11-26-2019 07:41 AM
We are using a SIP trunk from the service provider Telekom Germany over the internet. To secure the connection, we want to configure TLS and SRTP with the service provider. Please help with how to do it.
12-09-2019 09:31 AM
Hi Marc,
I am not able to configure the commands below. Any idea?
voice class srtp-crypto 1
crypto 1 AES_CM_128_HMAC_SHA1_32
crypto 2 AES_CM_128_HMAC_SHA1_80
12-09-2019 10:43 PM
Hi Marc,
I followed your steps, but registration is not happening.
MX-GW1#
000378: Dec 10 05:17:29.174: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Sent:
REGISTER sips:sip-trunk.telekom.de:5061 SIP/2.0
Via: SIP/2.0/TLS 192.168.178.2:5061;branch=z9hG4bK13A8C6
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
To: <sips:+496237977400@sip-trunk.telekom.de>
Date: Tue, 10 Dec 2019 05:17:29 GMT
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
User-Agent: Cisco-SIPGateway/IOS-15.7.3.M5
Max-Forwards: 70
Timestamp: 1575955049
CSeq: 5 REGISTER
Contact: <sip:192.168.178.2:5061;bnc>
Expires: 240
Supported: path
Authorization: Digest username="551135170181",realm="sip-trunk.telekom.de",uri="sips:sip-trunk.telekom.de:5061",response="",nonce=""
Content-Length: 0
Proxy-Require: gin
Require: gin
000379: Dec 10 05:17:29.206: //2478/000000000000/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 416 Unsupported URI Scheme
Via: SIP/2.0/TLS 192.168.178.2:5061;received=217.7.207.185;branch=z9hG4bK13A8C6
To: <sips:+496237977400@sip-trunk.telekom.de>;tag=b7413aae
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
Call-ID: EA1C97FC-1A4211EA-88C8A0A6-F286BBE6
CSeq: 5 REGISTER
Reason: TSSI;cause=4160017
Content-Length: 0
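An added example, not part of the original thread: RFC 3261 requires the Contact of a request whose Request-URI is a SIPS URI to be a SIPS URI as well, and the REGISTER in the trace above carries a `sips:` Request-URI with a `sip:` Contact. The Python sketch below checks a captured request for that and for a TLS Via; the sample message is copied from the post with headers trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample: the REGISTER from the debug output above, headers trimmed.
SAMPLE_REGISTER = """\
REGISTER sips:sip-trunk.telekom.de:5061 SIP/2.0
Via: SIP/2.0/TLS 192.168.178.2:5061;branch=z9hG4bK13A8C6
From: <sips:+496237977400@sip-trunk.telekom.de>;tag=2CB60E8-1255
To: <sips:+496237977400@sip-trunk.telekom.de>
CSeq: 5 REGISTER
Contact: <sip:192.168.178.2:5061;bnc>
Content-Length: 0
"""

# Scheme at the start of a bare URI or right after "<" in a name-addr.
SCHEME_RE = re.compile(r"(?:^|<)\s*(sips?|tel):", re.IGNORECASE)

def uri_scheme(value):
    """Return the lowercase URI scheme found in a header value, or None."""
    m = SCHEME_RE.search(value.strip())
    return m.group(1).lower() if m else None

def parse_request(text):
    """Split a SIP request into its Request-URI and a dict of header lists."""
    lines = text.strip().splitlines()
    _method, request_uri, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_uri, headers

def check_secure_signaling(text):
    """List mismatches between the sips: Request-URI, Via transport and Contact."""
    request_uri, headers = parse_request(text)
    findings = []
    req_scheme = uri_scheme(request_uri)
    if req_scheme != "sips":
        findings.append(f"Request-URI uses {req_scheme}: instead of sips:")
    via = headers.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else "none"
    if transport != "TLS":
        findings.append(f"top Via transport is {transport}, not TLS")
    if req_scheme == "sips":
        for contact in headers.get("contact", []):
            if contact != "*" and uri_scheme(contact) != "sips":
                findings.append(f"Contact uses {uri_scheme(contact)}: while Request-URI is sips:")
    return findings
```

Compact header forms (`m` for Contact, `v` for Via) are not handled; expand them before running the check on traces that use them.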
12-09-2019 10:57 PM
Hi,
you followed the guide for ISR4k. Please follow the guide for your ISR G2.
include:
voice-class sip srtp-auth sha1-32 sha1-80
under:
dial-peer voice 21 voip
BTW:
I have problems with the image you are using. For me 15.6 or 15.7.M4b works better.
Marc
12-09-2019 11:50 PM
Hi Marc,
Yes, I tried the G2 configuration already, but registration is not happening.
Version 15.7(3)M5
Model 2911
sip-ua
registrar dns:sip-trunk.telekom.de:5061 scheme sips expires 240 tcp tls auth-realm sip-trunk.telekom.de
credentials number +496237977400 username 551135XXXX password XXXXXX realm sip-trunk.telekom.de
authentication username 551135XXXX password XXXXXX realm sip-trunk.telekom.de
no remote-party-id
timers expires 60000
timers register 100
timers buffer-invite 1000
timers dns registrar-cache ttl
sip-server dns:sip-trunk.telekom.de:5061
connection-reuse
transport tcp tls v1.2
crypto signaling remote-addr 217.0.0.0 255.255.0.0 trustpoint telekom
incoming Dial Peer
dial-peer voice 101 voip
description **CUCM/PBX **
incoming called-number +4962379774..
translation-profile incoming FromPSTN
session protocol sipv2
session transport tcp tls
session server-group 1
incoming uri via 1
voice-class codec 1
no voice-class sip outbound-proxy
voice-class sip srtp-auth sha1-32 sha1-80
voice-class sip url sips
voice-class sip options-keepalive profile 101
voice-class sip bind control source-interface GigabitEthernet0/1
voice-class sip bind media source-interface GigabitEthernet0/1
dtmf-relay rtp-nte
srtp
fax-relay ecm disable
fax rate 14400
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
no vad
Outgoing Dial Peer
dial-peer voice 201 voip
description **SIP-TRUNK.TELEKOM.DE**
translation-profile outgoing ToPSTN
destination-pattern *T
session protocol sipv2
session target sip-server
session transport tcp tls
voice-class sip srtp-auth sha1-32 sha1-80
voice-class sip url sips
voice-class codec 1
voice-class sip outbound-proxy dns:reg.sip-trunk.telekom.de
voice-class sip profiles 201
voice-class sip bind media source-interface GigabitEthernet0/1
srtp
dtmf-relay rtp-nte
fax-relay ecm disable
fax rate 14400
fax nsf 000000
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
clid strip name
no vad
crypto pki trustpoint telekom
enrollment terminal
serial-number
revocation-check none
And I imported the root CA from Telekom.
12-10-2019 12:30 AM
SIP profile missing under sip-ua.
It's all in my config. Why not use the tenant configuration?
12-10-2019 01:39 AM
Marc,
Thank you, it was a profile issue.
After applying the profile, the trunk registered. But there is an issue with CUCM and CUBE, so I need to align the configuration for call routing.
It is business hours now; I will check and let you know.
Thank you very much, because there is no service provider support. I don't have enough information; your input was very helpful.
12-10-2019 01:54 AM
Marc,
You are right, now I am facing a media resource issue. I believe it is a transcoder issue.
Do I need to configure 2 sets of transcoders, one towards CUCM with RTP and the other towards the service provider with SRTP?
Can you share your transcoder config?
12-10-2019 02:14 AM - edited 12-10-2019 02:20 AM
Hi,
I am using CME only, so my help is limited here. My transcoder configuration is in my config for ISR G2:
voice-card 0
dspfarm
dsp services dspfarm
!
dspfarm profile 2 transcode universal security
codec g729abr8
codec g729ar8
codec g711alaw
codec g711ulaw
codec g722-64
maximum sessions 6
associate application CUBE
This config will do the SRTP-RTP-SRTP transcoding both directions.
Make sure you have a PVDM module installed.
12-10-2019 09:01 PM
Marc,
After the secure transcoder configuration, everything is working fine. Thank you very much for your support.
01-08-2020 06:16 AM
Hi,
I have the same issue. My SIP TLS trunk with Telekom.de is not registering. I read that you said "After applying the profile trunk registered". What profile are you talking about? My config is as below.
voice class tenant 2
registrar dns:sip-trunk.telekom.de scheme sips expires 240 tcp tls auth-realm sip-trunk.telekom.de
credentials number xxxxxxxxx username xxxxxxxxx password xxxxxxxx realm sip-trunk.telekom.de
authentication username xxxxxxxxx password xxxxxxxx
sip-server dns:sip-trunk.telekom.de:5061
session transport tcp tls
asserted-id pai
bind control source-interface Dialer1
bind media source-interface Dialer1
sip-profiles 2
outbound-proxy dns:reg.sip-trunk.telekom.de
early-offer forced
srtp-crypto 1
dial-peer voice 200 voip
description #ITSP INBOUND DIAL-PEER#
translation-profile incoming PSTN_National
session protocol sipv2
incoming called e164-pattern-map 3
voice-class codec 2
voice-class sip url sips
voice-class sip call-route p-called-party-id
voice-class sip tenant 2
dtmf-relay rtp-nte
no vad
dial-peer voice 201 voip
description #ITSP OUTBOUND DIAL-PEER#
session protocol sipv2
session target sip-server
destination e164-pattern-map 2
voice-class codec 2
voice-class sip url sips
voice-class sip localhost dns:xxxx.com preferred
voice-class sip tenant 2
dtmf-relay rtp-nte
no vad
sip-ua
transport tcp tls v1.2
crypto signaling remote-addr 217.0.0.0 255.255.0.0 trustpoint ProviderCert
Thanks and Regards,
Saheed
01-08-2020 09:26 AM
Hi,
I have attached two working configurations. Not sure what you already included in your full configuration, but I guess that you already implemented the Telekom root certificate.
Not sure if you have an ISR-G2 or an ISR4K. Attached are both configs.
Make sure you are not running into this bug: CSCvr90926
isr4300-universalk9.16.09.03.SPA.bin is working for me on ISR4331.
If you need further help, please post your full configuration.
Marc
03-21-2020 03:51 AM
Regarding this bug: CSCvr90926
It should be resolved in 16.9.5 and 16.12.3
I tried both images but still getting the same error when dialing out:
%VOICE_IEC-3-GW: CCAPI: Internal Error (Resource busy): IEC=1.1.181.1.25.114 on callID ............
Does anybody have a solution for this?
Marc