Kamailio SecureSIP gateway with rtpengine
In previous posts we have already discussed rtpengine and how to use it with Kamailio to handle NAT or voice transcoding. In this article we’ll see how to use Kamailio with the TLS module and rtpengine to build a TLS/SRTP proxy: the first call leg uses secure SIP over TLS with SRTP, the second leg uses plain UDP with RTP. In this way we can add Secure SIP support in front of existing media servers that only support UDP transport with RTP. SRTP (Secure RTP) is used together with SIP over TLS and carries the voice in encrypted packets, so that intercepted audio cannot be decoded.
Configuring Kamailio
The prerequisite for such scenarios is to have Kamailio installed and configured with the TLS module and rtpengine installed.
On the Kamailio configuration file we must activate rtpengine and use the rtpengine_manage() function with the appropriate flags.
Let’s activate the rtpengine module.
# Enable debug
#!define WITH_DEBUG
# Enable TLS
#!define WITH_TLS
# Enable NAT (disabled: leading '#' turns the directive into a comment)
##!define WITH_NAT
# Enable RTPENGINE
#!define WITH_RTPENGINE
# Enable call dispatching (disabled)
##!define WITH_DISPATCHER

#!ifdef WITH_RTPENGINE
loadmodule "rtpengine.so"
#!endif

#!ifdef WITH_RTPENGINE
# ----- rtpengine params -----
# control socket of the local rtpengine daemon
modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")
#!endif
We use the rtpengine_manage() function to handle the offer toward the SIP/UDP media server and the answer back to the TLS/SRTP client.
    if (has_body("application/sdp")) {
        # offer toward the media server: the RTP flag makes rtpengine
        # rewrite the SDP to plain RTP/AVP (no a=crypto lines)
        rtpengine_manage("SIP-source-address replace-origin replace-session-connection RTP");
    }
    ...
    ...
    # arm the reply route, otherwise onreply_route[MANAGE_REPLY] is never run
    t_on_reply("MANAGE_REPLY");
    t_relay_to_udp("MS_IPADDR","MS_PORT");
    ...
    ...
    exit;

onreply_route[MANAGE_REPLY] {
    ...
    ...
    if (has_body("application/sdp")) {
        # answer toward the caller: with no transport flag rtpengine keeps
        # the RTP/SAVP profile that the TLS client originally offered
        rtpengine_manage("SIP-source-address replace-origin replace-session-connection");
    }
    ...
}
With this configuration we are telling Kamailio to have rtpengine modify the body of the INVITE received over TLS and forward it to the media server over UDP, changing the stream from SRTP to RTP. On the reply, rtpengine performs the reverse conversion from RTP to SRTP toward the caller.
Analyzing the behavior of Kamailio when a call arrives over TLS with SRTP, we see that the received INVITE uses TLS as transport and its SDP carries RTP/SAVP as the media description profile together with the crypto media attribute (a=crypto) naming the crypto-suite in use.
The outgoing INVITE to the media server uses UDP as transport, and its SDP states that the stream will use plain RTP and will be established between the media server and rtpengine.
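A quick way to verify that rewrite is to compare the SDP of the two INVITEs. The following script is an added example, not part of the original post: it parses the m= line profile and any a=crypto attributes of each SDP and reports when the TLS leg is missing SRTP material or when crypto attributes have leaked onto the plain UDP leg. The two SDP bodies are constructed samples with placeholder addresses and key.

```python
"""Verify the SDP profile on each leg of the TLS/SRTP <-> UDP/RTP proxy."""


def sdp_media(sdp: str) -> list[dict]:
    """Return one dict per m= section: media, port, profile, a=crypto values."""
    sections = []
    current = None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = {"media": fields[0], "port": int(fields[1]),
                       "proto": fields[2], "crypto": []}
            sections.append(current)
        elif current is not None and line.startswith("a=crypto:"):
            current["crypto"].append(line[len("a=crypto:"):])
    return sections


def check_leg(sdp: str, expect_secure: bool) -> list[str]:
    """Return a list of problems; an empty list means the leg looks right."""
    problems = []
    want = "RTP/SAVP" if expect_secure else "RTP/AVP"
    for m in sdp_media(sdp):
        if m["proto"] != want:
            problems.append(f"{m['media']}: profile {m['proto']}, expected {want}")
        if expect_secure and not m["crypto"]:
            problems.append(f"{m['media']}: RTP/SAVP without a=crypto")
        if not expect_secure and m["crypto"]:
            problems.append(f"{m['media']}: a=crypto leaked onto the plain leg")
    return problems


# Constructed sample: SDP as received from the TLS client (addresses/key are placeholders)
TLS_LEG_SDP = """v=0
o=- 1 1 IN IP4 198.51.100.10
s=-
c=IN IP4 198.51.100.10
t=0 0
m=audio 4000 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY
"""
# Constructed sample: SDP as rewritten by rtpengine toward the UDP media server
UDP_LEG_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 30000 RTP/AVP 0 8
"""

if __name__ == "__main__":
    print("TLS leg:", check_leg(TLS_LEG_SDP, expect_secure=True) or "ok")
    print("UDP leg:", check_leg(UDP_LEG_SDP, expect_secure=False) or "ok")
```

Feed it the SDP bodies captured on each interface (for example from a sngrep or tcpdump export) to confirm that no a=crypto line ever leaves Kamailio on the unencrypted leg.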
In the opposite direction the reply messages, in particular the 200 OK, travel over SIP/UDP from the media server to Kamailio and over TLS with SRTP from Kamailio to the caller.
The analysis of the complete call flow shows the behavior of the system, with the two call legs clearly distinct: plain RTP audio on one side and encrypted SRTP on the other.