Exotel Virtual SIP Trunking – TLS (Mumbai)

this article provides technical integration steps for enterprise customers setting up exotel’s virtual sip trunking (vsip) over tls via the mumbai pop it includes configuration guidelines, sip headers, and best practices for secure sip based pstn interconnects 1\ product overview exotel’s virtual sip trunking (alpha) over tls enables secure, encrypted pstn call origination and termination between your sip infrastructure and exotel's platform the alpha version is designed for pilot usage and is not covered by production grade slas 2\ architecture call type pstn < > sip gateway interconnect transport sip over tls (port 443) media secure rtp (srtp) over udp (ports 10000–40000) authentication ip whitelisting (no sip registration) edge location mumbai pop (india) note – vsip throttling exotel enforces a default vsip rate limit of 200 calls per minute (cpm) per trunk to safeguard carrier capacity and call quality if your traffic profile requires a higher burst rate, raise a request via your csm or support ticket the capacity planning team will review historical traffic, carrier limits, and qos requirements and can increase the throttling threshold accordingly 3\ required configuration ip whitelisting provide your static public ip to exotel for acl entry dynamic ips or nat setups are not recommended ports to open type port range protocol purpose signaling 443 tcp sip over tls media 10000–40000 udp srtp streams sip domain and proxy details media server pop region media ips mumbai dc 182 76 143 61, 122 15 8 184 ka dc 14 194 10 247, 61 246 82 75 signalling server pop region proxy fqdn mumbai dc pstn in2 exotel com mumbai cloud pstn in4 exotel com use this fqdn in your trunk peer setup 4\ sample configuration – asterisk pbx \[general] externip = \<your public ip> localnet = 192 168 0 0/16 \[exotelvsip] type = friend context = incoming fromdomain = \<accountsid> pstn exotel com host = pstn in2 exotel com port = 443 transport = tls disallow = all allow = alaw allow = ulaw nat = force rport insecure = port canreinvite = no sendrpid = yes trustrpid = yes relaxdtmf = yes encryption = yes 5\ sip message format a invite from exotel trunk (exotel → customer) when a customer receives an inbound call from exotel over tls , exotel uses the customer's sip uri as the request uri and includes customer cli, exophone, and media parameters securely sip invite examples inbound invite (exotel → customer) invite sip +91xxxxxxxxxx@\<customer ip> 5061;transport=tls sip/2 0 record route sip \<exotel ip> 443;transport=tls;lr via sip/2 0/tls \<exotel ip> 443;branch=z9hg4bk2414 from "+91aaaaaaaaaa" \<sip +91aaaaaaaaaa\@exotelt pstn exotel com>;tag=as2aefddf2 to \<sip +91xxxxxxxxxx@\<customer ip>> call id \<uuid>@pstn mum1 exotel com cseq 102 invite allow invite, ack, cancel, options, bye, refer, subscribe, notify, info, publish, message supported replaces x exotel legsid \<leg id> x exotel callsid \<call id> x exotel trunksid \<trunk id> p asserted identity \<sip +91aaaaaaaaaa\@exotelt pstn exotel com> p early media supported contact \<sip +91aaaaaaaaaa@\<public ip>\ port;transport=tls> content type application/sdp content length 1168 max forwards 67 v=0 o=root 1683048786 1683048786 in ip4 \<exotel media ip> c=in ip4 \<exotel media ip> t=0 0 m=audio 37456 rtp/savp 8 0 96 a=rtpmap 8 pcma/8000 a=rtpmap 0 pcmu/8000 a=rtpmap 96 telephone event/8000 a=fmtp 96 0 15 a=sendrecv a=rtcp 37457 a=ptime 20 a=crypto 1 aes cm 128 hmac sha1 80 inline \<srtp key> header reference table – invite from exotel header mandatory description request uri yes destination sip uri (customer exophone) from yes caller cli shown to customer — e g , original end user number to yes exophone provisioned in exotel system x exotel callsid yes unique identifier for this call session x exotel legsid optional unique identifier for this leg of the call x exotel trunksid optional exotel trunk id through which the call is routed p asserted identity optional caller id verification (especially for cli masking) contact optional contact uri of sip ua for future dialog messages content type / sdp yes contains secure media negotiation (rtp/savp with crypto key) b invite to exotel trunk (customer → exotel) this message is used when the customer initiates a secure outbound call using their exophone as cli tls is used for sip signalling, and srtp for media encryption outbound invite (customer → exotel) invite sip +91yyyyyyyyyy@\<exotel ip> 5070 sip/2 0 via sip/2 0/tls \<customer ip> 5061;branch=z9hg4bkbk4041f853 max forwards 70 from "+91xxxxxxxxxx" \<sip +91xxxxxxxxxx\@exotelt pstn exotel com>;tag=as63e4d7f1 to \<sip +91yyyyyyyyyy@\<exotel ip>> contact \<sip +91xxxxxxxxxx@\<customer ip> 5061;transport=tls> call id \<uuid>@exotelt pstn exotel com cseq 102 invite allow invite, ack, cancel, options, bye, refer, subscribe, notify, info, publish, message supported replaces, timer content type application/sdp content length 371 v=0 o=root 1002281923 1002281923 in ip4 \<customer media ip> c=in ip4 \<customer media ip> t=0 0 m=audio 18232 rtp/savp 8 0 101 a=rtpmap 8 pcma/8000 a=rtpmap 0 pcmu/8000 a=rtpmap 101 telephone event/8000 a=fmtp 101 0 16 a=ptime 20 a=maxptime 150 a=sendrecv a=crypto 1 aes cm 128 hmac sha1 80 inline \<srtp key> header reference table – invite to exotel header mandatory description request uri yes number to be dialed (callee) via exotel's sip ip from yes cli of customer (must be exophone registered with exotel) to yes callee number (may not affect routing) contact optional customer's contact uri for sip dialog continuation call id yes unique sip session id from the customer's sip server cseq yes command sequence used in sip transactions allow yes supported sip verbs supported optional sip extensions like replaces, timer content type / sdp yes secure media parameters, codecs, ports, and srtp crypto key (rtp/savp) key identity fields direction caller id (cli) in from called number in request uri comment exotel → customer customer’s cli (real caller) exophone assigned to the customer cli → customer via exotel trunk customer → exotel exophone (as cli) final user’s number exotel uses from to verify cli 6\ best practices and pre checks use only static ips and tls compliant sbcs validate g 711 codec support with pcma as preferred confirm srtp support and crypto attribute handling in your sip stack avoid sip alg or nat devices without explicit rtp pinholes 7\ how to test your setup inbound test (exotel → your sip server) map a vn to your sip trunk in the dashboard dial the vn and capture traffic via sngrep or tcpdump confirm receipt of tls invite and correct srtp flow outbound test (your sip server → exotel) initiate sip invite to pstn in2 exotel com 443 confirm 200 ok with srtp attributes negotiated check the rtp/savp audio path and exotel response headers 8\ troubleshooting tips issue cause solution no invite received ip not whitelisted confirm acl entry with exotel support 403 forbidden wrong domain or auth config check the fromdomain and peer trunk settings call drops in 30s rtp timeout or nat enable symmetric rtp / force rport no audio srtp failure or media block confirm udp 10000–40000 and srtp config 9\ support and next steps this guide documents exotel vsip over tls via mumbai pop under the alpha release future ga versions will include additional security layers, reporting, and failover routing for support contact your exotel account manager or file a ticket via https //support exotel com with account sid timestamp of test sip trace logs ( pcap or raw headers)