Re: [asterisk-users] TLS and NAT

2023-04-10 Thread Michael Maier

On 09.04.23 at 19:55 Steve Matzura wrote:

> Thanks, Michael. A few questions:
>
> Is [transport_name] a reserved word, or am I supposed to replace it with a name of
> my own, like '[did-transport]'?

Yes. You are free.

> Some of the keywords I haven't seen before. Is ca_list_file supposed to be an
> aggregate of the public and private key?

ca_list_file is the list of all CAs the server should accept as valid (these are
public keys - no private keys), like Let's Encrypt, e.g.

> And what are the 'method,' 'tos' and
> 'cos' keywords, which are commented out in your instructions?

Take a look here:
https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample

Search for "tos=0"

Regards,
Michael

> Otherwise, the rest is quite clear.


> On 4/8/2023 12:35 PM, Michael Maier wrote:
> > Hello Steve,
> >
> > use the following configuration for the transport and bind this transport to the
> > trunk:
> >
> > [transport_name]
> > type=transport
> > protocol=tls
> > bind=192.168.13.24 ; your bind IP
> > ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
> > ; method=tlsv1_2
> > verify_server=yes
> > allow_reload=no
> > ;tos=0xb8
> > ;cos=3
> > external_media_address=your.ext.host.name ; hostname pointing to your ext. IP
> > external_signaling_address=your.ext.host.name ; hostname pointing to your ext. IP
> > local_net=192.168.0.0/24 ; your local net
> >
> > Regards
> > Michael
> >
> > On 07.04.23 at 17:25 Steve Matzura wrote:
> > > I want to configure communication with my phone provider using TLS for all the
> > > obvious reasons. Since I'm behind a firewall, I'll be needing to do it with
> > > NAT. There are examples of UDP plus NAT in pjsip.conf, but none for TLS plus
> > > NAT. Would it be correct to set up the TLS transport stanza to look like the
> > > [transport-udp-nat] stanza example, replacing UDP with TLS in lines like
> > > 'transport=tls' and 'protocol=tls', and including the lines for local_net,
> > > external_media_address and external_signaling_address?

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
 https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
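
An added example, not part of the thread and not Asterisk code: a small Python check for a TLS transport stanza of the kind posted above, intended for use behind NAT. The section name `did-transport`, the function names and the sample text are constructed for illustration; the check assumes only `;` starts a comment in the config file, so a `#` after a value stays part of that value.

```python
import ipaddress

# Constructed sample in the shape of the thread's stanza, with three deliberate problems.
SAMPLE = """\
[did-transport]
type=transport
protocol=tls
bind=192.168.13.24 ; your bind IP
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
verify_server=no
external_media_address=your.ext.host.name ; ext. hostname
local_net=192.168.0.0/24 # your local net
"""

def parse_stanzas(text):
    """Return {section: {key: value}}. Only ';' is treated as a comment marker
    (escaped '\\;' is not handled in this sketch)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = stanzas.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_tls_nat(opts):
    """List problems in one transport stanza meant for TLS behind NAT."""
    issues = []
    if opts.get("protocol") != "tls":
        issues.append("protocol is not tls")
    if opts.get("verify_server") != "yes":
        issues.append("verify_server is not yes: server certificate is not verified")
    if not (opts.get("ca_list_file") or opts.get("ca_list_path")):
        issues.append("no CA list configured to verify the server against")
    for key in ("external_media_address", "external_signaling_address"):
        if not opts.get(key):
            issues.append(f"{key} missing")
    net = opts.get("local_net")
    if net is not None:
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            issues.append(f"local_net is not a valid network: {net!r}")
    return issues

if __name__ == "__main__":
    for problem in audit_tls_nat(parse_stanzas(SAMPLE)["did-transport"]):
        print("WARN:", problem)
```
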

Re: [asterisk-users] TLS and NAT

2023-04-09 Thread Steve Matzura

Thanks, Michael. A few questions:


Is [transport_name] a reserved word, or am I supposed to replace it with 
a name of my own, like '[did-transport]'?



Some of the keywords I haven't seen before. Is ca_list_file supposed to 
be an aggregate of the public and private key? And what are the 
'method,' 'tos' and 'cos' keywords, which are commented out in your 
instructions?



Otherwise, the rest is quite clear.


On 4/8/2023 12:35 PM, Michael Maier wrote:

> Hello Steve,
>
> use the following configuration for the transport and bind this
> transport to the trunk:
>
> [transport_name]
> type=transport
> protocol=tls
> bind=192.168.13.24 ; your bind IP
> ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
> ; method=tlsv1_2
> verify_server=yes
> allow_reload=no
> ;tos=0xb8
> ;cos=3
> external_media_address=your.ext.host.name ; hostname pointing to your ext. IP
> external_signaling_address=your.ext.host.name ; hostname pointing to your ext. IP
> local_net=192.168.0.0/24 ; your local net
>
> Regards
> Michael
>
> On 07.04.23 at 17:25 Steve Matzura wrote:
> > I want to configure communication with my phone provider using TLS
> > for all the obvious reasons. Since I'm behind a firewall, I'll be
> > needing to do it with NAT. There are examples of UDP plus NAT in
> > pjsip.conf, but none for TLS plus NAT. Would it be correct to set up
> > the TLS transport stanza to look like the [transport-udp-nat] stanza
> > example, replacing UDP with TLS in lines like 'transport=tls' and
> > 'protocol=tls', and including the lines for local_net,
> > external_media_address and external_signaling_address?

Re: [asterisk-users] TLS and NAT

2023-04-08 Thread Michael Maier

Hello Steve,

use the following configuration for the transport and bind this 
transport to the trunk:


[transport_name]
type=transport
protocol=tls
bind=192.168.13.24 ; your bind IP
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
; method=tlsv1_2
verify_server=yes
allow_reload=no
;tos=0xb8
;cos=3
external_media_address=your.ext.host.name ; hostname pointing to your ext. IP
external_signaling_address=your.ext.host.name ; hostname pointing to your ext. IP
local_net=192.168.0.0/24 ; your local net


Regards
Michael

On 07.04.23 at 17:25 Steve Matzura wrote:
> I want to configure communication with my phone provider using TLS for
> all the obvious reasons. Since I'm behind a firewall, I'll be needing to
> do it with NAT. There are examples of UDP plus NAT in pjsip.conf, but
> none for TLS plus NAT. Would it be correct to set up the TLS transport
> stanza to look like the [transport-udp-nat] stanza example, replacing
> UDP with TLS in lines like 'transport=tls' and 'protocol=tls', and
> including the lines for local_net, external_media_address and
> external_signaling_address?


[asterisk-users] TLS and NAT

2023-04-07 Thread Steve Matzura
I want to configure communication with my phone provider using TLS for 
all the obvious reasons. Since I'm behind a firewall, I'll be needing to 
do it with NAT. There are examples of UDP plus NAT in pjsip.conf, but 
none for TLS plus NAT. Would it be correct to set up the TLS transport 
stanza to look like the [transport-udp-nat] stanza example, replacing 
UDP with TLS in lines like 'transport=tls' and 'protocol=tls', and 
including the lines for local_net, external_media_address and 
external_signaling_address?

