Hi all,
New Fusion/FreeSWITCH user here, coming from years of Asterisk/FreePBX.
I am trying to set up my instance so that my endpoints register with TLS and are forced to use RTP media encryption. After reading some posts, I set the following Switch Variables for ONLY the 'SIP Profile: Internal': internal_ssl_enable = true and rtp_secure_media = mandatory (both using the 'set' command).
Using a SIP client, I verified that I can only place a call with media encryption enabled on my SIP client. Unencrypted calls are declined with a Not Acceptable Here. So far so good.
Next I added a basic outbound route, and the call goes through, BUT I noticed via the CLI and sngrep that the SDP sent from my box to my provider has a crypto line! I am definitely not registering TLS with my provider, but they seem to accept RTP/SAVP on an outbound call. Weird but OK. The real problem is I cannot call into my PBX. The CLI shows 'Crypto not negotiated but required'.
It seems to me that rtp_secure_media = mandatory is propagating up/down the call path even though I only have it set on the 'Internal' profile. I've verified my gateway is set to the 'external' profile.
I have read that some people put stuff in the dialplan, but after a few days of looking at this, I am still not sure what or where I would put something in the dialplan without affecting other functions or impacting security.
My ask is: What am I missing from the internal/external concepts that's making this not work as I would expect, that is, TLS/SRTP ONLY on the internal side of the call leg? Is there a documented way to implement this that I am just missing?
This is on a fresh Debian 12 install of the latest FusionPBX install script. I am using Let's Encrypt for TLS. I am happy to provide any screenshots or logs. Thanks all!