Asterisk

Content

About

Version 13 certified Asterisk

Used Symbols

About

  • an Open Source software development project
  • written in the C Programming Language  
  • running on Linux (or other types of Unix)
  • powering Business Telephone Systems  
  • connecting many different Telephony protocols
  • a toolkit for building many things:
    • an IP PBX with many powerful features and applications
    • VoIP Gateways
    • Conferencing systems
    • and much, much more
  • supporting VoIP Phones as well as PSTN and POTS  
  • speaking SIP, the most common VoIP protocol, among others

Version 13 certified Asterisk

Tested with

Asterisk   | 2N IP Intercom | Registrations | Calls   | Secure RTP (SRTP)
13.8-cert4 | 2.18.1.27.8    | (tikot)       | (tikot) | (tikot)

Settings

Asterisk configuration

Asterisk SIP can be configured through one of two channel drivers: chan_sip or chan_pjsip.

chan_sip

For a working Asterisk configuration with chan_sip, the following should be present in your /etc/asterisk/sip.conf:

[general]
bindaddr=0.0.0.0
bindport=5060
context=default

This binds Asterisk to the IP address of the device where it is installed and binds UDP port 5060 for SIP communication.

Next, your dialplan (/etc/asterisk/extensions.conf) should contain a line that makes Asterisk dial an extension. Because the context in sip.conf was set to default, the following line should be added to the [default] section.

[default]
exten => _X., 1, Dial(SIP/${EXTEN})
...

The previous example triggers the "Dial" action with chan_sip when an extension matching _X. is dialed. X means that the dialed number starts with a digit, and . means that it is followed by one or more further characters.

sip.conf should include accounts for your 2N IP intercoms. In the following example, the 2N IP intercom has the number 6001 and the password some_secre_password_for_this_account. The account is not bound to a single IP address; the address can be set dynamically. Only the ulaw (PCMU, G.711 u-law) codec is enabled.

(somewhere under [general] section)
...
[6001]
type=friend
host=dynamic
secret=some_secre_password_for_this_account
disallow=all
allow=ulaw
...

Asterisk should then be reloaded so that it accepts the changes. This can be done by typing the following command in the Asterisk CLI:

core restart now

First, video must be allowed through Asterisk. In sip.conf, add the following to the [general] section:

[general]
...
videosupport=yes
...

To enable video from the 2N IP intercom, the codecs H.264, H.263 and H.263+ (h264, h263, h263p) must be added. To enable these codecs, add them to the desired extension in sip.conf, in the allow statement after the previously allowed codecs such as ulaw and alaw.

[6001]
...
allow=ulaw,alaw,g722,h264,h263,h263p
...

Note

When video isn't functioning with Asterisk, a possible solution is to allow only one video codec, for example h264.

For SRTP to work, Asterisk requires TLS to be functioning. A server certificate is needed for this; the certificate can be self-signed or issued by a trusted certification authority. For information on how to create certificates for the server or the 2N IP intercom device, visit this FAQ.

In the following scenario we expect the certificate to be in the directory /etc/asterisk/keys. The following should be added to the [general] section in sip.conf.

[general]
...
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
...

The previous configuration enables TLS and binds it to the IP address of the device running Asterisk. Next, the paths to the certificates are given, and at the bottom all TLS ciphers are allowed.

Next, your dialplan (/etc/asterisk/extensions.conf) should contain lines that make Asterisk dial an extension with SRTP. The following should be placed above the line that dials the extension.

...
exten => _X., 1, Set(_SIP_SRTP_SDES=1) 
exten => _X., n, Set(_SIPSRTP=optional) 
exten => _X., n, Set(_SIPSRTP_CRYPTO=enable)
exten => _X., n, Dial(SIP/${EXTEN})
...

This sets the SRTP key negotiation method to SDES; the next line sets SRTP as optional (which means that it is not enforced on all calls), and finally SRTP is enabled for chan_sip calls.

Next, TLS & SRTP capability must be added to the chan_sip accounts in sip.conf.

[6001]
...
transport=tls,udp
encryption=yes

The transport line allows TLS and UDP for this account, and the second line enables SRTP encryption for this account.

For further information on how to configure TLS & SRTP, please refer to the Asterisk manual.

chan_pjsip

For a working Asterisk configuration with chan_pjsip, the following transport should be defined in your /etc/asterisk/pjsip.conf:

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

This binds UDP port 5060 (in the default configuration) to the IP address of the device on which Asterisk is installed.

Next, your dialplan (/etc/asterisk/extensions.conf) should contain a line that makes Asterisk dial an extension. Because the context in pjsip.conf will be set to default, the following line should be added to the [default] section.

[default]
exten => _X., 1, Dial(PJSIP/${EXTEN})
...

The previous example triggers the "Dial" action with chan_pjsip when an extension matching _X. is dialed. X means that the dialed number starts with a digit, and . means that it is followed by one or more further characters.

To create a chan_pjsip account for your 2N IP intercom, an endpoint should be added first.

[6001]
type=endpoint
context=default
disallow=all
allow=ulaw,alaw,g722
auth=6001
aors=6001

This creates an endpoint with the allowed codecs u-law, A-law and G.722, with authentication that will be defined next under the name 6001, and an AoR that will be named 6001. The dialplan context used for this account will be [default].

Next, authentication needs to be added.

[6001]
type=auth
auth_type=userpass
password=my_secret_password
username=6001

This creates authentication with the password my_secret_password and the username 6001.

Finally, an AoR is needed so the device can register with Asterisk.

[6001]
type=aor
max_contacts=1
remove_existing=yes

This allows only one device to be registered with Asterisk, and a new registration removes the previous registration.

To enable video from the 2N IP intercom, the codecs H.264, H.263 and H.263+ (h264, h263, h263p) must be added. To enable these codecs, add them to the desired extension in pjsip.conf, in the allow statement after the previously allowed codecs such as ulaw and alaw.

[6001]
...
allow=ulaw,alaw,g722,h264,h263,h263p
...

Note

When video isn't functioning with Asterisk, a possible solution is to allow only one video codec, for example h264.

For SRTP to work, Asterisk requires TLS to be functioning. A server certificate is needed for this; the certificate can be self-signed or issued by a trusted certification authority. For information on how to create certificates for the server or the 2N IP intercom, visit this FAQ.

In the following scenario we expect the certificate to be in the directory /etc/asterisk/keys. The following creates a new transport for TLS (SIPS) communication in pjsip.conf.

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

This binds port 5061 for TLS and uses the certificate and key stored in /etc/asterisk/keys.

Next, your dialplan (/etc/asterisk/extensions.conf) should contain lines that make Asterisk dial an extension with SRTP. The following should be placed above the line that dials the extension.

...
exten => _X., 1, Set(_SIP_SRTP_SDES=1) 
exten => _X., n, Set(_SIPSRTP=optional) 
exten => _X., n, Set(_SIPSRTP_CRYPTO=enable)
exten => _X., n, Dial(PJSIP/${EXTEN})
...

This sets the SRTP key negotiation method to SDES; the next line sets SRTP as optional (which means that it is not enforced on all calls), and finally SRTP is enabled for chan_pjsip calls.

Finally, the following line should be added to all accounts that will use SRTP:

[6001]
type=endpoint
...
media_encryption=sdes

The last line enables media encryption with the SDES negotiation method.

For further information on how to configure TLS & SRTP, please refer to the Asterisk manual.
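The TLS and SRTP settings shown above for sip.conf and pjsip.conf can be reviewed before deployment with a small audit script. This is an added example, not part of the original guide or of Asterisk. The function names, the sample text (constructed from the settings on this page) and the selection of checks are assumptions.

```python
import re

# Constructed sample: the sip.conf and pjsip.conf settings shown on this page.
SAMPLE = """\
; from sip.conf
[general]
tlscipher=ALL
tlsclientmethod=tlsv1
[6001]
secret=some_secre_password_for_this_account
transport=tls,udp
encryption=yes
; from pjsip.conf, where one section name is repeated per object type
[transport-tls]
method=tlsv1
[6001]
password=my_secret_password
"""
PLACEHOLDERS = {"some_secre_password_for_this_account", "my_secret_password"}
OLD_PROTOCOLS = {"sslv2", "sslv3", "tlsv1"}

def parse(text):
    """Return [(section, options)]; a list, because pjsip.conf repeats section names."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment ('\;' is not handled)
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)  # also matches [name](template)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # accepts both 'key=value' and 'key => value'
            sections[-1][1][key.strip()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return (section, option, reason) for each setting worth reviewing."""
    findings = []
    for name, opts in parse(text):
        if opts.get("tlscipher", "").upper() == "ALL":
            findings.append((name, "tlscipher", "admits weak cipher suites"))
        for key in ("tlsclientmethod", "method"):
            if opts.get(key, "").lower() in OLD_PROTOCOLS:
                findings.append((name, key, "deprecated TLS/SSL version"))
        if opts.get("encryption") == "yes" and re.search(r"\budp\b", opts.get("transport", "")):
            findings.append((name, "transport", "SDES keys exposed if SIP runs over UDP"))
        for key in ("secret", "password"):
            if opts.get(key) in PLACEHOLDERS:
                findings.append((name, key, "documentation placeholder left in place"))
    return findings
```

To check real files, pass their contents to audit(), for example audit(open("/etc/asterisk/sip.conf").read()). Whether a flagged TLS setting can be tightened depends on what the installed Asterisk build and the intercom firmware both support.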

2N IP intercom configuration

Following the settings on Asterisk, the username and password should be filled in on the 2N IP intercom, with the IP address of the Asterisk server in the Domain, Proxy and Registrar fields.

To enable SRTP with Asterisk, TLS must be allowed. TLS runs on port 5061, so all ports in the SIP settings on the 2N IP intercom (Registrar and Proxy port) should be changed to this value.

Next, in Advanced Settings, set SIP Transport Protocol to TLS and enable receiving and transmitting SRTP calls.

For SRTP to work, Asterisk requires TLS to be functioning. A server certificate is needed for this; the certificate can be self-signed or issued by a trusted certification authority. For information on how to create certificates for the server or the 2N IP intercom, visit this FAQ.

Required licenses

  • Enhanced Security for SRTP and SIP over TLS

Used Symbols

(tikot) - Verified with video

(varování) - Work with limitation

(chyba) - Incompatible