
I completed this tutorial in order to make secure calls with asterisk.

Secure Calling Tutorial | Asterisk Project Wiki

I am running asterisk version 13.19.2 on Ubuntu version 16 (debian) and as soon as I added TLS and SRTP I ran into problems.

Only read this if you wish to install asterisk! These are just my notes in case you wish to install asterisk with TLS and SRTP support in order to make secure calls. The actual question is at the very bottom!


  1. Install asterisk 13.19.2 with libsrtp and SRTP:

    # (1) make sure everything is up to date again
    apt-get update
    apt-get upgrade

    # (2) Install dependencies that will be needed in order to install asterisk, pjproject etc...
    apt-get install aptitude -y
    aptitude install build-essential -y
    aptitude install git -y
    aptitude install libssl-dev -y
    aptitude install zlib1g-dev -y
    aptitude install openssl -y
    aptitude install libxml2-dev -y
    aptitude install libncurses5-dev -y
    aptitude install uuid-dev -y
    aptitude install sqlite3 -y
    aptitude install libsqlite3-dev -y
    aptitude install pkg-config -y
    aptitude install libjansson-dev -y

    # (3) make sure everything is up to date again
    apt-get update
    apt-get upgrade

    # (4) Install libsrtp (library used to encrypt rtp)
    cd /root
    wget https://github.com/cisco/libsrtp/archive/v1.6.0.tar.gz
    tar -xzf v1.6.0.tar.gz
    cd libsrtp-1.6.0

    ./configure CFLAGS=-fPIC --prefix=/usr
    make
    make runtest
    make install
    cd ..

    # (5) install pjproject
    git clone https://github.com/asterisk/pjproject pjproject
    cd pjproject
    ./configure --prefix=/usr --enable-shared --disable-sound --disable-resample --disable-video --disable-opencore-amr --with-external-srtp
    make dep
    make
    make install
    cd ..

    # (6) Install Asterisk WITH SRTP AND PJPROJECT
    wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
    tar xvf asterisk-13-current.tar.gz
    cd asterisk-13.19.2
    ./configure --with-pjproject --with-ssl --with-srtp

    make
    make install
    make samples
    make config
  2. Generate the keys (certificates). You may also purchase these from a certificate authority.

    # GENERATE KEYS

    # make a place for our keys
    mkdir /etc/asterisk/keys

    cd /root/asterisk-13.19.2/contrib/scripts

    ./ast_tls_cert -C my_company.com -O "my_company" -d /etc/asterisk/keys

    # TODO later generate keys for clients (ip phones). This part is explained in the first tutorial link and is not relevant to this question

  3. Create sip.conf and extensions.conf

sip.conf:

[general]
  tcpenable=yes
  udpenable=yes
  udpbindaddr=0.0.0.0
  tcpbindaddr=0.0.0.0

  ; allow tls !
  tlsenable=yes
  tlsbindaddr=0.0.0.0:5868 ; <------------------------ note I am changing the default port 6061 to 5868
  tlscertfile=/etc/asterisk/keys/asterisk.pem ; key generated on step 2
  tlscafile=/etc/asterisk/keys/ca.crt ; certificate generated on step 2
  tlscipher=ALL
  tlsclientmethod=tlsv1
  encryption=yes
  tlsdontverifyserver=yes ; trust ublux more than godaddy!

  videosupport=yes
  nat=force_rport,comedia


; shared configuration used for ip phones
[base-config](!)
  type=peer
  ;type=friend
  disallow=all
  allow=ulaw,h264,vp8
  context=common ;<------------------ context used on extensions.conf
  dtmfmode=auto
  insecure=port,invite
  canreinvite=no
  host=dynamic
  directmedia=no
  registertrying=yes
  qualify=yes ; monitor peer in order to know if it's connected
  transport=tls ; Only allow secure transport!
  encryption=yes
  icesupport=yes
  dtlsenabled=yes
  dtlsverify=no

Peers in sip.conf:

; peer 1
[101](base-config)
  secret=password123
  setvar=ID=Tono 
  setvar=Foo=test101 

; peer 2
[102](base-config)
  secret=password123
  setvar=ID=Monir
  setvar=Foo=test102 

extensions.conf:

[general]
  static=yes
  writeprotect=no

[common]
  exten => 101,1,NoOp(Calling 101)
  same => n,NoOp(Foo = ${Foo} )
  same => n,Dial(SIP/101)
  same => n,Hangup()

  exten => 102,1,NoOp(Calling 102)
  same => n,NoOp(Foo = ${Foo} )
  same => n,Dial(SIP/102)
  same => n,Hangup()

Anyways here is the question:

After performing those steps I am able to make and receive calls, but something very strange happens! Asterisk uses the incorrect variables. For example, when I call from phone 101 to 102, asterisk picks the variables from peer 102! Note this only happens when the two phones have the same ip address because they are behind a NAT.

Here is the proof:

ubuntu*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
101                       170.55.7.131                             D  Yes        Yes            50178    Unmonitored
102                       170.55.7.131                             D  Yes        Yes            50137    Unmonitored
103                       170.55.7.132                             D  Yes        Yes            50212    Unmonitored

Peers 101 and 102 show the same ip address because they are behind the same router. In other words, 170.55.7.131 is a public ip. If they were to have different public ip addresses this does not happen. In other words, this does not happen between extensions 101 and 103, for some weird reason.

When I call from 101 to 102 this is what asterisk log shows: (correct)

Executing [102@common:1] NoOp("SIP/101-00000095", "Calling 102") in new stack
Executing [102@common:2] NoOp("SIP/101-00000095", "Foo = test101 ") in new stack
Executing [102@common:3] Dial("SIP/101-00000095", "SIP/102") in new stack
Using SIP VIDEO CoS mark 6
 ....

When I call from 102 to 101 this is what asterisk log shows!!: (incorrect)

Executing [101@common:1] NoOp("SIP/101-00000097", "Calling 101") in new stack
Executing [101@common:2] NoOp("SIP/101-00000097", "Foo = test101 ") in new stack
Executing [101@common:3] Dial("SIP/101-00000097", "SIP/101") in new stack

Why is Foo=test101? It should equal test102!!! Also the channel name 101-00000097 contains 101; it should be 102-00000097 because phone 102 initiated the phone call!

If I restart asterisk service and make the same call from 102 to 101 this is what asterisk shows:

Executing [101@common:1] NoOp("SIP/102-00000002", "Calling 101") in new stack
Executing [101@common:2] NoOp("SIP/102-00000002", "Foo = test102 ") in new stack
Executing [101@common:3] Dial("SIP/102-00000002", "SIP/101") in new stack

Now it is correct. Is asterisk mapping the variables to the ip address?????


Temporary solutions that fix this problem:

  1. For some reason, if I place the phone in a different place where it has a different ip address this does not happen. This problem only happens when both phones are on the same network and have the same public ip address. This makes no sense to me because the NAT will assign different internal ports.

  2. If I remove security (tls) and use udp or tcp as transport methods, this problem does not occur any more.

Tono Nam

1 Answer


Finally figured out the solution after spending an entire day. This is what happens when you copy the configuration from the internet!

Anyways, the problem was that in my sip.conf I had

insecure=port,invite

Doing a Google search on insecure=port yields:

insecure=port ; Allow matching of peer by IP address without matching port number

That explains why the port was being ignored. So the solution was to make two changes to my sip.conf:

  1. Changed insecure=port,invite to insecure=invite

  2. Changed type=peer to type=friend

Tono Nam
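As an added example (not code from the question, the answer or Asterisk itself), the following Python model reproduces the mix-up the question describes and shows why each of the answer's two changes removes it. The matching rules are a simplified, hypothetical rendering of how chan_sip attributes an incoming request to a peer; the peer table is constructed from the `sip show peers` output above.

```python
from dataclasses import dataclass, field


@dataclass
class Peer:
    """One [name](base-config) section of sip.conf, after the phone registered."""
    name: str
    host: str                       # public IP the registration came from
    port: int                       # NAT-assigned source port seen by Asterisk
    ptype: str = "peer"             # type=peer or type=friend
    insecure: frozenset = frozenset()
    variables: dict = field(default_factory=dict)   # setvar=... lines


def match_peer(peers, src_ip, src_port, from_user):
    """Attribute an incoming INVITE from (src_ip, src_port) to a peer.

    Simplified model: type=friend is first tried as a user (From header
    username); otherwise the source address is compared with each peer's
    registered address. 'insecure=port' drops the port from that comparison,
    so the first peer registered from the same IP wins.
    """
    for p in peers:
        if p.ptype == "friend" and p.name == from_user:
            return p
    for p in peers:
        if p.host == src_ip and ("port" in p.insecure or p.port == src_port):
            return p
    return None


def who_gets_the_call(insecure, ptype, src_ip, src_port, from_user):
    """Build the question's three peers and report which one a call maps to."""
    peers = [  # constructed from the 'sip show peers' output in the question
        Peer("101", "170.55.7.131", 50178, ptype, insecure, {"Foo": "test101"}),
        Peer("102", "170.55.7.131", 50137, ptype, insecure, {"Foo": "test102"}),
        Peer("103", "170.55.7.132", 50212, ptype, insecure, {"Foo": "test103"}),
    ]
    p = match_peer(peers, src_ip, src_port, from_user)
    return (p.name, p.variables["Foo"]) if p else None


if __name__ == "__main__":
    broken = frozenset({"port", "invite"})   # the original sip.conf
    fixed = frozenset({"invite"})            # after the answer's change 1
    # Phone 102 calls: same public IP as 101, but its own NAT port.
    print(who_gets_the_call(broken, "peer", "170.55.7.131", 50137, "102"))    # ('101', 'test101')
    print(who_gets_the_call(fixed, "peer", "170.55.7.131", 50137, "102"))     # ('102', 'test102')
    print(who_gets_the_call(broken, "friend", "170.55.7.131", 50137, "102"))  # ('102', 'test102')
    # Phone 103 sits behind a different public IP and is never confused.
    print(who_gets_the_call(broken, "peer", "170.55.7.132", 50212, "103"))    # ('103', 'test103')
```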