9435 Views, 0 Helpful, 26 Replies

German Telekom SIP TLS SRTP

SathishAnbu4286
Level 1

We are using a SIP trunk from the service provider Telekom Germany over the internet. To secure the connection we want to configure TLS and SRTP with the service provider. Please help with how to do it.

Accepted Solution

Marc,

After the secure transcoder configuration all is working fine. Thank you very much for your support.


26 Replies

j.huizinga
Level 6

You have to ask the provider if they support this.

Normally providers don't do this.

JH

Jaime Valencia
Cisco Employee

There are a few Cisco Live sessions on UC/CUBE security that cover the whole procedure; you can refer to those.

But as Jan mentioned, verify that your telco supports this in the first place.

HTH

java

if this helps, please rate

Guys,

Yes, they support TLS. I am looking for the document; I am not able to find it, please help.

You can search all the Cisco Live presentations through the On-Demand Library:

https://www.ciscolive.com/global/on-demand-library.html?search=cube%20security#/

The LRTCOL-2310 or BRKUCC-2006 presentations are essential.

George

Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Thank you, I got it.

I want to know whether it is possible to configure TLS/SRTP only towards the service provider, not towards CUCM.

If that is not possible, do we need to enable mixed mode on CUCM? Do we also need to enable a secure connection for Unity? Because I have a cluster, and I want to enable TLS for one remote location's SIP trunk with the service provider.

marcfuhrmann
Level 1

Hi,

I think this document helps:

srst_sip_trunking.html

I think they used Deutsche Telekom in this document.

Hope it helps

Marc

Guys,

Thanks for the link; I am doing this for the first time. I have the below doubts.

1. Is TLS/SRTP possible only between CUBE and the service provider, not between CUCM and CUBE?

2. Is CUCM mixed mode mandatory?

3. If it is on both legs, how about Unity? Unity is centralized; will that work?

4. Does a CSR need to be generated on CUBE and signed by a public CA?

5. Or do we directly get the public certificate and install it on CUBE?

6. Do any certificates need to be installed on CUCM and CUBE?

Hi,

I am using this on a 2921 ISR G2. A transcoder is required on CUBE. I can post a working config for the ISR G2.

My problem is the LTI secure transcoder. It is not working properly on shared lines. Audio comes in after a few seconds.

1. Yes. TLS/SRTP is only between CUBE and Telekom. Local phones, other tenants or other trunks can be used unsecured.

2. No. I am using CME only, with 8800 SIP phones.

3. See no. 1. All other legs can be unsecured.

4. You import the root .cer from Telekom (valid until 2033) into CUBE. No other cert is required.

5. To have a secure connection to Telekom, there is no other cert required.

If you have an ISR4k my config needs to be changed a little, but you do not need the transcoder. So that would be a huge plus, because it is giving me big problems on the ISR G2.

Regards

Marc

Hi Marc,

Thank you for your input; it is very helpful. Yes, I am using an ISR4K series router. If possible please share your configuration; it will be very helpful.

Hi,

Download the Telekom certificate:

https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/59-t-telesec-globalroot-class-2

Import the certificate

  1. enable
  2. configure terminal
  3. crypto pki trustpoint telekom
  4. revocation-check none
  5. enrollment terminal
  6. exit
  7. crypto pki authenticate telekom
  8. Open the Telekom root certificate file that you downloaded in an editor.
  9. You will be prompted to enter the CA certificate. Cut and paste the entire contents of the base64-encoded certificate between BEGIN CERTIFICATE and END CERTIFICATE at the command line. Press Enter and type quit. The router prompts you to accept the certificate. Enter yes to accept the certificate.

My configuration, changed to ISR4K, is attached. Hope it works for you.

Please remove your unencrypted Telekom registrar on port 5060 from your config.

Let us know the result.

Marc

Hi Marc,

Thank you.

Sorry for the confusion, my router is an ISR 2911 only. What issue might I face and what is the workaround for that?

I saw your configuration and there is no registration under sip-ua. Is it not required, or do I need to update it to 5061 and configure it?

Does the transcoder need to be configured as secure?

Hi,

On the ISR G2 you need a transcoder for SRTP-RTP and RTP-SRTP.

My problem is that I use CME and on the incoming central line (0) the audio comes in after a few seconds on the phones. The SIP DN for extension zero (0) is a shared DN (SIP only, not a mixed shared line with SCCP) on 5 SIP phones (8851) and an ATA190.

But this is specific to my configuration, and if you use CUCM this may not be a problem for you.

The workaround is to use the Telekom SIP trunk unsecured, or to make the phones on CME secure (TLS/SRTP) as well.

The sip-ua registration is under "Tenant". With tenants you can use multiple SIP providers.

For the use of TLS/SRTP on the Telekom SIP trunk with ISR G2:

Download the Telekom certificate

Telekom Certificate

Import the certificate

  1. enable
  2. configure terminal
  3. crypto pki trustpoint telekom
  4. revocation-check none
  5. enrollment terminal
  6. exit
  7. crypto pki authenticate telekom
  8. Open the Telekom root certificate file that you downloaded in an editor.
  9. You will be prompted to enter the CA certificate. Cut and paste the entire contents of the base64-encoded certificate between BEGIN CERTIFICATE and END CERTIFICATE at the command line. Press Enter and type quit. The router prompts you to accept the certificate. Enter yes to accept the certificate.

Please remove your unencrypted Telekom registrar on port 5060 from your config.

Let me know how the transcoder works for you.

Marc
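The certificate-import steps in both of Marc's posts end with the router asking you to accept the pasted CA certificate (step 9). At that prompt IOS shows the certificate's MD5 and SHA1 fingerprints, and the only thing that makes the trust anchor for the SIP TLS trunk trustworthy is checking those values against the fingerprint the CA publishes out of band. The following Python script is an added example, not part of this thread and not a Cisco tool: it extracts exactly the base64 body between the BEGIN/END markers, rejects a truncated or mangled paste, and computes the same fingerprints the router will display so they can be compared before anything is typed into the router. The certificate it uses is a constructed placeholder, not the Telekom root; the "published fingerprint" it compares against is likewise an assumption standing in for the value from the CA's website.

```python
"""Added example (not from this thread or Cisco): pre-import check for a
provider root certificate before `crypto pki authenticate <trustpoint>`.

IOS prints the certificate's MD5 and SHA1 fingerprints when it asks you to
accept a pasted CA certificate. This script computes the same digests from
the downloaded file, so the value you accept on the router can be compared
with the fingerprint published by the CA, and it refuses a body that would
not even parse (the usual result of an incomplete cut-and-paste).
"""
import base64
import binascii
import hashlib
import re

# The PEM block inside a downloaded .cer; text before/after the markers is ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def _der_total_length(der: bytes) -> int:
    """Size (header + content) the outer DER element claims, or -1 if malformed."""
    if len(der) < 2:
        return -1
    first = der[1]
    if first < 0x80:                      # short form: a single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in pem_text.

    Raises ValueError when no BEGIN/END block is present, the body is not
    valid base64, or the result is not a DER SEQUENCE whose declared length
    matches the decoded size (the symptom of a truncated paste).
    """
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(m.group("body").split())      # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match decoded size (truncated paste?)")
    return der


def fingerprints(der: bytes) -> dict:
    """Colon-separated uppercase hex digests, the form IOS prints at the accept prompt."""
    return {
        name: ":".join(f"{b:02X}" for b in hashlib.new(name, der).digest())
        for name in ("md5", "sha1", "sha256")
    }


def validate(pem_text: str, expected_fingerprint: str) -> tuple:
    """(ok, message): ok only if the file parses and one of its digests equals
    the fingerprint copied from the CA's site (colons, spaces and case ignored)."""
    try:
        der = extract_der(pem_text)
    except ValueError as exc:
        return False, str(exc)
    wanted = re.sub(r"[^0-9A-Fa-f]", "", expected_fingerprint).upper()
    fps = fingerprints(der)
    if wanted not in {v.replace(":", "") for v in fps.values()}:
        return False, "fingerprint mismatch; do NOT accept this certificate on the router"
    return True, "fingerprint matches: SHA1 " + fps["sha1"]


# Constructed sample: a toy DER SEQUENCE { INTEGER 1, INTEGER 2 }, not a real
# certificate, wrapped the way a downloaded .cer with a text header looks.
SAMPLE_DER = bytes.fromhex("30 06 02 01 01 02 01 02")
SAMPLE_PEM = (
    "Subject: CN=Constructed Test Root (placeholder, not a real CA)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    published = fingerprints(SAMPLE_DER)["sha1"]   # assumed: value taken from the CA's website
    print(validate(SAMPLE_PEM, published))
    print(validate(SAMPLE_PEM.replace("-----END", "--END"), published))
```

Run it against the real downloaded file by reading that file into `validate()` together with the fingerprint from the CA's page; only paste the body into the router if it reports a match, and then confirm that the SHA1 the router echoes at the accept prompt is the same string.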

 

Hi Marc,

Waiting for the change window; I will let you know once done.

Hi,

You have to check the number of DSPs installed in your ISR2911 (sh inv). The 2911 voice bundle is equipped with a PVDM3-16 by default. That means you have to set "maximum sessions 6" in the LTI transcoder (if it is the only transcoder configured).

I have an ISR2921 with a PVDM3-32, so I can set "maximum sessions 12".

For the ISR G2/4K series, install the UCK9 package license to access all the voice features including CUBE. For SIP TLS/SRTP, the SEC-K9 license is also required.

Hope this helps,

Marc