Connecting RasPBX via SIP Trunk

The previous tutorial has covered RasPBX installation on Raspberry Pi 3 board. At the end of the tutorial we have tested local calls between chan_sip extensions 1010 and 1020 that are registered to RasPBX. This time we will go further and connect RasPBX with another FreePBX VOIP system via PJSIP trunk. The FreePBX is running on VirtualBox and it is in version 14 with Asterisk 13. As the last step of the tutorial, we will test VOIP calls  between RasPBX with FreePBX that are interconnected by PJSIP trunk.

As we have mentioned, a complete RasPBX and Zoiper softphones installation and configuration is covered in a previous tutorial (except the SIP trunk).  Also, the tutorial does not cover installation of FreePBX on VirtualBox VM. So far, our inventory contains RasPBX and FreePBX with the following components.

RasPBX - Asterisk on Raspberry PI board:
- Asterisk 13.22.0
- FreeBPX 14.0.3.13
- Zoiper softphone on Ubuntu 18.0.4, IP 172.17.100.2/16, ext. 1010
- Zoiper softphone on Android 5.1, IP 172.17.100.5/16, ext. 1020

FreePBX - Installed  on VirtualBox VM
- Asterisk 13.19.1
- FreeBPX 14.0.3.13
- X-Lite 2010 softphone on Virtualbox VM with x-64 Windows 7, IP 172.17.100.9/16, extension 2010

Note: Configuration of X-Lite softphone will be covered later in the tutorial

The network topology is depicted on the Picture 1.

Picture 1 - Logical Network Topology with RaspPBX and FreePBX

1. RasPBX Configuration

1.1 PJSIP Trunk Configuration on RasPBX

Although, local calls are working on RasPBX, we have to create SIP trunk to connect to another VOIP system. Therefore, navigate to Connectivity-> Trunks. Click Add Trunk button and select SIP (chan_pjsip) Trunk. Fill the fields in Table General (Picture 2). The trunk name is FreePBX-trunk-RasPBX.

Picture 2 - Configuring PJSIP Trunk on RasPBX to Connect to FreePBX - General Tab

Switch to the table pjsip Settings and fill the fields (Picture 3). The IP address 172.17.100.7/16 is the IP address of FreePBX installed on VirtualBox. The secret is trunk123. It has to match secret configured on pjsip trunk of FreePBX that is pointing back to RaspPBX (172.17.100.50/16).

Picture 3 - PJSIP Settings Configuration on RaspPBX - General Tab

1.2 Outbound Routing Configuration on RasPBX

Outbound routing to the pattern 2xxx is needed to reach remote registered to FreePBX (172.17.100.7/16). The call for the extension 2010 will be send via trunk FreePBX-trunk-RasPBX.

Navigate to Connectivity-> Outbound Routes and click the button Add Outbound Routes. Create the route name FreePBX-internal and select the trunk FreePBX-trunk-RasPBX in the field Trunk Sequence for Matched Routes (Picture 4).

Picture 4 - Outbound Routes Configuration on RaspPBX - Route Settings Tab

Now, switch to the Dial Patterns table and configure the dial pattern 2XXX (Picture 5).

Picture 5 - Outbound Routes Configuration on RaspPBX - Dial Patterns Tab

We have just finished RasPBX configuration. Let's move to the configuration of FreePBX.

2. FreePBX Configuration

Note: Installation of FreePBX on VirtualBox VM is not covered in this tutorial.

2.1 SIP Extension Configuration

Navigate to Applications-> Extensions and click button Add Extension. Select Add New PJSIP Extension. Configure the extension 2010 (Picture 6).

Picture 6 - PJISP Extension 2010 Configuration on FreePBX

2.2 X-Lite Softphone Configuration

As the softphone we will use X-Lite sofphone installed on 64-bit Windows, Another softphone such as Zoiper can be used as well. Picture 7 depicts configuration of SIP account on X-Lite.

Picture 7 - Setting SIP Account on X-Lite

2.3 PJSIP Trunk Configuration on FreePBX

So far, the extensions 1010 and 1020 have been registered to RasPBX and the pattern 2XXX route calls via SIP trunk FreePBX-trunk-RasPBX to FreePBX. X-Lite softphone (ext, 2010) is registered the FreePBX.  As the next step we are going to create PJSIP trunk and outbound routing to the extensions registered to RasPBX (dial pattern 1XXX).

Navigate to Connectivity-> Trunks. Click the button Add Trunk and select SIP (chan_pjsip) Trunk. Fill the fields in Table General (Picture 2).

Switch to the table pjsip Settings and fill the fields (Picture 8). The IP address 172.17.100.50/16 is the IP address of RasPBX. The secret is trunk123. It has to match secret configured on pjsip trunk of RasPBX that is pointing back to FreePBX. (172.17.100.50/16).

Picture 8 - PJSIP Settings Configuration on FreePBX - General Tab

2.4 Outbound Routing Configuration on FreePBX

Outbound routing to the pattern 1xxx is needed to reach remote extensions registered to RasPBX (172.17.100.50/16). The calls to these extensions will be send via trunk FreePBX-trunk-RasPBX. Navigate to Connectivity-> Outbound Routes and click the button Add Outbound Routes. Create the route name FreePBX-internal and select the trunk FreePBX-trunk-RasPBX in the field Trunk Sequence for Matched Routes (Picture 4).

Now, switch to the Dial Pattern Table and configure the pattern 1XXX (Picture 9).

Picture 9 - Outbound Routes Configuration on FreePBX - Dial Patterns Tab

3. Testing Calling Between RasPBX and FreePBX

We will attempt to establish call between the extension 1020 (RasPBX) and 2010 (FreePBX). The FreePBX CDR records (Reports-> CDR records) give us information about these calls (Picture 10).

Picture 10 - FreePBX Call Data Records

The active calls can be found with the command below (Picture 11).

# asterisk -rx 'core show channels'

 

Picture 11 - Call from Extension 1020 to 2010

4. Media Encryption

By default, RTP streams are not encrypted. A hacker having a particular access to underlying network infrastructure can capture RTP streams, eavesdropping conversation between SIP endpoints. The picture 12 depicts truncated SIP messages and voice payload (RTP) captured by wireshark.

Picture 12 - Captured Conversation Between RasPBX and FreePBX During Active Call

Here is the entire RTP.pcap capture. Use Wireshark to open it and navigate to Telephony-> VOIP Calls. Select the stream and click Play Streams button. You can hear the captured conversation when call is placed from extension 1020 to 2010.

Picture 13 - Playing RTP Stream by Wireshark

To use SRTP instead of RTP to encrypt voice payload, navigate to PJSIP table of the trunk FreePBX-trunk-RasPBX and go to Advanced Table. Find the option Media encyption and select SRTP via in-SDP (recommended) (Picture 14). You need to do it for the both ends of the PJSIP trunk.

Picture 14 - Enabling Media Encryption on PJSIP Trunk

The Picture 15 depicts the screenshot from wireshark when media encryption option is enabled on PJSIP trunk. Notice that SRTP is used instead of RTP.

Note: The screenshot is truncated so it does not show the entire SIP messages exchange.

Picture 15 - Secure Real-Time Protocol Enabled on PJSIP Trunk

The spectrum of SRTP stream is depicted on the Picture 16.

Picture 16 -Playing SRTP Stream by Wireshark

The captured conversation SRTP.pcap between extensions 1020 and 2020 contains SIP signalization and SRTP streams. Even an attacker is able to capture the SRTP stream, the voice traffic is encrypted.

End.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.