Difference between revisions of "Asterisk 11 with TLS and SRTP on Centos 6"
(10 intermediate revisions by the same user not shown) | |||
Line 32: | Line 32: | ||
Add Asterisk user: | Add Asterisk user: | ||
adduser -M asterisk | adduser -M asterisk | ||
− | + | Set filesystem owner: | |
chown -R asterisk:asterisk /etc/asterisk/ | chown -R asterisk:asterisk /etc/asterisk/ | ||
chown -R asterisk:asterisk /var/log/asterisk/ | chown -R asterisk:asterisk /var/log/asterisk/ | ||
Line 84: | Line 84: | ||
CALLS ROUTING | CALLS ROUTING | ||
− | Step 1. Create | + | Step 1. Create users. For this open file conf/sip_users.conf: |
[1001] | [1001] | ||
+ | nat=yes | ||
type=friend | type=friend | ||
− | |||
host=dynamic | host=dynamic | ||
+ | secret=xxxxxxxxx ; put a strong, unique password here instead | ||
+ | context=out | ||
+ | |||
+ | [1002] | ||
+ | nat=yes | ||
+ | type=friend | ||
+ | host=dynamic | ||
+ | secret=xxxxxxxxx ; put a strong, unique password here instead | ||
context=out | context=out | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Step 2. Connecting external line. Sipnet for example. | Step 2. Connecting external line. Sipnet for example. | ||
Line 201: | Line 203: | ||
You can also restart asterisk service for sure. | You can also restart asterisk service for sure. | ||
+ | |||
+ | |||
+ | HOW TO CONFIGURE CLIENT | ||
+ | |||
+ | As a client we recommend to use PhonerLite. It's free program, which regulary updates and support TLS and SRTP. Home page: http://www.phonerlite.de/index_en.htm | ||
+ | |||
+ | After downloading and instalation start the program. You will see configuring master. At field Domain/Realm insert IP or Domain of your Asterisk server and press next. At field User name and Authenfication name insert your login, for example 1001. If you are using TLS and SRTP you will get authotisation error. It's normal, just go to Configuration>Network and change Preferred connection type from UDP to TLS and change port to 5061. After this go to Configuration>Codecs adn enable SRTP and SAVP. Also you need go to Configuration>Certificates and choose the path to your client cirtificate. After this save your changes. You'll see, that your authorisation has been succesfull. | ||
+ | |||
+ | Also you can to check TLS working on your server. For this open Asterisk console: | ||
+ | asterisk -r | ||
+ | and enter the following command: | ||
+ | sip show peer 1001 #Of course you must to enter number of your peer | ||
+ | If you see this, TLS work succesfully: | ||
+ | Prim.Transp. : TLS | ||
+ | Allowed.Trsp : TLS | ||
+ | Check port 5061: | ||
+ | netstat -tulpn | ||
+ | Must be: | ||
+ | tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 869/asterisk | ||
+ | For checking SRTP, just call to some user and during a call enter in console: | ||
+ | module show | ||
+ | If you see: | ||
+ | res_srtp.so Secure RTP (SRTP) 2 | ||
+ | SRTP work succesfully. | ||
+ | [[Category:Linux]] |
Latest revision as of 12:10, 21 May 2015
Installing Asterisk
Update our OS:
yum -y update yum groupinstall core yum groupinstall base
Install all nesessary packages:
yum -y install epel-release yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses- devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel- devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel
Download and install Asterisk:
cd /usr/src/ wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz tar xzvf asterisk-11-current.tar.gz cd asterisk-* make clean && make distclean ./configure make menuselect
In menu window leave default values and press save&exit.
Continue installation:
make && make install make config make samples
On this stage Asterisk is installed. Now you need to configure it.
Add Asterisk to sturtup:
chkconfig asterisk on
Add Asterisk user:
adduser -M asterisk
Set filesystem owner:
chown -R asterisk:asterisk /etc/asterisk/ chown -R asterisk:asterisk /var/log/asterisk/ chown -R asterisk:asterisk /var/spool/asterisk/ chown -R asterisk:asterisk /var/lib/asterisk/ chown -R asterisk:asterisk /usr/lib/asterisk/
Open /etc/passwd and change:
asterisk:x:500:500::/home/asterisk:/bin/bash to asterisk:x:500:500::/home/asterisk:/bin/nologin
Open /usr/sbin/safe_asterisk and comment:
#TTY=9
Try to start Asterisk:
service asterisk start
For input to console use:
asterisk -rvvv
Now you need to do some configurations for correct service working. Crete directory and config files:
cd /etc/asterisk/ mkdir conf touch conf/sip_trunk.conf touch conf/sip_register.conf touch conf/sip_users.conf touch conf/extensions.conf
Now we need so that the asterisk can read the data from our files. Open /etc/asterisk/extensions.conf and insert in the end of file:
#include conf/extensions.conf
Open /etc/asterisk/sip.conf and insert before [general]:
#include conf/sip_trunk.conf
After OUTBOUND SIP REGISTRATIONS:
#include conf/sip_register.conf
In the end of file
#include conf/sip_users.conf
Now do:
asterisk -rvvv sip reload dialplan reload
Now Asterisk will se our files.
