Secure Incredible PBX Trunks


Foreword

This article focuses on how to secure Incredible PBX Trunks so that data is transmitted securely between VoIP.ms and Incredible PBX. The steps may be similar for other providers, but my focus will be on VoIP.ms, as that is my DID provider of choice.
Hey, Do me a solid! If you want to give VoIP.ms a try then here is the link. I get up to $25 from them for referrals. So, if you find this useful sign up! I have no complaints and have been using them for years now!

1. Secure VoIP.ms Side

First, go to VoIP.ms and secure the account and sub accounts so that they can accept secure connections for Incredible PBX Trunks. How this is done differs depending on whether it is an account or a sub account, so I have broken it down into two sections below.

Secure Account

Simple: go to the VoIP.ms site and select Main Menu->Account settings. Then select the tab called Advanced and change the dropdown called Encrypted SIP Traffic to YES. See the examples below. That is all for the main account.

First, VoIP.ms Account Settings
Then, Advanced tab

Secure Sub Accounts

Sub accounts are handled a little differently. Yes, it took me a while to figure this out. So, here you go; I hope it saves you some time!

Select Sub Accounts->Manage Sub Accounts
Click the Edit action at the very right of the row.
Find Advanced Options, then click on the link that says “Click here”
Find “Encrypted SIP Traffic” dropdown and make it “Yes”
Click the Update Account at the bottom of the page.

2. Setup TLS in Incredible PBX for SIP

Once done with VoIP.ms, go to Incredible PBX and set it up to allow secure SIP communication. The captions below explain the steps.

Click Settings->Asterisk SIP Settings.
Go to the Legacy Settings{chan_sip} tab. Then, set Enable TLS to YES…

Again, make sure TLS/SSL SRTP is set up as above

  • Enable TLS = Yes
  • Certificate Manager = default. However, pick the one that makes sense for your config.
  • SSL Method = tlsv1
  • Don’t Verify Server = Yes. This worked for me as it is all locally signed anyway.

3. Secure the Incredible PBX Trunks

Finally, to the last part! Now, set up the Trunks to be secure. Once done, all should be well, but I will give some pointers at the end on what to look for too.

Create SSL versions of the Trunk

Yes, I tested everything via non-SSL first; see that here. So, this takes that post to the next level of security. SSL makes life so much more secure. However, nothing is ever perfect, so always be on the lookout for security concerns. In short, do research and look at your logs for concerns.

Trunks Link

So, use Duplicate Trunk on every trunk! That button is on the bottom right of the trunk screen. Once done, open the duplicate and make changes to it. Oh, and disable the original, but do not delete it right away; wait until you are happy with the SSL versions. See, I named mine all ending in ssl. Ok, I should have named the others as good too. Well, nobody’s perfect!

All my Incredible PBX Trunks. Only the ones with ssl in there are active.

Edit each ssl trunk to VoIP.ms Accounts

For example, I have three accounts in VoIP.ms. So, that is why I have three Trunks in Incredible PBX.

Trunk: General Tab

You only have to modify Trunk Name there, so set it to something descriptive but with no spaces or unusual characters. Oh, and maybe set up Outbound CallerID like “"ALLEN PAUNA"<XXXXXXXXXX>”.

Trunk: SIP Settings

Outgoing

Set the following:

  • Trunk Name – Just remove the _Copy_ junk and put a unique descriptive name here. I used the original name with ssl added to it.
  • PEER Details – This is the real meat and potatoes of the post.

PEER Details Example

Note: in the example above, change all the lines with the ;<XXXX> stuff in them. That is:

  • username – ;<VoIP.ms account or sub account XXXXXXXX or XXXXXXXX_XXX>
  • secret – ;<VoIP.ms account or sub account password>
  • host – ;<SET TO SAME AS DID and closest to you.>
  • fromuser – ;<VoIP.ms account or sub account XXXXXXXX or XXXXXXXX_XXX>

Oh, and I had to change allow from this allow=g729&ulaw&gsm to this allow=ulaw&gsm. I will add a post to add g729 codec support once I figure it out. I got all of this info from here.

Finally, make sure to remove all of the ;<bla bla bla> notes from the Peer settings. I just placed them as comments to help highlight what needs to be changed.

Incoming

Register String
  • account – same as username and fromuser in outbound peer settings
  • password – same as secret in outbound peer settings
  • server – same as host in outbound peer settings

Also, notice the “:” between account and password and after server: KEEP THEM THERE. Likewise the “@” between password and server: KEEP IT THERE. They are required for the correct format of the string.
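A cross-check of the PEER Details and Register String rules listed above, written in Python as an added example (it is not from the original post or from Incredible PBX). The function names, account, password and port are constructed, and accepting a leading scheme:// on the register string is an assumption.

```python
import re

# Register string as described above: account:password@server:<rest>.
# Tolerating a leading "scheme://" is an assumption of this example.
REGISTER_RE = re.compile(
    r"^(?:\w+://)?(?P<account>[^:@]+):(?P<password>[^@]+)"
    r"@(?P<server>[^:/]+)(?:[:/].*)?$"
)
PAIRS = (("account", "username"), ("password", "secret"), ("server", "host"))

def parse_peer(text):
    """Return (settings dict, lines that still carry a ';<...>' note)."""
    settings, leftovers = {}, []
    for line in text.splitlines():
        if ";<" in line:
            leftovers.append(line.strip())
        body = line.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" in body:
            key, value = body.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings, leftovers

def check_trunk(peer_text, register):
    """List mismatches between PEER Details and the Register String."""
    peer, leftovers = parse_peer(peer_text)
    problems = ["placeholder comments still present"] if leftovers else []
    if peer.get("username") != peer.get("fromuser"):
        problems.append("username and fromuser differ")
    if "g729" in re.split(r"[&,]", peer.get("allow", "")):
        problems.append("allow still lists g729")
    m = REGISTER_RE.match(register.strip())
    if not m:
        return problems + ["register string is not account:password@server"]
    for field, key in PAIRS:
        if m.group(field) != peer.get(key):
            problems.append(f"register {field} does not match peer {key}")
    return problems

# Constructed sample values: account, password and port are not from the post.
GOOD_PEER = """username=100000_102
secret=ExamplePassw0rd
host=chicago4.voip.ms
fromuser=100000_102
allow=ulaw&gsm"""
GOOD_REGISTER = "100000_102:ExamplePassw0rd@chicago4.voip.ms:5061"
BAD_PEER = GOOD_PEER.replace("allow=ulaw", "allow=g729&ulaw").replace(
    "fromuser=100000_102", "fromuser=100000 ;<VoIP.ms account>")
if __name__ == "__main__":
    print(check_trunk(GOOD_PEER, GOOD_REGISTER))  # clean trunk
    print(check_trunk(BAD_PEER, GOOD_REGISTER))   # three findings
```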

Don’t Forget to Apply Configuration

Yes, I have forgotten to do that in Incredible PBX too many times. Without it, the changes will not take effect, as that is what loads the configuration into the Asterisk subsystem.

4. Set Outbound Routes

Do not forget to update Outbound Routes to match secure trunks!

Finally, do not forget to set Outbound Connections to point to the correct Trunks set up above. Also, do not forget to apply the configuration when all done. Remember, the Apply Config button is at the top right of the Incredible PBX admin web page.

Final Checks

Incredible PBX

Look at the log files and confirm the trunks show up in the log like below.

6660	[2022-04-25 16:53:42] NOTICE[17522] chan_sip.c: Peer 'voipms1ssl102' is now Reachable. (230ms / 2000ms)

VoIP.ms

Confirm all are registered and there is a padlock by them. Note, the padlock helps identify a secure channel connection between the Trunk and the VoIP.ms servers, as noted in the image below.

Note all registered with Green Padlock

Troubleshooting

Below, I will give you some of the common errors I ran into. Well, those that I remember anyway. See, I wrote this after getting it fully functional. Oh, I hope you figured this out by now. However, just in case: do not forget to use the Asterisk Log Files! Found here: Reports->Asterisk Logfiles, as shown in the image below.

Very Useful Log file in Incredible PBX!!!

Wrong password error

[2022-04-25 16:45:54] WARNING[17522] chan_sip.c: Forbidden - wrong password on authentication for REGISTER for 'XXXXXX_102' to 'chicago4.voip.ms'

Well, this can be a wrong password. However, I have found it when attempting TLS on a non-TLS account or sub account. For me, it happened because I forgot to hit apply in VoIP.ms. Thus, the secure socket was never turned on.

Fix

Alas, easy fix. Check both Trunk and VoIP.ms settings. Yes, also confirm password is correct in both Trunk and VoIP.ms settings.
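The two chan_sip log lines quoted in this post (the Reachable notice and the wrong-password warning) can be checked for every trunk at once. The Python below is an added example, not part of the original post; the expected trunk names and the third sample line are constructed.

```python
import re
from collections import defaultdict

# Optional viewer line number, then "[timestamp] LEVEL[pid] source: message".
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\[\d+\]\s+"
    r"(?P<src>[\w.]+):\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"Peer '(?P<peer>[^']+)' is now (?P<state>\w+)")
AUTH_RE = re.compile(
    r"wrong password on authentication for REGISTER for "
    r"'(?P<account>[^']+)' to '(?P<server>[^']+)'"
)

def summarize(lines):
    """Return (latest state per peer, REGISTER rejections per account/server)."""
    peer_state, rejected = {}, defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or m.group("src") != "chan_sip.c":
            continue
        peer = PEER_RE.search(m.group("msg"))
        auth = AUTH_RE.search(m.group("msg"))
        if peer:
            peer_state[peer.group("peer")] = (peer.group("state"), m.group("ts"))
        elif auth:
            key = (auth.group("account"), auth.group("server"))
            rejected[key].append(m.group("ts"))
    return peer_state, dict(rejected)

def missing_trunks(peer_state, expected):
    """Expected trunks whose latest logged state is not 'Reachable'."""
    return sorted(t for t in expected
                  if peer_state.get(t, ("", ""))[0] != "Reachable")

# First two lines are the ones quoted in the article; the third is constructed.
SAMPLE = [
    "6660\t[2022-04-25 16:53:42] NOTICE[17522] chan_sip.c: "
    "Peer 'voipms1ssl102' is now Reachable. (230ms / 2000ms)",
    "[2022-04-25 16:45:54] WARNING[17522] chan_sip.c: Forbidden - wrong password "
    "on authentication for REGISTER for 'XXXXXX_102' to 'chicago4.voip.ms'",
    "[2022-04-25 16:54:10] NOTICE[17522] chan_sip.c: "
    "Peer 'voipms1ssl101' is now UNREACHABLE!  Last qualify: 0",
]
EXPECTED = ["voipms1ssl", "voipms1ssl101", "voipms1ssl102"]  # hypothetical names
if __name__ == "__main__":
    state, rejected = summarize(SAMPLE)
    print("not reachable:", missing_trunks(state, EXPECTED))
    print("rejected REGISTER:", rejected)
```

A Reachable line only reports the qualify round trip to the peer, so the padlock on the VoIP.ms side remains the check that the channel is encrypted.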

Dropped or Line Busy Inbound Calls

Wow, many things can cause this. Here is what got me:

  • Bad codec config
  • Server mismatch between DID and Server listed in trunk SIP config AKA host or server above in Trunk Peer settings and Outgoing.
  • Incorrect or disabled Trunk pointing to “Inbound Connections” in Incredible PBX

Sometimes Reboot Fixes Things

See, this system is complex and sometimes things get a little stuck. So, when all else fails try a reboot. I know, that should not help but sometimes it does.
