Snom phones using SIPS/SRTP encryption with Asterisk 1.8

I’ve been looking forward to the time when Asterisk catches up with the rest of the SIP world and starts working with encrypted SIP and encrypted RTP (SIPS & SRTP respectively). Asterisk has supported it since the recent release of version 1.8 so I had to get it working.

Asterisk only supports a fairly fixed set of encryption options so you’ve got to set the phone up just right for it to work. I’d also say that SIPS & SRTP is very much new functionality in Asterisk so I’d treat it as for testing purposes only right now… although it’s looking promising.

Snom phones have supported both SIPS & SRTP for years (in fact I think they were the first IP phones on the market to do so). So if any phone can get it right it should be them, perfect to test with.

I am using the following to test with:

  • Current Debian Asterisk 1.8 packages maintained by Digium on Debian Squeeze (deb http://packages.asterisk.org/deb squeeze main)
  • My actual Asterisk version at the time of writing is “1.8.4.1-1digium1~squeeze”. Some older ones didn’t work.
  • Snom 300 with 8.4.31 firmware. It will not work with much older versions.

I’m not going to go into the setup of Asterisk itself as there is plenty of information on this out on the Internet, not to mention quite a lot of different ways of doing it. I will just mention that I am using a self-signed SSL certificate. This means you either have to leave server verification turned off on the phone (which it is by default on this firmware version) or import your own CA into the phone. Neither of these is ideal for a real-world deployment, where you’d buy a server certificate from a recognised CA, but for testing….

The important bits in Asterisk

OK so I will mention a couple of things in the Asterisk setup… all in sip.conf

  • tlsenable=yes : in general section
  • domain=ast18.provu.co.uk:5061 : this is needed for it to work
  • transport=tls : used in the general section or in each sip peer/friend to turn on tls for SIPS
  • port=5061 : in general or each sip peer/friend. 5061 is the usual port for SIPS
  • encryption=yes : turns on SRTP, if you have set this then the SIP device(s) MUST use it, it’s either on or off, not optional

There are more settings needed than this, please read the Asterisk documentation.
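As an added example (not part of the original post or of Asterisk), the following script checks sip.conf text for the settings listed above and reports any peer that could still signal over cleartext SIP or skip SRTP. It assumes that `[general]` values act as defaults for each peer, and the sample configs and the peer name `snom300` are constructed.

```python
# Added example; assumes [general] values act as defaults for every peer.
def parse_sip_conf(text):
    """Minimal reader: {section: {key: value}}; templates are not expanded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def audit(text):
    """Return (section, option) pairs that leave SIP or RTP unencrypted."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    findings = []
    if general.get("tlsenable") != "yes":
        findings.append(("general", "tlsenable"))
    for name, opts in conf.items():
        if name == "general":
            continue
        effective = {**general, **opts}
        # transport may be a list; anything besides tls permits cleartext SIP
        transports = {t.strip() for t in effective.get("transport", "udp").split(",")}
        if transports != {"tls"}:
            findings.append((name, "transport"))
        if effective.get("encryption") != "yes":
            findings.append((name, "encryption"))
    return findings

# Constructed samples; the peer name "snom300" is hypothetical.
WEAK = """[general]
tlsenable=yes
[snom300]
transport=udp,tls   ; cleartext SIP still accepted, SRTP not required
"""
HARDENED = """[general]
tlsenable=yes
domain=ast18.provu.co.uk:5061
transport=tls
port=5061
[snom300]
type=friend
encryption=yes
"""
print(audit(WEAK), audit(HARDENED))
```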

Snom phone setup

Everything is in identity 1, these are obviously examples only! You’ll need to put your own Registrar in etc…

Login tab:

  • Account: sip username
  • Password: sip password/secret
  • Registrar: ast18.provu.co.uk
  • Outbound Proxy: sips:ast18.provu.co.uk:5061
  • Authentication Username: sip username

SIP tab:

  • Support Broken Registrar: on

RTP tab:

  • RTP Encryption: on (should be default…)
  • SRTP Auth-tag: AES-80
  • RTP/SAVP: mandatory

That should be it. As mentioned the Snom phones do not verify the server certificates by default. If you want to turn this on then go to the “Certificates” page in the phone setup and click “Activate”. But bear in mind you must either use a certificate from a known CA or import your own certificate into each phone manually. Certificates must be in DER format for this.

To confirm it’s working, look for the little lock symbol on the phone screen during calls. It should look closed when the call is secure. For further confirmation you can do a pcap trace on the phone and open it up in Wireshark: you should not be able to view the SIP packets or decode the audio to anything but white noise.

Let me know if anyone thinks it’s worth me putting together a how-to with the full Asterisk config too.

Skyline/Cityline Door Unit connection with Digital Keypad

This blog post explains how to connect and configure a Digital Keypad.

Connections are quite simple. Cityline Keypad comes with two different cables.

1 X 3 pin connector
1 X 5 pin connector

Step 1: Connect the 3 and 5 pin connectors to the INPUT and OUTPUT connections on the Cityline keypad board. Click here for diagram

Step 2: Connect 3 pin connector to connection LT (point 19 on this picture) of the Audio/Video module

Step 3: Connect the 5 pin connector to the EXP connection or connection 18 (please refer to the diagram in step 2).

Step 4: Finally, to be able to dial numbers from the keypad, log in to the web interface of the door unit and go to Basic Parameters.

Change the following settings:

1. Keyboard to position : 1
2. Under mode of keyboard choose Direct choice number (phone)

That’s it. Now enter the number and press the A button to dial it.

To unlock the door using the keypad, configure unlock codes under the Relays section of the web GUI and save changes. Finally press the B (Bell) button and enter the code to unlock the door.

If you don’t want a unit with a keypad and are only interested in 1 or 2 button door entry products, please look at our ProTalk range.

IP phone web interface security

Security of IP telephony systems is a hot topic at the moment. It has been for quite some time and it should always be at the forefront of anyone’s mind when setting up such a system.

There are loads of methods and applications for securing PBXs and the like but something I often see overlooked is security of the actual phones themselves.

The usual threat is someone obtaining SIP credentials by looking at the phone’s web interface. In some cases, IP phone devices have the password displayed in plain-text for all to see. Slightly better implemented GUIs have the password obfuscated when you look at the page but still readable by viewing the page source code in your web browser.

If ProVu ever become aware of any products we sell with either of these issues, we push the manufacturer to make changes to hide the password at all times.

Further to this though, anyone installing IP phones should really set strong web interface usernames and passwords. I see phones put on public IP addresses or sometimes with port forwards (often for support purposes) that have no passwords set! This is like leaving the front door to your house wide open while you go out to work all day. Please remember to set a username and password. If a phone comes with a default username and password then do not leave this set as you can be certain the people who want to break into your phone will know default passwords for various phones.

ProVu can set usernames and passwords for phones using our provisioning services:

ProVu fulfilment services

cheers,
Paul.
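The check described in the post above, as an added example that is not part of the original post: a small audit that parses a saved copy of a phone's settings page and flags any secret field whose value is present in the HTML source, whether shown in plain text or only masked on screen. The sample pages and the field name `sip_password` are constructed and not taken from any real phone.

```python
from html.parser import HTMLParser

class SecretFieldAudit(HTMLParser):
    """Flags <input> fields whose served HTML carries a stored secret."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name, value = a.get("name", ""), a.get("value", "")
        ftype = a.get("type", "text").lower()
        # Heuristic (assumption): password-type fields and secret-looking names.
        secret = ftype == "password" or any(w in name.lower() for w in ("pass", "secret"))
        # An empty value or a fixed mask such as "********" discloses nothing.
        if not secret or not value or set(value) == {"*"}:
            return
        # type=password only hides the value on screen; it is still in the source.
        self.findings.append((name, "masked" if ftype == "password" else "plain"))

def audit_page(html):
    """Return [(field name, 'plain' | 'masked')] for secrets present in the source."""
    parser = SecretFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed pages; the field name is hypothetical.
PLAIN = '<form><input type="text" name="sip_password" value="s3cr3t-example"></form>'
MASKED = '<form><input type="password" name="sip_password" value="s3cr3t-example"/></form>'
HIDDEN = '<form><input type="password" name="sip_password" value=""></form>'

for label, page in (("plain", PLAIN), ("masked", MASKED), ("hidden", HIDDEN)):
    print(label, audit_page(page))
```

Only the third page, where the server never sends the stored value back, comes out clean.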

Draytek 2820 known issue with current firmware

Over the last few weeks we have been taking lots of support calls from people with NAT issues with phones using Draytek routers.

The 2820 seems to be the main router affected but it could be others.

The problem manifests itself with SIP phones losing Registration to the SIP server with 408 time-out messages. In most cases it is weird in that some phones on the network will work fine and others won’t.

The fix (which is confirmed by Draytek themselves to a couple of my customers) is to downgrade to firmware version “333”.

This problem occurs even if you have the SIP ALG turned off. Please ensure the ALG is off as this can cause even more problems, it is usually off by default these days.

As a side note, please make sure you are not using a Draytek router with “voip” ports; the model number will usually have a “v” in it. These are not suitable for use with stand-alone SIP phones connected to the network; they are only of use if you are ONLY using the built-in VoIP ports. There is no fix other than swapping the router out as far as I’m aware.

cheers,
Paul.

End of an Era – last Snom360

Today ProVu shipped the last black Snom 360.


We first shipped this product in March 2005, giving a product life of 6 years.

Snom360 was probably the first really good VoIP phone, with a decent DSP and handset to match. It has lived through 6 major versions of Snom firmware.

The product has been on notice of withdrawal for around a year. It has still sold strongly, but we have finally run out. The range is a little crowded with snom320 just below and snom370 just above.

If you do still want a Snom360, we have 5 white units still in stock – first come first served.

For alternatives, buy a Snom320 or a Snom370.

SnomONE and Voipfone

I’ve just diagnosed an issue a customer had getting a Voipfone SIP trunk Registered on a SnomONE PBX.

The trick to getting this to work is:

  • Turn on long SIP headers. Go to the admin, general settings page and set “Use Short SIP Headers” to “long”
  • If you are using IP access control then you need to enable the IP range 195.189.172.1 – 195.189.173.254 to ensure Voipfone will work

SnomOne more info

SARK meets PIKA

Article published by Maarten Kronenburg from Pika technologies. View the original article

“Sometimes I enter the office of a customer and just FEEL it – something’s brewing. A few weeks ago I was in the office of Provu in Northern England (www.provu.co.uk), and “that atmosphere” was in the air. Laptop computers were installed when I came in, the PIKA WARP Appliance fired up – it wasn’t going to be a meeting around a table with a firm agenda.

Provu sells software called SARK. The people from Provu had a demo ready for me of their SARK software running on the PIKA WARP Appliance. The Provu people have spent a fair bit of time on the subject which explains why they were excited. Their software is available in various configurations of course and the smallest one is now almost converted to the PIKA WARP Appliance. And I was blown away; the feature set of their software is very, very broad, the software is responsive, the screens look good, wow, very, very professional.

But what I liked best is the remote management facility that the SARK PBX offers. The unit can be accessed by a control room for a sanity check, performance measurement and more. But you can also click through to every IP device connected to the PBX and do the same thing. This is what I call “Controlled Devices”!

So if ever you don’t want to spend the (wo)man-years on developing software at this level of sophistication you’re in good hands at Provu.”

Find out more about the SARK 500

Call Wait Times

ProVu have set up some call handling statistics on our own PBX. We’ve helped resellers install many such systems, but not actually pointed the technology at ourselves before.

The results are that the average waiting time to talk to a human at ProVu is 5.1 Seconds.

And the longest anybody has waited to talk to a human is 9 seconds.

So, ring 01484 840048 and you can be sure you will be talking to a real human within 9 seconds, even in the worst case.

We think our call answering times are just another of the ProVu special advantages.

Recommended replacement products

Recently we have added lots of new items to our product portfolio but have also had to say goodbye to some old ones too.

A lot of the items do not have a direct replacement from the manufacturers, so here is a guide to our recommended replacements:

| Discontinued products | Recommended replacements |
|---|---|
| Gigaset C47 | Gigaset C59H |
| Gigaset C475IP | Gigaset C59H and Gigaset N300 AIP |
| Gigaset S68 | Gigaset S79H |
| Gigaset S685IP | Gigaset S79H and Gigaset N300 AIP |
| Gigaset HC450 | ProTalk SIP doorphones |
| Cisco SPA-901 | Cisco SPA-301G |
| Cisco SPA-921 | Cisco SPA-303G |
| Cisco SPA-922 | Cisco SPA-502G |
| Cisco SPA-941 | Cisco SPA-303G |
| Cisco SPA-942 | Cisco SPA-504G |
| Cisco SPA-962 | Cisco SPA-525G2 |
| Cisco SPA-525G | Cisco SPA-525G2 |
| snom M3 | snom M9* |

As these are not direct replacements some of the features may vary. Please check out the product information pages to make sure the items have all the features you need.

* Please note the snom M9 handset is not fully compatible with the snom M3 base and vice versa