This article provides technical integration steps for enterprise customers setting up Exotel’s Virtual SIP Trunking (vSIP) over TLS via the Mumbai PoP. It includes configuration guidelines, SIP headers, and best practices for secure SIP-based PSTN interconnects.
1. Product Overview
Exotel’s Virtual SIP Trunking (Alpha) over TLS enables secure, encrypted PSTN call origination and termination between your SIP infrastructure and Exotel's platform. The Alpha version is designed for pilot usage and is not covered by production-grade SLAs.
2. Architecture
Call Type: PSTN <-> SIP Gateway Interconnect
Transport: SIP over TLS (Port 443)
Media: Secure RTP (SRTP) over UDP (Ports 10000–40000)
Authentication: IP Whitelisting (no SIP registration)
Edge Location: Mumbai PoP (India)
Note – vSIP Throttling
Exotel enforces a default vSIP rate-limit of 200 calls per minute (CPM) per trunk to safeguard carrier capacity and call quality.
If your traffic profile requires a higher burst rate, raise a request via your CSM or Support ticket. The capacity-planning team will review historical traffic, carrier limits, and QoS requirements and can increase the throttling threshold accordingly.
3. Required Configuration
IP Whitelisting
Provide your static public IP to Exotel for ACL entry.
Dynamic IPs or NAT setups are not recommended.
Ports to Open
SIP Domain and Proxy Details
Media Server POP
Signalling Server POP
Use this FQDN in your trunk peer setup.
4. Sample Configuration – Asterisk PBX
[general]
externip = <your_public_ip>
localnet = 192.168.0.0/16
[exotelvsip]
type = friend
context = incoming
fromdomain = <accountsid>.pstn.exotel.com
host = pstn.in2.exotel.com
port = 443
transport = tls
disallow = all
allow = alaw
allow = ulaw
nat = force_rport
insecure = port
canreinvite = no
sendrpid = yes
trustrpid = yes
relaxdtmf = yes
encryption = yes
5. SIP Message Format
A. INVITE from Exotel Trunk (Exotel → Customer)
When a customer receives an inbound call from Exotel over TLS, Exotel uses the customer's SIP URI as the request URI and includes customer CLI, Exophone, and media parameters securely.
SIP INVITE Examples
Inbound INVITE (Exotel → Customer)
INVITE sip:+91XXXXXXXXXX@<customer-ip>:5061;transport=tls SIP/2.0
Record-Route: sip:<exotel-ip>:443;transport=tls;lr
Via: SIP/2.0/TLS <exotel-ip>:443;branch=z9hG4bK2414...
From: "+91AAAAAAAAAA" <sip:+91AAAAAAAAAA@exotelt.pstn.exotel.com>;tag=as2aefddf2
To: <sip:+91XXXXXXXXXX@<customer-ip>>
Call-ID: <UUID>@pstn.mum1.exotel.com
CSeq: 102 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces
X-Exotel-LegSid: <leg-id>
X-Exotel-CallSid: <call-id>
X-Exotel-TrunkSid: <trunk-id>
P-Asserted-Identity: <sip:+91AAAAAAAAAA@exotelt.pstn.exotel.com>
P-Early-Media: supported
Contact: <sip:+91AAAAAAAAAA@<public-ip>:port;transport=tls>
Content-Type: application/sdp
Content-Length: 1168
Max-Forwards: 67
v=0
o=root 1683048786 1683048786 IN IP4 <exotel-media-ip>
c=IN IP4 <exotel-media-ip>
t=0 0
m=audio 37456 RTP/SAVP 8 0 96
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=sendrecv
a=rtcp:37457
a=ptime:20
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<srtp-key>
Header Reference Table – INVITE from Exotel
B. INVITE to Exotel Trunk (Customer → Exotel)
This message is used when the customer initiates a secure outbound call using their Exophone as CLI. TLS is used for SIP signalling, and SRTP for media encryption.
Outbound INVITE (Customer → Exotel)
INVITE sip:+91YYYYYYYYYY@<exotel-ip>:5070 SIP/2.0
Via: SIP/2.0/TLS <customer-ip>:5061;branch=z9hG4bKbK4041f853
Max-Forwards: 70
From: "+91XXXXXXXXXX" <sip:+91XXXXXXXXXX@exotelt.pstn.exotel.com>;tag=as63e4d7f1
To: <sip:+91YYYYYYYYYY@<exotel-ip>>
Contact: <sip:+91XXXXXXXXXX@<customer-ip>:5061;transport=tls>
Call-ID: <UUID>@exotelt.pstn.exotel.com
CSeq: 102 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Type: application/sdp
Content-Length: 371
v=0
o=root 1002281923 1002281923 IN IP4 <customer-media-ip>
c=IN IP4 <customer-media-ip>
t=0 0
m=audio 18232 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<srtp-key>
Header Reference Table – INVITE to Exotel
Key Identity Fields
6. Best Practices and Pre-checks
Use only static IPs and TLS-compliant SBCs.
Validate G.711 codec support with PCMA as preferred.
Confirm SRTP support and crypto attribute handling in your SIP stack.
Avoid SIP ALG or NAT devices without explicit RTP pinholes.
7. How to Test Your Setup
Inbound Test (Exotel → Your SIP Server)
Map a VN to your SIP trunk in the dashboard.
Dial the VN and capture traffic via sngrep or tcpdump.
Confirm receipt of TLS INVITE and correct SRTP flow.
Outbound Test (Your SIP Server → Exotel)
Initiate SIP INVITE to pstn.in2.exotel.com:443.
Confirm 200 OK with SRTP attributes negotiated.
Check the RTP/SAVP audio path and Exotel response headers.
8. Troubleshooting Tips
9. Support and Next Steps
This guide documents Exotel vSIP over TLS via Mumbai PoP under the Alpha release. Future GA versions will include additional security layers, reporting, and failover routing.
For support:
Contact your Exotel account manager.
Or file a ticket via https://support.exotel.com with:
Account SID
Timestamp of test
SIP trace logs (.pcap or raw headers)
Version: Alpha-TLS-Mumbai | Last updated: June 2025