
There are a few prerequisites that must be satisfied before setting up your Sangoma Phones to use TLS/SRTP on your FreePBX 14 install:

  • An FQDN must be assigned and resolve properly on your PBX.
  • A commercial certificate must be properly created and installed on your PBX (see the Certificate Management User Guide).
  • These modules have to be at least the version listed here:
      Module Name             Minimum Version
      Asterisk SIP Settings   13.0.23.1
      Certificate Manager     13.0.20
      Endpoint Manager        13.0.51
      System Firewall         13.0.29
  • Select which SIP stack will use TLS. Go to Settings→Asterisk SIP Settings and choose the stack with the Default TLS Port Assignment option, as shown below. Keep in mind that Chan_SIP is deprecated and PJSIP should be used for new installations.

NOTE: The default UDP ports for FreePBX 13 are chan_sip @ 5061 and chan_pjsip @ 5060. I changed these to chan_sip @ 5060 and chan_pjsip @ 5062 before starting the PBX setup. You can leave the defaults alone; you do not need to make them match our example below.


TLS/SRTP Using PJSIP 

  • Once the prerequisites above are met, start by enabling TLS/SSL/SRTP in Asterisk SIP Settings for pjsip:
    • Choose the Certificate to use. Certificates are set up in the Certificate Manager module on your PBX.
    • Set SSL Method to use Default
    • Set Verify Client and Verify Server to yes



  • Next, for the Extension(s) you want to enable TLS or SRTP for, enable TLS and SRTP under the Advanced tab of the extension, as seen in the example below.
    • To enable TLS, set the "Transport" to 0.0.0.0-tls as shown below.



    • To enable SRTP:
      • Set Media Encryption to SRTP via in-SDP (Recommended)
      • Set Allow Non-Encrypted Media to No




TLS/SRTP Using Chan_SIP

  • Once the prerequisites are met, start by enabling TLS/SSL/SRTP in Asterisk SIP Settings for chan_sip (PJSIP is covered in the section above):
    • Set "Enable TLS" to "yes"
    • Choose the Certificate to use. Certificates are set up in the Certificate Manager module on your PBX.
    • Set "SSL Method" to use "sslv2" (SSL 2.0 as a protocol is prohibited by RFC 6176, so check which protocol version the phone and PBX actually negotiate)
    • Set "Don't Verify Server" to "No" (this seems a bit counterintuitive, but we do want to verify the server)

 

  • Edit the Extension(s) you want to enable TLS / SRTP for: under the Advanced tab of the extension, enable TLS and SRTP as seen in the example below.

 

 

If your phone is already set up in EPM, rebuild the config for the extensions you want to use SRTP or TLS, based on the settings you changed above, and reboot the phones. They will then use SRTP and/or TLS based on what you have defined in the extension page for each device.
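To confirm the result after the phones reboot, you can check a SIP INVITE taken from the PBX's SIP debug output. The following is an added example, not part of the original guide or of FreePBX: it tests that signalling uses TLS and that each media stream offers in-SDP (SDES) SRTP. The function names, the host pbx.example.com, the addresses and the key are constructed placeholders.

```python
import re

def audit_invite(raw):
    """Return a list of findings for one SIP message carrying SDP; an empty
    list means TLS signalling and an SDES-SRTP offer on every media stream."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    # The topmost Via header names the transport: SIP/2.0/TLS, SIP/2.0/UDP, ...
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    tls = via is not None and via.group(1).upper() == "TLS"
    if not tls:
        findings.append("signalling is not TLS")
    # Each media section of the SDP starts at an m= line.
    sections = re.split(r"^(?=m=)", body, flags=re.M)[1:]
    if not sections:
        findings.append("no media section in SDP")
    for sec in sections:
        lines = sec.splitlines()
        m = lines[0].split()              # m=<media> <port> <proto> <formats>
        if len(m) < 3:
            findings.append("malformed m= line")
            continue
        media, proto = m[0][2:], m[2]
        crypto = [l for l in lines if l.startswith("a=crypto:")]
        if proto != "RTP/SAVP":
            findings.append(f"{media}: profile {proto} is not RTP/SAVP")
        elif not crypto:
            findings.append(f"{media}: RTP/SAVP offered without a=crypto key")
        # In-SDP keying puts the SRTP master key in the SIP body, so it is
        # only protected when the signalling itself is encrypted.
        if crypto and not tls:
            findings.append(f"{media}: SDES key sent over cleartext signalling")
    return findings

def sample(transport, profile, crypto=True):
    """Constructed INVITE for the demo; addresses and key are placeholders."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 10000 {profile} 0 101"]
    if crypto:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY")
    head = ["INVITE sip:1002@pbx.example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bK-demo",
            "Content-Type: application/sdp"]
    return "\r\n".join(head + [""] + sdp) + "\r\n"

if __name__ == "__main__":
    for t, p, c in [("TLS", "RTP/SAVP", True), ("UDP", "RTP/AVP", False)]:
        print(t, p, audit_invite(sample(t, p, c)) or "OK")
```

An extension with SRTP enabled but a non-TLS transport triggers the third check, which is why the guide enables both settings together.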

 

