German Telekom SIP TLS SRTP

SathishAnbu4286 (Level 1)

We are using a SIP trunk from the service provider Telekom Germany over the internet. To secure the connection we want to configure TLS and SRTP with the service provider. Please help with how to do it.

26 Replies

Hi Marc,

I am not able to configure the commands below, any idea?

voice class srtp-crypto 1
 crypto 1 AES_CM_128_HMAC_SHA1_32
 crypto 2 AES_CM_128_HMAC_SHA1_80

Hi Marc,

I followed your steps but registration is not happening.

MX-GW1#
000378: Dec 10 05:17:29.174: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
REGISTER sips:sip-trunk.telekom.de:5061 SIP/2.0
Via: SIP/2.0/TLS 192.168.178.2:5061;branch=z9hG4bK13A8C6
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
To: <sips:+496237977400@sip-trunk.telekom.de>
Date: Tue, 10 Dec 2019 05:17:29 GMT
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
User-Agent: Cisco-SIPGateway/IOS-15.7.3.M5
Max-Forwards: 70
Timestamp: 1575955049
CSeq: 5 REGISTER
Contact: <sip:192.168.178.2:5061;bnc>
Expires: 240
Supported: path
Authorization: Digest username="551135170181",realm="sip-trunk.telekom.de",uri="sips:sip-trunk.telekom.de:5061",response="",nonce=""
Content-Length: 0
Proxy-Require: gin
Require: gin


000379: Dec 10 05:17:29.206: //2478/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 416 Unsupported URI Scheme
Via: SIP/2.0/TLS 192.168.178.2:5061;received=217.7.207.185;branch=z9hG4bK13A8C6
To: <sips:+496237977400@sip-trunk.telekom.de>;tag=b7413aae
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
CSeq: 5 REGISTER
Reason: TSSI;cause=4160017
Content-Length: 0
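
The 416 Unsupported URI Scheme above is the provider rejecting the request before it even gets to a 401 challenge. The following Python script is an added example, not Cisco code and not from this thread: it splits IOS "debug ccsip messages" output into Sent/Received messages, pairs the REGISTER with its response by Call-ID and CSeq, and reports what to check first on a failed TLS registration: the final status and the provider's Reason header, any From/To/Contact URI whose scheme differs from the Request-URI (here a sips: REGISTER carries a sip: Contact; a SIP profile rewrite rule is the usual tool for normalising that, though the thread does not show which rule fixed this registration), whether a sips: request actually went over TLS, and whether the Authorization header is still an empty pre-challenge digest. The embedded sample is the trace from the post above, trimmed to the headers the checks use.

```python
"""Offline checks on a REGISTER attempt from IOS 'debug ccsip messages'.
Added example, not Cisco code; the sample is the exchange posted above, trimmed."""
import re

SAMPLE_DEBUG = """\
000378: Dec 10 05:17:29.174: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
REGISTER sips:sip-trunk.telekom.de:5061 SIP/2.0
Via: SIP/2.0/TLS 192.168.178.2:5061;branch=z9hG4bK13A8C6
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
To: <sips:+496237977400@sip-trunk.telekom.de>
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
CSeq: 5 REGISTER
Contact: <sip:192.168.178.2:5061;bnc>
Authorization: Digest username="551135170181",realm="sip-trunk.telekom.de",uri="sips:sip-trunk.telekom.de:5061",response="",nonce=""

000379: Dec 10 05:17:29.206: //2478/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 416 Unsupported URI Scheme
Via: SIP/2.0/TLS 192.168.178.2:5061;received=217.7.207.185;branch=z9hG4bK13A8C6
To: <sips:+496237977400@sip-trunk.telekom.de>;tag=b7413aae
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
CSeq: 5 REGISTER
Reason: TSSI;cause=4160017
"""

REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<ruri>\S+) SIP/2\.0$")
STATUS_RE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) (?P<reason>.*)$")
SCHEME_RE = re.compile(r"<?(?P<scheme>sips?):")  # first URI scheme in a header value
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')         # quoted Digest parameters
STAMP_RE = re.compile(r"^\d{6}: ")                # IOS log sequence/timestamp line

def split_messages(text):
    """(direction, lines) per Sent:/Received: block; a blank or timestamp line ends it."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in ("Sent:", "Received:"):
            current = (line[:-1].lower(), [])
            blocks.append(current)
        elif current is None or not line or STAMP_RE.match(line):
            current = None
        else:
            current[1].append(line)
    return blocks

def parse_message(direction, lines):
    """Start line plus headers as {lower-case name: [values]}."""
    msg = {"direction": direction, "headers": {}}
    m = REQUEST_RE.match(lines[0])
    if m:
        msg.update(kind="request", method=m.group("method"), ruri=m.group("ruri"))
    else:
        m = STATUS_RE.match(lines[0])
        msg.update(kind="response", code=int(m.group("code")), reason=m.group("reason"))
    for h in lines[1:]:
        name, _, value = h.partition(":")
        msg["headers"].setdefault(name.strip().lower(), []).append(value.strip())
    return msg

def uri_scheme(value):
    m = SCHEME_RE.search(value)
    return m.group("scheme") if m else None

def check_register(req, resp):
    """Findings for one REGISTER transaction (request plus its response, if seen)."""
    h, findings = req["headers"], []
    if resp is not None and resp["code"] >= 400:
        findings.append("final response %d %s" % (resp["code"], resp["reason"]))
        findings += ["peer Reason header: " + r for r in resp["headers"].get("reason", [])]
    rscheme = uri_scheme(req["ruri"])
    # mixed sip:/sips: URIs in one request are what SIP-profile rewrite rules normalise
    for name in ("from", "to", "contact"):
        for v in h.get(name, []):
            s = uri_scheme(v)
            if s and s != rscheme:
                findings.append("%s uses %s: but Request-URI uses %s:" % (name.capitalize(), s, rscheme))
    via = h.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else "unknown"
    if rscheme == "sips" and transport != "TLS":   # RFC 3261: sips: requires TLS
        findings.append("sips: Request-URI sent over %s, not TLS" % transport)
    for a in h.get("authorization", []):
        p = dict(PARAM_RE.findall(a))
        if not p.get("nonce") or not p.get("response"):
            findings.append("Authorization has an empty nonce/response (no 401 challenge answered)")
    return findings

def analyse(text):
    """Map (Call-ID, CSeq) of each REGISTER to its findings."""
    msgs = [parse_message(d, l) for d, l in split_messages(text)]
    results = {}
    for req in msgs:
        if req["kind"] != "request" or req["method"] != "REGISTER":
            continue
        key = (req["headers"]["call-id"][0], req["headers"]["cseq"][0])
        resp = next((m for m in msgs if m["kind"] == "response" and
                     (m["headers"].get("call-id", [""])[0], m["headers"].get("cseq", [""])[0]) == key), None)
        results[key] = check_register(req, resp)
    return results

if __name__ == "__main__":
    for key, findings in analyse(SAMPLE_DEBUG).items():
        print("REGISTER", key[1], "Call-ID", key[0], *("\n  - " + f for f in findings))
```

Run it against a longer debug capture by replacing SAMPLE_DEBUG with the file contents; each REGISTER transaction is reported separately, so a gateway that retries with different CSeq values shows which attempt changed.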


Hi,

You followed the guide for the ISR4K. Please follow the guide for your ISR G2.

Include:

voice-class sip srtp-auth sha1-32 sha1-80

under:

dial-peer voice 21 voip

BTW:

I have problems with the image you are using. For me 15.6 or 15.7.M4b works better.

Marc
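
Both suite lists in this thread (crypto 1 AES_CM_128_HMAC_SHA1_32 / crypto 2 AES_CM_128_HMAC_SHA1_80 under voice class srtp-crypto on the ISR4K, srtp-auth sha1-32 sha1-80 on the ISR G2) are an ordered preference for the SDES key exchange in SDP (RFC 4568). The following Python script is an added example, not Cisco IOS code and not from this thread: it parses the a=crypto lines of an SDP offer, picks the first locally preferred suite the peer also offers with a well-formed key, and builds the answer line with a fresh local master key under the same tag. The offer, its address and its keys are constructed for the example; the first key is the sample key printed in RFC 4568 and the third is deliberately too short to show that a malformed line is skipped.

```python
"""SDES crypto-suite negotiation (RFC 4568) as an SBC does it for an SRTP
trunk. Added example, not Cisco IOS code: an ordered local preference,
like 'voice class srtp-crypto', is matched against the a=crypto lines of
the peer's SDP offer and the answer line is built with a fresh key."""
import base64
import binascii
import os
import re

# master key + master salt length per suite, RFC 4568 section 6.2
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
}
# same order as 'crypto 1 ..._32' / 'crypto 2 ..._80' in the thread
LOCAL_PREFERENCE = ["AES_CM_128_HMAC_SHA1_32", "AES_CM_128_HMAC_SHA1_80"]

# a=crypto:<tag> <suite> inline:<key>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>\S+)\s+inline:(?P<key>[A-Za-z0-9+/=]+)"
)

def parse_crypto_lines(sdp):
    """One dict per a=crypto line; 'valid' is False for an unknown suite
    or a key whose decoded length does not match the suite."""
    out = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        try:
            key = base64.b64decode(m.group("key"), validate=True)
        except (binascii.Error, ValueError):
            key = b""
        suite = m.group("suite")
        out.append({"tag": int(m.group("tag")), "suite": suite, "key": key,
                    "valid": SUITE_KEY_LEN.get(suite) == len(key)})
    return out

def media_is_secure(sdp):
    """True when the audio m= line requests SRTP (RTP/SAVP or RTP/SAVPF)."""
    for line in sdp.splitlines():
        if line.startswith("m=audio "):
            return line.split()[2] in ("RTP/SAVP", "RTP/SAVPF")
    return False

def select_suite(offers, preference=LOCAL_PREFERENCE):
    """Local order wins; a suite the peer offers but we do not list is
    never chosen, and a malformed key disqualifies that line."""
    for suite in preference:
        for o in offers:
            if o["suite"] == suite and o["valid"]:
                return o
    return None

def build_answer(chosen):
    """RFC 4568 7.1.2: the answer echoes the chosen tag and suite and
    carries our own randomly generated master key and salt."""
    key = base64.b64encode(os.urandom(SUITE_KEY_LEN[chosen["suite"]])).decode()
    return "a=crypto:%d %s inline:%s" % (chosen["tag"], chosen["suite"], key)

def answer_key(answer_line):
    """Decoded key bytes of an answer line produced by build_answer()."""
    return base64.b64decode(answer_line.split("inline:", 1)[1])

def negotiate(sdp, preference=LOCAL_PREFERENCE):
    """Answer a=crypto line for an offer, or None when the m= line is not
    secure or no acceptable suite is offered."""
    if not media_is_secure(sdp):
        return None
    chosen = select_suite(parse_crypto_lines(sdp), preference)
    return build_answer(chosen) if chosen else None

# constructed offer (address and keys are not from any real provider); the
# first key is the sample key printed in RFC 4568, the third is too short
KEY_OK_80 = "WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz"
KEY_OK_32 = base64.b64encode(bytes(range(30))).decode()
KEY_SHORT = base64.b64encode(b"short").decode()
SAMPLE_OFFER = "\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 40000 RTP/SAVP 8 101",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s|2^20|1:4" % KEY_OK_80,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:%s" % KEY_OK_32,
    "a=crypto:3 AES_CM_128_HMAC_SHA1_32 inline:%s" % KEY_SHORT,
    "a=rtpmap:8 PCMA/8000",
])

if __name__ == "__main__":
    for o in parse_crypto_lines(SAMPLE_OFFER):
        print(o["tag"], o["suite"], "ok" if o["valid"] else "BAD KEY")
    print(negotiate(SAMPLE_OFFER))
```

The point of the ordered list is that the local side, not the peer, decides which suite a call uses: with the thread's order the SHA1_32 line is chosen even though the peer listed SHA1_80 first, and a peer that offers only a suite outside the local list gets no SRTP answer at all (what the gateway does then depends on its srtp fallback setting, which this script does not model).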

Hi Marc,

Yes, I tried the G2 configuration already but registration is not happening.

Version 15.7(3)M5

Model 2911

sip-ua
 registrar dns:sip-trunk.telekom.de:5061 scheme sips expires 240 tcp tls auth-realm sip-trunk.telekom.de
 credentials number +496237977400 username 551135XXXX password XXXXXX realm sip-trunk.telekom.de
 authentication username 551135XXXX password XXXXXX realm sip-trunk.telekom.de
 no remote-party-id
 timers expires 60000
 timers register 100
 timers buffer-invite 1000
 timers dns registrar-cache ttl
 sip-server dns:sip-trunk.telekom.de:5061
 connection-reuse
 transport tcp tls v1.2
 ! trustpoint 'telekom' is used for TLS signaling with peers in 217.0.0.0/16
 crypto signaling remote-addr 217.0.0.0 255.255.0.0 trustpoint telekom

Incoming dial peer:

dial-peer voice 101 voip
 description **CUCM/PBX **
 incoming called-number +4962379774..
 translation-profile incoming FromPSTN
 session protocol sipv2
 session transport tcp tls
 session server-group 1
 incoming uri via 1
 voice-class codec 1
 no voice-class sip outbound-proxy
 voice-class sip srtp-auth sha1-32 sha1-80
 voice-class sip url sips
 voice-class sip options-keepalive profile 101
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 dtmf-relay rtp-nte
 srtp
 fax-relay ecm disable
 fax rate 14400
 fax nsf 000000
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
 no vad

Outgoing dial peer:

dial-peer voice 201 voip
 description **SIP-TRUNK.TELEKOM.DE**
 translation-profile outgoing ToPSTN
 ! *T matches any dialed string
 destination-pattern *T
 session protocol sipv2
 session target sip-server
 session transport tcp tls
 voice-class sip srtp-auth sha1-32 sha1-80
 voice-class sip url sips
 voice-class codec 1
 voice-class sip outbound-proxy dns:reg.sip-trunk.telekom.de
 voice-class sip profiles 201
 voice-class sip bind media source-interface GigabitEthernet0/1
 srtp
 dtmf-relay rtp-nte
 fax-relay ecm disable
 fax rate 14400
 fax nsf 000000
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
 clid strip name
 no vad

crypto pki trustpoint telekom
 enrollment terminal
 serial-number
 ! revocation-check none: the CRL/OCSP status of the peer certificate is not checked
 revocation-check none

and imported the root CA from Telekom.

 

SIP profile is missing under sip-ua.

It's all in my config. Why not use the tenant configuration?

Marc,

Thank you, it was a profile issue.

After applying the profile the trunk registered. But there is an issue with CUCM and CUBE, so I need to align the configuration for call routing.

It is business hours now; I will check and let you know.

Thank you very much; because there is no service provider support I don't have enough information, and your input was very helpful.

Marc,

You are right, now I am facing a media resource issue. I believe it is a transcoder issue.

Do I need to configure 2 sets of transcoders, 1 towards CUCM with RTP and the other towards the service provider with SRTP?

Can you share your transcoder config?

Hi,

I am using CME only, so my help is limited here. My transcoder configuration is in my config for ISR G2:

voice-card 0
 dspfarm
 dsp services dspfarm
!
dspfarm profile 2 transcode universal security
 codec g729abr8
 codec g729ar8
 codec g711alaw
 codec g711ulaw
 codec g722-64
 maximum sessions 6
 associate application CUBE
 ! the profile also needs 'no shutdown' to become active

This config will do the SRTP-RTP-SRTP transcoding in both directions.

Make sure you have a PVDM module installed.

Marc,

After the secure transcoder configuration all is working fine. Thank you very much for your support.

Hi,

I have the same issue. My SIP TLS trunk with Telekom.de is not registering. I read that you said "After applying the profile trunk registered". What profile are you talking about? My config is below.

voice class tenant 2
 registrar dns:sip-trunk.telekom.de scheme sips expires 240 tcp tls auth-realm sip-trunk.telekom.de
 credentials number xxxxxxxxx username xxxxxxxxx password xxxxxxxx realm sip-trunk.telekom.de
 authentication username xxxxxxxxx password xxxxxxxx
 sip-server dns:sip-trunk.telekom.de:5061
 session transport tcp tls
 asserted-id pai
 bind control source-interface Dialer1
 bind media source-interface Dialer1
 sip-profiles 2
 outbound-proxy dns:reg.sip-trunk.telekom.de
 early-offer forced
 srtp-crypto 1


dial-peer voice 200 voip
 description #ITSP INBOUND DIAL-PEER#
 translation-profile incoming PSTN_National
 session protocol sipv2
 incoming called e164-pattern-map 3
 voice-class codec 2
 voice-class sip url sips
 voice-class sip call-route p-called-party-id
 voice-class sip tenant 2
 dtmf-relay rtp-nte
 no vad
!
dial-peer voice 201 voip
 description #ITSP OUTBOUND DIAL-PEER#
 session protocol sipv2
 session target sip-server
 destination e164-pattern-map 2
 voice-class codec 2
 voice-class sip url sips
 voice-class sip localhost dns:xxxx.com preferred
 voice-class sip tenant 2
 dtmf-relay rtp-nte
 no vad
!
sip-ua
 transport tcp tls v1.2
 crypto signaling remote-addr 217.0.0.0 255.255.0.0 trustpoint ProviderCert

Thanks and Regards,

Saheed

Hi,

I have attached two working configurations. Not sure what you already included in your full configuration, but I guess that you already implemented the Telekom root certificate.

Not sure if you have an ISR-G2 or an ISR4K. Attached are both configs.

Make sure you are not running into this bug: CSCvr90926

isr4300-universalk9.16.09.03.SPA.bin is working for me on ISR4331.

If you need further help, please post your full configuration.

Marc

Regarding this bug: CSCvr90926

It should be resolved in 16.9.5 and 16.12.3.

I tried both images but am still getting the same error when dialing out:

%VOICE_IEC-3-GW: CCAPI: Internal Error (Resource busy): IEC=1.1.181.1.25.114 on callID ............

Does anybody have a solution for this?

Marc