SOLVED Verizon and SIP and TLS

[unsichtbarre]

Recently in a nerdvittles.com post (http://nerdvittles.com/?tag=security), there was a Verizon issue with SIP mentioned.

I can't find much more information. Could this be why my cellular softphones behave oddly when using Verizon as the carrier, and work perfectly when I am using the same softphone and connected to private networks over wireless?

BTW: I use C Sip Simple on Android and Travelin' Man 3 with DYN Dns.

No problems on a good private wi-fi, calls disconnect after 5 or 10 seconds over Verizon Data.

THX,

-J

Following up on my own post, referencong (http://www.onsip.com/blog/2013/07/02/in-depth-verizon-blocks-sip-traffic-using-alg) I thought I would mention that using the aforementioned methods, my softphone always registers, but as mentioned, calls drop after a few seconds

 

[billsimon]

I concur with the findings of the Onsip post as I have experienced it myself. My solution was to use an alternate port. Verizon's SIP interference appears to be limited to port 5060. 5070 works fine.

 

[unsichtbarre]

Thanks,
I will re-configure for 5070 and follow-up.

 

[unsichtbarre]

Unfortunately, not solved. Sorry it has taken me days to follow-up - weekends are my time for forums!

I set for 5070 and still calls disconnect after about 20 seconds using SIP on Verizon. Let me get on a non 4G WiFi (Hotel, office, home), however, and I can talk for days.

-J

 

[billsimon]

Sorry to hear it didn't work. Do any messages appear in the Asterisk log at the time of the hangup (except for the dialplan steps)? If not, it is probably time to perform a packet capture and analysis.

 

[UGP]

Having the same problem. Switched the port as well in the extension setting and still the same. Does anyone have this working at all including changing the port?

 

[jmcguirl]

Has any found a solution yet? I have managed a work around by sending the sip through a vpn, but there's a lot of admin overhead not user friendly.

 

[billsimon]

You could try setting up TLS. It's easy and now that proper certificates can be had for free, it won't cost anything.

 

[jmcguirl]

Bill can you point me to a howto or something similar?

 

[billsimon]

https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

You can put the listed "sip.conf options" into "Asterisk SIP Settings" in the custom section at the bottom, or you can put them in the sip_general_custom.conf file.

These are the most important:

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem <--- set this to the pem file you generate with Let's Encrypt

Then make sure 5061 is open on your iptables firewall.

The hardest part about this is it requires DNS, so you have to have a DNS name for your PBX, one in a domain you control, in order to generate and use the certificate.