PJSIP Endpoint Templates and SIP Trunk

Define a base template once, then create endpoints by inheriting from it. This eliminates repetition and ensures consistent settings across all phones. Includes transport definitions and SIP trunk configuration.

Requirements

• res_pjsip.so and related modules loaded
• TLS certificates if using encrypted transport
• SIP trunk account credentials from your provider

Transports (pjsip.conf)

[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0:5060

[transport-tcp]
type = transport
protocol = tcp
bind = 0.0.0.0:5060

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
cert_file = /etc/asterisk/keys/asterisk.crt
priv_key_file = /etc/asterisk/keys/asterisk.key
method = tlsv1_2

SIP Trunk (pjsip.conf)

[trunk-auth]
type = auth
auth_type = userpass
username = your_trunk_username
password = your_trunk_password

[trunk-registration]
type = registration
outbound_auth = trunk-auth
server_uri = sip:sip.provider.com
client_uri = sip:your_username@sip.provider.com

[trunk-endpoint]
type = endpoint
context = from-trunk
allow = !all,ulaw,alaw
outbound_auth = trunk-auth
aors = trunk-aor
direct_media = no
send_pai = yes
send_rpid = yes
trust_id_outbound = yes
from_domain = sip.provider.com

[trunk-aor]
type = aor
contact = sip:sip.provider.com
qualify_frequency = 60
qualify_timeout = 3.0

[trunk-identify]
type = identify
endpoint = trunk-endpoint
match = sip.provider.com

Endpoint Template (pjsip.conf)

[endpoint-internal](!)
type = endpoint
context = internal
disallow = all
allow = ulaw,alaw,g722
direct_media = no
trust_id_outbound = yes
dtmf_mode = rfc4733
rewrite_contact = yes
rtp_symmetric = yes
force_rport = yes
rtp_keepalive = 15
device_state_busy_at = 1
named_call_group = office
named_pickup_group = office
media_encryption = sdes

[aor-internal](!)
type = aor
max_contacts = 5
qualify_frequency = 30
qualify_timeout = 3.0
remove_existing = no

Using Templates for Extensions

; Extension 1001 - inherits all settings from endpoint-internal
[1001](endpoint-internal)
auth = 1001-auth
aors = 1001
callerid = Alice Smith <1001>
mailboxes = 1001@default

[1001](aor-internal)

[1001-auth]
type = auth
auth_type = userpass
username = 1001
password = strong_random_password_here

How it works

1. Template syntax (!): The exclamation mark in [endpoint-internal](!) marks this section as a template. It won't create an actual endpoint. it just defines defaults that other sections inherit.
2. Inheritance (template-name): [1001](endpoint-internal) creates endpoint 1001 with all the settings from the template, plus any overrides specified in the [1001] section.
3. Trunk components: A SIP trunk needs 5 objects: auth (credentials), registration (keeps trunk registered), endpoint (call routing), AOR (address of record / contact), and identify (matches inbound packets to the trunk endpoint).
4. !all codec syntax: allow = !all,ulaw,alaw,g722 first disables all codecs, then enables specific ones in preference order. G.722 provides wideband (HD) audio for internal calls.
5. NAT traversal: rewrite_contact = yes, rtp_symmetric = yes, and force_rport = yes handle phones behind NAT. rtp_keepalive = 15 sends periodic RTP packets to keep NAT pinholes open.
6. Call groups: named_call_group and named_pickup_group enable directed and group call pickup (*8 and **XXXX patterns).

Tips

• Generate strong random passwords for each endpoint: openssl rand -base64 16.
• Set device_state_busy_at = 1 so BLF lights show busy when the phone is on a call.
• Use max_contacts = 5 in the AOR template so the same extension can register from multiple devices (desk phone, softphone, mobile app).
• Verify trunk status with pjsip show registration trunk-registration on the CLI.
• For TLS, generate certificates with Let's Encrypt or a self-signed CA. Most desk phones support TLS but may need the CA certificate imported.