP peer within Asterisk to use TLS as its transport. Add these lines to your user/sip config (/etc/asterisk/conf/sip_users.conf and sip.conf):
transport=tls
port=5061 ; not necessary, but it forces TLS
Make sure that "transport=udp" does not appear anywhere in these files.
Now copy the keys from the server to your client (PC or phone) and configure your SIP client to use TLS via port 5061. How to do this depends on the client you are using.
SRTP
SRTP support is provided by libsrtp. libsrtp has to be installed on the machine before Asterisk is compiled. We installed it in the first steps of this guide, so this should already be done.
If you nevertheless get an error about it in the "asterisk -r" CLI when trying to make a call, install libsrtp (and its development headers) and then reinstall Asterisk. Go to your Asterisk source code directory and run:
./configure
make
make install
If you get errors while ./configure is running, make sure these packages are installed:
yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel
Add the next line to your users config (sip.conf [general]):
encryption=yes
It is also better to force the use of a single codec:
disallow = all
allow = gsm
You can also restart the asterisk service to be sure.
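To check that the TLS and SRTP settings from the two sections above actually ended up in your sip.conf files (and that no transport=udp or placeholder secret survived), here is an added POSIX shell audit that is not part of the original guide. The cipher list, sample secret and temp-file paths in it are assumed example values.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a sip.conf-style file for the
# settings this guide says to avoid. Uses only awk, grep and sh from base CentOS.
# Findings (one line each; the count is the function's return value):
#   - transport=udp anywhere (the guide says it must not remain)
#   - placeholder secrets (xxxxxxxxx / you_pass) left in place
#   - tlscipher=ALL in [general] (accepts weak ciphers; use an explicit list)
#   - tlsenable=yes or encryption=yes missing from [general]
# Print the key=value lines of one section, with ';' comments and blanks removed.
keys_in_section() {
    awk -v want="$2" '
        { sub(/;.*$/, ""); gsub(/[ \t]/, "") }
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }
        $0 != "" && sec == want { print }
    ' "$1"
}
audit_sip_conf() {
    f="$1"; n=0
    all=$(awk '{ sub(/;.*$/, ""); gsub(/[ \t]/, ""); print }' "$f")
    gen=$(keys_in_section "$f" general)
    if printf '%s\n' "$all" | grep -qi '^transport=.*udp'; then
        echo "FAIL transport=udp found: remove it so peers are forced onto TLS"; n=$((n+1))
    fi
    if printf '%s\n' "$all" | grep -Eqi '^secret=(xxxxxxxxx|you_pass)$'; then
        echo "FAIL placeholder secret still in use: set a strong, unique password"; n=$((n+1))
    fi
    if printf '%s\n' "$gen" | grep -qi '^tlscipher=ALL$'; then
        echo "WARN tlscipher=ALL in [general]: restrict it to an explicit cipher list"; n=$((n+1))
    fi
    for key in tlsenable encryption; do
        if ! printf '%s\n' "$gen" | grep -qi "^$key=yes$"; then
            echo "FAIL $key=yes missing from [general]"; n=$((n+1))
        fi
    done
    return $n
}
# Constructed samples: the guide's [general] as written, and a hardened version.
TMP="${TMPDIR:-/tmp}"
SAMPLE_WEAK="$TMP/sip_weak.conf"; SAMPLE_HARDENED="$TMP/sip_hardened.conf"
cat > "$SAMPLE_WEAK" <<'EOF'
[general]
tlsenable=yes
tcpenable=yes
tlscipher=ALL
[1001]
type=friend
host=dynamic
secret=xxxxxxxxx ; put a strong, unique password here instead
transport=udp
EOF
cat > "$SAMPLE_HARDENED" <<'EOF'
[general]
tlsenable=yes
tcpenable=yes
tlscipher=HIGH:!aNULL:!eNULL:!MD5:!RC4 ; assumed example list, not from the guide
encryption=yes
[1001]
type=friend
host=dynamic
secret=CorrectHorseBatteryStaple9 ; constructed sample value
transport=tls
EOF
audit_sip_conf "$SAMPLE_WEAK" || echo "weak config: $? finding(s)"
audit_sip_conf "$SAMPLE_HARDENED" && echo "hardened config: no findings"
```

Run it against /etc/asterisk/sip.conf and /etc/asterisk/conf/sip_users.conf in turn; the exit status is the number of findings, so it drops into a cron job or a deploy check unchanged.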
HOW TO CONFIGURE CLIENT
As a client we recommend PhonerLite. It is a free program that is updated regularly and supports TLS and SRTP. Home page: http://www.phonerlite.de/index_en.htm
After downloading and installing, start the program. You will see a configuration wizard. In the Domain/Realm field enter the IP or domain of your Asterisk server and press Next. In the User name and Authentication name fields enter your login, for example 1001. If you are using TLS and SRTP you will get an authorisation error. This is normal: go to Configuration > Network, change Preferred connection type from UDP to TLS and change the port to 5061. Then go to Configuration > Codecs and enable SRTP and SAVP. You also need to go to Configuration > Certificates and choose the path to your client certificate. Save your changes, and you will see that authorisation has succeeded.
You can also check that TLS is working on your server. Open the Asterisk console:
asterisk -r
and enter the following command (substituting your own peer number):
sip show peer 1001
If you see this, TLS is working:
Prim.Transp. : TLS
Allowed.Trsp : TLS
Check port 5061:
netstat -tulpn
You should see:
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 869/asterisk
To check SRTP, call another user and, during the call, enter in the console:
module show
If you see:
res_srtp.so Secure RTP (SRTP) 2
SRTP is working.