Asterisk
About
- an Open Source software development project
- written in the C Programming Language
- running on Linux (or other types of Unix)
- powering Business Telephone Systems
- connecting many different Telephony protocols
- a toolkit for building many things:
  - an IP PBX with many powerful features and applications
  - VoIP Gateways
  - Conferencing systems
  - and much, much more
- supporting VoIP Phones as well as PSTN and POTS
- speaking SIP, the most common VoIP protocol, among others
Version 13 certified Asterisk
Tested with
Asterisk | 2N IP Intercom | Registrations | Calls | Secure RTP (SRTP) |
---|---|---|---|---|
13.8-cert4 | 2.18.1.27.8 |
Settings
Asterisk configuration
Asterisk SIP can be configured through one of two channel drivers, chan_sip or chan_pjsip.
chan_sip
To get a working Asterisk configuration with chan_sip, your /etc/asterisk/sip.conf should contain the following:
```
[general]
bindaddr=0.0.0.0
bindport=5060
context=default
```
This binds Asterisk to the IP addresses of the device where it is installed (0.0.0.0 means all interfaces) and to UDP port 5060 for SIP communication.
Next, your dialplan (/etc/asterisk/extensions.conf) needs a line that makes Asterisk dial an extension. Because the context in sip.conf was set to default, the following line should be added to the [default] section.
```
[default]
; the first step of an extension must have priority 1
exten => _X., 1, Dial(SIP/${EXTEN})
...
```
The previous example triggers the Dial application with chan_sip when an extension matching _X. is dialed. X means that the dialed number starts with a digit, and . means that it is followed by one or more further characters.
sip.conf should include accounts for your 2N IP intercoms. In the following example the 2N IP intercom has the number 6001 with the password some_secre_password_for_this_account. The account is not bound to a single IP address; the address is set dynamically. Only the ulaw (PCMU, G.711 u-law) codec is enabled.
```
; somewhere under the [general] section
...
[6001]
type=friend
host=dynamic
secret=some_secre_password_for_this_account
disallow=all
allow=ulaw
...
```
Asterisk should then be reloaded so that it accepts the changes. This can be done by typing the following command in the Asterisk CLI:
```
core restart now
```
First, video has to be allowed through Asterisk. In the [general] section of sip.conf, add the following:
```
[general]
...
videosupport=yes
...
```
To enable video from the 2N IP intercom, the codecs H.264, H.263 and H.263+ (h264,h263,h263p) have to be added. To enable these codecs, add them to the desired extension in sip.conf, in the allow statement after the previously allowed codecs such as ulaw and alaw.
```
[6001]
...
allow=ulaw,alaw,g722,h264,h263,h263p
...
```
Note
When video does not work with Asterisk, a possible solution is to allow only one video codec, for example h264.
For SRTP to work, Asterisk requires TLS to be working. This needs a server certificate, which can be self-signed or issued by a trustworthy certification authority. For information on how to create certificates for the server or the 2N IP intercom device, visit this FAQ.
In the following scenario we expect the certificate to be in the directory /etc/asterisk/keys. The following should be added to the [general] section in sip.conf.
```
[general]
...
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
...
```
The previous configuration enables TLS and binds it to the IP address of the device running Asterisk. Next, the paths to the certificates are given, and at the bottom all TLS ciphers are allowed.
Next, your dialplan (/etc/asterisk/extensions.conf) needs the lines that make Asterisk dial an extension with SRTP. The following should be placed above the line that dials the extension.
```
...
exten => _X., 1, Set(_SIP_SRTP_SDES=1)
exten => _X., n, Set(_SIPSRTP=optional)
exten => _X., n, Set(_SIPSRTP_CRYPTO=enable)
exten => _X., n, Dial(SIP/${EXTEN})
...
```
The first line sets the SRTP key negotiation method to SDES, the next line sets SRTP as optional (which means that it will not be enforced on all calls) and finally the third line enables SRTP for chan_sip calls.
Next, TLS & SRTP capability has to be added to the chan_sip accounts in sip.conf.
```
[6001]
...
transport=tls,udp
encryption=yes
```
The transport line allows TLS and UDP for this account, and the second line enables SRTP encryption for this account.
For further information on how to configure TLS & SRTP, please refer to the Asterisk manual.
chan_pjsip
To get a working Asterisk configuration with chan_pjsip, the following transport should be defined in your /etc/asterisk/pjsip.conf:
```
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
```
This binds UDP port 5060 (in the default configuration) on the IP addresses of the device where Asterisk is installed (0.0.0.0 means all interfaces).
Next, your dialplan (/etc/asterisk/extensions.conf) needs a line that makes Asterisk dial an extension. Because the context in pjsip.conf will be set to default, the following line should be added to the [default] section.
```
[default]
; the first step of an extension must have priority 1
exten => _X., 1, Dial(PJSIP/${EXTEN})
...
```
The previous example triggers the Dial application with chan_pjsip when an extension matching _X. is dialed. X means that the dialed number starts with a digit, and . means that it is followed by one or more further characters.
To create a chan_pjsip account for your 2N IP intercom, an endpoint should be added first.
```
[6001]
type=endpoint
context=default
disallow=all
allow=ulaw,alaw,g722
auth=6001
aors=6001
```
This creates an endpoint with the allowed codecs u-law, A-law and G.722, with authentication that will be defined next under the name 6001, and an AoR that will be named 6001. The dialplan context used for this account is [default].
Next, the authentication needs to be added.
```
[6001]
type=auth
auth_type=userpass
password=my_secret_password
username=6001
```
This creates authentication with the password my_secret_password and the username 6001.
Finally, an AoR is needed so that the device can register with Asterisk.
```
[6001]
type=aor
max_contacts=1
remove_existing=yes
```
This allows only one device to be registered with Asterisk, and a new registration removes the previous registration.
To enable video from the 2N IP intercom, the codecs H.264, H.263 and H.263+ (h264,h263,h263p) have to be added. To enable these codecs, add them to the desired extension in pjsip.conf, in the allow statement after the previously allowed codecs such as ulaw and alaw.
```
[6001]
...
allow=ulaw,alaw,g722,h264,h263,h263p
...
```
Note
When video does not work with Asterisk, a possible solution is to allow only one video codec, for example h264.
For SRTP to work, Asterisk requires TLS to be working. This needs a server certificate, which can be self-signed or issued by a trustworthy certification authority. For information on how to create certificates for the server or the 2N IP intercom, visit this FAQ.
In the following scenario we expect the certificate to be in the directory /etc/asterisk/keys. The following creates a new transport for TLS (SIPS) communication in pjsip.conf.
```
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1
```
This binds port 5061 for TLS and uses the certificate and key stored in /etc/asterisk/keys.
Next, your dialplan (/etc/asterisk/extensions.conf) needs the lines that make Asterisk dial an extension with SRTP. The following should be placed above the line that dials the extension.
```
...
exten => _X., 1, Set(_SIP_SRTP_SDES=1)
exten => _X., n, Set(_SIPSRTP=optional)
exten => _X., n, Set(_SIPSRTP_CRYPTO=enable)
exten => _X., n, Dial(PJSIP/${EXTEN})
...
```
The first line sets the SRTP key negotiation method to SDES, the next line sets SRTP as optional (which means that it will not be enforced on all calls) and finally the third line enables SRTP for chan_pjsip calls.
Finally, the following line should be added to all accounts that should use SRTP:
```
[6001]
type=endpoint
...
media_encryption=sdes
```
The last line enables media encryption with the SDES negotiation method.
For further information on how to configure TLS & SRTP, please refer to the Asterisk manual.
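As an added example (not part of the original page and not Asterisk's own code), the following Python script checks sip.conf or pjsip.conf text for the settings used in the chan_sip and chan_pjsip TLS & SRTP sections above: unrestricted ciphers, a legacy TLS method, and SDES-keyed SRTP on an account that still accepts non-TLS signalling. The sample input is constructed, and account 6002 is hypothetical.

```python
# Added example: audit Asterisk SIP config text for the TLS/SRTP settings discussed above.
import re

LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1"}  # protocol versions deprecated for TLS

def parse_conf(text):
    """Return [(section, {key: value})]; pjsip.conf reuses section names, so keep a list."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            sections.append((header.group(1), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    findings = []
    for name, opts in parse_conf(text):
        if opts.get("tlscipher", "").upper() == "ALL":
            findings.append((name, "tlscipher=ALL does not restrict cipher suites"))
        for key in ("tlsclientmethod", "method"):
            if opts.get(key, "").lower() in LEGACY_METHODS:
                findings.append((name, f"{key}={opts[key]} names a deprecated protocol version"))
        # chan_sip peer: SDES puts the SRTP key in SDP, so signalling must be TLS only.
        transports = [t.strip().lower() for t in opts.get("transport", "udp").split(",")]
        clear = [t for t in transports if t != "tls"]
        if opts.get("encryption", "").lower() == "yes" and clear:
            findings.append((name, "SRTP keys can travel in SDP over " + "/".join(clear)))
    return findings

# Constructed sample: the page's sip.conf settings plus a hypothetical TLS-only account 6002.
SAMPLE = """
[general]
tlscipher=ALL
tlsclientmethod=tlsv1
[6001]
transport=tls,udp
encryption=yes
[6002]
transport=tls
encryption=yes
"""

if __name__ == "__main__":
    for section, message in audit(SAMPLE):
        print(f"[{section}] {message}")
```

Account 6001 is reported because its transport list still includes udp, while the TLS-only account 6002 produces no finding.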
2N IP intercom configuration
Following the settings on Asterisk, the username and password should be filled in on the 2N IP intercom, with the IP address of the Asterisk server in the Domain, Proxy and Registrar fields.
To enable SRTP with Asterisk, TLS has to be allowed. TLS runs on port 5061, so all ports in the SIP settings on the 2N IP intercom (Registrar and Proxy port) should be changed to this value.
Required licenses
- Enhanced Security for SRTP and SIP over TLS
Used Symbols
- Verified with video
- Work with limitation
- Incompatible