
Configuring CUBE for TCP TLS.

dlewis006
Level 1

I have a 2911 running as ipbaseK9 and uck9, set as border element under voice service voip. My question is... Why do I not have the option to set session transport TCP TLS? I only have the option of UDP or TCP. My goal is to connect my CUBE to a provider via TLS and I just don't see the option to even set that. Is this a certificate issue? There is a self-signed one already on the CUBE.

Thanks,
Dan

 

voice service voip
 address-hiding
 mode border-element
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  session transport tcp

7 Replies

George Thomas
Level 10

CUBE TLS requires the security license, which it doesn't look like you have.

Please rate useful posts.

That makes sense.  It appears I do not have that license.

Karthik Sivaram
Level 4

Hi dlewis,

Can you include a "show version" from your regards?

Regards,

Karthik Sivaram

SoTel_TLS#show ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

SoTel_TLS uptime is 1 week, 5 days, 15 hours, 4 minutes
System returned to ROM by reload at 22:50:33 UTC Wed Nov 5 2014
System restarted at 22:53:17 UTC Wed Nov 5 2014
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

 

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2911/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX1650A041
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO2911/K9          FTX1650A041     

 

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot  
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
uc            uck9          Permanent      uck9
data          None          None           None

Configuration register is 0x2102

Hi dlewis,

I just tested this in the lab; you will need to accept the security package...

license boot module c2900 technology-package securityk9

&

reload the router

It should work thereafter.

Hope this helps!

Regards,

Karthik Sivaram
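An added example, not part of the original replies: a small Python check that reads the technology-package table from `show version` and reports whether the security package that CUBE TLS depends on is active, still waiting for the reload, or missing. The sample text is constructed from the output posted above; the "pending" row (Next reboot set to `securityk9` while Current is still `None`) and the function names are assumptions for illustration.

```python
import re

# Constructed sample modelled on the license table posted in this thread.
TABLE = """\
Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      {0}
uc            uck9          Permanent      uck9
data          None          None           None

Configuration register is 0x2102
"""
BEFORE = TABLE.format("None          None           None")
# Assumed state after `license boot module ...` but before the reload.
PENDING = TABLE.format("None          None           securityk9")
ACTIVE = TABLE.format("securityk9    Permanent      securityk9")

# One table row: technology name followed by exactly three columns on the same line.
ROW = re.compile(
    r"^(ipbase|security|uc|data)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)

def parse_packages(show_version: str) -> dict:
    """Map technology name -> (current, type, next_reboot)."""
    return {m.group(1): m.group(2, 3, 4) for m in ROW.finditer(show_version)}

def tls_license_state(show_version: str) -> str:
    """Classify the security package state relevant to `session transport tcp tls`."""
    pkgs = parse_packages(show_version)
    if "security" not in pkgs:
        return "unknown"          # table absent or output truncated
    current, _type, next_reboot = pkgs["security"]
    if current.lower() == "securityk9":
        return "active"
    if next_reboot.lower() == "securityk9":
        return "pending-reload"   # configured, not in effect until the router reloads
    return "missing"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("pending", PENDING), ("active", ACTIVE)):
        print(f"{name}: {tls_license_state(text)}")
```
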

 

 

Thank you for your assistance. I have enabled the security package and I am able to get our CUBE configuration registered with one of our servers as UDP, but when I enable TCP TLS it only sends the SRV registration request as TCP and not TLS. We have our DNS server set up to respond to the TLS response in order to complete the TLS registration. Does anyone have any suggestions? I was able to verify this in a Wireshark trace.

Thanks,
Dan

 

voice service voip
 address-hiding
 mode border-element
 allow-connections sip to sip
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
 sip
  bind control source-interface GigabitEthernet0/0
  bind media source-interface GigabitEthernet0/0
  session transport tcp tls
!
sip-ua
 authentication username xxxxxxxxxx password xxxxxxxxxxxxx
 retry invite 3
 retry register 10
 registrar ipv4:4.28.93.140:5071 expires 3600 tcp tls
 sip-server dns:voip.sotelsystems.com
 host-registrar

 

 


 

Hi

First of all, the SRV request is DNS-based and not SIP-based. So any SRV request will be made using the DNS protocol and not SIP. Enabling TLS encrypts your SIP signaling and possibly your media. Hence CUBE is not going to encrypt your SRV exchange based on this.

Second point is CUBE needs to be set up as a CA to do TLS. There can't be any encryption until certificates are exchanged, and there can't be a successful exchange without a trust entity.

Third, you need to enable sips because SIP over TLS uses sips.

Please refer here for details on setting this up

http://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-border-element/100446-cube-sip-tls.html

Please rate all useful posts