TLS/SRTP with Easybell - Germany

TheOperator

The German provider Easybell (https://www.easybell.de/) provides TLS and SRTP encryption via a dedicated gateway - registrar/proxy is secure.sip.easybell.de. When routing calls via this gateway, TLS and SRTP are forced.
Basic TLS/SRTP for FusionPBX/FreeSWITCH can be found under https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS

Once TLS is working, I had to set up the following to get everything working on FusionPBX 4.5.20 with FreeSWITCH 1.10.5:
  • Create a dedicated external SIP profile with the option "tls-only" set to true to force all communication via port 5061
  • Set up a gateway with proxy "secure.sip.easybell.de" and link it to the profile created above
  • Modify/add the following statements to the outbound route used before the bridge statement:
    • set rtp_secure_media_outbound=mandatory
    • export rtp_secure_media_outbound=mandatory
    • set sdp_secure_savp_only=true
    • export sdp_secure_savp_only=true
    • set rtp_secure_media=true
    • export rtp_secure_media=true
  • Add/update the following variable in Advanced -> variables -> SIP: rtp_secure_media_inbound with the value "optional"
  • Disable late-inbound-negotiation on your SIP profiles if any phones/devices on your system are not able to use TLS with SRTP; otherwise you might see 488 "Not Acceptable Here" responses.
Note: To aid debugging TLS connections, look at https://www.pbxforums.com/threads/enable-tls-debugging-with-sngrep.4077/
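
An added example, not part of the original post: a small audit that reads a FreeSWITCH dialplan XML fragment and reports, per extension, which of the six set/export statements listed above are missing or misplaced relative to the bridge action. The sample dialplan, the extension names and the gateway name `example-gw` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Variable/value pairs from the post's outbound-route step.
REQUIRED = {"rtp_secure_media_outbound": "mandatory",
            "sdp_secure_savp_only": "true",
            "rtp_secure_media": "true"}

# Constructed sample: extension names and the gateway name are made up.
SAMPLE = r"""<context name="default">
 <extension name="easybell-ok">
  <condition field="destination_number" expression="^(\d+)$">
   <action application="set" data="rtp_secure_media_outbound=mandatory"/>
   <action application="export" data="rtp_secure_media_outbound=mandatory"/>
   <action application="set" data="sdp_secure_savp_only=true"/>
   <action application="export" data="sdp_secure_savp_only=true"/>
   <action application="set" data="rtp_secure_media=true"/>
   <action application="export" data="rtp_secure_media=true"/>
   <action application="bridge" data="sofia/gateway/example-gw/$1"/>
  </condition>
 </extension>
 <extension name="easybell-weak">
  <condition field="destination_number" expression="^(\d+)$">
   <action application="set" data="rtp_secure_media_outbound=mandatory"/>
   <action application="set" data="sdp_secure_savp_only=true"/>
   <action application="bridge" data="sofia/gateway/example-gw/$1"/>
   <action application="export" data="rtp_secure_media=true"/>
  </condition>
 </extension>
</context>"""

def audit_extension(ext):
    """Findings for one <extension>; an empty list means all six are in place."""
    ok = set()  # (application, variable) pairs holding the required value
    for action in ext.iter("action"):
        app, data = action.get("application", ""), action.get("data", "")
        if app == "bridge":
            # Only statements placed before the bridge count.
            return [f"{a} {v}={REQUIRED[v]} missing before bridge"
                    for v in REQUIRED for a in ("set", "export")
                    if (a, v) not in ok]
        name, _, value = data.partition("=")
        if app in ("set", "export") and name in REQUIRED:
            # A later wrong value overrides an earlier correct one.
            (ok.add if value == REQUIRED[name] else ok.discard)((app, name))
    return []  # no bridge in this extension, nothing to check

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {e.get("name"): audit_extension(e) for e in root.iter("extension")}
```

Calling `audit(SAMPLE)` returns an empty list for `easybell-ok` and four findings for `easybell-weak`, including the export that was placed after the bridge.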