CALLS ROUTING
Step 1. Create users. For this open file conf/sip_users.conf:
[1001] nat=yes type=friend host=dynamic secret=xxxxxxxxx ; put a strong, unique password here instead context=out
[1002] nat=yes type=friend host=dynamic secret=xxxxxxxxx ; put a strong, unique password here instead context=out
Step 2. Connecting external line. Sipnet for example.
Open conf/sip_trunk.conf and insert:
[sipnet] secret=you_pass defaultuser=you_sipnet_id trunkname=sipnet host=sipnet.net type=friend context=income insecure=invite fromuser=you_sipnet_id fromdomain=sipnet.net disallow=all allow=alaw allow=ulaw allow=g729 nat=no dtmfmode=rfc2833
Open conf/sip_register.conf and insert:
register => you_sipnet_id:you_pass@sipnet.net
Step3. Extentions (Routing) Configure calls within our network Open conf/extensions.conf and insert:
[out] exten=>1001,1,Dial(SIP/1001,20) exten=>1002,1,Dial(SIP/1002,20)
Configure internal and external calls Open conf/extensions.conf and insert:
[income] exten => s,1,Dial(SIP/101,90,mt) same => n,Hangup exten => _7X.,1,Dial(SIP/${EXTEN:1}@sipnet,90,mT) same => n,Hangup
After configuring you need to update configuration:
asterisk -rvvv sip reload dialplan reload
Done! Now you can connect you devices to Asterisk and make calls between you clients, and, if you connect sip provider, to mobile and other numbers.
TLS
You should download Asterisk source code and unpack it:
cd /usr/src/ wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz tar xzvf asterisk-11-current.tar.gz cd asterisk-*
Run next command:
mkdir /etc/asterisk/keys contrib/scripts/./ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" –d /etc/asterisk/keys
You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key NOTE if you got hostname related error pls make next : http://wiki.vpsget.com/index.php/Set_hostname
Generate a client certificate for our SIP device:
contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1
You also will be prompted to enter passphrase for keys Create cert for users. After check that all key files should be in the key directory /etc/asterisk/keys/ Configure Asterisk to use TLS: add/edit corresponding lines in sip.conf [general]:
tlsenable=yes tcpenable=yes tlsbindaddr=0.0.0.0 tlscertfile=/etc/asterisk/keys/asterisk.pem tlscafile=/etc/asterisk/keys/ca.crt tlscipher=ALL tlsclientmethod=tlsv1
You'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Add the line to your user/sip conf (etc/asterisc/conf/sip_users.conf and in sip.conf):
transport=tls port=5061 # not neccessary but it will force use tls
Make sure that nowhere in this files written "transport=udp".
Now you should copy keys from server to your client (pc or phone) Now you should configure your sip client to use tls via port 5061. How to make it depends from client you using.
SRTP
SRTP support is provided by libsrtp. Libsrtp has to be installed on the machine before Asterisk is compiled. We installed it at first steps in our man, so don't care.
Anyway if you got this in "asterisk -r" CLI during trying to make call do the next: install libsrtp (and the development header, and then reinstall Asterisk Go to you asterisk source code directory and run next commands:
./configure make make install
If you're getting errors during ./configure is running make sure you have these packages installed:
yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel
Add the next line to your users config (sip.conf [general]):
encryption=yes
Also better to force only one codec use:
disallow = all allow = gsm
You can also restart asterisk service for sure.
HOW TO CONFIGURE CLIENT
As a client we recommend to use PhonerLite. It's free program, which regulary updates and support TLS and SRTP. Home page: http://www.phonerlite.de/index_en.htm
After downloading and instalation start the program. You will see configuring master. At field Domain/Realm insert IP or Domain of your Asterisk server and press next. At field User name and Authenfication name insert your login, for example 1001. If you are using TLS and SRTP you will get authotisation error. It's normal, just go to Configuration>Network and change Preferred connection type from UDP to TLS and change port to 5061. After this go to Configuration>Codecs adn enable SRTP and SAVP. Also you need go to Configuration>Certificates and choose the path to your client cirtificate. After this save your changes. You'll see, that your authorisation has been succesfull.
Also you can to check TLS working on your server. For this open Asterisk console:
asterisk -r
and enter the following command:
sip show peer 1001 #Of course you must to enter number of your peer
If you see this, TLS work succesfully:
Prim.Transp. : TLS Allowed.Trsp : TLS
Check port 5061:
netstat -tulpn
Must be:
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 869/asterisk
For checking SRTP, just call to some user and during a call enter in console:
module show
If you see:
res_srtp.so Secure RTP (SRTP) 2
SRTP work succesfully.