[voodx]

I have two Linksys SPA-3102 both with certificates generated by Voxilla, my question is: how can I make them work together (direct connection) using TLS as transport for SIP?

I've activated this option on both but nothing happens if I don't select UDP as transport. Everything works fine if using UDP though... SRTP also works fine between the two.

Do I need to use a provider that supports TLS for them to work? I would rather have direct connections.

I would really appreciate if anyone can help me with this.

[sachu_99]

For TLS certificate-based authentication to work, one end has to be a server and the other end has to be a client. (See TLS handshake protocol). The Linksys adapter can work as a TLS client, but not as a server. Consequently, when you enable TLS on both adapters, both are ready to act as TLS clients, but none as a TLS server.

With UDP, we don't have this issue. UDP can be used for SIP to create direct peer-to-peer session.

One of the possible solutions is to use an IP-PBX to act as TLS server. Both adapters will setup TLS with the IP-PBX. Of course, if these two adapters are geographically not co-located, then you will need static IP for the IP-PBX. OpenSER is a good example of free IP-PBX with TLS support.

[jan1972]

If you want to get TLS working you need a server that does TLS. If you want to try open source, check out the latest SER. It comes with a proper TLS support. If you use this one, you will have to negotiate the SRTP keys "through" the proxy - which should be no problem.

If you want to use a PBX, open source seems not to be an option at the moment. So far it seems that only pbxnsip offers TLS support. It works with counterpath, InGate, Polycom and snom and also some others and it uses the SDES key exchange which seems to be the way to go. Not sure if it works with the Linksys TLS, but it is worth a try.