Difference between revisions of "Asterisk 11 with TLS and SRTP on Centos 6"
Line 2: | Line 2: | ||
Update our OS: | Update our OS: | ||
− | |||
yum -y update | yum -y update | ||
yum groupinstall core | yum groupinstall core | ||
Line 8: | Line 7: | ||
Install all nesessary packages: | Install all nesessary packages: | ||
− | |||
yum -y install epel-release | yum -y install epel-release | ||
yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses- devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel- devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel | yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses- devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel- devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel | ||
Line 24: | Line 22: | ||
Continue installation: | Continue installation: | ||
− | |||
make && make install | make && make install | ||
make config | make config | ||
Line 65: | Line 62: | ||
#include conf/extensions.conf | #include conf/extensions.conf | ||
− | Open /etc/asterisk/sip.conf and insert | + | Open /etc/asterisk/sip.conf and insert before [general]: |
− | |||
− | |||
#include conf/sip_trunk.conf | #include conf/sip_trunk.conf | ||
− | After OUTBOUND SIP REGISTRATIONS | + | After OUTBOUND SIP REGISTRATIONS: |
#include conf/sip_register.conf | #include conf/sip_register.conf | ||
Line 148: | Line 143: | ||
'''TLS''' | '''TLS''' | ||
+ | |||
You should download Asterisk source code and unpack it: | You should download Asterisk source code and unpack it: | ||
− | cd /usr/src/ | + | cd /usr/src/ |
− | wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz | + | wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz |
− | tar xzvf asterisk-11-current.tar.gz | + | tar xzvf asterisk-11-current.tar.gz |
− | cd asterisk-* | + | cd asterisk-* |
Run next command: | Run next command: | ||
− | mkdir /etc/asterisk/keys | + | mkdir /etc/asterisk/keys |
− | contrib/scripts/./ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" –d /etc/asterisk/keys | + | contrib/scripts/./ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" –d /etc/asterisk/keys |
You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key NOTE if you got hostname related error pls make next : http://wiki.vpsget.com/index.php/Set_hostname | You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key NOTE if you got hostname related error pls make next : http://wiki.vpsget.com/index.php/Set_hostname | ||
Generate a client certificate for our SIP device: | Generate a client certificate for our SIP device: | ||
− | contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1 | + | contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1 |
− | You also will be prompted to enter passphrase for keys Create cert for users. After check that all key files should be in the key directory | + | You also will be prompted to enter passphrase for keys Create cert for users. After check that all key files should be in the key directory |
/etc/asterisk/keys/ | /etc/asterisk/keys/ | ||
Configure Asterisk to use TLS: add/edit corresponding lines in sip.conf [general]: | Configure Asterisk to use TLS: add/edit corresponding lines in sip.conf [general]: | ||
− | tlsenable=yes | + | tlsenable=yes |
− | tcpenable=yes | + | tcpenable=yes |
− | tlsbindaddr=0.0.0.0 | + | tlsbindaddr=0.0.0.0 |
− | tlscertfile=/etc/asterisk/keys/asterisk.pem | + | tlscertfile=/etc/asterisk/keys/asterisk.pem |
− | tlscafile=/etc/asterisk/keys/ca.crt | + | tlscafile=/etc/asterisk/keys/ca.crt |
− | tlscipher=ALL | + | tlscipher=ALL |
− | tlsclientmethod=tlsv1 | + | tlsclientmethod=tlsv1 |
− | + | You'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Add the line to your user/sip conf (etc/asterisc/conf/sip_users.conf and in sip.conf): | |
− | transport=tls | + | transport=tls |
− | port=5061 # not neccessary but it will force use tls | + | port=5061 # not neccessary but it will force use tls |
+ | Make sure that nowhere in this files written "transport=udp". | ||
Now you should copy keys from server to your client (pc or phone) | Now you should copy keys from server to your client (pc or phone) | ||
Line 180: | Line 177: | ||
How to make it depends from client you using. | How to make it depends from client you using. | ||
− | SRTP | + | '''SRTP''' |
+ | |||
SRTP support is provided by libsrtp. Libsrtp has to be installed on the machine before Asterisk is compiled. We installed it at first steps in our man, so don't care. | SRTP support is provided by libsrtp. Libsrtp has to be installed on the machine before Asterisk is compiled. We installed it at first steps in our man, so don't care. | ||
Anyway if you got this in "asterisk -r" CLI during trying to make call do the next: install libsrtp (and the development header, and then reinstall Asterisk | Anyway if you got this in "asterisk -r" CLI during trying to make call do the next: install libsrtp (and the development header, and then reinstall Asterisk | ||
Go to you asterisk source code directory and run next commands: | Go to you asterisk source code directory and run next commands: | ||
− | ./configure | + | ./configure |
− | make | + | make |
− | make install | + | make install |
If you're getting errors during ./configure is running make sure you have these packages installed: | If you're getting errors during ./configure is running make sure you have these packages installed: | ||
− | yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel | + | yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel |
Add the next line to your users config (sip.conf [general]): | Add the next line to your users config (sip.conf [general]): | ||
− | encryption=yes | + | encryption=yes |
Also better to force only one codec use: | Also better to force only one codec use: | ||
− | disallow = all | + | disallow = all |
− | allow = gsm | + | allow = gsm |
You can also restart asterisk service for sure. | You can also restart asterisk service for sure. |
Revision as of 15:04, 20 May 2015
Installing Asterisk
Update our OS:
yum -y update yum groupinstall core yum groupinstall base
Install all nesessary packages:
yum -y install epel-release yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses- devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel- devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel
Download and install Asterisk:
cd /usr/src/ wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz tar xzvf asterisk-11-current.tar.gz cd asterisk-* make clean && make distclean ./configure make menuselect
In menu window leave default values and press save&exit.
