
Next, you will need to create a peer entry in sip.conf for your service provider. Here is
a sample peer entry:

    [myprovider]
    type = peer
    host = your.provider.tld
    username = username
    secret = password
    ; Most providers won't authenticate when they send calls to you,
    ; so you need this line to just accept their calls.
    ; With it set, incoming INVITEs matched to this peer are accepted
    ; without a digest authentication challenge.
    insecure = invite
    dtmfmode = rfc2833
    disallow = all
    allow = ulaw

Now that the account has been defined, you must add some extensions in the dialplan
to allow you to send calls to your service provider:

    exten => _1NXXNXXXXXX,1,Dial(SIP/${EXTEN}@myprovider)

Asterisk supports TLS for encryption of the SIP signaling and SRTP
for encryption of the media streams of a phone call. In this section we will set up calls
using SIP TLS and SRTP between two Asterisk servers. The first step is to ensure that the
proper dependencies have been installed: you need both OpenSSL and LibSRTP.
If either one was not installed, reinstall Asterisk after installing
these dependencies to ensure that support for TLS and SRTP is included. Once
complete, make sure that the res_srtp module was compiled and installed. To install
OpenSSL, the package is openssl-devel on CentOS and libssl-dev on Ubuntu. To
install LibSRTP, the package is libsrtp-devel on CentOS and libsrtp0-dev on Ubuntu.
Next we will configure SIP TLS. You must enable TLS using the global tlsenable option
in the [general] section of /etc/asterisk/sip.conf on both servers. You can optionally
specify an address to bind to if you would like to limit listening for TLS connections to
a single IP address on the system. In this example, we have the IPv6 wildcard address
specified to allow TLS connections on all IPv4 and IPv6 addresses on the system:

    [general]
    tlsenable = yes
    tlsbindaddr = ::
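
As an added example (not from the book or the Asterisk project), this Python sketch audits a sip.conf for the two settings covered so far: whether the TLS listener is enabled in [general], and which peers accept unauthenticated INVITEs through insecure = invite. The function names are hypothetical, the sample configuration is constructed from the snippets above, and the transport option it also checks is a chan_sip peer setting that this excerpt does not show.

```python
import re

# Constructed sample: the peer entry and [general] TLS settings shown above.
SAMPLE_SIP_CONF = """\
[general]
tlsenable = yes
tlsbindaddr = ::

[myprovider]
type = peer
host = your.provider.tld
secret = password
insecure = invite
allow = ulaw
"""

def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}; keys such as allow may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: ignores escaped \;
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # also accepts "key => value"
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def csv(opts, key, default):
    return [v.strip().lower() for v in opts.get(key, default).split(",")]

def audit(text):
    """Report findings for the sip.conf settings discussed in this section."""
    sections = parse_sip_conf(text)
    general = dict(sections.get("general", []))
    findings = []
    if general.get("tlsenable", "no").lower() != "yes":
        findings.append("general: tlsenable is not yes, no SIP TLS listener")
    for name, pairs in sections.items():
        opts = dict(pairs)
        if opts.get("type", "").lower() not in ("peer", "friend", "user"):
            continue
        if "invite" in csv(opts, "insecure", "no"):
            findings.append(f"{name}: insecure=invite, inbound INVITEs are not authenticated")
        # Assumption: 'transport' (chan_sip option, not shown here) defaults to udp.
        if "tls" not in csv(opts, "transport", general.get("transport", "udp")):
            findings.append(f"{name}: transport lacks tls, signaling is sent unencrypted")
    return findings
```

Calling audit(SAMPLE_SIP_CONF) returns two findings for myprovider: the unauthenticated INVITE handling and the missing TLS transport.
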
The next step is to get certificates in place. For the purposes of demonstrating the
configuration and functionality, we are going to generate self-signed certificates using
a helper script distributed with Asterisk. If you were setting this up in a production
environment, you might not want to use self-signed certificates. However, if you do,
there are a number of applications out there that help make it easier to manage your
own certificate authority (CA), such as TinyCA.
The script that we are going to use is ast_tls_cert, which is in the contrib/scripts/
directory of the Asterisk source tree. We need to generate a CA certificate and two server
Encrypting SIP calls.
150 | Chapter 7:Outside Connectivity