Media encryption mode non-functional / Sems-Yeti Support of SRTP

Hi Team / Community,

In light of recent testing and discussions, I’m logging the issue of Media Encryption using SRTP DTLS.

It appears to be currently unsupported and we would appreciate it if this feature is supported for future dev work.

In my testing, I’m using Grandstream softphone with SRTP enabled and I have enabled SRTP DTLS on both Originating and Terminating Gateway. After the SIP signal (180), the call would drop immediately due to non-availability of the appropriate SRTP profile.

Could you please check and advise?

Thanks

Have you configured srtp in sems.conf?

I guess no coz couldn’t find any srtp config in the documentation nor within the sample config. Could you please let me know the srtp config?

@dmitry.s any clue as to how to configure srtp, please?

see configuration examples at https://yeti-switch.org/docs/en/sems/sems.html


Thanks Dmitry, it looks like zrtp is not supported, so when I remove zrtp from the config, it works.

Here are the logs:

/etc/sems# service sems restart
Job for sems.service failed because the control process exited with error code.
See "systemctl status sems.service" and "journalctl -xe" for details.

root@ytrtp-sems:/etc/sems# sems -E -D3
[21303/21303] [core/AmLcConfig.cpp:658] ERROR: /etc/sems/sems.conf:33 [general]: no such option 'enable_zrtp'
[21303/21303] [core/AmLcConfig.cpp:922] ERROR: failed to parse configuration file: /etc/sems/sems.conf
[21303/21303] [core/sems.cpp:472] ERROR: configuration errors. exiting.

SEMS Config:
enable_srtp = yes
enable_zrtp = yes

/etc/sems# sems -v
SBC 1.8.58-2

upgrade your sems:

ii  libsems1                        1.18.0                        amd64        SIP Express Media Server, shared library
ii  sems                            1.18.0                        amd64        SIP Express Media Server, very fast and flexible SIP media server
ii  sems-modules-base               1.18.0                        amd64        SIP Express Media Server, base applications, plugins and codecs
ii  sems-modules-g729-bcg           0.0.1                         amd64        g729 codec for SEMS project
ii  sems-modules-yeti               1.9.2core18                   amd64        YETI SBC application module for SEMS
ii  sems-sounds                     1.18.0                        amd64        SIP Express Media Server, audio files

I have used the repo from https://yeti-switch.org/docs/en/installation-1.10/repositories.html and here is the outcome:

apt update
    Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
    Hit:2 http://security.debian.org stretch/updates InRelease
    Ign:3 http://ftp.au.debian.org/debian stretch InRelease
    Hit:4 http://ftp.au.debian.org/debian stretch-updates InRelease
    Hit:5 http://ftp.au.debian.org/debian stretch Release
    Hit:8 http://ftp.debian.org/debian stretch-backports InRelease
    Get:9 http://pkg.yeti-switch.org/debian/stretch 1.10 InRelease [7,128 B]
    Hit:10 http://packages.irontec.com/debian stretch InRelease
    Hit:11 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease
    Ign:12 http://ftp.us.debian.org/debian stretch InRelease
    Hit:13 http://ftp.us.debian.org/debian stretch-updates InRelease
    Hit:14 http://ftp.us.debian.org/debian stretch Release
    Fetched 7,128 B in 1s (4,821 B/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    46 packages can be upgraded. Run 'apt list --upgradable' to see them.
    root@ytrtp-sems1:~# apt update && apt-get --only-upgrade  install sems sems-modules-yeti sems-modules-g729-bcg sems-sounds sems-modules-base libsems1
    Hit:1 http://security.debian.org/debian-security stretch/updates InRelease
    Hit:2 http://security.debian.org stretch/updates InRelease
    Ign:3 http://ftp.au.debian.org/debian stretch InRelease
    Hit:4 http://ftp.au.debian.org/debian stretch-updates InRelease
    Hit:5 http://ftp.au.debian.org/debian stretch Release
    Ign:7 http://ftp.us.debian.org/debian stretch InRelease
    Hit:9 http://ftp.debian.org/debian stretch-backports InRelease
    Get:10 http://pkg.yeti-switch.org/debian/stretch 1.10 InRelease [7,128 B]
    Hit:11 http://packages.irontec.com/debian stretch InRelease
    Hit:12 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease
    Hit:13 http://ftp.us.debian.org/debian stretch-updates InRelease
    Hit:14 http://ftp.us.debian.org/debian stretch Release
    Fetched 7,128 B in 1s (4,740 B/s)
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    46 packages can be upgraded. Run 'apt list --upgradable' to see them.
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    libsems1 is already the newest version (1.8.58-2).
    sems is already the newest version (1.8.58-2).
    sems-modules-base is already the newest version (1.8.58-2).
    sems-modules-g729-bcg is already the newest version (0.0.1).
    sems-modules-yeti is already the newest version (1.9.1-9core1.8.58).
    sems-sounds is already the newest version (1.8.58-2).
    0 upgraded, 0 newly installed, 0 to remove and 46 not upgraded.

@dmitry.s

I have configured SEMS to use SRTP and made an inbound call to SEMS and it did not offer SRTP. Therefore, the call was not established and got dropped.

Call Flow Diagram

Remote.User --> Remote.Proxy --TLS--> SIP.Proxy --> SEMS.RTP:Port

Here is the sip trace below:

2020/05/28 11:04:02.308331 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
INVITE sip:+61411111111@customer.realm.fqdn:5061;user=phone;transport=tls SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 1599
MIN-SE: 300
SUPPORTED: timer
USER-AGENT: Remote.Proxy UA
CONTENT-TYPE: application/sdp
P-ASSERTED-IDENTITY: <tel:+DID-Number>,<sip:admin.admin@domain.net>
PRIVACY: id
SESSION-EXPIRES: 3600

v=0
o=- 49877 0 IN IP4 SIP.Proxy.IP
s=session
c=IN IP4 SIP.Proxy.IP
b=CT:10000000
t=0 0
m=audio 39682 RTP/SAVP 104 117 9 103 111 18 0 8 97 101 13 118
c=IN IP4 SIP.Proxy.IP
a=label:main-audio
a=mid:1
a=rtpmap:104 SILK/16000
a=rtpmap:117 G722/8000/2
a=rtpmap:9 G722/8000
a=rtpmap:103 SILK/8000
a=rtpmap:111 SIREN/16000
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=fmtp:111 bitrate=16000
a=fmtp:18 annexb=no
a=fmtp:101 0-16
a=sendrecv
a=rtcp:39683
a=rtcp-mux
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:g45vKgaLV09B3uMrV0zp0hl35NJ856SFMmRoLiY/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:XUVyxvZmfvnph+n3RSKrFaXvkhWLJYPIV/bMJ5QF
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:KZ427P1SZd7V3gLEaHsEBMCNB3yQTlcWjrWYRYN0sRtbc6T6x/c
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:BxKBvxsyXxOj9caowb2eKDKBIxC8sd0DW/6jhjOycNSvat4Lq24
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:6V1KvhdZ8jbhSslzEU0CDq3sNQedhL6Y5rO20/mVWJI3D6DD+UCkwizs56gxcZ
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:pZZ7NjonmkGeWnqONDoFlyZ1pUfVKsMT6JHR5buhuouhyhcaEoPQ+bZntblZi4
a=crypto:7 F8_128_HMAC_SHA1_80 inline:rt1o2E+8aHgn0yaTzu9HbUpSUhw5toTv/LOtXDo+
a=crypto:8 F8_128_HMAC_SHA1_32 inline:ckTM+7QcY8STYxX0sEtFlASMJ81qVGk9FLWDy6aa
a=crypto:9 NULL_HMAC_SHA1_80 inline:fwDQdY/3IGG+K9HgFMgeKQIdfdTxTzAliJ/SBSgP
a=crypto:10 NULL_HMAC_SHA1_32 inline:csWxDZYT4QNJX9iHWlow3db7AkvE9s55HsjDgqOn
a=setup:actpass
a=fingerprint:sha-1 48:90:58:16:EE:DD:61:59:6E:8D:2B:D6:01:2E:F8:01:59:5A:95:7D
a=ptime:20

2020/05/28 11:04:02.309320 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 100 Connecting
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Content-Length: 0


2020/05/28 11:04:04.252112 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 183 Session Progress
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Contact: <sip:SEMS.RTP.IP:PORT;transport=udp>
Content-Type: application/sdp
Content-Length: 315

v=0
o=- 194029192 194029192 IN IP4 SEMS.RTP.IP
s=-
t=0 0
m=audio 16385 RTP/AVP 0 18 101 8
c=IN IP4 SEMS.RTP.IP
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=setup:actpass
a=maxptime:40

2020/05/28 11:04:15.191778 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 200 OK
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Contact: <sip:SEMS.RTP.IP:PORT;transport=udp>
Content-Type: application/sdp
Content-Length: 315

v=0
o=- 194029192 194029192 IN IP4 SEMS.RTP.IP
s=-
t=0 0
m=audio 16385 RTP/AVP 0 18 101 8
c=IN IP4 SEMS.RTP.IP
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=setup:actpass
a=maxptime:40

2020/05/28 11:04:15.282113 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
ACK sip:SEMS.RTP.IP:PORT;transport=udp SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 ACK
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.20fd044e215a20d1b17f453c4b4e1fd6.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK67319981
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 0
USER-AGENT: Remote.Proxy UA


2020/05/28 11:04:15.491097 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
BYE sip:SEMS.RTP.IP:PORT;transport=udp SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 2 BYE
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKbb5e.8dacef0dfd312760b02d4df9bd54ba72.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb77d6d0
REASON: Q.850;cause=79;text="715a105a-ca25-40b2-acc9-6751a940d22d;InternalDiagCode: SrtpEncryptionRequired, InternalErrorPhrase: Remote did not offer required SRTP"
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 0
USER-AGENT: Remote.Proxy UA
P-ASSERTED-IDENTITY: <tel:+DID-Number>,<sip:admin.admin@domain.net>
PRIVACY: id


2020/05/28 11:04:15.528918 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 200 OK
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 2 BYE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKbb5e.8dacef0dfd312760b02d4df9bd54ba72.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb77d6d0
Server: SBC 1.8.58-2
Content-Length: 0

You are still running old SEMS - 1.8.58-2. Install 1.18.1 from deb http://pkg.yeti-switch.org/debian/buster 1.10 main

I tried using the repo but I’m getting further errors, refer below. Any suggestion how to fix the dependencies?

Fetched 834 kB in 5s (153 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
51 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
sems-modules-g729-bcg is already the newest version (0.0.1).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libsems1 : Depends: libbzrtp0 (>= 1.0.4) but 1.0.2-1.2 is to be installed
            Depends: libevent-2.1-6 (>= 2.1.8-stable) but it is not installable
            Depends: libevent-pthreads-2.1-6 (>= 2.1.8-stable) but it is not installable
            Depends: libmp3lame0 (>= 3.100) but 3.99.5+repack1-9+b2 is to be installed
            Depends: libstdc++6 (>= 7) but 6.3.0-18+deb9u1 is to be installed
 sems : Depends: libevent-2.1-6 (>= 2.1.8-stable) but it is not installable
        Depends: libevent-pthreads-2.1-6 (>= 2.1.8-stable) but it is not installable
        Depends: libmp3lame0 (>= 3.100) but 3.99.5+repack1-9+b2 is to be installed
 sems-modules-base : Depends: libcurl4 (>= 7.56.1) but it is not installable
                     Depends: libevent-2.1-6 (>= 2.1.8-stable) but it is not installable
                     Depends: libgsm1 (>= 1.0.18) but 1.0.13-4+b2 is to be installed
                     Depends: libmp3lame0 (>= 3.100) but 3.99.5+repack1-9+b2 is to be installed
E: Unable to correct problems, you have held broken packages.

The repo deb http://pkg.yeti-switch.org/debian/buster 1.10 main should be used on a Debian 10 (buster) system.

Ahh right, I thought of asking you the same before, but anyway, I was using Debian stretch with this repo deb http://pkg.yeti-switch.org/debian/stretch 1.10 main, which did not work either. I ended up doing a full upgrade of the system to Debian Buster and the SRTP issue still exists. It is not sending out SRTP upon request and is dropping calls.

SEMS Versions

libsems1 is already the newest version (1.18.1).
sems is already the newest version (1.18.1).
sems-modules-base is already the newest version (1.18.1).
sems-modules-g729-bcg is already the newest version (0.0.1).
sems-modules-yeti is already the newest version (1.9.2core18).
sems-sounds is already the newest version (1.18.1).

Here is my media interface config and sip trace

media-interfaces {
interface public {
        ip4 {
            rtp {
                address = SEMS.RTP.IP
                low-port = 16383
                high-port = 32767
                dscp = 46
                use-raw-sockets = off
                srtp {
                     enable_srtp=yes
                     sdes {
                         profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                     }
                     dtls {
                         client {
                             protocols =  { DTLSv1, DTLSv1.2 }
                             certificate = /etc/sems/ssl/crt.pem
                             certificate_key = /etc/sems/ssl/key.pem
                             ca_list = /etc/sems/ssl/ca_list.pem
                             profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                             verify_certificate_chain = false
                             verify_certificate_cn = false
                         }
                         server {
                             protocols =  { DTLSv1, DTLSv1.2 }
                             certificate = /etc/sems/ssl/crt.pem
                             certificate_key = /etc/sems/ssl/key.pem
                             ca_list = /etc/sems/ssl/ca_list.pem
                             profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                             ciphers = {ChaCha20Poly1305, AES-256/GCM, AES-128/GCM, AES-256/CCM, AES-128/CCM, AES-256, AES-128}
                             macs = {AEAD, SHA-256, SHA-384, SHA-1}
                             verify_client_certificate = false
                             require_client_certificate = false
                         }
                     }
                }
            }
        }
    }
}

SIP Trace

2020/05/28 11:04:02.308331 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
INVITE sip:+61411111111@customer.realm.fqdn:5061;user=phone;transport=tls SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 1599
MIN-SE: 300
SUPPORTED: timer
USER-AGENT: Remote.Proxy UA
CONTENT-TYPE: application/sdp
P-ASSERTED-IDENTITY: <tel:+DID-Number>,<sip:admin.admin@domain.net>
PRIVACY: id
SESSION-EXPIRES: 3600

v=0
o=- 49877 0 IN IP4 SIP.Proxy.IP
s=session
c=IN IP4 SIP.Proxy.IP
b=CT:10000000
t=0 0
m=audio 39682 RTP/SAVP 104 117 9 103 111 18 0 8 97 101 13 118
c=IN IP4 SIP.Proxy.IP
a=label:main-audio
a=mid:1
a=rtpmap:104 SILK/16000
a=rtpmap:117 G722/8000/2
a=rtpmap:9 G722/8000
a=rtpmap:103 SILK/8000
a=rtpmap:111 SIREN/16000
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=fmtp:111 bitrate=16000
a=fmtp:18 annexb=no
a=fmtp:101 0-16
a=sendrecv
a=rtcp:39683
a=rtcp-mux
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:g45vKgaLV09B3uMrV0zp0hl35NJ856SFMmRoLiY/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:XUVyxvZmfvnph+n3RSKrFaXvkhWLJYPIV/bMJ5QF
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:KZ427P1SZd7V3gLEaHsEBMCNB3yQTlcWjrWYRYN0sRtbc6T6x/c
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:BxKBvxsyXxOj9caowb2eKDKBIxC8sd0DW/6jhjOycNSvat4Lq24
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:6V1KvhdZ8jbhSslzEU0CDq3sNQedhL6Y5rO20/mVWJI3D6DD+UCkwizs56gxcZ
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:pZZ7NjonmkGeWnqONDoFlyZ1pUfVKsMT6JHR5buhuouhyhcaEoPQ+bZntblZi4
a=crypto:7 F8_128_HMAC_SHA1_80 inline:rt1o2E+8aHgn0yaTzu9HbUpSUhw5toTv/LOtXDo+
a=crypto:8 F8_128_HMAC_SHA1_32 inline:ckTM+7QcY8STYxX0sEtFlASMJ81qVGk9FLWDy6aa
a=crypto:9 NULL_HMAC_SHA1_80 inline:fwDQdY/3IGG+K9HgFMgeKQIdfdTxTzAliJ/SBSgP
a=crypto:10 NULL_HMAC_SHA1_32 inline:csWxDZYT4QNJX9iHWlow3db7AkvE9s55HsjDgqOn
a=setup:actpass
a=fingerprint:sha-1 48:90:58:16:EE:DD:61:59:6E:8D:2B:D6:01:2E:F8:01:59:5A:95:7D
a=ptime:20

2020/05/28 11:04:02.309320 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 100 Connecting
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Content-Length: 0


2020/05/28 11:04:04.252112 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 183 Session Progress
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Contact: <sip:SEMS.RTP.IP:PORT;transport=udp>
Content-Type: application/sdp
Content-Length: 315

v=0
o=- 194029192 194029192 IN IP4 SEMS.RTP.IP
s=-
t=0 0
m=audio 16385 RTP/AVP 0 18 101 8
c=IN IP4 SEMS.RTP.IP
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=setup:actpass
a=maxptime:40

2020/05/28 11:04:15.191778 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 200 OK
Record-Route: <sip:SIP.Proxy.IP;r2=on;lr>
Record-Route: <sip:SIP.Proxy.IP:5061;transport=tls;r2=on;lr>
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061;user=phone>;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 INVITE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.9db44872f93f8e7a9d1e2635d1284733.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK606ca2d9
RECORD-ROUTE: <sip:remote.proxy.fqdn:5061;transport=tls;lr>
Server: SBC 1.8.58-2
Contact: <sip:SEMS.RTP.IP:PORT;transport=udp>
Content-Type: application/sdp
Content-Length: 315

v=0
o=- 194029192 194029192 IN IP4 SEMS.RTP.IP
s=-
t=0 0
m=audio 16385 RTP/AVP 0 18 101 8
c=IN IP4 SEMS.RTP.IP
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:8 PCMA/8000
a=ptime:20
a=sendrecv
a=setup:actpass
a=maxptime:40

2020/05/28 11:04:15.282113 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
ACK sip:SEMS.RTP.IP:PORT;transport=udp SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 1 ACK
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKeb5e.20fd044e215a20d1b17f453c4b4e1fd6.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bK67319981
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 0
USER-AGENT: Remote.Proxy UA


2020/05/28 11:04:15.491097 SIP.Proxy.IP:5060 -> SEMS.RTP.IP:PORT
BYE sip:SEMS.RTP.IP:PORT;transport=udp SIP/2.0
Allow: INVITE, ACK, CANCEL, BYE, INFO, NOTIFY, PRACK, UPDATE, OPTIONS
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 2 BYE
CALL-ID: e21999e06ac158ea9870176f09369daf
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKbb5e.8dacef0dfd312760b02d4df9bd54ba72.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb77d6d0
REASON: Q.850;cause=79;text="715a105a-ca25-40b2-acc9-6751a940d22d;InternalDiagCode: SrtpEncryptionRequired, InternalErrorPhrase: Remote did not offer required SRTP"
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=715a105a-ca25-40b2-acc9-6751a940d22d;x-c=e21999e06ac158ea9870176f09369daf/d/8/557a8da3bc5f4ab6827baad8152f3e1f>
CONTENT-LENGTH: 0
USER-AGENT: Remote.Proxy UA
P-ASSERTED-IDENTITY: <tel:+DID-Number>,<sip:admin.admin@domain.net>
PRIVACY: id


2020/05/28 11:04:15.528918 SEMS.RTP.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 200 OK
FROM: admin admin<sip:+DID-Number@remote.fqdn:5061;user=phone>;tag=ab69300c008847d98a4f8b716819ab76
TO: <sip:+61411111111@customer.realm.fqdn:5061>;user=phone;tag=12-45ED1897-5ECF0E020007B93D-7C287700
CSEQ: 2 BYE
CALL-ID: e21999e06ac158ea9870176f09369daf
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKbb5e.8dacef0dfd312760b02d4df9bd54ba72.0;i=1
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb77d6d0
Server: SBC 1.8.58-2
Content-Length: 0

@dmitry.s any other way we could test SRTP with Yeti-sems? Please suggest.

I have enabled SRTP DTLS on both Originating and Terminating Gateway.

m=audio 39682 RTP/SAVP 104 117 9 103 111 18 0 8 97 101 13 118
c=IN IP4 SIP.Proxy.IP
a=label:main-audio
a=mid:1
a=rtpmap:104 SILK/16000
a=rtpmap:117 G722/8000/2
a=rtpmap:9 G722/8000
a=rtpmap:103 SILK/8000
a=rtpmap:111 SIREN/16000
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=fmtp:111 bitrate=16000
a=fmtp:18 annexb=no
a=fmtp:101 0-16
a=sendrecv
a=rtcp:39683
a=rtcp-mux
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:g45vKgaLV09B3uMrV0zp0hl35NJ856SFMmRoLiY/
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:XUVyxvZmfvnph+n3RSKrFaXvkhWLJYPIV/bMJ5QF
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:KZ427P1SZd7V3gLEaHsEBMCNB3yQTlcWjrWYRYN0sRtbc6T6x/c
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:BxKBvxsyXxOj9caowb2eKDKBIxC8sd0DW/6jhjOycNSvat4Lq24
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:6V1KvhdZ8jbhSslzEU0CDq3sNQedhL6Y5rO20/mVWJI3D6DD+UCkwizs56gxcZ
a=crypto:6 AES_256_CM_HMAC_SHA1_32 inline:pZZ7NjonmkGeWnqONDoFlyZ1pUfVKsMT6JHR5buhuouhyhcaEoPQ+bZntblZi4
a=crypto:7 F8_128_HMAC_SHA1_80 inline:rt1o2E+8aHgn0yaTzu9HbUpSUhw5toTv/LOtXDo+
a=crypto:8 F8_128_HMAC_SHA1_32 inline:ckTM+7QcY8STYxX0sEtFlASMJ81qVGk9FLWDy6aa
a=crypto:9 NULL_HMAC_SHA1_80 inline:fwDQdY/3IGG+K9HgFMgeKQIdfdTxTzAliJ/SBSgP
a=crypto:10 NULL_HMAC_SHA1_32 inline:csWxDZYT4QNJX9iHWlow3db7AkvE9s55HsjDgqOn
a=setup:actpass
a=fingerprint:sha-1 48:90:58:16:EE:DD:61:59:6E:8D:2B:D6:01:2E:F8:01:59:5A:95:7D
a=ptime:20

This is SRTP SDES negotiation, not DTLS. Upgrade your sems and switch encryption mode to SDES.

Not sure if SRTP SDES would be supported by the remote proxy server, but will test soon. But is DTLS supported by yeti-sems?

Not sure if SRTP SDES would be supported by the remote proxy server

Your trace contains INVITE with SDES key negotiation.

is DTLS supported by yeti-sems?

yeti supports SDES, DTLS, ZRTP negotiation protocols
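The distinction drawn in the replies above (SDES keys carried in a=crypto on RTP/SAVP versus DTLS-SRTP) and the failure seen in the trace (an RTP/AVP answer to a secure offer) can be checked mechanically. The following is an added example, not part of any post in this thread and not yeti/SEMS code; the function names are hypothetical and the SDP bodies are constructed samples with placeholder addresses, keys and fingerprint.

```python
import re

SDES_PROTOS = {"RTP/SAVP", "RTP/SAVPF"}                  # keys carried in a=crypto (RFC 4568)
DTLS_PROTOS = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}  # keys from a DTLS handshake (RFC 5764)
PLAIN_PROTOS = {"RTP/AVP", "RTP/AVPF"}                   # unencrypted RTP
CRYPTO_RE = re.compile(r"a=crypto:(\d+)\s+(\S+)\s+inline:\S+")

# SDES profiles listed in the media-interface configuration posted in the thread.
ALLOWED = {"AES_256_CM_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_32",
           "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}

# Constructed sample data (placeholders, not values from the trace).
KEY = "A" * 40
FP = ":".join(["00"] * 20)
OFFER = f"""v=0
o=- 1 0 IN IP4 192.0.2.10
s=session
c=IN IP4 192.0.2.10
t=0 0
m=audio 39682 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}
a=crypto:9 NULL_HMAC_SHA1_80 inline:{KEY}
a=setup:actpass
a=fingerprint:sha-1 {FP}
"""
ANSWER_PLAIN = """v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
t=0 0
m=audio 16385 RTP/AVP 0 18 101 8
c=IN IP4 192.0.2.20
a=setup:actpass
"""
ANSWER_SDES = f"""v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
t=0 0
m=audio 16385 RTP/SAVP 0
c=IN IP4 192.0.2.20
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}
"""


def parse_audio(sdp):
    """Return transport profile, crypto suites by tag, and fingerprint flag for the first m=audio."""
    info = {"proto": None, "suites": {}, "fingerprint": False}
    section = "session"
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            if section == "audio":
                break  # only the first audio section is examined
            fields = line[2:].split()
            section = "audio" if fields and fields[0] == "audio" else "other"
            if section == "audio" and len(fields) >= 3:
                info["proto"] = fields[2].upper()
        elif line.startswith("a=fingerprint:") and section in ("session", "audio"):
            info["fingerprint"] = True  # a session-level fingerprint applies to all media
        elif section == "audio":
            m = CRYPTO_RE.match(line)
            if m:
                info["suites"][int(m.group(1))] = m.group(2)
    return info


def keying(info):
    """The m= transport profile decides the mechanism; a=fingerprint on RTP/SAVP does not make it DTLS."""
    proto = info["proto"]
    if proto in DTLS_PROTOS:
        return "dtls-srtp" if info["fingerprint"] else "invalid"
    if proto in SDES_PROTOS:
        return "sdes" if info["suites"] else "invalid"
    return "none" if proto in PLAIN_PROTOS else "invalid"


def check_answer(offer_sdp, answer_sdp, allowed_suites):
    """List the problems in an answer relative to its offer; an empty list means consistent."""
    offer, answer = parse_audio(offer_sdp), parse_audio(answer_sdp)
    o_key, a_key = keying(offer), keying(answer)
    findings = []
    if o_key in ("sdes", "dtls-srtp") and a_key == "none":
        findings.append(f"downgrade: {offer['proto']} ({o_key}) offer answered with {answer['proto']}")
    elif o_key != a_key:
        findings.append(f"keying mismatch: offer {o_key}, answer {a_key}")
    if a_key == "sdes":
        for tag, suite in answer["suites"].items():
            if offer["suites"].get(tag) != suite:  # the answer must reuse an offered tag and suite
                findings.append(f"answer crypto tag {tag} ({suite}) was not offered")
            elif suite not in allowed_suites:
                findings.append(f"answer selected suite outside local policy: {suite}")
    return findings


def null_cipher_suites(sdp):
    """Offered suites whose name starts with NULL_, taken here to mean no confidentiality (assumption)."""
    return [s for _, s in sorted(parse_audio(sdp)["suites"].items()) if s.startswith("NULL_")]


if __name__ == "__main__":
    print(keying(parse_audio(OFFER)))
    print(check_answer(OFFER, ANSWER_PLAIN, ALLOWED))
    print(check_answer(OFFER, ANSWER_SDES, ALLOWED))
    print(null_cipher_suites(OFFER))
```
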

@dmitry.s So I have finally upgraded from stretch to buster and from yeti 1.9 to yeti 1.10. After doing that, I tried to make a test and it is returning 500 Server Internal Error. Any advice would be appreciated as to why I’m receiving this error.

SEMS Version:

sems -v
1.22.0

Here is the SIP trace:

2020/06/19 16:14:38.216183 SIP.Proxy.IP:5060 -> SEMS.IP:PORT
INVITE sip:+6141111111@customer.realm.fqdn:5061;user=phone;transport=tls SIP/2.0
FROM: admin admin<sip:+61388888888@remote.proxy.fqdn:5061;user=phone>;tag=e2d866a888854e1ba651d7b969e3ddee
TO: <sip:+6141111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: 20713fd9ad6d5b67b3b1945eca2a9938
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKda49.36e35c6456ebcacfd17007b4538e2597.0;i=6
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb7234749
RECORD-ROUTE: <sip:remote.proxy1.fqdn:5061;transport=tls;lr>
CONTACT: <sip:remote.proxy2.fqdn:443;x-i=e061ddcb-57ce-477e-accc-5a1f5d01b128;x-c=20713fd9ad6d5b67b3b1945eca2a9938/d/8/4041270fd9454d02acd4d6fc84181caf>
CONTENT-LENGTH: 1123
MIN-SE: 300
SUPPORTED: timer
USER-AGENT: Remote.Proxy UA
CONTENT-TYPE: application/sdp
ALLOW: INVITE,ACK,OPTIONS,CANCEL,BYE,NOTIFY
P-ASSERTED-IDENTITY: <tel:+61388888888>,<sip:admin@domain.com>
PRIVACY: id
SESSION-EXPIRES: 3600

v=0
o=- 374029 0 IN IP4 127.0.0.1
s=session
c=IN IP4 Remote.RTP.IP
b=CT:10000000
t=0 0
m=audio 52996 RTP/SAVP 104 117 9 103 111 18 0 8 97 101 13 118
c=IN IP4 Remote.RTP.IP
a=rtcp:52997
a=ice-ufrag:aazS
a=ice-pwd:sdGZRPfevPFL5SLyCk3bicsz
a=rtcp-mux
a=candidate:1 1 UDP 2130706431 Remote.RTP.IP 52996 typ srflx raddr 10.0.32.20 rport 52996
a=candidate:1 2 UDP 2130705918 Remote.RTP.IP 52997 typ srflx raddr 10.0.32.20 rport 52997
a=candidate:2 1 tcp-act 2121006078 Remote.RTP.IP 49152 typ srflx raddr 10.0.32.20 rport 49152
a=candidate:2 2 tcp-act 2121006078 Remote.RTP.IP 49152 typ srflx raddr 10.0.32.20 rport 49152
a=label:main-audio
a=mid:1
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:5R4qZZQXleYi2qg4i7lPGhh38fG9haU7HIoBsP+b|2^31
a=sendrecv
a=rtpmap:104 SILK/16000
a=rtpmap:117 G722/8000/2
a=rtpmap:9 G722/8000
a=rtpmap:103 SILK/8000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=ptime:20

2020/06/19 16:14:38.217127 SEMS.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 100 Connecting
FROM: admin admin<sip:+61388888888@remote.proxy.fqdn:5061;user=phone>;tag=e2d866a888854e1ba651d7b969e3ddee
TO: <sip:+6141111111@customer.realm.fqdn:5061;user=phone>
CSEQ: 1 INVITE
CALL-ID: 20713fd9ad6d5b67b3b1945eca2a9938
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKda49.36e35c6456ebcacfd17007b4538e2597.0;i=6
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb7234749
RECORD-ROUTE: <sip:remote.proxy1.fqdn:5061;transport=tls;lr>
Server: yeti-switch 1.9.8
Content-Length: 0


2020/06/19 16:14:38.376625 SEMS.IP:PORT -> SIP.Proxy.IP:5060
SIP/2.0 500 Server Internal Error
FROM: admin admin<sip:+61388888888@remote.proxy.fqdn:5061;user=phone>;tag=e2d866a888854e1ba651d7b969e3ddee
TO: <sip:+6141111111@customer.realm.fqdn:5061;user=phone>;tag=12-49C40CCF-5EEC57CE00054AD8-C8165700
CSEQ: 1 INVITE
CALL-ID: 20713fd9ad6d5b67b3b1945eca2a9938
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKda49.36e35c6456ebcacfd17007b4538e2597.0;i=6
VIA: SIP/2.0/TLS Remote.Proxy.IP:5061;branch=z9hG4bKb7234749
RECORD-ROUTE: <sip:remote.proxy1.fqdn:5061;transport=tls;lr>
Server: yeti-switch 1.9.8
Content-Length: 0


2020/06/19 16:14:38.377351 SIP.Proxy.IP:5060 -> SEMS.IP:PORT
ACK sip:+6141111111@customer.realm.fqdn:5061;user=phone;transport=tls SIP/2.0
FROM: admin admin<sip:+61388888888@remote.proxy.fqdn:5061;user=phone>;tag=e2d866a888854e1ba651d7b969e3ddee
TO: <sip:+6141111111@customer.realm.fqdn:5061;user=phone>;tag=12-49C40CCF-5EEC57CE00054AD8-C8165700
CSEQ: 1 ACK
CALL-ID: 20713fd9ad6d5b67b3b1945eca2a9938
MAX-FORWARDS: 69
Via: SIP/2.0/UDP SIP.Proxy.IP;branch=z9hG4bKda49.36e35c6456ebcacfd17007b4538e2597.0;i=6
CONTENT-LENGTH: 0

I have also configured SEMS with UDP, TCP and TLS as per the document, please advise what am I missing here?

@dmitry.s I think there is an issue with routing and number translation

as per the sip trace log above, my destination number is +61411111111

TO: <sip:+6141111111@customer.realm.fqdn:5061;user=phone>

I have the following number list assigned in the dst number list under customer Auth

and it returns 500 Server Internal Error

Could you please let me know if there is an issue with the number translation?

I’m using the following version:
image

FYI: This setup is working in 1.9 version of yeti

I can’t answer your question, because there are no details. Could you show the CDR?

Also number translation should not cause any issues like 500 Server Internal Error.