Solved: Re: Cube Sip tls-srtp to sip-rtp

M02@rt37 · ‎03-05-2018

Hi,I configure two CME with two CUBE in order to test SIP-TLS between the CUBE.

All is ok as concerned the secure signalisation CUBE to CUBE.

I want now to configure srtp between the two CUBE ans let RTP between each CUBE and its CME.

All the router have got the same IOS 15.6. The CUBE have got the AdvSuiteUcK9 activated.

On the CUBE, I have access to the srtp-auth command in global config voice service voip and also on the dial-peer.

On CUBE, I separated the inbound dial peer and the oubound dial-peer. With the dial-peer in front of the CME I let rtp. On the dial-peer between the CUBE i configured srtp command. I register also the srtp-auth sha-80.

Srtp is not OK. Is there any configuration on voice service voip to configure? My 15.6 IOS is ok for srtp-rtp internetworking? When I use CAIN to mirror my conversation between CUBE i check that the conversation is not secure.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R0g22 · ‎03-19-2018

Weren't you using ISR-4k ? Well I might have assumed that, never mind. With ISR-G2 etc you need a transcoder to be able to do the interop. With ISR-4k, you don't. It is handled natively by the RP. I was under the incorrect assumption that you have a ISR-4k.

View solution in original post

R0g22 · ‎03-05-2018

"I want now to configure srtp between the two CUBE ans let RTP between each CUBE and its CME."

Quoting this from your initial post. What does the call flow look like ? I am assuming the following -
CME >> CUBE >> CUBE >> CME

So you need RTP b/w CME and CUBE but SRTP b/w CUBE's ?

Read the following for SRTP-RTP interop -
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube_proto/configuration/12-4t/cube-proto-12-4t-book/voi-srtp-rtp-int.html#GUID-3C024A78-4EFF-4ED0-8AD1-7295062BC81D

M02@rt37 · ‎03-05-2018

Tks for your reply.

Exactly we are in this configuration:

CME-A >>CUBE-A>>CUBE-B>>CME-B

I've followed the cisco documentation U gave me by your link.

Unfortunelty srtp is down. I think I miss something to configure on the voice service voip but I dont know what. The cisco doc is pretty good but It seems to be written for guys who already have succeed for this configuration type.

I'm Ok that I have to configure srtp command in my dial-peer....i can also configure the srtp-auth....

When I try a call from CME-A to CME-B, with this configuration, I've got an error "503 Service Unavailable" on the sip message on the CME-A. No sip message in inbound on the CUBE-A.....I try to configure srtp fallback on the dial peer between CME and CUBE....same error.

May I have to do something particular on this last dial-peer? or again on the voice service voip?

Tks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R0g22 · ‎03-05-2018

Ok. A couple of checks -
1. Configure outgoing dial-peers on both CUBE A and CUBE B for calls coming to the respective CME's with "srtp fallback" command to support non-secure fallback.
2. The incoming/outgoing dial-peers b/w the CUBE's need to have "srtp" configured.

The "srtp-auth" is a deprecated command though you can still use. Instead you can use "voice-class srtp-crypto" command to configure your preferred cipher suite.

You can configure the commands either globally or on a per DP basis but if both are configured, DP level commands always take preference.

M02@rt37 · ‎03-05-2018

I exactly configure this on each CME and each CUBE as concerned their own dial-peer.

Always this same error "Service Unavailable"on my CME-A when I try a call from A to B. Nothing in inbound on my CUBE-A.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R0g22 · ‎03-05-2018

Ok. Good. One thing out of the type. Attach "show run" from both CME and CUBE. Enable the following on both CME A and CUBE A -
debug ccsip message
debug ccsip error
debug ccsip info
debug voice ccapi inout

Enable "voice iec syslog" on both the routers in global configuration mode. Make a test call and share the logs in a text file please.

M02@rt37 · ‎03-05-2018

Ok thank U. I will come back soon with what U want.

But I'm sure that I have no debug in my CUBE-A with debug ccsip mesages command.when I try a call from A to B.

On the otherside CME-A speak to me with this debug ccsip message command....Service Unavailable.

Tks

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 · ‎03-05-2018

Do U have a quick dial-peer configuration in order to compare with my configuration. I have no debug in inbound on CUBE-A....only on CME-A. In fact my infrastrucutre is built on a classified context. Then I can't copy paste right now the config or debug.

Is there anything to do on CME-A? sound very strange.... Ok I have on my CUBE-A:

dial-peer voice 10 voip

description DP-out- TO-CME-A

session target ipv4: 10.10.10.10

session protocol sipv2

srtp fallback

destination-pattern 2970. $

no vad

voice-class codec 1

dial-peer voice 20 voip

description DP-in-FROM-CME-A

srtp fallback

incoming called-numner 2971. $

no vad

voice-class codec 1

dial-peer voice 30 voip

description DP-out-TO-CUBE-B

session target ipv4:30.30.30.30

session protocol sipv2

srtp

destination-pattern 2971. $

no vad

voice-class codec 1

dial-peer voice 40 voip

description DP-in-FROM-CUBE-B

srtp

incoming called-number 2970. $

no vad

voice-class codec 1

Nothing about srtp on voice service voip.

In sip-ua, I've just configured the TLS crypto signaling command.

Nothing else on cube as concerned srtp. Nothing else in particular in my CME-A's dial-peer. One outbound dial peer towards my CUBE-A for everyrhing U call. And one default inbound dial-peer. For this two dial-peer no srtp configuration.

I double check all the architecture with RTP evreywhere and it's ok. *tls b/w cube is ok also.

With this srtp configuration on the different dial-peer on CUBe...when I try a call from A to B the CME-A give me an error "Service unavailable"and I have nothing in inbound on my CUBE-A.

Regards.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R0g22 · ‎03-05-2018

Your configuration looks good. I don't have a specific setup to share the config. I had a secure cluster with SRTP-RTP interop in the my lab but I had to take it down recently due to some issues with my UCS blade.
You can share the config from the CUBE and CME as well as the requested logs. CCSIP messages alone are sometimes not good enough to see what is wrong.

M02@rt37 · ‎03-07-2018

I come back to U with all my logs

Tks.

Regards.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 · ‎03-19-2018

Ok @R0g22 it's ok now.

Sip tls and srtp are good!

The issue was my LTI transcoder. It wasn't in security mode. Even if LTI doesn't need trustpoint, it needs the security mode.

Thats all. My configuration was good for rtp to srtp internetworking.

Tks.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

R0g22 · ‎03-19-2018

Weren't you using ISR-4k ? Well I might have assumed that, never mind. With ISR-G2 etc you need a transcoder to be able to do the interop. With ISR-4k, you don't. It is handled natively by the RP. I was under the incorrect assumption that you have a ISR-4k.

M02@rt37 · ‎03-19-2018

Thanks for your help @R0g22.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.