Asterisk 11 with TLS and SRTP on CentOS 6

From vpsget wiki
Revision as of 14:52, 20 May 2015 by Max

Update our OS:

yum -y update
yum groupinstall core
yum groupinstall base

Install all necessary packages:

yum -y install epel-release
yum install gcc gcc-c++ lynx bison mysql-devel mysql-server libsrtp libsrtp-devel php php-mysql php-pear php-mbstring tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel-devel git subversion kernel-devel php-process crontabs cronie cronie-anacron sqlite-devel

Download and install Asterisk:

cd /usr/src/
wget
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*
make clean && make distclean
./configure
make menuselect

In the menu window, leave the default values and press Save & Exit.

Continue installation:

make && make install
make config
make samples

At this stage Asterisk is installed. Now you need to configure it.

Add Asterisk to startup:

chkconfig asterisk on

Add the Asterisk user:

adduser -M asterisk

Set ownership of the Asterisk directories:

chown -R asterisk:asterisk /etc/asterisk/
chown -R asterisk:asterisk /var/log/asterisk/
chown -R asterisk:asterisk /var/spool/asterisk/
chown -R asterisk:asterisk /var/lib/asterisk/
chown -R asterisk:asterisk /usr/lib/asterisk/

Open /etc/passwd and change:

asterisk:x:500:500::/home/asterisk:/bin/bash

to

asterisk:x:500:500::/home/asterisk:/sbin/nologin

Open /usr/sbin/safe_asterisk and comment out the TTY line so that it reads:

#TTY=9

Try to start Asterisk:

service asterisk start

To open the console use:

asterisk -rvvv

Now you need to do some configuration for the service to work correctly. Create the directory and config files:

cd /etc/asterisk/
mkdir conf
touch conf/sip_trunk.conf
touch conf/sip_register.conf
touch conf/sip_users.conf
touch conf/extensions.conf

Asterisk now needs to read the data from our files. Open /etc/asterisk/extensions.conf and insert at the end of the file:

#include conf/extensions.conf

Open /etc/asterisk/sip.conf and insert:

Before [general]:

#include conf/sip_trunk.conf
#include conf/sip_register.conf

At the end of the file:

#include conf/sip_users.conf

Now run:

asterisk -rvvv
sip reload
dialplan reload

Now Asterisk will see our files.


Step 1. Create users.

Open conf/sip_users.conf and add the first user.

User 1:

[1001]
type=friend
secret=xxxxxxxxxx ; put a strong password
host=dynamic
context=out
dtmfmode=RFC2833
disallow=all
allow=gsm
nat=comedia
qualify=yes

Add users 2, 3 and so on in the same way.

Step 2. Connect an external line (Sipnet, for example).

Open conf/sip_trunk.conf and insert:

[sipnet]
secret=you_pass
defaultuser=you_sipnet_id
trunkname=sipnet
type=friend
context=income
insecure=invite
fromuser=you_sipnet_id
disallow=all
allow=alaw
allow=ulaw
allow=g729
nat=no
dtmfmode=rfc2833

Open conf/sip_register.conf and insert:

register =>

Step 3. Extensions (routing).

Configure calls within our network. Open conf/extensions.conf and insert:

[out]
exten=>1001,1,Dial(SIP/1001,20)
exten=>1002,1,Dial(SIP/1002,20)

Configure internal and external calls. Open conf/extensions.conf and insert:

[income]
exten => s,1,Dial(SIP/101,90,mt)
same => n,Hangup
exten => _7X.,1,Dial(SIP/${EXTEN:1}@sipnet,90,mT)
same => n,Hangup

After configuring, reload the configuration:

asterisk -rvvv
sip reload
dialplan reload

Done! Now you can connect your devices to Asterisk and make calls between your clients and, if you connect a SIP provider, to mobile and other numbers.

TLS

Download the Asterisk source code and unpack it:

cd /usr/src/
wget
tar xzvf asterisk-11-current.tar.gz
cd asterisk-*

Run the following commands:

mkdir /etc/asterisk/keys
contrib/scripts/./ast_tls_cert -C -O "privatecompany" -d /etc/asterisk/keys

You will be asked to enter a passphrase for /etc/asterisk/keys/ca.key.

NOTE: if you get a hostname-related error, do the following:

Generate a client certificate for our SIP device:

contrib/scripts/./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C -O "privatecompany" -d /etc/asterisk/keys -o sipuser1

You will also be prompted to enter the passphrase for the keys. Create certificates for your users. Afterwards, check that all key files are in the key directory: /etc/asterisk/keys/

Configure Asterisk to use TLS. Add or edit the corresponding lines in sip.conf [general]:

tlsenable=yes
tcpenable=yes
tlsbindaddr=
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

You also need to configure a SIP peer within Asterisk to use TLS as its transport type. Add these lines to your user config (/etc/asterisk/conf/sip_users.conf):

transport=tls
port=5061 ; not necessary, but it forces the use of TLS

Now copy the keys from the server to your client (PC or phone), then configure your SIP client to use TLS on port 5061. How to do this depends on the client you are using.
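An added example (not part of the original wiki page): a small Python audit that parses sip.conf-style text and flags the TLS settings from this section that still leave SIP signalling in plaintext or weakly protected. The sample config is constructed from the values shown above, and the function names parse_sections and audit_tls are hypothetical.

```python
# Constructed sample: the TLS lines this page puts in sip.conf, plus two users.
SAMPLE = """\
[general]
tlsenable=yes
tcpenable=yes
tlscipher=ALL
tlsclientmethod=tlsv1
[1001]
type=friend
secret=xxxxxxxxxx ; put a strong password
transport=tls
[1002]
type=friend
secret=xxxxxxxxxx
"""

def parse_sections(text):
    """Parse sip.conf text into {section: {key: lower-cased value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def audit_tls(text):
    """Return (section, finding) pairs for settings that leave SIP signalling exposed."""
    sections = parse_sections(text)
    general = sections.get("general", {})
    findings = []
    if general.get("tlsenable") != "yes":
        findings.append(("general", "tlsenable is not yes, so there is no TLS listener"))
    if general.get("tcpenable") == "yes":
        findings.append(("general", "tcpenable=yes also opens a plaintext SIP/TCP listener"))
    if general.get("tlscipher") == "all":
        findings.append(("general", "tlscipher=ALL admits weak and anonymous suites"))
    if general.get("tlsclientmethod") in ("sslv2", "sslv3"):
        findings.append(("general", "tlsclientmethod selects an obsolete SSL version"))
    for name, opts in sections.items():   # only user/peer/friend sections carry type=
        transports = opts.get("transport", general.get("transport", "udp")).split(",")
        if "type" in opts and {t.strip() for t in transports} != {"tls"}:
            findings.append((name, "transport is not tls-only; plaintext SIP is accepted"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"[{section}] {finding}" for section, finding in audit_tls(SAMPLE)))
```

On the sample, user 1002 is flagged because it has no transport=tls line and falls back to UDP, while 1001 passes.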

SRTP

SRTP support is provided by libsrtp. libsrtp has to be installed on the machine before Asterisk is compiled. We installed it in the first steps of this guide, so there is nothing more to do here.

Anyway, if you get this in the "asterisk -r" CLI while trying to make a call, do the following: install libsrtp (and the development headers), and then reinstall Asterisk. Go to your Asterisk source code directory and run the following commands:

./configure
make
make install

If you get errors while ./configure is running, make sure you have these packages installed:

yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel

Add the following line to your users config (sip.conf [general]):


It is also better to force the use of a single codec:

disallow = all
allow = gsm

You can also restart the Asterisk service to be sure.