The German provider Easybell (https://www.easybell.de/) provides TLS and SRTP encryption via a dedicated gateway; the registrar/proxy is secure.sip.easybell.de. When routing calls via this gateway, TLS and SRTP are forced.
Basic TLS/SRTP setup for FusionPBX/FreeSWITCH is described at https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS
Once TLS is working, I had to set up the following to get everything working on FusionPBX 4.5.20 with FreeSWITCH 1.10.5:
- Create a dedicated external SIP profile with the option "tls-only" set to true to force all communication via port 5061
- Set up a gateway with proxy "secure.sip.easybell.de" and link it to the profile created above
- Modify/add the following statements in the outbound route in use, before the bridge statement:
  - set rtp_secure_media_outbound=mandatory
  - export rtp_secure_media_outbound=mandatory
  - set sdp_secure_savp_only=true
  - export sdp_secure_savp_only=true
  - set rtp_secure_media=true
  - export rtp_secure_media=true
- Add/update the following variable in Advanced -> Variables -> SIP: rtp_secure_media_inbound with the value "optional"
- Disable inbound-late-negotiation on your SIP profiles if any phones/devices on your system are not able to use TLS with SRTP; otherwise you might see 488 "Not Acceptable Here" responses.
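
To check that an outbound route really carries all six statements before its bridge, the following added example (not part of the original page and not FusionPBX code) audits the XML of a single dialplan extension. It assumes the route's XML has been copied out of the FusionPBX dialplan editor; `audit_route`, `_route` and the `GATEWAY_UUID` placeholder are hypothetical names, and the two sample routes are constructed.

```python
import xml.etree.ElementTree as ET

# Variables the steps above require, each via both "set" and "export".
REQUIRED = {
    "rtp_secure_media_outbound": "mandatory",
    "sdp_secure_savp_only": "true",
    "rtp_secure_media": "true",
}

def audit_route(xml_text):
    """Return findings for one dialplan <extension>; an empty list means OK."""
    findings = []
    for cond in ET.fromstring(xml_text).iter("condition"):
        seen = set()  # (application, variable) pairs already set correctly
        for action in cond.findall("action"):
            app, data = action.get("application", ""), action.get("data", "")
            name, _, value = (part.strip() for part in data.partition("="))
            if app in ("set", "export") and name in REQUIRED:
                # A later assignment with another value overrides the earlier one.
                if value == REQUIRED[name]:
                    seen.add((app, name))
                else:
                    seen.discard((app, name))
            elif app == "bridge":
                findings += [
                    f"{need} {var}={val} missing before bridge {data}"
                    for var, val in REQUIRED.items()
                    for need in ("set", "export")
                    if (need, var) not in seen
                ]
    return findings

def _route(actions):
    # Constructed sample route; GATEWAY_UUID is a placeholder, not a real value.
    body = "".join(f'<action application="{a}" data="{d}"/>' for a, d in actions)
    return (f'<extension name="easybell_out"><condition field="destination_number" '
            f'expression="^(\\d+)$">{body}</condition></extension>')

SECURE = [(app, f"{var}={val}") for var, val in REQUIRED.items() for app in ("set", "export")]
BRIDGE = ("bridge", "sofia/gateway/GATEWAY_UUID/$1")
GOOD = _route(SECURE + [BRIDGE])
# Weak variant: export of sdp_secure_savp_only missing, rtp_secure_media set too late.
BAD = _route(SECURE[:3] + [BRIDGE] + SECURE[4:])

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_route(xml_text) or "OK")
```

Statements placed after the bridge are reported as missing, because they do not apply to the call leg that the bridge has already created.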