scmp

Everything posted by scmp

  1. Domain registrar is wrong? You do realize that it was an example as I didn't want to post the fqdn and ports of my pbx, right? If you actually used M9 and snom you would have known that if the registrar was wrong I could not have registered the M9 in the first place, never mind testing and capturing traffic. I think you already know that plug and play would have fixed absolutely nothing for the encryption issue; you are just posting nonsense now. And you don't say, there are buttons on the side of the phone? That must be a miracle. It never crossed my mind to turn the volume up from the keys... Perhaps you want to inform the readers of this forum why vendors call the M9 a "boomerang". I shiver to think of paying for your commercial license and receiving this kind of support. Wanna guess how many times I'm going to recommend snom as a business voip solution?
  2. Well, it is enabled as I stated at the beginning of the first post:

     Identity 1 > Account > Registrar = <pbx ip>:<TLS port>;transport=tls
     * Outbound Proxy = <pbx ip>:<TLS port>;transport=tls
     Identity 1 > SIP > RTP Encryption = on

     I actually got the RMA; it is going back. I bought it for the "security" features but those seem to not go beyond the marketing materials. To top it off, the volume is low and it creates a bad echo when using a headset. M3 didn't have those issues. Perhaps I'll give M10 a try if there will be such a device but in the meantime I'll go the Grandstream-3CX route. Thank you.
  3. Hi. Nope, no plug and play. I just configured the phone manually.
  4. Sorry if I'm being dense, but what I saw in my tests is that the M9-PBX stream is not encrypted when talking either with an endpoint that does not support SRTP or through a SIP trunk. This is the part I cannot get my head around. My expectation was to have M9-PBX stream encrypted and PBX-sip trunk unencrypted. Thanks for the link; hopefully ZRTP passthrough will be available in Snom ONE soon. From the comments section of that blog post I understand that regular builds don't include ZRTP but a custom one could be provided. If that's the case, can I have it? Getting additional M9 endpoints would take care of the encryption issue with key exchange so the ZRTP build would be just for me to toy around with. However, here is my real life situation that keeps me trying for real encryption. One of the endpoints is in a European country that pumps out hackers on an assembly line. On my last visit I had an account for an online service hacked by sniffing the traffic at the demarc. The endpoint there is now a Grandstream that doesn't support TLS/SRTP and my plan was to replace it with an M9. My Snom ONE PBX is on an Amazon EC2 machine. I'm in the US and I have the M9 here (replaced an M3). So, once I ship an M9 overseas, internal calls are safe (key exchange or ZRTP). What concerns me is the call between the non-US M9 and my cell phone. Since the call to my cell phone will go over the sipgate trunk the encryption will be dropped altogether for the entire stream and not only the PBX-sipgate-cell legs.
  5. Thank you for replying. Not sure why you consider the padlock indication a minor problem. We are talking about security. A phone is advertised and sold as supporting TLS/SRTP and the product datasheets tout security and privacy. Yet, the phone shows an encrypted call but it can be decoded with 2 mouse clicks. Never mind the M3 not supporting TLS/SRTP; it is only about M9. If security is dropped because one endpoint doesn't support it then the padlock should stay open on the M9 screen. If I force codec selection on the registration settings, M9 G722 and M3 G711, then the PBX will do transcoding so media is sure to travel M9-PBX-M3. But in this scenario the entire M9-PBX-M3 stream is unencrypted (M9 padlock shows closed), not only PBX-M3. Where is that ticket you mentioned opened? Is it publicly available to read how it is addressed?
  6. I've been on a quest to secure my voip traffic for some time and it led me to snom ONE; gave up on SRTP on Asterisk. I've been running a snom One pbx on an Amazon AMI for some time with only few issues. Recently I purchased a snom M9 and I started testing the SRTP feature. Below are the test environment and results; further below are my comments on how this is not really working as advertised.

     PBX:
       PBX Snom One 4.3.0.5020
       Amazon Linux AMI release 2011.09 x32
     snom M9:
       Version 9.4.12-a
     PSTN termination:
       SIP trunk via sipgate

     Test setup:
       Voip phones: M9 and M3 connected to the same snom ONE pbx
       Cell phone via SIP trunk
       Wireshark capture ran on the pbx
       Certificates are the default snom certificates on both M9 and pbx

     Test Results:

     *** with encryption set
     Identity 1 > Account > Registrar = <pbx ip>:<TLS port>;transport=tls
     * Outbound Proxy = <pbx ip>:<TLS port>;transport=tls
     Identity 1 > SIP > RTP Encryption = on
     ~~~logs confirm signaling over TLS (SIP/2.0/TLS)

     M9 -> Voicemail
       - padlock = closed
       - decode outgoing = no
       - decode incoming = no
       * call not found in the capture by wireshark VoIP plugin

     M9 -> Cell
       - padlock = closed
       - can hear what I say while ringing (see note 1 for explanation) = yes
       - decode outgoing = yes
       - decode incoming = yes

     M9 -> M3
       - padlock = closed
       - can hear what I say while ringing = no
       - decode outgoing = yes
       - decode incoming = yes

     M3 -> M9
       - padlock = closed
       - can hear what I say while ringing = yes
       - decode outgoing = yes
       - decode incoming = yes

     *** with encryption NOT set
     Identity 1 > Account > Registrar = <pbx ip>:<SIP port>
     * Outbound Proxy = <pbx ip>:<SIP port>
     Identity 1 > SIP > RTP Encryption = off

     M9 -> Voicemail
       - padlock = open
       - decode outgoing = no
       - decode incoming = no
       * call found in the capture by wireshark VoIP plugin, decoded but nothing playing

     M9 -> Cell
       - padlock = open
       - can hear what I say while ringing = yes
       - decode outgoing = yes
       - decode incoming = yes

     M9 -> M3
       - padlock = open
       - can hear what I say while ringing = no
       - decode outgoing = yes
       - decode incoming = yes

     M3 -> M9
       - padlock = open
       - can hear what I say while ringing = yes
       - decode outgoing = yes
       - decode incoming = yes

     note 1: "can hear what I say while ringing" means that while playing the capture decoded with wireshark I can hear myself talking while the remote party is still ringing (before picking up). This is on the caller's stream. So media is transmitted before the call is set up.

     =================================

     This is it. It looks like the only really secure call is the M9 - Voicemail call. For the tests with the M3 phone I was expecting the M9-PBX leg to be encrypted and PBX-M3 not encrypted. Same for the tests with the cell phone (M9-PBX leg to be encrypted). I'm assuming that a call between 2 M9 phones with encryption set would be indeed encrypted end to end. The tests without encryption set are not relevant for this encryption issue; I tested that way to see if the media is sent early as in the first tests.

     So, what am I missing? The closed padlock is certainly misleading. Am I not understanding correctly how this encryption thingy is supposed to work or did I run into some known bugs with M9?
  7. Hi, I'm using it on CentOS Amazon AMI, x32. Your screenshot is different than mine; is that from the beta you mentioned earlier?
  8. 4.3.0.5020 Nope, after I upload them I'm not given those choices in PM.
  9. Thanks for replying. The thing is that after I upload them, they are not given as options when calling PM and pressing 9. Also, there is no confirmation that they are actually uploaded and so far I haven't found them on the file system.
  10. Hello, On Account settings > Mailbox there is a section "Files". What is it for? I can upload files but they don't seem to go anywhere.
  11. That worked! I removed the certificates I had imported (all except snom certificates) and imported the one in the thread you linked to as Trusted Root CA for server authentication. Also, I changed to Account: user@gmail.com (instead of Account: user). Thanks a lot for your help.
  12. Hello, I'm using snom One Version: 2011-4.2.0.3981 (Win64) and I can't figure out how to send voicemails to email using gmail. The email configuration is:

      from address: user@gmail.com
      Account: user
      Password: password
      SMTP server: smtp.gmail.com:587
      Encryption: Automatic

      And this is what is constantly reported in the log:

      [4] 2011/05/15 14:14:15: Certificate for Equifax Secure Certificate Authority not available
      [5] 2011/05/15 14:14:15: SMTP: Connection refused on 209.85.225.109:587

      I imported the GeoTrust Global CA and GeoTrust Primary Certification Authority but still no dice. Thanks in advance for any help.
  13. Thank you for the reply and sorry for responding so late. I'll give it a shot. Thanks.
  14. Hello, While setting up a sip trunk with sipgate, it registers successfully initially but a few minutes later it shows "400 Bad Request (Registration failed, retry after 60 seconds)". Setting keepalive to different values (30, 60, 180) didn't seem to make a difference. This is a screenshot of the trunk status: capture

      And the logs below. I noticed P-Registrar-Error: Invalid CSeq number at the end. Does that point to a bad SIP implementation? If it does, which one, snom ONE or sipgate?

      REGISTER sip:sipgate.com SIP/2.0
      Via: SIP/2.0/UDP yy.yy.yy.yy:5060;branch=z9hG4bK-99919a0008f368a0dc31dd56a884570c;rport
      From: "****" <sip:****@sipgate.com>;tag=22009
      To: "****" <sip:****@sipgate.com>
      Call-ID: 1til7rhv@pbx
      CSeq: 4891 REGISTER
      Max-Forwards: 70
      Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;+sip.instance="<urn:uuid:c8d3c441-6829-4e9b-86d0-e12afdabc4f2>"
      User-Agent: snom-PBX/4.2.0.3950
      Supported: outbound
      Expires: 3600
      Content-Length: 0

      [9] 2010/11/21 11:33:03: SIP Rx udp:204.155.28.10:5060:
      SIP/2.0 401 Unauthorized
      Via: SIP/2.0/UDP yy.yy.yy.yy:5060;received=yy.yy.yy.yy;branch=z9hG4bK-99919a0008f368a0dc31dd56a884570c;rport=5060
      From: "****" <sip:****@sipgate.com>;tag=22009
      To: "****" <sip:****@sipgate.com>;tag=ebea40332804c9eac6fca132b3193bcb.cbcb
      Call-ID: 1til7rhv@pbx
      CSeq: 4891 REGISTER
      WWW-Authenticate: Digest realm="sipgate.com", nonce="4ce958fb03a273b0f769047ecc57d71969169e9d"
      Content-Length: 0

      [8] 2010/11/21 11:33:03: Answer challenge with username ****
      [9] 2010/11/21 11:33:03: Resolve 126: udp 204.155.28.10 5060 udp:1
      [9] 2010/11/21 11:33:03: SIP Tx udp:204.155.28.10:5060:
      REGISTER sip:sipgate.com SIP/2.0
      Via: SIP/2.0/UDP yy.yy.yy.yy:5060;branch=z9hG4bK-94e04b8c0caa173656b5a21dec574eae;rport
      From: "****" <sip:****@sipgate.com>;tag=22009
      To: "****" <sip:****@sipgate.com>
      Call-ID: 1til7rhv@pbx
      CSeq: 45315 REGISTER
      Max-Forwards: 70
      Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;+sip.instance="<urn:uuid:c8d3c441-6829-4e9b-86d0-e12afdabc4f2>"
      User-Agent: snom-PBX/4.2.0.3950
      Supported: outbound
      Authorization: Digest realm="sipgate.com",nonce="4ce958fb03a273b0f769047ecc57d71969169e9d",response="c73a9c2d7128fb559ac15d008323121a",username="****",uri="sip:sipgate.com",algorithm=MD5
      Expires: 3600
      Content-Length: 0

      [9] 2010/11/21 11:33:03: Message repetition, packet dropped
      [9] 2010/11/21 11:33:04: SIP Rx udp:204.155.28.10:5060:
      SIP/2.0 400 Bad Request
      Via: SIP/2.0/UDP yy.yy.yy.yy:5060;received=yy.yy.yy.yy;branch=z9hG4bK-94e04b8c0caa173656b5a21dec574eae;rport=5060
      From: "****" <sip:****@sipgate.com>;tag=22009
      To: "****" <sip:****@sipgate.com>;tag=ebea40332804c9eac6fca132b3193bcb.1ba3
      Call-ID: 1til7rhv@pbx
      CSeq: 45315 REGISTER
      Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;expires=419
      P-Registrar-Error: Invalid CSeq number
      Content-Length: 0

      [5] 2010/11/21 11:33:04: Registration on trunk 5 (SIPGate) failed. Retry in 60 seconds
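
Added example, not part of the original post and not snom or sipgate code: RFC 3261 section 10.2 requires a UA to increment CSeq by one for each REGISTER sent with the same Call-ID, so a log like the one in post 14 can be checked mechanically. The sketch below groups REGISTER requests by Call-ID and flags any step that is neither +1 nor an identical retransmission; the sample log is constructed (the Call-ID and CSeq values are those shown in the post, the IP address is a documentation placeholder) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the PBX log above; Call-ID and CSeq
# values come from that log, the IP address is a placeholder (192.0.2.0/24).
SAMPLE_LOG = """\
REGISTER sip:sipgate.com SIP/2.0
Call-ID: 1til7rhv@pbx
CSeq: 4891 REGISTER
Content-Length: 0
[9] 2010/11/21 11:33:03: SIP Rx udp:192.0.2.10:5060:
SIP/2.0 401 Unauthorized
Call-ID: 1til7rhv@pbx
CSeq: 4891 REGISTER
Content-Length: 0
[9] 2010/11/21 11:33:03: SIP Tx udp:192.0.2.10:5060:
REGISTER sip:sipgate.com SIP/2.0
Call-ID: 1til7rhv@pbx
CSeq: 45315 REGISTER
Content-Length: 0
"""

REQUEST = re.compile(r"^REGISTER \S+ SIP/2\.0$")
RESPONSE = re.compile(r"^SIP/2\.0 \d{3} ")
HEADER = re.compile(r"^(Call-ID|CSeq):\s*(\S+)", re.IGNORECASE)

def register_cseqs(log_text):
    """Return {call_id: [cseq, ...]} for REGISTER requests, in log order."""
    seen = defaultdict(list)
    in_request, fields = False, {}
    for line in log_text.splitlines():
        line = line.strip()
        if REQUEST.match(line):
            in_request, fields = True, {}
        elif RESPONSE.match(line):
            in_request = False          # responses echo the CSeq; skip them
        elif in_request and (m := HEADER.match(line)):
            fields[m.group(1).lower()] = m.group(2)
            if len(fields) == 2:        # both Call-ID and CSeq collected
                seen[fields["call-id"]].append(int(fields["cseq"]))
                in_request = False
    return dict(seen)

def cseq_gaps(log_text):
    """Flag REGISTER pairs on one Call-ID whose CSeq is not +1 (or a resend)."""
    return [(cid, a, b)
            for cid, seq in register_cseqs(log_text).items()
            for a, b in zip(seq, seq[1:]) if b not in (a, a + 1)]

if __name__ == "__main__":
    for cid, prev, cur in cseq_gaps(SAMPLE_LOG):
        print(f"{cid}: CSeq {prev} -> {cur} (expected {prev + 1})")
```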