This article provides technical integration steps for enterprise customers setting up Exotel’s Virtual SIP Trunking (vSIP) over TLS via the Mumbai PoP. It includes configuration guidelines, SIP headers, and best practices for secure SIP-based PSTN interconnects.

1. Product Overview

Exotel’s Virtual SIP Trunking (Alpha) over TLS enables secure, encrypted PSTN call origination and termination between your SIP infrastructure and Exotel's platform. The Alpha version is designed for pilot usage and is not covered by production-grade SLAs.

2. Architecture

  • Call Type: PSTN <-> SIP Gateway Interconnect

  • Transport: SIP over TLS (Port 443)

  • Media: Secure RTP (SRTP) over UDP (Ports 10000–40000)

  • Authentication: IP Whitelisting (no SIP registration)

  • Edge Location: Mumbai PoP (India)

Note – vSIP Throttling

Exotel enforces a default vSIP rate-limit of 200 calls per minute (CPM) per trunk to safeguard carrier capacity and call quality.

If your traffic profile requires a higher burst rate, raise a request via your CSM or Support ticket. The capacity-planning team will review historical traffic, carrier limits, and QoS requirements and can increase the throttling threshold accordingly.

3. Required Configuration

IP Whitelisting

  • Provide your static public IP to Exotel for ACL entry.

  • Dynamic IPs or NAT setups are not recommended.

Ports to Open

Type

Port Range

Protocol

Purpose

Signaling

443

TCP

SIP over TLS

Media

10000–40000

UDP

SRTP streams



SIP Domain and Proxy Details


Media Server POP

Region

Media IPs

Mumbai DC

182.76.143.61, 122.15.8.184

KA DC

14.194.10.247, 61.246.82.75


Signalling Server POP

Region

Proxy FQDN

Mumbai DC

pstn.in2.exotel.com

Mumbai Cloud

pstn.in4.exotel.com


Use this FQDN in your trunk peer setup.

4. Sample Configuration – Asterisk PBX

[general]

externip = <your_public_ip>

localnet = 192.168.0.0/16


[exotelvsip]

type = friend

context = incoming

fromdomain = <accountsid>.pstn.exotel.com

host = pstn.in2.exotel.com

port = 443

transport = tls

disallow = all

allow = alaw

allow = ulaw

nat = force_rport

insecure = port

canreinvite = no

sendrpid = yes

trustrpid = yes

relaxdtmf = yes

encryption = yes


5. SIP Message Format


A. INVITE from Exotel Trunk (Exotel → Customer)

When a customer receives an inbound call from Exotel over TLS, Exotel uses the customer's SIP URI as the request URI and includes customer CLI, Exophone, and media parameters securely.


SIP INVITE Examples

Inbound INVITE (Exotel → Customer)

INVITE sip:+91XXXXXXXXXX@<customer-ip>:5061;transport=tls SIP/2.0

Record-Route: sip:<exotel-ip>:443;transport=tls;lr

Via: SIP/2.0/TLS <exotel-ip>:443;branch=z9hG4bK2414...

From: "+91AAAAAAAAAA" <sip:+91AAAAAAAAAA@exotelt.pstn.exotel.com>;tag=as2aefddf2

To: <sip:+91XXXXXXXXXX@<customer-ip>>

Call-ID: <UUID>@pstn.mum1.exotel.com

CSeq: 102 INVITE

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE

Supported: replaces

X-Exotel-LegSid: <leg-id>

X-Exotel-CallSid: <call-id>

X-Exotel-TrunkSid: <trunk-id>

P-Asserted-Identity: <sip:+91AAAAAAAAAA@exotelt.pstn.exotel.com>

P-Early-Media: supported

Contact: <sip:+91AAAAAAAAAA@<public-ip>:port;transport=tls>

Content-Type: application/sdp

Content-Length: 1168

Max-Forwards: 67


v=0

o=root 1683048786 1683048786 IN IP4 <exotel-media-ip>

c=IN IP4 <exotel-media-ip>

t=0 0

m=audio 37456 RTP/SAVP 8 0 96

a=rtpmap:8 PCMA/8000

a=rtpmap:0 PCMU/8000

a=rtpmap:96 telephone-event/8000

a=fmtp:96 0-15

a=sendrecv

a=rtcp:37457

a=ptime:20

a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<srtp-key>

Header Reference Table – INVITE from Exotel

Header

Mandatory

Description

Request URI

Yes

Destination SIP URI (customer Exophone)

From

Yes

Caller CLI shown to customer — e.g., original end-user number

To

Yes

Exophone provisioned in Exotel system

X-Exotel-CallSid

Yes

Unique identifier for this call session

X-Exotel-LegSid

Optional

Unique identifier for this leg of the call

X-Exotel-TrunkSid

Optional

Exotel trunk ID through which the call is routed

P-Asserted-Identity

Optional

Caller ID verification (especially for CLI masking)

Contact

Optional

Contact URI of SIP UA for future dialog messages

Content-Type / SDP

Yes

Contains secure media negotiation (RTP/SAVP with crypto key)



B. INVITE to Exotel Trunk (Customer → Exotel)

This message is used when the customer initiates a secure outbound call using their Exophone as CLI. TLS is used for SIP signalling, and SRTP for media encryption.