Continue installation:
make && make install make config make samples
On this stage Asterisk is installed. Now you need to configure it.
Add Asterisk to sturtup:
chkconfig asterisk on
Add Asterisk user:
adduser -M asterisk
Edit rules:
chown -R asterisk:asterisk /etc/asterisk/ chown -R asterisk:asterisk /var/log/asterisk/ chown -R asterisk:asterisk /var/spool/asterisk/ chown -R asterisk:asterisk /var/lib/asterisk/ chown -R asterisk:asterisk /usr/lib/asterisk/
Open /etc/passwd and change:
asterisk:x:500:500::/home/asterisk:/bin/bash to asterisk:x:500:500::/home/asterisk:/bin/nologin
Open /usr/sbin/safe_asterisk and comment:
#TTY=9
Try to start Asterisk:
service asterisk start
For input to console use:
asterisk -rvvv
Now you need to do some configurations for correct service working. Crete directory and config files:
cd /etc/asterisk/ mkdir conf touch conf/sip_trunk.conf touch conf/sip_register.conf touch conf/sip_users.conf touch conf/extensions.conf
Now we need so that the asterisk can read the data from our files. Open /etc/asterisk/extensions.conf and insert in the end of file:
#include conf/extensions.conf
Open /etc/asterisk/sip.conf and insert before [general]:
#include conf/sip_trunk.conf
After OUTBOUND SIP REGISTRATIONS:
#include conf/sip_register.conf
In the end of file
#include conf/sip_users.conf
Now do:
asterisk -rvvv sip reload dialplan reload
Now Asterisk will se our files.
CALLS ROUTING
Step 1. Create users. For this open file conf/sip_users.conf: User 1
[1001] type=friend secret=xxxxxxxxxx ; put a strong password host=dynamic context=out dtmfmode=RFC2833 disallow=all allow=gsm nat=comedia qualify=yes
Etc User 2, 3... Step 2. Connecting external line. Sipnet for example.
Open conf/sip_trunk.conf and insert:
[sipnet] secret=you_pass defaultuser=you_sipnet_id trunkname=sipnet host=sipnet.net type=friend context=income insecure=invite fromuser=you_sipnet_id fromdomain=sipnet.net disallow=all allow=alaw allow=ulaw allow=g729 nat=no dtmfmode=rfc2833
Open conf/sip_register.conf and insert:
register => you_sipnet_id:you_pass@sipnet.net
Step3. Extentions (Routing) Configure calls within our network Open conf/extensions.conf and insert:
[out] exten=>1001,1,Dial(SIP/1001,20) exten=>1002,1,Dial(SIP/1002,20)
Configure internal and external calls Open conf/extensions.conf and insert:
[income] exten => s,1,Dial(SIP/101,90,mt) same => n,Hangup exten => _7X.,1,Dial(SIP/${EXTEN:1}@sipnet,90,mT) same => n,Hangup
After configuring you need to update configuration:
asterisk -rvvv sip reload dialplan reload
Done! Now you can connect you devices to Asterisk and make calls between you clients, and, if you connect sip provider, to mobile and other numbers.
TLS
You should download Asterisk source code and unpack it:
cd /usr/src/ wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-11-current.tar.gz tar xzvf asterisk-11-current.tar.gz cd asterisk-*
Run next command:
mkdir /etc/asterisk/keys contrib/scripts/./ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" –d /etc/asterisk/keys
You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key NOTE if you got hostname related error pls make next : http://wiki.vpsget.com/index.php/Set_hostname
Generate a client certificate for our SIP device:
contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1
You also will be prompted to enter passphrase for keys Create cert for users. After check that all key files should be in the key directory /etc/asterisk/keys/ Configure Asterisk to use TLS: add/edit corresponding lines in sip.conf [general]:
tlsenable=yes tcpenable=yes tlsbindaddr=0.0.0.0 tlscertfile=/etc/asterisk/keys/asterisk.pem tlscafile=/etc/asterisk/keys/ca.crt tlscipher=ALL tlsclientmethod=tlsv1
You'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Add the line to your user/sip conf (etc/asterisc/conf/sip_users.conf and in sip.conf):
transport=tls port=5061 # not neccessary but it will force use tls
Make sure that nowhere in this files written "transport=udp".
Now you should copy keys from server to your client (pc or phone) Now you should configure your sip client to use tls via port 5061. How to make it depends from client you using.
SRTP
SRTP support is provided by libsrtp. Libsrtp has to be installed on the machine before Asterisk is compiled. We installed it at first steps in our man, so don't care.
Anyway if you got this in "asterisk -r" CLI during trying to make call do the next: install libsrtp (and the development header, and then reinstall Asterisk Go to you asterisk source code directory and run next commands:
./configure make make install
If you're getting errors during ./configure is running make sure you have these packages installed:
yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel
Add the next line to your users config (sip.conf [general]):
encryption=yes
Also better to force only one codec use:
disallow = all allow = gsm
You can also restart asterisk service for sure.