Does CME support a secure SIP trunk to CM?

ommanipadmehum

Two scenarios below between CM <SIP TRUNK> CME. Scenario 1 is working, but can scenario 2 be supported?

Scenario 1. Normal SIP trunk (with SRTP allowed) is working.

Scenario 2. Between CM and CME (secure SIP trunk profile not working from CM to CME) <- does CME support a secure SIP profile to CM?

--------------- Scenario 1.

On CM, when I add a SIP trunk (using a non-secure SIP trunk profile) and tick SRTP allowed, SRTP traffic is working between CM and CME.

My CME configuration is as follows:

!
dial-peer voice 1 voip
 destination-pattern 5...
 session protocol sipv2
 session target ipv4:10.1.1.1
 dtmf-relay rtp-nte
 srtp
!

--------------- Scenario 2.

On CM, when I add a SIP trunk (USING A SECURE SIP TRUNK PROFILE) and tick SRTP allowed, the call cannot be established to CME.

Question A. On CME, what do I need to configure to establish a secure SIP trunk with encrypted TLS to CM?

Does CME support an encrypted TLS SIP trunk with CM?

Question B. Or is the SIP trunk security profile for encrypted TLS signaling only for CM to CM,

and not for CM to CME?

Does anyone have an answer or solution to questions A and B?

Accepted Solution

Jyothi V

Hi,

In the SIP Trunk Security Profile you should have the following set ...

Device Security Mode = Authenticated
Incoming Transport Type = TLS

1. Make sure the CME is running "Advanced Enterprise Services Feature set"

2. Configure the CME to trust the CCM Certificate.

3. Once the necessary configs are completed, make sure the voip dial-peer
is configured with "session transport tcp tls" so that the session will
be established in the TLS format.

4. You can download CallManager.pem from the OS Admin Page > Security >
Certificate Management > Find > Click the CallManager.pem file > Download.
You will need to upload this file to the CME Router.

5. You will need to upload the .pem file from the CME Router to the
CallManager. To do this from the OS Admin Page > Security > Certificate
Management > Upload Certificate > Configure the following ...

* "CallManager-Trust" for the Certificate Name
* Leave "Root Certificate" Blank
* Click Upload File and select the .pem file you saved off from the CME
Router.

> Upload File > Restart Cisco Tomcat [ utils service restart Cisco Tomcat ]
and Cisco CallManager Services.

6. Make test calls and check if they are successful.

Please rate useful posts!

Jyothi
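
One way the CME side of steps 2, 3 and 5 above can be configured, as an added example that is not part of the original thread. The trustpoint names, key label and CN are hypothetical; 10.1.1.1 and the dial-peer lines are taken from the configuration in the question.

```cisco
! Added example. CUCM-TRUST, CME-SIP-TLS, CME-SIP-KEY and CN=cme-router
! are hypothetical names chosen for illustration.
!
! 1. Trustpoint that holds the CUCM certificate (CallManager.pem) so the
!    router can validate the peer during the TLS handshake.
crypto pki trustpoint CUCM-TRUST
 enrollment terminal
 revocation-check none
!
! Then, from global config, paste the contents of CallManager.pem:
!   crypto pki authenticate CUCM-TRUST
!
! 2. Identity the router presents to CUCM: key pair plus a self-signed
!    certificate.
crypto key generate rsa general-keys label CME-SIP-KEY modulus 2048
crypto pki trustpoint CME-SIP-TLS
 enrollment selfsigned
 subject-name CN=cme-router
 revocation-check none
 rsakeypair CME-SIP-KEY
!
! Generate the certificate and print it as PEM for upload to CUCM as
! CallManager-Trust:
!   crypto pki enroll CME-SIP-TLS
!   crypto pki export CME-SIP-TLS pem terminal
!
! 3. Tell the SIP stack which trustpoint to use for TLS signaling.
sip-ua
 crypto signaling default trustpoint CME-SIP-TLS
!
! 4. Dial-peer toward CUCM: TLS for signaling, SRTP for media.
dial-peer voice 1 voip
 destination-pattern 5...
 session protocol sipv2
 session target ipv4:10.1.1.1
 session transport tcp tls
 dtmf-relay rtp-nte
 srtp
!
```

The CN in the router certificate has to match the X.509 Subject Name field of the SIP Trunk Security Profile on CUCM, otherwise the handshake is rejected even when both certificates are trusted.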

3 Replies

Thanks Jyothi,
for the detailed doc, it certainly helps. We're almost there, with one small issue left; hope you can advise.
When I set Authenticated on the CM SIP secure profile, it said the profile must be
Encrypted (see the error message in red below), because I'm using SRTP.

*I've already imported all certs and my IOS has the Adv Ent Services feature set.

Question 1. If I set Encrypted mode in the SIP secure profile, what should my configuration be on the IOS voice gateway? Will the command "session transport tcp tls" still work for encrypted mode, or is the command just meant for authenticated mode?

Question 2. Or is there another command on the voice gateway for an encrypted SIP trunk?

---Error message on the CM SIP secure profile: *I have the SRTP allowed check box ticked on the SIP trunk and my phone is in secure encrypted mode.

Update failed. [9018] The Security Profile must be Encrypted and TLS  because another device is using this profile which has SRTP enabled

Hmm, it didn't seem to work. I changed to non-SRTP on the phone; only the SIP trunk is in authenticated mode between CM and CME.

I imported the certs between CM and CME. My IOS is:

(C2800NM-ADVENTERPRISEK9_IVS_LI-M), Version 15.1(1)T2

I placed a call from CM to CME via the AUTHENTICATED MODE SIP SECURE TRUNK

between a CM phone (non-secure) and a CME phone (non-secure)

and the call cannot be established... error message for TLS over TCP in green below.

dial-peer voice already included transport session tcp tls

Question 1. Is there any additional command I need to add to inform CME that it is referencing or associating with the CM .pem cert? For example, for secure conferencing there's a command to associate trustpoint abc; for a secure SIP trunk on CME, is there any command to inform the router to associate to a trustpoint?

dspfarm profile 1 conference security
 trustpoint abc

port=5061, transport=TLS Over TCP
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_process_sipspi_queue_event: ccsip_spi_get_msg_type returned: 2 for event 63
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_process_sipspi_queue_event: ccsip_spi_get_msg_type returned: 2 for event 54
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/ccsip_set_cc_cause_for_spi_err: Categorized cause:38, category:186
Dec 23 22:08:04.591: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_set_release_source_for_peer: ownCallId[107], src[6]
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/sipSPIInitiateDisconnect: Initiate call disconnect(38) for outgoing call
Dec 23 22:08:04.591: //107/F28C532B8124/SIP/Info/ccsip_call_statistics: Stats are not supported for IPIP call.