
Setting up Asterisk for SRTP

What is SRTP

Normally voice packets cross the internet unencrypted inside RTP packets, which can be reconstructed and played back by anyone able to intercept them. There are a number of solutions to this problem; however, this document will only cover the SRTP branch of Asterisk, which sends out encryption hints in the SIP packets when negotiating the RTP connection between parties.

While this solution is far from perfect, it does solve the problem of casual interception. This means law enforcement agencies actually have to do their jobs and selectively monitor those who actually should be monitored, rather than mass monitoring every conversation taking place over the internet, which is a huge leap forward in terms of privacy.

So how do I setup Asterisk with SRTP?

At the time of writing there is an SRTP branch of Asterisk, so you will need to grab this from the SVN server, but you will need to install libSRTP before trying to build Asterisk or you won't get very far.

Building and Installing libSRTP

Go to [1] and grab the latest and greatest.

Then on your server decompress it:

tar xzvf srtp-x.y.z.tgz    # x.y.z is the version you downloaded
cd srtp
./configure                # generates the Makefile; check its output for missing headers
make
make install               # installs the library and headers where Asterisk's ./configure can find them

Building and Installing Asterisk with SRTP

You will need to make sure you have the Subversion tools installed; how you do this will vary based on your distribution.

svn checkout
cd securertp-trunk
wget "" -O ast_srtp_depend.patch
patch -p0 < ast_srtp_depend.patch
./configure                # must complete without errors and find libSRTP, or res_srtp will not be selectable
make menuselect

You can navigate the menus with the right arrow to enter a submenu, the left arrow to go back to the main menu, the right arrow or space to select or deselect items, and 'x' to quit and save or 'q' to quit without saving.

When you look in "8. Resource Modules", make sure res_srtp is selectable and has an '*' next to it; otherwise you will need to check for errors from when you ran ./configure.

You can then go through and select or deselect apps and other Asterisk modules as you like. Unlike make menuconfig for Linux, the config menu for Asterisk lacks inter-module sanity checking, so it's best to leave most or all res_* modules activated; otherwise you can run into issues with other modules that don't appear to have any connection to them.

Once you finish selecting, hit 'x' to quit and save, and then run:

make install


Now it's time to set up and test your shiny new install. If you already have a working Asterisk installation you only need to make one small change to your dialplan; for those that are new to this, I suggest you now go to:

and follow at least steps 4 to 7; this should give you a working Asterisk install with a basic menu you can use for testing.

Dialplan change needed

At this point you need to alter your dialplan, but it's only a minor change. You need to put Set(_SIP_SRTP_SDES=optional) somewhere in your dialplan before you use Dial(). This will allow for opportunistic encryption, at least between other Asterisk servers running the SRTP module, but there are also some hard and soft phones that support SRTP as well.

For more information on this topic, you will need to read the bug report on it.

End Result

If you run tethereal to inspect packets, you should see something like the following as a result of SRTP being used.

Non-encrypted link:

0.000000 -> SIP/SDP Request: INVITE sip:s@, with session description
0.110996 -> SIP Status: 100 Trying
1.118002 -> SIP/SDP Status: 200 OK, with session description
1.118230 -> SIP Request: ACK sip:s@
1.147868 -> RTP Payload type=iLBC, SSRC=784617568, Seq=38449, Time=240
1.163311 -> RTP Payload type=iLBC, SSRC=188867920, Seq=55923, Time=106278296

Encrypted link:

0.000000 -> SIP/SDP Request: INVITE sip:s@, with session description
0.112056 -> SIP Status: 100 Trying
1.114716 -> SIP/SDP Status: 200 OK, with session description
1.114984 -> SIP Request: ACK sip:s@
1.145070 -> UDP Source port: 10076  Destination port: 10070
1.159458 -> UDP Source port: 10070  Destination port: 10076
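One way to turn the check above into a script, as an added example that is not part of the original page or of Asterisk: it parses tethereal summary lines like those shown and reports whether the media after call setup was dissected as cleartext RTP or only as opaque UDP, the page's own sign that SRTP was negotiated. The two sample captures are constructed from the listings above; the line format and the function name are assumptions of this example.

```python
import re

# Constructed sample captures, copied from the tethereal summaries shown above.
CLEAR_CAPTURE = """\
0.000000 -> SIP/SDP Request: INVITE sip:s@, with session description
0.110996 -> SIP Status: 100 Trying
1.118002 -> SIP/SDP Status: 200 OK, with session description
1.118230 -> SIP Request: ACK sip:s@
1.147868 -> RTP Payload type=iLBC, SSRC=784617568, Seq=38449, Time=240
1.163311 -> RTP Payload type=iLBC, SSRC=188867920, Seq=55923, Time=106278296
"""

SRTP_CAPTURE = """\
0.000000 -> SIP/SDP Request: INVITE sip:s@, with session description
0.112056 -> SIP Status: 100 Trying
1.114716 -> SIP/SDP Status: 200 OK, with session description
1.114984 -> SIP Request: ACK sip:s@
1.145070 -> UDP Source port: 10076  Destination port: 10070
1.159458 -> UDP Source port: 10070  Destination port: 10076
"""

# One summary line: "<timestamp> -> <protocol> <info>" (assumed layout)
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+->\s+(?P<proto>\S+)\s+(?P<info>.*)$")

def classify_capture(text):
    """Classify media seen after call setup (INVITE ... ACK):
    'cleartext-rtp' if the dissector recognised RTP (audio recoverable),
    'opaque-udp' if only undecoded UDP followed (the sign of SRTP above),
    'no-media' if nothing followed the ACK."""
    saw_invite = saw_ack = False
    rtp = udp = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        proto, info = m.group("proto"), m.group("info")
        if proto.startswith("SIP"):
            if "INVITE" in info:
                saw_invite = True
            elif info.startswith("Request: ACK"):
                saw_ack = True
        elif saw_ack and proto == "RTP":
            rtp += 1
        elif saw_ack and proto == "UDP":
            udp += 1
    verdict = "cleartext-rtp" if rtp else ("opaque-udp" if udp else "no-media")
    return {"call_setup": saw_invite and saw_ack,
            "rtp_packets": rtp, "udp_packets": udp, "verdict": verdict}
```

Note that "opaque UDP" only means the dissector did not recognise the payload; it says nothing about whether the SIP signalling that carried the SDES keying material was itself protected.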



If you are moving from a 1.2.x version of Asterisk to this version, there have been some changes to functions, including ENUMLOOKUP. There needs to be an extra comma in any ENUMLOOKUP calls, e.g.

If you have this in 1.2: ${ENUMLOOKUP(${EXTEN},sip,1,}
then you need this in 1.4: ${ENUMLOOKUP(${EXTEN},sip,,1,}

Note the extra comma after "sip"...


Incidentally, if the parameter c were used, as in:
(from doc/README.enum in the 1.2 branch)

it would become:
in the new syntax.


SRTP is defined in RFC 3711.


Please be aware that while this is a good start, SRTP itself lacks key exchange, and while there are a number of schemes to overcome this, such as MIKEY and S/MIME, neither method seems to be widely in use. For example, Sipura devices use MIKEY for the key exchange, and SRTP.
