Secure RTP
From FreeSWITCH Wiki
SRTP Configuration (Dialplan.xml)
If SRTP is enabled, only the payload type of RTP packets will be secured. No configuration is required for inbound calls; it is needed only for outbound calls. For an inbound call, if an endpoint/phone sends an INVITE whose SDP offers RTP/AVP together with a crypto algorithm, FreeSWITCH will reject the call if "sip_secure_media" has been configured for inbound calls. The crypto algorithm should be offered in RTP/SAVP.
Example:
(i) To bridge an inbound call to your FXS that is configured on channel 1, for a UA registered as 202@proxy.com, configure as below:
<extension name="incoming-fxs">
  <condition field="destination_number" expression="^(202)$">
    <!-- Match the crypto suite offered by the caller -->
    <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never"/>
    <!-- Require secure media (SRTP) on this channel -->
    <action application="set" data="sip_secure_media=true"/>
    <action application="bridge" data="openzap/1/1"/>
  </condition>
</extension>
(ii) To bridge an outbound call for an endpoint registered as 123@proxy.com, configure as below:
<extension name="Outgoing-fxs">
  <condition field="destination_number" expression="^(123)$">
    <!-- Match the crypto suite offered by the caller -->
    <condition field="${sip_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never"/>
    <!-- export also passes sip_secure_media to the outbound (B) leg -->
    <action application="export" data="sip_secure_media=true"/>
    <action application="bridge" data="sofia/gateway/gateway_name/$1@proxy.com"/>
  </condition>
</extension>
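The SDP rule described under SRTP Configuration (crypto must be offered under RTP/SAVP, and RTP/AVP plus crypto is rejected when sip_secure_media is set) can be checked against a captured offer before a call fails. The following is an added example, not FreeSWITCH code or part of the original page; the function names, result labels and sample SDP are constructed for illustration.

```python
import re

# Same suites as the ${sip_has_crypto} condition in the dialplan above.
SUITE_RE = re.compile(r"^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$")

def classify_offer(sdp):
    """Classify the first audio section of an SDP offer.
    The returned labels are this example's own, not FreeSWITCH values."""
    profile, suites, in_audio = None, [], False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            # m=<media> <port> <proto> <fmt...>; look at the first audio section only
            in_audio = profile is None and len(fields) >= 3 and fields[0] == "audio"
            if in_audio:
                profile = fields[2]
        elif in_audio and line.startswith("a=crypto:"):
            # a=crypto:<tag> <suite> <key-params>
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 2:
                suites.append(parts[1])
    if profile is None:
        return "no-audio"
    if profile == "RTP/SAVP":
        ok = any(SUITE_RE.match(s) for s in suites)
        return "srtp-ok" if ok else "savp-without-supported-suite"
    if profile == "RTP/AVP":
        return "avp-with-crypto" if suites else "plain-rtp"
    return "other-profile"

def rejected_when_secure_media_set(sdp):
    """The one rejection case the page states: crypto offered under RTP/AVP."""
    return classify_offer(sdp) == "avp-with-crypto"

def make_offer(profile, suite=None):
    """Build a constructed SDP offer (documentation address, placeholder key)."""
    lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
             "t=0 0", f"m=audio 40000 {profile} 0 101",
             "a=rtpmap:101 telephone-event/8000"]
    if suite:
        lines.append(f"a=crypto:1 {suite} inline:CONSTRUCTED-PLACEHOLDER-KEY")
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    for profile, suite in [("RTP/SAVP", "AES_CM_128_HMAC_SHA1_80"),
                           ("RTP/AVP", "AES_CM_128_HMAC_SHA1_32"),
                           ("RTP/AVP", None)]:
        print(profile, suite, "->", classify_offer(make_offer(profile, suite)))
```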
Procedures to verify SRTP
1. During an established call, you can verify the SRTP data by sending some DTMF digits over the call. RFC 4733 tells you the payload type for a DTMF digit, but when it is encrypted by SRTP, it will be different from the conventional payload type.
