
<div dir="ltr"><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 29, 2016 at 2:04 PM, Kevin Long <span dir="ltr"><<a href="mailto:kevin.long@haloprivacy.com" target="_blank">kevin.long@haloprivacy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>

<br>

Greetings.<br>

<br>

<br>

I am using the PJSIP driver with TLS transport, and my endpoints are SIP mobile apps operating in environments that I do not control.<br>

<br>

 I would like Asterisk to default to sending INVITES and all other SIP signals to endpoints via the existing SIP TLS connection which is already established, rather than trying to create a new TLS connection to an endpoint which is likely behind a NAT which will not allow a new inbound TCP/TLS connection.<br>

<br>

<br>

My experience with chan_sip suggest to me that this was the default behavior, or more likely a fallback behavior, because I never had this issue before with endpoints not receiving INVITES so long as they were registered and had an open SIP control connection.<br>

<br>

<br>

I thought that I could avoid these failed outbound connections by commenting out the “transport” option on my endpoint configurations, but tcpdump is showing me that asterisk is still trying to create *new* TLS outbound connections to my endpoints, which are failing.<br>

<br>

<br>

<br></blockquote><div><br></div><div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">This was actually an issue in pjproject which I just fixed last week. :)</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">It's in pjproject "trunk" so you'll have to download and build it from their subversion repository.</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">Now whether you use "transport=" or not, pjproject will look for an existing connection to the remote endpoint before attempting to create a new one.</div><div class="gmail_default" style="font-family:'arial narrow',sans-serif"><br></div><div class="gmail_default" style="font-family:'arial narrow',sans-serif">I tested it with the current Asterisk 13 branch and I *think* it'll work with recent Asterisk releases as well.  If it doesn't, let me know.</div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">

<br>

Thank you for your time<br>

<br>

Kevin<br>

<br>

<br>

-<br>

<br>

<br>

<br>

<br>

My simple pjsip config file:<br>

<br>

<br>

<br>

<br>

<br>

[transport-tls]<br>

type=transport<br>

protocol=tls<br>

bind=<a href="http://0.0.0.0:5061" rel="noreferrer" target="_blank">0.0.0.0:5061</a><br>

local_net=<a href="http://10.50.55.0/24" rel="noreferrer" target="_blank">10.50.55.0/24</a><br>

external_media_address=x.x.x.x<br>

external_signaling_address=x.x.x.x<br>

cert_file=/etc/asterisk/keys/dev1.crt<br>

priv_key_file=/etc/asterisk/keys/dev1.key<br>

ca_list_file=/etc/asterisk/keys/ca.crt<br>

cipher=AES256-SHA<br>

method=tlsv1<br>

<br>

;===============EXTENSION 6001<br>

<br>

[6000]<br>

type=endpoint<br>

context=internal<br>

disallow=all<br>

allow=ulaw<br>

;transport=transport-tls<br>

auth=auth6000<br>

aors=6000<br>

direct_media=no<br>

rewrite_contact=yes  ; necessary if endpoint does not know/register public ip:port<br>

ice_support=no<br>

force_rport=yes<br>

rtp_symmetric=yes<br>

media_encryption=sdes<br>

<br>

<br>

[auth6000]<br>

type=auth<br>

auth_type=userpass<br>

password=6000<br>

username=6000<br>

<br>

[6000]<br>

type=aor<br>

max_contacts=1<br>

remove_existing=yes<br>

<br>

<br>

;===============EXTENSION 6001<br>

<br>

[6001]<br>

type=endpoint<br>

context=internal<br>

disallow=all<br>

allow=ulaw<br>

;transport=transport-tls<br>

auth=auth6001<br>

aors=6001<br>

direct_media=no<br>

rewrite_contact=yes  ; necessary if endpoint does not know/register public ip:port<br>

ice_support=no<br>

force_rport=yes<br>

rtp_symmetric=yes<br>

media_encryption=sdes<br>

<br>

<br>

<br>

[auth6001]<br>

type=auth<br>

auth_type=userpass<br>

password=6001<br>

username=6001<br>

<br>

[6001]<br>

type=aor<br>

max_contacts=1<br>

remove_existing=yes<br>--<br>

_____________________________________________________________________<br>

-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>

New to Asterisk? Join us for a live introductory webinar every Thurs:<br>

               <a href="http://www.asterisk.org/hello" rel="noreferrer" target="_blank">http://www.asterisk.org/hello</a><br>

<br>

asterisk-users mailing list<br>

To UNSUBSCRIBE or update options visit:<br>

   <a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br></div></div>