Back-to-back User Agent (b2bua)

Last modified by Thibault Lemaire on 2024/03/25 11:48

Available in Flexisip 2.2 and later

Overview

This page describes the key configuration settings of the b2bua server and how to set up the proxy to communicate with it. If you don't know what the b2bua server is useful for, visit the feature page about the b2bua server before going further.

Launching the b2bua server

Using SystemD

Simply use the following command to start the service:

systemctl start flexisip-b2bua

Don't forget to enable the service if you want it to start on system boot:

systemctl enable flexisip-b2bua

Invoking Flexisip directly

/opt/belledonne-communications/bin/flexisip --server b2bua

Configuration

The b2bua server configuration is divided into subsections, one for each specific application. The global configuration resides in the b2bua-server section:

[b2bua-server]
# Select address and port to listen on
transports=sip:127.0.0.1:6067;transport=tcp

# The b2bua server needs a writable directory to store data
data-directory=/var/opt/belledonne-communications/flexisip/b2b

# The Flexisip proxy URI to which the b2bua server should send all its outgoing SIP requests.
# This must match the internal-transport configuration in the cluster section of the proxy configuration
# Note: This is only used in trenscrypter mode. The sip-bridge mode has finer-grained configuration options.
outbound-proxy=sip:127.0.0.1:5060;transport=tcp

# The sub-module to load. This will define how the b2bua bridges calls. See below for details.
application=trenscrypter

Trenscrypter application

The leg A media encryption mode is selected by the endpoint placing the outgoing call (leg A). The b2bua accepts any of: unencrypted call, SDES, DTLS-SRTP, ZRTP.

The encryption bridge is configured in a dedicated subsection, b2bua-server::trenscrypter. It lets you select the media encryption mode on the leg B call, or the SRTP crypto suite if SDES mode is selected, based on the recipient sip:URI (or GRUU if the call recipient is a GRUU).

Leg B media encryption modes

Valid encryption modes are:

  • zrtp
  • dtls-srtp
  • sdes
  • none

This configuration is a formatted list of:
mode1 regex1 mode2 regex2 ... moden regexn
Regexes use POSIX syntax; any invalid regex is skipped along with its associated mode.

Each regex is applied, in the given order, to the call recipient sip:URI (including parameters if any, so it can be a GRUU). The first match found determines the encryption mode.

If no regex matches the recipient sip:URI, the leg A media encryption mode is used.
 

[b2bua-server::trenscrypter]

outgoing-enc-regex=zrtp .*@sip\.secure-example\.org dtls-srtp .*dtls@sip\.example\.org zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org

In the above example, the recipient sip:URI is matched in order with:

  • .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example.org uses zrtp encryption mode
  • .*dtls@sip\.example\.org so any call on sip.example.org to a username ending with dtls uses dtls-srtp encryption mode
  • .*zrtp@sip\.example\.org so any call on sip.example.org to a username ending with zrtp uses zrtp encryption mode
  • .*@sip\.example\.org so any other call directed to an address on domain sip.example.org uses sdes encryption mode

If the recipient address includes parameters, the previous regexes will not match, as the parameters are concatenated after the domain. Example: alice@sip.secure-example.org;gr=urn:uuid:f81d4fae

To ignore sip:URI parameters completely, add (;.*)? at the end of the regex. Example:

[b2bua-server::trenscrypter]

outgoing-enc-regex=zrtp .*@sip\.secure-example\.org(;.*)?

SRTP crypto suite selection when leg B media encryption mode is SDES

When the selected media encryption mode is SDES, it is also possible to select an ordered list of SRTP crypto suites proposed in the SDP of the outgoing INVITE.

Available SRTP crypto suites are:

  • AES_CM_128_HMAC_SHA1_80
  • AES_CM_128_HMAC_SHA1_32
  • AES_256_CM_HMAC_SHA1_80
  • AES_256_CM_HMAC_SHA1_32

The configuration is a formatted list of:
cryptoSuiteList1 regex1 cryptoSuiteList2 regex2 ... cryptoSuiteListn regexn
with cryptoSuiteList being a ;-separated list of SRTP crypto suites.

Each regex is applied, in the given order, to the call recipient sip:URI (including parameters if any, so it can be a GRUU). The first match found determines the crypto suite list used.

If no regex matches, the default is: AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32

[b2bua-server::trenscrypter]

outgoing-srtp-regex=AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 .*@sip\.secure-example\.org AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org

In the above example, the recipient sip:URI is matched in order with:

  • .*@sip\.secure-example\.org so any call directed to an address on domain sip.secure-example.org uses the AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 suites (in that order)
  • .*@sip\.example\.org so any call directed to an address on domain sip.example.org uses the AES_CM_128_HMAC_SHA1_80 suite

As described in the previous section, you may want to add (;.*)? at the end of the regex to ignore sip:URI parameters.
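The first-match rules of outgoing-enc-regex and outgoing-srtp-regex described above can be checked offline before deploying a policy. The following is an added example, not Flexisip code: it uses Python's re module as a stand-in for POSIX regexes, assumes the regex must match the whole recipient URI (as the parameter caveat above implies), and runs on constructed sample URIs. It makes the fallback visible: a GRUU that misses every regex silently gets the leg A mode, which may be unencrypted.

```python
import re

# Default list from the page, used when no outgoing-srtp-regex entry matches.
DEFAULT_SUITES = ("AES_CM_128_HMAC_SHA1_80;AES_CM_128_HMAC_SHA1_32;"
                  "AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32")

# Values copied from the page's configuration examples.
ENC = (r"zrtp .*@sip\.secure-example\.org dtls-srtp .*dtls@sip\.example\.org "
       r"zrtp .*zrtp@sip\.example\.org sdes .*@sip\.example\.org")
ENC_PARAMS = r"zrtp .*@sip\.secure-example\.org(;.*)?"
SRTP = (r"AES_256_CM_HMAC_SHA1_80;AES_256_CM_HMAC_SHA1_32 "
        r".*@sip\.secure-example\.org AES_CM_128_HMAC_SHA1_80 .*@sip\.example\.org")

def parse_pairs(value):
    """Split 'v1 regex1 v2 regex2 ...' into [(value, compiled_regex)].
    A pair whose regex does not compile is skipped with its value."""
    tokens = value.split()
    pairs = []
    for val, rx in zip(tokens[0::2], tokens[1::2]):
        try:
            pairs.append((val, re.compile(rx)))
        except re.error:
            continue
    return pairs

def first_match(pairs, uri, fallback):
    """Value of the first regex matching the whole URI, else the fallback."""
    for val, rx in pairs:
        if rx.fullmatch(uri):  # assumption: whole-string match
            return val
    return fallback

def leg_b_mode(enc_regex, uri, leg_a_mode):
    # No match: leg B inherits whatever leg A negotiated.
    return first_match(parse_pairs(enc_regex), uri, leg_a_mode)

def leg_b_suites(srtp_regex, uri):
    return first_match(parse_pairs(srtp_regex), uri, DEFAULT_SUITES).split(";")

if __name__ == "__main__":
    # Constructed recipients; leg A is assumed to be an unencrypted call.
    for uri in ("sip:alice@sip.secure-example.org",
                "sip:alice@sip.secure-example.org;gr=urn:uuid:f81d4fae",
                "sip:carol@sip.example.org"):
        print(uri, leg_b_mode(ENC, uri, "none"),
              leg_b_mode(ENC_PARAMS, uri, "none"), leg_b_suites(SRTP, uri))
```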

Configure the proxy server to route calls to a b2bua server

# Any call-related requests (INVITE, ACK, etc.) that enter
# this module will be redirected to the B2BUA server.
# Use the 'filter' parameter if you need to prevent some
# requests from being redirected to the B2BUA.
[module::B2bua]
enable=true
filter=

Sip-bridge application

This section has been split into a dedicated page.