1. Brekeke Product Name and Version: Brekeke PBX
2. Java version: Latest version
3. OS type and the version: Windows 10 Pro
4. UA (phone), gateway or other hardware/software involved: various SIP devices (Aastra, Grandstream etc)
5. Your problem: Problems getting SIP over TLS to work on inbound DID calls.
I am having a general issue getting inbound DID calls to complete via the Brekeke PBX when using SIP over TLS.
Below is my setup
SIP trunk to Voip Provider -----Brekeke PBX -----SIP device
Between my VOIP provider and the Brekeke PBX, I am using UDP.
Between the Brekeke PBX and the SIP device, I am using TLS.
When I place an inbound call to my DID 1212XXXXXXX, I am getting a SIP 603 Declined response back from the Brekeke PBX.
Below is my inbound rule
Matching Patterns
$request=^INVITE
To = sip:(1212XXXXXXX)@
$transport =^UDP
Deploy Pattern
$transport = TLS
To = sip:%1@216.xxx.xxx.xxx (my Brekeke Server)
$target - 216.xxx.xxx.xxx (my SIP device)
I have TLS-handling enabled on the Brekeke SIP server and the Request Client Certificate is set to OFF.
I have the JKS file type uploaded to the Brekeke server. TLS is enabled on my SIP device. Under Status / SIP server, I see TLS in the transport field.
My outbound SIP over TLS calls complete well with no issues (confirmed using Wireshark).
My inbound calls just fail to SIP 603 Declined.
If I change the transport to UDP instead on the Brekeke server and on the SIP device, the inbound DID calls complete with no issues.
Any suggestions on how to get inbound TLS calls would be appreciated.
SIP over TLS failing on inbound calls
Moderator: Brekeke Support Team
> $target = 216.xxx.xxx.xxx
If your SIP device doesn't have its own TLS certificate, $target= will not work with TLS because the SIP Server cannot authenticate the SIP device. This is how the TLS standard is designed.
If your SIP device is already registered in Brekeke SIP Server over TLS, you can use the same TLS connection to reach back to the SIP device.
Modify the DialPlan rule's Deploy Patterns like this.
[Deploy Patterns]
To = sip:%1@
With the above Deploy Patterns, the SIP Server forwards an INVITE to the SIP device over the same transport connection that the SIP device used for REGISTER.
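A quick way to check the condition the reply describes, namely whether the SIP device itself answers as a TLS server and presents a certificate (added example, not part of the original thread and not Brekeke tooling). The function name is hypothetical, and port 5061 as the device's SIP-over-TLS listener is an assumption; pass the device's actual address and port.

```python
import socket
import ssl
import sys


def probe_tls_server(host, port=5061, timeout=5.0):
    """Report whether host:port behaves as a TLS server with a certificate.

    Returns (status, detail), where status is one of:
      "unreachable" - TCP connect failed (nothing listening, filtered, wrong port)
      "no_tls"      - TCP connected, but the TLS handshake failed or no cert was sent
      "certificate" - handshake completed and the peer presented a certificate
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)

    # Diagnostic only: the question is whether a certificate is presented at
    # all, so chain and hostname verification are switched off for this probe.
    # Whether the certificate is trusted is still decided by the SIP server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            der = tls.getpeercert(binary_form=True)
            if not der:
                return "no_tls", "handshake completed without a certificate"
            return "certificate", f"{tls.version()}, {len(der)}-byte DER certificate"
    except (ssl.SSLError, OSError) as exc:
        # A plain TCP/UDP-only SIP endpoint typically fails here.
        return "no_tls", f"handshake failed: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py <device-address> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <device-address> [port]")
    device_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5061
    print(probe_tls_server(sys.argv[1], device_port))
```

A result of "unreachable" or "no_tls" is consistent with the device only acting as a TLS client toward the server, in which case the registration-based Deploy Pattern from the reply is the route to use.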