My aim is to connect my CUBE to a remote CUBE (G711u) with SIP-TLS control (SIPS) and to encrypt the RTP payload (SRTP).
Between my CUBE and my CME (G729), I want only SIP and RTP.
source: https://www.cisco.com/en/US/docs/ios-xml/ios/voice/cube_proto/configuration/15-2mt/voi-srtp-rtp-int.html
LICENCE:
Even if the cme-srst and cube licences are activated, I also need to activate the securityK9 technology package in order to have access to all the srtp commands.
CONTROL:
The Cisco Unified Border Element supports SIP-to-SIP calls with TLS. CUBE can be configured at both the global and dial-peer levels to allow TLS to establish secure sessions between two CUBEs.
To check the feature information for SIP TLS support on CUBE, refer to this Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.pdf
On my platform I have one CA (Windows 2012R2) and I use the SCEP protocol to have my CUBE certified by the CA.
SCEP documentation: https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html
Step 1:
Generate the RSA key pair on the CUBE:
crypto key generate rsa general-keys label CUBE modulus 2048
Step 2:
Create the PKI trustpoint for the CA on the CUBE:
crypto pki trustpoint ca-server
enrollment mode ra
enrollment url http://@ip-SRV-CA:80/certsrv/mscep/mscep.dll
serial-number
revocation-check none
rsakeypair CUBE
Step 3:
Retrieve the Root CA certificate into the CUBE's flash memory:
crypto pki authenticate ca-server
Step 4:
Check the receipt of the Root CA certificate by comparing its serial number with the one on the CA server.
sh crypto pki certificates verbose ca-server
CUBE-A#sh crypto pki certificates verbose ca-server
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 1B8EEAF0AFFE78A94C54BAAA45A13329
Certificate Usage: Signature
[.......]
Step 5:
Enroll the CUBE:
crypto pki enroll ca-server
Step 6:
The CUBE is now waiting for a challenge. On your CA server go to:
http://localhost/certsrv/mscep_admin/ (you will need a Domain Administrator account)
Then copy the challenge password (its lifetime is 60 minutes).
Step 7:
CUBE configuration:
voice service voip
allow-connections sip to sip
no supplementary-service sip handle-replaces
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
session transport tcp tls ***** global configuration, or set it per dial-peer *****
registrar server expires max 600 min 60
[.......]
sip-ua
crypto signaling default trustpoint ca-server ecdsa-cipher
transport tcp tls v1.2
[.......]
On the dial-peer with the remote CUBE enter:
voice-class sip url sips
On my platform the remote CUBE has the same configuration, and the same CA server is used. If you want to test with two different CA servers, don't forget to import the Root CA certificate of the remote CA server by creating another PKI trustpoint:
crypto pki trustpoint Remote-CUBE
enrollment url http://@ip-Remote-CUBE:80
revocation-check none
SRTP:
You first need to configure the dspfarm profile in security mode:
dspfarm profile 1 transcode security
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
codec g729r8
maximum sessions 5
associate application CUBE
With the LTI method the Secure Universal Transcoder does not need to be registered to the CUBE; with the SCCP method it does. Refer to the Cisco documentation:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube_proto/configuration/12-4t/cube-proto-12-4t-book/voi-srtp-rtp-int.pdf
Then, we have to configure the dial-peers on our CUBE:
Dial-peer between CUBE and my local CME:
[.......]
dial-peer voice 29702 voip
description DP-INBOUND-FROM-LOCAL-CME
incoming called-number 2970.$
srtp fallback
no vad
[.......]
dial-peer voice 29710 voip
description DP-OUTBOUND-TO-LOCAL-CME
destination-pattern 2971.$
session protocol sipv2
session target ipv4:10.10.10.10
srtp pass-thru
no vad
[.......]
Dial-peer between CUBE and Remote CUBE:
[.......]
dial-peer voice 2970 voip
description DP-OUTBOUND-TO-REMOTE-CUBE
destination-pattern 2970.$
session protocol sipv2
session target ipv4:30.30.30.30
srtp
codec g711ulaw
no vad
[.......]
dial-peer voice 2971 voip
description DP-INBOUND-FROM-REMOTE-CUBE
incoming called-number 2971.$
srtp
codec g711ulaw
no vad
[.......]
On the voice service voip menu:
voice service voip
mode border-element license capacity 100
srtp fallback
allow-connections sip to sip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
sip
bind control source-interface Loopback0
bind media source-interface Loopback0
srtp-auth sha1-80 (the default is sha1-32).
We can also configure srtp-auth on the dial-peer:
voice-class sip srtp-auth sha1-80
TEST:
With Cain or Wireshark you can check the SIP-TLS connection and whether the RTP is actually encrypted between the two CUBEs.
On your CUBE:
#show call active voice brief
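As an added example (not part of the original post), here is a small Python check for the SDP bodies you see in the Wireshark capture (on the plain-SIP leg, or on the TLS leg once Wireshark has the keys to decrypt it): it reports whether the media line is RTP/SAVP, which crypto suite was offered, and therefore whether the srtp-auth sha1-80 setting took effect or the call fell back to plain RTP. The two SDP bodies and the inline key string are constructed placeholders, not captured data.

```python
import re

# Constructed sample: SDP answer from the remote CUBE leg, SRTP negotiated
# with the sha1-80 suite. The inline key is a placeholder, not a real key.
SAMPLE_SDP_SRTP = """v=0
o=CiscoSystemsSIP-GW-UserAgent 1234 5678 IN IP4 30.30.30.30
s=SIP Call
c=IN IP4 30.30.30.30
t=0 0
m=audio 16384 RTP/SAVP 0 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY==
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""

# Constructed sample: SDP answer from the CME leg, where "srtp fallback"
# let the call drop to plain RTP (RTP/AVP, no a=crypto line).
SAMPLE_SDP_FALLBACK = """v=0
o=CiscoSystemsSIP-GW-UserAgent 4321 8765 IN IP4 10.10.10.10
s=SIP Call
c=IN IP4 10.10.10.10
t=0 0
m=audio 18000 RTP/AVP 18 101
a=rtpmap:18 G729/8000
a=rtpmap:101 telephone-event/8000
"""

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:\S+", re.M)
# Map the SDES suite name to the CUBE "srtp-auth" keyword it corresponds to.
SUITE_TO_SRTP_AUTH = {
    "AES_CM_128_HMAC_SHA1_80": "sha1-80",
    "AES_CM_128_HMAC_SHA1_32": "sha1-32",
}

def audit_sdp(sdp, expected_suite="AES_CM_128_HMAC_SHA1_80"):
    """Describe the media security state of one SDP body."""
    media = [l for l in sdp.splitlines() if l.startswith("m=audio")]
    if not media:
        raise ValueError("no m=audio line in SDP")
    profile = media[0].split()[2]                  # RTP/AVP or RTP/SAVP
    suites = [m.group(2) for m in CRYPTO_RE.finditer(sdp)]
    result = {
        "srtp": profile == "RTP/SAVP",
        "suites": suites,
        "srtp_auth": [SUITE_TO_SRTP_AUTH.get(s, "unknown") for s in suites],
        "expected_suite_present": expected_suite in suites,
    }
    # A secure profile with no a=crypto line means no key material was offered.
    if result["srtp"] and not suites:
        result["warning"] = "RTP/SAVP without a=crypto: no SRTP keys exchanged"
    return result
```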