Kamailio + Rtpengine Webrtc->Kamailio->Asterisk no Audio

[Fernando Lopes]

Hello everyone,
I'm having an issue and could use some help:
[srtp] SRTP output wanted, but no crypto suite was negotiated
My setup is: WebRTC → WSS → Kamailio → UDP → Asterisk

Here’s the Kamailio configuration I’m using:
`route[SET_RTP_DIRECTION] {
$var(dst_a)=$du;
(var(dst_a){s.replace,sip:,});
(var(dst_b){s.replace,:5080,});
if (!is_ip_rfc1918("$si") && !is_ip_rfc1918("$var(dst)")) {
$dlg_var(rtp_direction) = "direction=external direction=external";
return;
} else if (!is_ip_rfc1918("$si") && is_ip_rfc1918("$var(dst)")) {
$dlg_var(rtp_direction) = "direction=external direction=internal";
return;
} else if (is_ip_rfc1918("$si")) {
$dlg_var(rtp_direction) = "direction=internal direction=external";
return;
} else if (!is_ip_rfc1918("$si")) {
$dlg_var(rtp_direction) = "direction=external direction=external";
return;
}

}

route[GET_ICE] {
if (isflagset(FLT_FROM_TLS)) {
if (is_ip_rfc1918("$si")) {
$dlg_var(ice) = "ICE=force RTP/SAVPF";
} else {
$dlg_var(ice) = "ICE=remove RTP/AVP";
}
} else {
$dlg_var(ice) = "ICE=remove";
}
}

route[BUILD_RTPENGINE_PARAMETER] {
route(SET_RTP_DIRECTION); # returns $dlg_var(rtp_direction)
if ( is_method("INVITE") ) {
route(GET_ICE); # returns $dlg_var(ice)
}
$var(rtp_param) = "replace-origin replace-session-connection " + $dlg_var(ice) + " " + $dlg_var(rtp_direction);
rtpengine_manage($var(rtp_param));
}`

Logs:
`[srtp] Processing incoming DTLS packet
[srtp] Sending DTLS packet
[srtp] Sending DTLS packet
[srtp] Sending DTLS packet
[srtp] Sending DTLS packet
[srtp] Sending DTLS packet
[srtp] Processing incoming DTLS packet
[crypto] DTLS: Peer certificate accepted
[srtp] Sending DTLS packet
[srtp] Sending DTLS packet
[crypto] DTLS handshake successful
[crypto] DTLS-SRTP successfully negotiated using AES_CM_128_HMAC_SHA1_80
[srtp] SRTP keys, incoming:
[srtp] --- AES_CM_128_HMAC_SHA1_80 key YortX5/hCupZzMIF/cWE1w== salt Hb0TpUrEoL0PPSZ9uRE=
[srtp] SRTP keys, outgoing:
[srtp] --- AES_CM_128_HMAC_SHA1_80 key FNPwtH7FmgWQVn+m5+Do3A== salt vUUSrJJacQo9r1MWk20=
[crypto] DTLS-SRTP successfully negotiated using AES_CM_128_HMAC_SHA1_80
[srtp] SRTP keys, incoming:
[srtp] --- AES_CM_128_HMAC_SHA1_80 key YortX5/hCupZzMIF/cWE1w== salt Hb0TpUrEoL0PPSZ9uRE=
[srtp] SRTP keys, outgoing:
[srtp] --- AES_CM_128_HMAC_SHA1_80 key FNPwtH7FmgWQVn+m5+Do3A== salt vUUSrJJacQo9r1MWk20=
[ice] Sending ICE/STUN request for candidate pair udlODE5B1Kl51a8f:4284775548:1 from 10.5.0.8 to 169.254.226.251:49156
[ice] Sending ICE/STUN request for candidate pair udlODE5B1Kl51a8f:3499111857:1 from 10.5.0.8 to 172.31.208.1:49157
[ice] Sending ICE/STUN request for candidate pair udlODE5B1Kl51a8f:3181892339:1 from 10.5.0.8 to 192.168.1.165:49158
[ice] Sending ICE/STUN request for candidate pair udlODE5B1Kl51a8f:2087290297:1 from 10.5.0.8 to 176.223.17.217:49158
[ice] Sending ICE/STUN request for candidate pair mKKrzeQ2xypmkl66:Hac1fd94a:1 from 10.5.0.8 to 172.31.217.74:35826
[core] New ingress SSRC for: 10.5.0.2:35826 SSRC: 61cc1d7f
[srtp] Generated session key: master key 14d3f0b4..., master salt bd4512ac..., label 00, length 16, result 1965d69c...
[srtp] Generated session key: master key 14d3f0b4..., master salt bd4512ac..., label 01, length 20, result 166d5684...
[srtp] Generated session key: master key 14d3f0b4..., master salt bd4512ac..., label 02, length 14, result 1d205ab9...
[core] Handling packet: remote 10.5.0.2:35826 (expected: 10.5.0.2:35826) -> local 10.5.0.8:19316 (RTP seq 5382 TS 80 SSRC 61cc1d7f)
[core] New egress (direct) SSRC for: 176.223.17.217:49158 SSRC: 61cc1d7f
[srtp] SRTP output wanted, but no crypto suite was negotiated
[core] Error when sending message. Error: Inappropriate ioctl for device
[core] Handling packet: remote 10.5.0.2:35826 (expected: 10.5.0.2:35826) -> local 10.5.0.8:19316 (RTP seq 5383 TS 160 SSRC 61cc1d7f)

