
TLS trunk


Does a TLS trunk require "Explicitly list addresses for inbound traffic"? Is that correct?


No, TLS trunks don't require that (though it is a good way to further secure the trunk).


You might stumble over the certificate problem, where either the PBX does not trust the client certificate from the SIP client or the SIP client does not trust the cert of the server. The log will show this on one of the sides.


It runs the DNS NAPTR, SRV, AAAA and A resolution and comes up with one IP address. When verifying the domain, the IP address does not matter (unless it is in the domain name or outbound proxy). It checks if what is being presented as certificate matches the domain name, and if yes, it proceeds.


Actually, when I try, I can connect using TLS (the certificate works). DNS resolution did not work out of the box; I needed to add transport=tls, but then the TLS connection was fine.


Yes and no. From a trunk association point of view, it would allow it. The PBX really does a recursive lookup of the possible IP addresses, unless explicitly specified. However, it has no relevance for TCP and TLS, as the registration is always connection-oriented (unless the registrar starts opening new TCP connections to the PBX, which is unlikely in case the PBX is behind NAT). The reverse lookup is only interesting for UDP-based trunk registrations.


I have 2 SIP switches: #1 residential, #2 business. (Yes, odd; I just have not migrated.)

Switch 1) The PBX registers to node1. A call comes in on node3; it will transfer to node1 and then to the PBX. *No issues: the PBX is registered and knows the IP.

Switch 2) I have 3 nodes with a central database. The PBX registers to node1, but a call comes in on node3. node3, seeing the registration IP (from the database), sends the call to the PBX directly.

So for scenario #2, there is no option but to have all 3 node IPs in the explicit list, right? Because there is no DNS control to recognize that tls.io has the 3 IPs as possibilities.


Again, you can put all those three IPs in the list of explicit addresses. But it would not solve your problem. With TCP and TLS, the switch must know where the registration is and send it through that TCP or TLS connection. The point is simply that the PBX is the TCP client and the registrar is the TCP server. This is like a wire between the PBX and the switch. You can put messages in only at the two ends; "injecting" messages is not possible. So if the PBX, let's say, is registered to server #2 and you want to send a message to the PBX, you will have to send it through the connection with that server #2.
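To make the routing difference concrete, here is a small added model (not the PBX's or the switch's code; node names, addresses and the AOR are constructed) of a three-node registrar cluster with a shared registration database. A UDP registration records a contact any node can send to directly, which is why the explicit inbound-address list matters there; a TLS registration is bound to the node holding the client-initiated connection, so another node must relay the call through it.

```python
"""Constructed model of connection-bound SIP registrations across registrar nodes."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Registration:
    aor: str         # address of record, e.g. "sip:pbx@example.invalid" (constructed)
    transport: str   # "udp", "tcp" or "tls"
    contact: str     # IP:port the PBX registered from (constructed sample)
    home_node: str   # node that accepted the REGISTER; for TCP/TLS it owns the socket

@dataclass
class Cluster:
    nodes: list[str]
    db: dict[str, Registration] = field(default_factory=dict)  # shared database

    def register(self, node: str, aor: str, transport: str, contact: str) -> None:
        if node not in self.nodes:
            raise ValueError(f"unknown node {node}")
        self.db[aor] = Registration(aor, transport.lower(), contact, node)

    def route_inbound(self, arriving_node: str, aor: str) -> Optional[tuple[str, str, str]]:
        """Decide which node sends the INVITE and how, for a call arriving at arriving_node.

        Returns (sending_node, method, contact) or None if the AOR is not registered.
        """
        reg = self.db.get(aor)
        if reg is None:
            return None
        if reg.transport == "udp":
            # Datagrams can be sent from any node straight to the registered contact.
            # The PBX therefore sees packets from every node, which is the case an
            # explicit inbound-address list has to cover.
            return (arriving_node, "direct", reg.contact)
        # TCP/TLS: the PBX opened the connection, only home_node holds the accepted
        # socket, and messages can only enter that "wire" at its two ends.
        if arriving_node == reg.home_node:
            return (reg.home_node, "existing-connection", reg.contact)
        return (reg.home_node, "relay-to-home-node", reg.contact)

def demo() -> tuple:
    """Both scenarios from the thread: TLS registration and UDP registration on node1."""
    cluster = Cluster(["node1", "node2", "node3"])
    cluster.register("node1", "sip:pbx-tls@example.invalid", "tls", "203.0.113.10:5061")
    cluster.register("node1", "sip:pbx-udp@example.invalid", "udp", "203.0.113.10:5060")
    tls_route = cluster.route_inbound("node3", "sip:pbx-tls@example.invalid")
    udp_route = cluster.route_inbound("node3", "sip:pbx-udp@example.invalid")
    return tls_route, udp_route
```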
