Difference between revisions of "Asterisk 11 with TLS and SRTP on Centos 6"

Installing Asterisk

Update our OS:

yum -y update
yum  groupinstall core
yum  groupinstall base 

Install all nesessary packages:

yum -y install epel-release
yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses- devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel- devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel

Download and install Asterisk:

cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*
make clean && make distclean
./configure
make menuselect

In menu window leave default values and press save&exit.

Continue installation:

make && make install
make config
make samples

On this stage Asterisk is installed. Now you need to configure it.

Add Asterisk to sturtup:

chkconfig asterisk on

Add Asterisk user:

adduser -M asterisk

Edit rules:

chown -R asterisk:asterisk /etc/asterisk/
chown -R asterisk:asterisk /var/log/asterisk/
chown -R asterisk:asterisk /var/spool/asterisk/
chown -R asterisk:asterisk /var/lib/asterisk/
chown -R asterisk:asterisk /usr/lib/asterisk/

Open /etc/passwd and change:

asterisk:x:500:500::/home/asterisk:/bin/bash
to
asterisk:x:500:500::/home/asterisk:/bin/nologin

Open /usr/sbin/safe_asterisk and comment:

#TTY=9

Try to start Asterisk:

service asterisk start

For input to console use:

asterisk -rvvv

Now you need to do some configurations for correct service working. Crete directory and config files:

cd /etc/asterisk/
mkdir conf
touch conf/sip_trunk.conf
touch conf/sip_register.conf
touch conf/sip_users.conf
touch conf/extensions.conf

Now we need so that the asterisk can read the data from our files. Open /etc/asterisk/extensions.conf and insert in the end of file:

#include conf/extensions.conf

Open /etc/asterisk/sip.conf and insert before [general]:

#include conf/sip_trunk.conf

After OUTBOUND SIP REGISTRATIONS:

#include conf/sip_register.conf

In the end of file

#include conf/sip_users.conf

Now do:

asterisk -rvvv
sip reload
dialplan reload

Now Asterisk will se our files.

CALLS ROUTING

Step 1. Create users. For this open file conf/sip_users.conf: User 1

[1001]
type=friend
secret=xxxxxxxxxx ; put a strong password
host=dynamic
context=out
dtmfmode=RFC2833
disallow=all
allow=gsm
nat=comedia
qualify=yes

Etc User 2, 3... Step 2. Connecting external line. Sipnet for example.

Open conf/sip_trunk.conf and insert:

[sipnet]
secret=you_pass
defaultuser=you_sipnet_id
trunkname=sipnet
host=sipnet.net
type=friend
context=income
insecure=invite
fromuser=you_sipnet_id
fromdomain=sipnet.net
disallow=all
allow=alaw
allow=ulaw
allow=g729
nat=no
dtmfmode=rfc2833

Open conf/sip_register.conf and insert:

register => you_sipnet_id:you_pass@sipnet.net

Step3. Extentions (Routing) Configure calls within our network Open conf/extensions.conf and insert:

[out]
exten=>1001,1,Dial(SIP/1001,20)
exten=>1002,1,Dial(SIP/1002,20)

Configure internal and external calls Open conf/extensions.conf and insert:

[income]
exten => s,1,Dial(SIP/101,90,mt) 
same => n,Hangup
exten => _7X.,1,Dial(SIP/${EXTEN:1}@sipnet,90,mT)
same => n,Hangup

After configuring you need to update configuration:

asterisk -rvvv
sip reload
dialplan reload

Done! Now you can connect you devices to Asterisk and make calls between you clients, and, if you connect sip provider, to mobile and other numbers.

TLS

You should download Asterisk source code and unpack it:

cd /usr/src/
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*

Run next command:

mkdir /etc/asterisk/keys
contrib/scripts/./ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" –d /etc/asterisk/keys

You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key NOTE if you got hostname related error pls make next : http://wiki.vpsget.com/index.php/Set_hostname

Generate a client certificate for our SIP device:

contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d  /etc/asterisk/keys -o sipuser1

You also will be prompted to enter passphrase for keys Create cert for users. After check that all key files should be in the key directory /etc/asterisk/keys/ Configure Asterisk to use TLS: add/edit corresponding lines in sip.conf [general]:

tlsenable=yes
tcpenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

You'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Add the line to your user/sip conf (etc/asterisc/conf/sip_users.conf and in sip.conf):

transport=tls
port=5061 # not neccessary but it will force use tls

Make sure that nowhere in this files written "transport=udp".

Now you should copy keys from server to your client (pc or phone) Now you should configure your sip client to use tls via port 5061. How to make it depends from client you using.

SRTP

SRTP support is provided by libsrtp. Libsrtp has to be installed on the machine before Asterisk is compiled. We installed it at first steps in our man, so don't care.

Anyway if you got this in "asterisk -r" CLI during trying to make call do the next: install libsrtp (and the development header, and then reinstall Asterisk Go to you asterisk source code directory and run next commands:

./configure
make
make install

If you're getting errors during ./configure is running make sure you have these packages installed:

yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel

Add the next line to your users config (sip.conf [general]):

encryption=yes

Also better to force only one codec use:

disallow = all
allow = gsm

You can also restart asterisk service for sure.