[core] Closing call due to timeout
[core] Final packet stats:
[core] --- Tag 'm5qgq6plgn', created 1:51 ago for branch ''
[core] --- subscribed to media with monologue tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81' (index: 1)
[core] --- subscription for media with monologue tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81' (index: 1)
[core] ------ Media #1 (audio over RTP/SAVPF) using unknown codec
[core] --------- Port 10.5.0.8:16324 <> 176.223.17.217:49158, SSRC 0, in 0 p, 0 b, 112 e, 111 ts, out 0 p, 0 b, 0 e
[core] --- Tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81', created 1:51 ago for branch ''
[core] --- subscribed to media with monologue tag 'm5qgq6plgn' (index: 1)
[core] --- subscription for media with monologue tag 'm5qgq6plgn' (index: 1)
[core] ------ Media #1 (audio over RTP/SAVPF) using G722/8000
[core] --------- Port 10.5.0.8:19316 <> 10.5.0.2:35826, SSRC 61cc1d7f, in 112 p, 10304 b, 0 e, 106 ts, out 7 p, 1947 b, 0 e`

Thank you.

[Richard Fuchs]

On 20/09/2025 09.55, Fernando Lopes wrote:

Hello everyone,
I'm having an issue and could use some help:
[srtp] SRTP output wanted, but no crypto suite was negotiated
My setup is: WebRTC → WSS → Kamailio → UDP → Asterisk

As already mentioned on the Kamailio mailing list, based on this:

[core] --- Tag 'm5qgq6plgn', created 1:51 ago for branch ''
[core] --- subscribed to media with monologue tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81' (index: 1)
[core] --- subscription for media with monologue tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81' (index: 1)
[core] ------ Media #1 (audio over RTP/SAVPF) using unknown codec
[core] --------- Port 10.5.0.8:16324 <> 176.223.17.217:49158, SSRC 0, in 0 p, 0 b, 112 e, 111 ts, out 0 p, 0 b, 0 e
[core] --- Tag '3cbf0a9a-4818-487a-8c77-2e9f2afdaa81', created 1:51 ago for branch ''
[core] --- subscribed to media with monologue tag 'm5qgq6plgn' (index: 1)
[core] --- subscription for media with monologue tag 'm5qgq6plgn' (index: 1)
[core] ------ Media #1 (audio over RTP/SAVPF) using G722/8000
[core] --------- Port 10.5.0.8:19316 <> 10.5.0.2:35826, SSRC 61cc1d7f, in 112 p, 10304 b, 0 e, 106 ts, out 7 p, 1947 b, 0 e`

it looks like you're trying to do SRTP on both sides, when I'm guessing the Asterisk side should be plain RTP.

