FXS 16-port Card - SRTP Operation

Background

The Secure Real-time Transport Protocol (sRTP) can be enabled to provide encryption and replay attack protection to the media sent to and from an analog extension (typically originating from either a phone or a fax) on the FXS16 and the UCX. This configuration would typically be used when deploying FXS16s at remote sites to provide secure communication across direct internet connections.

Note that in this configuration, sRTP secures the media only on the leg of a call between the FXS16 and the UCX.

Deploying sRTP requires configuration at both the UCX and the FXS16. To ensure that the basic configuration of the UCX and FXS16 extensions is correct, and to make troubleshooting easier, refer to FXS 16-port Card - Configuring Extensions and complete that configuration without sRTP first. Once this is working, enabling sRTP for these extensions is straightforward.

Configuring the UCX for sRTP

Additional parameters need to be configured in the SIP Settings and for each of the SIP extensions used to connect to the FXS16. Complete the UCX configuration first: until the SIP credentials are set on the UCX, the FXS16 would send a series of unexpected login requests, and the UCX IP Block List feature could block the subnet of the FXS16 as a result.

Modify the UCX SIP Settings
  1. Open a Web-based Configuration Utility session with the UCX
  2. Navigate to the PBX / Settings /SIP Settings page
  3. Add the following values to the Other SIP Settings section at the bottom of the page:
    • tlsenable = yes
    • tlsbindaddr = 0.0.0.0 (if using a Galaxy appliance) OR tlsbindaddr = 0.0.0.0:5961 (if using UCX Cloud)
    • tlscertfile = /var/lib/asterisk/keys/ucx.pem
    • tlscafile = /var/lib/asterisk/keys/ca.crt

Configure each of the UCX SIP Extension(s)

For each SIP extension that requires sRTP:

  1. Create the SIP Extension (refer to Adding a SIP Extension)
  2. In the Device options of the Extension configuration page, set the following values:
    • Transport = All - TLS Primary
    • Enable Encryption = Yes (SRTP only)
  3. Apply your changes

Configure the FXS16 for sRTP

Additional parameters need to be configured for each of the SIP extensions used to connect to the UCX.

Modify each SIP Endpoint

  1. Open the FXS16 Configuration interface and navigate to SIP / SIP Endpoints and click on one of the configured endpoints requiring sRTP
  2. Click on the Edit (pencil) icon to edit the SIP parameters for that extension
  3. In the Main Endpoint Settings section, change the Transport field to TLS
  4. In the Advanced Registration Options section, ensure that:
    • tlsverify is set to No
    • tlssetup is set to Incoming and Outcoming
    • tlsprivatekey is empty
    • encryption is set to Yes (SRTP only)
  5. Click Save
  6. Repeat for all required extensions.

Verify the connection is secure

First, verify that calls can be placed in both directions and that both ends of the call can hear each other. This assumes that an analog phone is connected to the FXS16. If a fax machine is being used and it has a mechanism for placing a voice call, use that voice call option for verification.

To verify that encryption is occurring, i.e. that the connection is using sRTP to transport the media:

  1. Open the Web-based Configuration Utility and navigate to Support / Packet Capture
  2. Refer to Packet Capture and select the interface that connects to the FXS16
  3. Start the packet capture
  4. Make a call from the FXS16 device to the UCX, answer it, listen for speech in both directions, then hang up
  5. Make a call from the UCX to the FXS16 device, answer it, listen for speech in both directions, then hang up
  6. Stop the packet capture and download the file by clicking on it.
  7. Open the file using Wireshark and select SIP Flows from the Telephony menu
  8. Find the first call placed from the FXS16 to the UCX and click Flow Sequence
  9. The flow sequence should have an entry for sRTP for each direction of the call flow
    (Image: sRTP SIP Flow.png)
  10. Click the Play Streams button; you should see a randomized waveform such as the one below, because the decoder is playing ciphertext rather than audio
    (Image: sRTP Randomized Waveform.png)
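The Wireshark check in steps 7 to 10 can also be approximated offline. The script below is an added example, not part of this page or of the UCX/FXS16 software: it parses a pcap, groups RTP packets by stream and flags any stream whose payload entropy looks like plaintext G.711 rather than SRTP ciphertext. The sample capture, the 192.0.2.x addresses and the 6.5 bits/byte threshold are constructed assumptions.

```python
import hashlib, math, struct
from collections import defaultdict

# Heuristic threshold (my assumption, not a standard): SRTP payloads look like random
# bytes (near 8 bits/byte), while unencrypted G.711 audio is far more structured.
ENCRYPTED_ENTROPY_THRESHOLD = 6.5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data."""
    n, counts = len(data), [data.count(b) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def rtp_streams(pcap: bytes) -> dict:
    """Concatenate RTP payloads per (src, sport, dst, dport, ssrc) from a little-endian
    Ethernet/IPv4/UDP pcap; the SRTP auth tag is simply left inside the payload."""
    streams, off = defaultdict(bytes), 24                   # 24 = pcap global header
    while off + 16 <= len(pcap):                            # 16 = per-record header
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17: continue  # IPv4/UDP only
        ihl = (frame[14] & 0x0F) * 4
        ip, udp, rtp = frame[14:14 + ihl], frame[14 + ihl:22 + ihl], frame[22 + ihl:]
        if len(rtp) < 12 or rtp[0] >> 6 != 2: continue      # RTP version field must be 2
        sport, dport = struct.unpack("!HH", udp[:4])
        key = (ip[12:16].hex(), sport, ip[16:20].hex(), dport, rtp[8:12].hex())
        streams[key] += rtp[12 + 4 * (rtp[0] & 0x0F):]     # skip fixed header and CSRCs
    return dict(streams)

def classify_streams(pcap: bytes) -> dict:
    """Label each stream 'likely-encrypted' or 'PLAINTEXT?' by payload entropy."""
    return {k: "likely-encrypted" if shannon_entropy(v) >= ENCRYPTED_ENTROPY_THRESHOLD
            else "PLAINTEXT?" for k, v in rtp_streams(pcap).items()}

def build_pcap(packets) -> bytes:
    """Constructed capture from (src_ip, sport, dst_ip, dport, ssrc, seq, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, sport, dst, dport, ssrc, seq, payload in packets:
        rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + payload   # v2, PT 0
        udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def sample_capture() -> bytes:
    """Constructed sample: one G.711 stream sent in the clear, one SRTP-like stream."""
    silence = bytes([0xFF, 0x7F, 0xFE] * 53 + [0xFF])              # 160 bytes, low entropy
    pkts = [("192.0.2.10", 10000, "192.0.2.20", 20000, 0x1111, s, silence) for s in range(5)]
    pkts += [("192.0.2.20", 20000, "192.0.2.10", 10000, 0x2222, s,
              b"".join(hashlib.sha256(b"srtp-%d-%d" % (s, i)).digest() for i in range(5)))
             for s in range(5)]
    return build_pcap(pkts)
```

Because the heuristic needs no SDP crypto attributes, it still works when the SIP signaling in the capture is itself TLS-encrypted; a stream labelled PLAINTEXT? means the Enable Encryption / encryption settings above did not take effect on that leg.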