Configure SRTP Port Range?
Hi,
when trying to use SRTP, I can see UDP traffic from phones to the Asterisk server being dropped by the firewall on arbitrary ports.
Where do I configure the SRTP port range (like the rtp port range)?
Why aren’t the clients talking to each other directly but apparently try to send the SRTP traffic to the server?
That the traffic is being blocked by the firewall is probably the reason why I have no audio when using SRTP …
—
11 thoughts on - Configure SRTP Port Range?
There is no separate port range used for SRTP, and Asterisk does not control the port that the phone uses for sending to Asterisk. That’s up to the endpoint.
Direct media with SRTP is not supported. All media goes through Asterisk when SRTP is used.
—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
445 Jan Davis Drive NW – Huntsville, AL 35806 – US
Check us out at: http://www.digium.com & http://www.asterisk.org
—
Thanks!
The phones do not have any settings with which I could limit the ports used for SRTP.
Well, how are we supposed to handle this in firewalls? I do not want to open all ports for UDP traffic directed to the server.
—
It’s expected that traffic to the RTP port range that Asterisk is configured to use is let through to Asterisk to ensure audio flow.
—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
—
The phones don’t seem to be using the RTP port range specified in rtp.conf when they are using SRTP. When they are using RTP, they do not send the RTP traffic via Asterisk, though they can do that without the ports for this opened in the firewall (perhaps the router uses a conntrack helper for RTP; I’d have to find out).
When the phones use SRTP, the ports they’re using are all over the place. I’d either have to open all UDP ports for their traffic to go via the server or stick to unencrypted phone calls.
There must be some solution for this. That phone calls are encrypted should be the default, especially since they are all going over the internet nowadays.
—
The rtp.conf file configures the port range that Asterisk uses for its RTP ports. It does not, and can not, control the remote endpoint. It’s up to the endpoint and, if NAT is involved, the router as to what source port is used for media originating from the endpoint.
—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
—
*Direct media with SRTP is not supported. All media goes through Asterisk when SRTP is used.*
So you have to open ports on your firewall and disable directmedia=yes in your configuration.
Only open the range of ports that you really use: for example, if you have a maximum of 10 simultaneous calls, open only 40 ports (4 ports for each call, two for RTP and two for RTCP). Then change the rtp.conf configuration to reflect the range of ports you are using.
Another option is using another PBX/switch that supports direct SRTP flow between endpoints.
Regards
—
directmedia is not explicitly enabled; I guess it’s the default.
Joshua basically says there is no way to control which ports are being used for SRTP because it is “up to the endpoint”. Such endpoints, in this case, are mobile phones with software like csipsimple or gs-wave (or perhaps zoiper), and I see no way in these programs to define which ports to use for SRTP.
Since I have no way to define which ports endpoints use for SRTP, I would have to open all UDP ports in the firewall, and I don’t want to do that.
NAT is currently not involved yet. I want to get this to work first and then look into NAT issues.
So how would I control which ports are being used for SRTP? Some ports being open on the firewall doesn’t mean the phones will automagically use them, does it?
Which one does that? And does that work through foreign firewalls I have no control over and when NAT becomes involved?
—
I think there’s confusion over ports. In calls there are two ports and IP addresses in play. There is the IP address and port that Asterisk listens on and sends media from. There is also the IP address and port that the endpoint listens on and sends media from. You can control the Asterisk one as mentioned using rtp.conf. Therefore the firewall rule for where Asterisk is running would be:
Any source to UDP ports X to Y (10000 to 20000 by default) allow.
What you can’t do is limit the rule based on the source of media, except for circumstances where you know for sure the source.
Note that RTP ports in Asterisk aren’t open all the time and only listen when a call is using it, and they also learn the source of media – blocking out other sources.
—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
—
The confusion probably comes from the canreinvite option which I had been reading decides whether two clients communicate directly with each other or have to go via the Asterisk server. Today I found that this is not true — so that documentation must have been wrong.
It has created confusion because both ‘canreinvite=NO’ and ‘canreinvite=yes’ had been working. Today I found that ‘directmedia=no’ did not work regardless of whether RTP or SRTP was used. That was to be expected because the firewall didn’t have the RTP ports open, either. I had already been wondering about this because I thought there would have to be ports open for ‘canreinvite=NO’ to work.
Are you saying that the ports specified in rtp.conf (‘rtpstart’ and ‘rtpend’) specify which ports Asterisk uses regardless of whether RTP or SRTP is being used? Is that why you speak of “media” (ports)?
(That would answer my original question: where to specify the SRTP ports?)
ok
After opening the ports specified in rtp.conf, both RTP and SRTP were working in the test calls I made. But:
How do clients know which media ports to use? Is Asterisk telling them that?
I.e., can I (basically) rely on the clients to use the media ports in rtp.conf, or did I just get lucky that by chance the clients happened to use these ports when I made the test calls?
—
Yes.
It’s exchanged as part of call setup using SDP. SDP specifies where media should be sent, the codecs that can be used, and also controls hold/unhold. Each side provides SDP which is parsed, interpreted, negotiated, and used.
—
Joshua C. Colp Digium – A Sangoma Company | Senior Software Developer
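A small check illustrating the two answers above (the firewall rule covering the rtp.conf range, and the media port being advertised in SDP): it parses a constructed rtp.conf fragment and a constructed SDP answer of the kind Asterisk sends for an SRTP call, and confirms that the RTP and RTCP ports fall inside the range the firewall opens. This is an added example, not code from the thread or from Asterisk; the SDP body, addresses and crypto key are made up, and the RTCP-is-port-plus-one convention is assumed.

```python
import re

# Constructed rtp.conf fragment with Asterisk's shipped default range
# (the 10000-20000 mentioned in the thread); not the poster's own file.
RTP_CONF = """[general]
rtpstart=10000
rtpend=20000
"""

# Constructed SDP body of the kind Asterisk sends for an SRTP call. The
# RTP/SAVP profile and a=crypto line mark SRTP, but the port is drawn from
# the same rtpstart/rtpend pool as plain RTP. The key is a placeholder.
SDP_ANSWER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=Asterisk
c=IN IP4 192.0.2.10
t=0 0
m=audio 10034 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY
"""

def parse_rtp_range(conf):
    """Read rtpstart/rtpend (inclusive) from an rtp.conf text."""
    vals = dict(re.findall(r"^\s*(rtpstart|rtpend)\s*=\s*(\d+)", conf, re.M))
    return int(vals["rtpstart"]), int(vals["rtpend"])

def parse_sdp_media(sdp):
    """One dict per m= line: media type, port, SRTP flag. SRTP shows as an
    RTP/SAVP(F) profile (UDP/TLS/RTP/SAVP for DTLS-SRTP) or an a=crypto line."""
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            mtype, port, profile = line[2:].split()[:3]
            media.append({"type": mtype, "port": int(port), "srtp": "SAVP" in profile})
        elif line.startswith("a=crypto:") and media:
            media[-1]["srtp"] = True
    return media

def check_media_ports(sdp, conf):
    """Is every advertised RTP port, and its RTCP port (port+1 in Asterisk),
    inside the rtp.conf range the firewall opens? Returns (ok, findings)."""
    lo, hi = parse_rtp_range(conf)
    ok, findings = True, []
    for m in parse_sdp_media(sdp):
        rtp, rtcp = m["port"], m["port"] + 1
        inside = lo <= rtp and rtcp <= hi
        ok = ok and inside
        findings.append(f"{m['type']} {'SRTP' if m['srtp'] else 'RTP'} {rtp}/{rtcp} "
                        f"{'inside' if inside else 'OUTSIDE'} {lo}-{hi}")
    return ok, findings
```

Feeding it a captured SDP body from a real call (for example from `sip set debug on` / `pjsip set logger on` output) shows directly whether the port Asterisk advertised lies in the opened range, for SRTP and plain RTP alike.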
—
Cool 🙂
Maybe a hint like “these ports are used for SRTP as well” in the default rtp.conf would clarify this. (I was actually looking for an srtp.conf to begin with …)
Thank you very much! So I got this to work; next step would be to try it with clients from outside the local network … 🙂
—