Outbound INVITE (Customer → Exotel)

INVITE sip:+91YYYYYYYYYY@<exotel-ip>:5070 SIP/2.0

Via: SIP/2.0/TLS <customer-ip>:5061;branch=z9hG4bKbK4041f853

Max-Forwards: 70

From: "+91XXXXXXXXXX" <sip:+91XXXXXXXXXX@exotelt.pstn.exotel.com>;tag=as63e4d7f1

To: <sip:+91YYYYYYYYYY@<exotel-ip>>

Contact: <sip:+91XXXXXXXXXX@<customer-ip>:5061;transport=tls>

Call-ID: <UUID>@exotelt.pstn.exotel.com

CSeq: 102 INVITE

Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE

Supported: replaces, timer

Content-Type: application/sdp

Content-Length: 371


v=0

o=root 1002281923 1002281923 IN IP4 <customer-media-ip>

c=IN IP4 <customer-media-ip>

t=0 0

m=audio 18232 RTP/SAVP 8 0 101

a=rtpmap:8 PCMA/8000

a=rtpmap:0 PCMU/8000

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-16

a=ptime:20

a=maxptime:150

a=sendrecv

a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<srtp-key>



Header Reference Table – INVITE to Exotel

Header

Mandatory

Description

Request URI

Yes

Number to be dialed (callee) via Exotel's SIP IP

From

Yes

CLI of customer (must be Exophone registered with Exotel)

To

Yes

Callee number (may not affect routing)

Contact

Optional

Customer's contact URI for SIP dialog continuation

Call-ID

Yes

Unique SIP session ID from the customer's SIP server

CSeq

Yes

Command sequence used in SIP transactions

Allow

Yes

Supported SIP verbs

Supported

Optional

SIP extensions like replacestimer

Content-Type / SDP

Yes

Secure media parameters, codecs, ports, and SRTP crypto key (RTP/SAVP)


Key Identity Fields

Direction

Caller ID (CLI) in From

Called Number in Request URI

Comment

Exotel → Customer

Customer’s CLI (real caller)

Exophone assigned to the customer

CLI → customer via Exotel trunk

Customer → Exotel

Exophone (as CLI)

Final user’s number

Exotel uses From to verify CLI


6. Best Practices and Pre-checks

  • Use only static IPs and TLS-compliant SBCs.

  • Validate G.711 codec support with PCMA as preferred.

  • Confirm SRTP support and crypto attribute handling in your SIP stack.

  • Avoid SIP ALG or NAT devices without explicit RTP pinholes.

7. How to Test Your Setup

Inbound Test (Exotel → Your SIP Server)

  • Map a VN to your SIP trunk in the dashboard.

  • Dial the VN and capture traffic via sngrep or tcpdump.

  • Confirm receipt of TLS INVITE and correct SRTP flow.

Outbound Test (Your SIP Server → Exotel)

  • Initiate SIP INVITE to pstn.in2.exotel.com:443.

  • Confirm 200 OK with SRTP attributes negotiated.

  • Check the RTP/SAVP audio path and Exotel response headers.

8. Troubleshooting Tips

Issue

Cause

Solution

No INVITE received

IP not whitelisted

Confirm ACL entry with Exotel support

403 Forbidden

Wrong domain or auth config

Check the fromdomain and peer trunk settings

Call drops in 30s

RTP timeout or NAT

Enable symmetric RTP / force_rport

No audio

SRTP failure or media block

Confirm UDP 10000–40000 and SRTP config


9. Support and Next Steps

This guide documents Exotel vSIP over TLS via Mumbai PoP under the Alpha release. Future GA versions will include additional security layers, reporting, and failover routing.

For support:

  • Contact your Exotel account manager.

  • Or file a ticket via https://support.exotel.com with:

    • Account SID

    • Timestamp of test

    • SIP trace logs (.pcap or raw headers)

Version: Alpha-TLS-Mumbai | Last updated: June 2025