https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
First I needed to grab the ast_tls_cert script from the Asterisk SVN.
wget http://svnview.digium.com/svn/asterisk/branches/11/contrib/scripts/ast_tls_cert
chmod +x ast_tls_cert
mkdir /etc/asterisk/keys
./ast_tls_cert -C voip.iprouteth0.org -O "iprouteth0 VoIP" -d /etc/asterisk/keys
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C voip.iprouteth0.org -O "iprouteth0 VoIP" -d /etc/asterisk/keys -o 504
Add these directives to your sip.conf [general] section:
tlsenable=yes
tlsbindaddr=192.168.0.30
tlscertfile=/etc/asterisk/keys/asterisk.crt
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscafile=/etc/asterisk/keys/ca.crt
tlscadir=/etc/asterisk/keys/
tlscipher=ALL
tlsclientmethod=tlsv1
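Before pointing sip.conf at the key directory it is worth confirming that the files are consistent with each other: that asterisk.crt really chains to ca.crt, that each certificate matches the private key stored beside it, and that no private key is world-readable. The script below is an added check, not part of the original tutorial or of Asterisk; it assumes the layout ast_tls_cert produces (ca.crt, asterisk.crt, asterisk.key and a per-phone <name>.pem holding the client key and certificate) and builds a throwaway set of keys with openssl, purely as constructed demo data, to exercise itself.

```shell
#!/bin/sh
# Added check script (not from the original tutorial or from Asterisk).
# Assumes the layout ast_tls_cert produces: ca.crt, asterisk.crt,
# asterisk.key and, per phone, <name>.pem holding client key and cert.
set -e

# cert_matches_key CERT KEY: true if the private key belongs to the cert.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_asterisk_keys DIR CLIENT: 0 if the server cert and the client PEM
# both chain to DIR/ca.crt, match their keys and are not world-readable.
check_asterisk_keys() {
  dir=$1; client=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/asterisk.crt" >/dev/null 2>&1 || return 1
  cert_matches_key "$dir/asterisk.crt" "$dir/asterisk.key" || return 1
  # The client PEM carries key and cert together; openssl picks the right block.
  openssl x509 -in "$dir/$client.pem" 2>/dev/null \
    | openssl verify -CAfile "$dir/ca.crt" >/dev/null 2>&1 || return 1
  cert_matches_key "$dir/$client.pem" "$dir/$client.pem" || return 1
  # Private key material readable by "other" is a misconfiguration.
  [ -z "$(find "$dir" \( -name '*.key' -o -name '*.pem' \) -perm -004)" ]
}

# make_demo_keys DIR: build a throwaway CA, server cert and client PEM in the
# same layout (constructed test data, not the tutorial's real keys).
make_demo_keys() {
  dir=$1; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in asterisk 504; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
      -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" 2>/dev/null
  done
  cat "$dir/504.key" "$dir/504.crt" > "$dir/504.pem"
  chmod 600 "$dir"/*.key "$dir"/*.pem
}

# Usage: sh check_keys.sh /etc/asterisk/keys 504
if [ "$#" -eq 2 ]; then
  if check_asterisk_keys "$1" "$2"; then echo "keys in $1 OK for client $2"
  else echo "key check FAILED for $1"; exit 1; fi
fi
```

Run it against the real directory with the peer name as the second argument; a non-zero exit means one of the three checks failed and the configuration should not go live until it is fixed.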
And here is my peer configured for TLS transport and encryption:
[504]
username=504
secret=yourpasswordhere
type=friend
nat=force_rport,comedia
callerid="Mesmerize<504>"
host=dynamic
context=outbound-srtp
outgoinglimit=3
incominglimit=3
canreinvite=yes
transport=tls
encryption=yes
disallow=all
allow=ulaw
allow=alaw
allow=g722
allow=gsm
dtmfmode=inband
mailbox=504@default
And the incoming dialplan. I am using chan_motif and Google Voice, so this goes in context [incoming-motif]:
exten => iprouteth0, 1, NoOp(Callerid ${CALLERID(name)})
exten => iprouteth0, n, Set(CALLERID(num)=${SHIFT(CALLERID(name),@)})
exten => iprouteth0, n, Set(CALLERID(name)=${DB(cidname/${CALLERID(num)})})
exten => iprouteth0, n, Set(_SIP_SRTP_SDES=1)
exten => iprouteth0, n, Set(_SIPSRTP=1)
exten => iprouteth0, n, Set(_SIPSRTP_CRYPTO=enable)
exten => iprouteth0, n, Dial(SIP/504, 180, D(:1))
exten => iprouteth0, n, Wait(3)
exten => iprouteth0, n, SendDTMF(1)
exten => iprouteth0, n(bridged),Bridge(${DB_DELETE(gv_dialout/channel)}, p)
And here is the outgoing dialplan. This is in context [talk-numeric-outbound-srtp]:
[talk-numeric-outbound-srtp]
exten => _1NXXNXXXXXX,1,Set(_SIP_SRTP_SDES=1)
exten => _1NXXNXXXXXX,n,Set(_SIPSRTP=1)
exten => _1NXXNXXXXXX,n,Set(_SIPSRTP_CRYPTO=enable)
exten => _1NXXNXXXXXX,n,Dial(Motif/iprouteth0/${EXTEN}@voice.google.com,,r)
exten => _+1NXXNXXXXXX,1,Set(_SIP_SRTP_SDES=1)
exten => _+1NXXNXXXXXX,n,Set(_SIPSRTP=1)
exten => _+1NXXNXXXXXX,n,Set(_SIPSRTP_CRYPTO=enable)
exten => _+1NXXNXXXXXX,n,Dial(Motif/iprouteth0/${EXTEN}@voice.google.com,,r)
Finally, the master context for this group of phones:
[outbound-srtp]
include => seven-digit
include => local-devices
include => default
include => incoming-motif
include => talk-numeric-outbound-srtp
Then comes the setup of CSipSimple. Set up your account; I used expert mode. To make it easier, you can create the account with the basic wizard and switch the wizard once you've saved the account.
In CSipSimple's settings, hit the menu button and enable expert mode. Then go into the Network section and find the Secure Transport menu.
Once you're in the Secure Transport sub-menu, you'll need to add your certificate files. I grabbed them with AndFTP directly off my OpenWrt router. Bear in mind you'll need openssh-sftp-server installed. Ignore the big 1 in the picture; it's from my screenshot capturing software.
For the CA file I used /sdcard/keys/ca.crt.
For the TLS certificate I used /sdcard/keys/504.pem.
The TLS private key was left blank, since the PEM file already contains the key.
The TLS password is the password used during key creation.
Also make sure to set SRTP mode to mandatory and disable ZRTP.
I checked both "verify server certificate" and "verify client certificate", and have not noticed any trouble.
I am not even fully certain I am using the correct keys; however, I have found that sipcrack is unable to detect login credentials from the TLS packet capture, whereas sipdump and sipcrack succeed in decrypting my normal SIP packet capture.