Also as already mentioned, enable debug logging and inspect the flags passed to rtpengine for the offers and answers. From there you should be able to see which flags are passed wrong, or which are missing.

Cheers

[Fernando Lopes]

I know, I've been trying for a day and half and still nothing, I think I might go insane, I don't know what to try next, I receive audio from asterisk but sending it back to the client is being the problem.

[srtp] Generated session key: master key 113d7eac..., master salt 267e96e7..., label 03, length 16, result a94fd827...
[srtp] Generated session key: master key 113d7eac..., master salt 267e96e7..., label 04, length 20, result 73e35d6d...
[srtp] Generated session key: master key 113d7eac..., master salt 267e96e7..., label 05, length 14, result 2b4d1c96...
[srtp] Crypto debug: RTCP SSRC f30ad242, enc pl: 65ee3385a100001, idx 2147483649, rcv hmac: e2e51eb35f87af8edd09, calc hmac: e2e51eb35f87af8edd09, dec pl: ec7968d960009f9c81ca0
[core] Handling packet: remote 10.5.0.2:44790 (expected: 10.5.0.2:44790) -> local 10.5.0.8:17198
[rtcp] Calling handler for RTCP packet type 200
[core] SR from 42d20af3: RTP TS 36320 PC 454 OC 40860 NTP TS 3967379673/1820546432=3967379673.423879
[rtcp] Calling handler for RTCP packet type 202
[rtcp] SRTCP output wanted, but no crypto suite was negotiated

[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26533 TS 33904 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26534 TS 33984 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26535 TS 34064 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26536 TS 34144 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26537 TS 34224 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26538 TS 34304 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26539 TS 34384 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26540 TS 34464 SSRC 17668769)
[core] Handling packet: remote 10.5.0.2:40286 (expected: 10.5.0.2:40286) -> local 10.5.0.8:13362 (RTP seq 26541 TS 34544 SSRC 17668769)

[core] --- Tag 'eaeplccpc0', created 1:51 ago for branch ''
[core] ---     subscribed to media with monologue tag 'ddbd1d9f-cce7-4abe-94b5-6154f3a5303a' (index: 1)
[core] ---     subscription for media with monologue tag 'ddbd1d9f-cce7-4abe-94b5-6154f3a5303a' (index: 1)
[core] ------ Media #1 (audio over UDP/TLS/RTP/SAVPF) using unknown codec
[core] --------- Port        10.5.0.8:18026 <>  176.223.17.217:60002, SSRC 0, in 0 p, 0 b, 340 e, 111 ts, out 0 p, 0 b, 0 e
[core] --- Tag 'ddbd1d9f-cce7-4abe-94b5-6154f3a5303a', created 1:51 ago for branch ''
[core] ---     subscribed to media with monologue tag 'eaeplccpc0' (index: 1)
[core] ---     subscription for media with monologue tag 'eaeplccpc0' (index: 1)
[core] ------ Media #1 (audio over UDP/TLS/RTP/SAVPF) using G722/8000
[core] --------- Port        10.5.0.8:13362 <>        10.5.0.2:40286, SSRC 17668769, in 340 p, 31280 b, 0 e, 104 ts, out 2 p, 778 b, 0 e

Thank you.

[Richard Fuchs]

On 20/09/2025 14.03, Fernando Lopes wrote:
> I know, I've been trying for a day and half and still nothing, I think
> I might go insane, I don't know what to try next, I receive audio from
> asterisk but sending it back to the client is being the problem.

Again: Look at the offer and answer flags.

Cheers

[Fernando Lopes]

I'm feeling a bit silly—the issue was with the interface internal and external IPs in rtpengine.conf. The RTPengine flags, It works if I don’t set any of them. I’m not sure if this is the best practice, but it works.

Thank you for the help.