12-18-2010 11:26 AM - edited 03-16-2019 02:30 AM
Two scenarios below between CM <SIP TRUNK> CME. Scenario 1 is working, but can scenario 2 be supported?
scenario 1. normal SIP trunk (with SRTP allowed, it is working)
scenario 2. between CM and CME (secure SIP trunk profile not working on CM to CME) <- does CME support a secure SIP profile to CM?
--------------- scenario1.
On CM, when I add a SIP trunk (using a non-secure SIP trunk profile) and check SRTP allowed, SRTP traffic works between CM and CME.
My CME configuration is as follows:
!
dial-peer voice 1 voip
destination-pattern 5...
session protocol sipv2
session target ipv4:10.1.1.1
dtmf-relay rtp-nte
srtp
!
--------------- scenario2.
On CM, when I add a SIP trunk (USING A SECURE SIP TRUNK PROFILE) and check SRTP allowed, the call cannot be established to CME.
question A. On CME, what do I need to configure to establish a secure SIP trunk (encrypted TLS) with CM?
Does CME support an encrypted TLS SIP trunk with CM?
question B. Or is the SIP trunk security profile for encrypted TLS signaling just for CM to CM,
and not for CM to CME?
Does anyone have an answer or solution to questions A and B?
12-23-2010 10:05 AM
Hi,
In the SIP Trunk Security Profile you should have the following set ...
Device Security Mode = Authenticated
Incoming Transport Type = TLS
1. Make sure the CME is running "Advanced Enterprise Services Feature set"
2. Configure the CME to trust the CCM Certificate.
3. Once the necessary configs are completed, make sure the voip dial-peer
is configured with "session transport tcp tls" so that the session will
be established in the TLS format.
4. You can download CallManager.pem from the OS Admin Page > Security >
Certificate Management > Find > Click the CallManager.pem file > Download.
You will need to upload this file to the CME Router.
5. You will need to upload the .pem file from the CME Router to the
CallManager. To do this from the OS Admin Page > Security > Certificate
Management > Upload Certificate > Configure the following ...
* "CallManager-Trust" for the Certificate Name
* Leave "Root Certificate" Blank
* Click Upload File and select the .pem file you saved off from the CME
Router.
> Upload File > Restart Cisco Tomcat [ Utils service restart Cisco Tomcat ]
and Cisco CallManager Services.
6. Make test calls and check if they are successful.
Please rate useful posts!
Jyothi
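An added example (not part of the reply above, and not the poster's or Cisco's own configuration) of what steps 2, 3 and 5 can look like on the CME router. The trustpoint names CUCM-TRUST and CME-SELF, the subject name cme-router and the 2048-bit key size are assumptions made for this example; the dial-peer is the one from the question with the TLS transport added.

```cisco
! --- Step 2: make the router trust the CallManager certificate ---
! CUCM-TRUST is a placeholder trustpoint name (assumption).
crypto pki trustpoint CUCM-TRUST
 enrollment terminal
 revocation-check none
!
! Run from global config, paste the contents of CallManager.pem, then accept.
crypto pki authenticate CUCM-TRUST
!
! --- Router identity certificate, exported for step 5 ---
! CME-SELF and CN=cme-router are placeholders (assumptions).
crypto key generate rsa general-keys label CME-SELF modulus 2048
crypto pki trustpoint CME-SELF
 enrollment selfsigned
 subject-name CN=cme-router
 revocation-check none
 rsakeypair CME-SELF
!
crypto pki enroll CME-SELF
! Prints the certificate as PEM; save it and upload it to CM as CallManager-Trust.
crypto pki export CME-SELF pem terminal
!
! --- Tell the SIP stack which certificate to present for TLS signaling ---
sip-ua
 crypto signaling default trustpoint CME-SELF
!
! --- Step 3: use TLS on the dial-peer that points at CM ---
dial-peer voice 1 voip
 destination-pattern 5...
 session protocol sipv2
 session target ipv4:10.1.1.1
 session transport tcp tls
 dtmf-relay rtp-nte
 srtp
!
```

The CN in the router certificate has to match the X.509 Subject Name entered in the CM SIP Trunk Security Profile. On the router, "show sip-ua connections tcp tls detail" shows whether a TLS session to CM was established.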
12-23-2010 11:13 AM
Thanks Jyothi,
for the detailed doc, it certainly helps. We're almost there, with one small issue left; hope you can advise.
When I set the CM SIP secure profile to Authenticated, it said the profile must be
Encrypted (see the error message below in red), because I'm using SRTP.
*I've already imported all certs and my IOS has the adv ent services feature set
question 1. If I set Encrypted mode in the SIP secure profile, what should my configuration be on the IOS voice gateway? Will the command "session transport tcp tls" still work for encrypted mode, or is the command just meant for authenticated mode?
question 2. Or is there another command on the voice gateway for an encrypted SIP trunk?
---error message on CM SIP secure profile: *I have the SRTP allowed check box ticked on the SIP trunk and my phone is in secure encrypted mode
Update failed. [9018] The Security Profile must be Encrypted and TLS because another device is using this profile which has SRTP enabled
12-23-2010 12:30 PM
Hmm, it didn't seem to work. I changed to non-SRTP on the phone; only the SIP trunk is in authenticated mode between CM and CME.
I imported the certs between CM and CME. My IOS is:
(C2800NM-ADVENTERPRISEK9_IVS_LI-M), Version 15.1(1)T2
I placed a call from CM to CME via the AUTHENTICATED MODE SIP SECURE TRUNK
between a CM phone (non-secure) and a CME phone (non-secure)
and the call cannot be established... error message for TLS over TCP in green below.
The dial-peer voice already includes transport session tcp tls.
question 1. Is there any additional command I need to add to inform CME that it is referencing or associating with the CM .pem cert? For example, for secure conferencing there's a command to associate trustpoint abc; for a secure SIP trunk on CME, is there any command to tell the router to associate with a trustpoint?
dspfarm profile 1 conference security
trustpoint abc
port=5061, transport=TLS Over TCP
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_process_sipspi_queue_event: ccsip_spi_get_msg_type returned: 2 for event 63
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_process_sipspi_queue_event: ccsip_spi_get_msg_type returned: 2 for event 54
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/ccsip_set_cc_cause_for_spi_err: Categorized cause:38, category:186
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_set_release_source_for_peer: ownCallId[107], src[6]
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/sipSPIInitiateDisconnect: Initiate call disconnect(38) for outgoing call
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/ccsip_call_statistics: Stats are not supported for IPIP call.