Talking to a NetCologne SIP trunk

NetCologne is an Internet connectivity, telephony and television services provider based, not surprisingly, in Cologne, Germany.

For business customers they offer two types of SIP connection:

• based on a dedicated network link to NetCologne with fixed IP addresses at each end
• over the Internet from any IP address you want to connect from

I needed to connect an Asterisk server to the latter type of connection, and frankly NetCologne were not much use in guiding me on how to set this up.

The letter they sent confirming the order and giving the connection credentials said:

• registration is only possible using TLS
• the media path must be encrypted with sRTP
• we use an RSA key

TLS and sRTP are nothing out of the ordinary, but I haven't yet worked out where the RSA key comes in, even after having got this working (and their tech support people couldn't tell me either).

I had previously set up TLS connections from Asterisk servers using the old (but very easy to use) chan_sip driver, however NetCologne published the DNS name you need to connect to only as a NAPTR record, which apparently chan_sip cannot use, meaning that you have to use chan_pjsip instead.

Now, I know that sooner or later everyone using Asterisk is going to have to learn how PJSIP works, but for this implementation I wasn't going to convert the entire system, so it's fortunate that you can actually run chan_sip and chan_pjsip simultaneously on a single server - all you need to do is ensure that each binds to a different port number (for which I used 5060 for chan_sip and 5061 for chan_pjsip).

NetCologne provide no guidance whatsoever on how to configure Asterisk (or any other system for that matter) to talk to their services (I spoke to their technical support people, who told me this), but fortunately I found that Nano-Comp electronic GmbH published an article written in February 2024 pointing out exactly this, and providing an example of how to make things work.

Their example didn't quite work for me, so here's my version of the same thing, in case it's helpful to anyone else. I do not claim in any way that this is a model configuration, but it works for me.

The main changes I made were to explicitly specify port 5061 to connect to at NetCologne, and to use port 5062 as the local port (because I already have a chan_sip TLS connection using port 5061, which I can't be bothered to convert into the complexity of chan_pjsip - that one doesn't use NAPTR, so chan_sip works fine with it).

pjsip.conf

[global]
type = global
keep_alive_interval = 0

[nc_registration]
type = registration
transport = nc_transport
outbound_auth = nc_auth
client_uri = sip:+49xxxyyyyyy@pbx.sip-trunk.netcologne.de:5061
contact_user = +49xxxyyyyyy
server_uri = sip:pbx.sip-trunk.netcologne.de
line = yes
expiration = 3600
endpoint = nc_endpoint 

[nc_transport]
type = transport
protocol = tls
method = tlsv1_2
cos = 3
tos = cs5
bind = 0.0.0.0:5062
ca_list_path = /etc/ssl/certs/
cert_file = /etc/letsencrypt/live/fullchain.pem
priv_key_file = /etc/letsencrypt/live/myhostname/privkey.pem

[nc_endpoint]
type = endpoint
from_domain = pbx.sip-trunk.netcologne.de
from_user = +49xxxyyyyyy
context = NetCologne ; this is the context incoming calls will arrive at
language = de
outbound_auth = nc_auth
media_encryption = sdes
aors = nc_aor
cos_audio = 5
tos_audio = ef
direct_media_method = invite
dtmf_mode = rfc4733
direct_media = no
disallow = all
allow = alaw
allow = ulaw
transport = nc_transport

[nc_auth]
type = auth
auth_type = userpass
username = +49xxxyyyyyy ; as provided by NetCologne
password = the surprisingly short password provided by NetCologne
realm = pbx.sip-trunk.netcologne.de

[nc_aor]
type = aor
contact = sip:+49xxxyyyyyy@pbx.sip-trunk.netcologne.de
qualify_frequency = 30

You should then be able to confirm that things are working:

*CLI> pjsip show registrations

 <Registration/ServerURI.......................>  <Auth...>  <Status.......>
==========================================================================================
 nc_registration/sip:pbx.sip-trunk.netcologne.de  nc_auth    Registered        (exp. 247s)

*CLI> pjsip show aors

      Aor:  <Aor.................>  <MaxContact>
    Contact:  <Aor/ContactUri............................> <Hash....> <Status> <RTT(ms)..>
==========================================================================================
      Aor:  nc_aor                  0
    Contact:  nc_aor/sip:+49xxxyyyyyy@pbx.sip-trunk.netcol 71aba8a13f Avail    19.347

You can then place outbound test calls using the following in your dialplan:

Dial(PJSIP/${TARGET}@nc_endpoint);

Note that, somewhat surprisingly, you can only use the test number they give you (for configuring things with before migrating your business number/s over) to place outbound calls; you cannot dial into it. This is very frustrating if one of the questions you wanted to answer during the test process was "can I add extra digits on the end of the base number they give me, same as works with the existing ISDN30 connection?"

I'll update this article once I find out the answer to that question (which will only be once we've migrated the entire block of 600 phone numbers over to the new service, so it had better work!).

Go up
Return to main index.