cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2690
Views
0
Helpful
5
Replies

How to secure SIP trunk between CUBE and Internet service provider

Hello Guys,

 

I'm setting a trunk sip between CUBEs and Internet SIP provider. (Twilio)

The incoming and outgoing calls work fine.

 

Now I want to set the SIP TLS and SRTP between Cube and Twilio.

My final idea is set the RTP-SRTP between CUBE and Twilio. The CUCM is not in mixed mode. So no certificates on my phones.

Like this:

SRTP-RTP.png

 

 

 

The documentation from Twilio is not very clear for me. 

https://www.twilio.com/docs/api/sip-trunking/getting-started#securetrunking

 

And the documentation from Cisco doesn't seem very complicated for SRTP-RTP

SRTP-RTP

But the SIP TLS seems more complicated

SIP TLS supported CUBE

 

So, I'm beginner in the security and I don't know by what to begin

 

Have you any advice to do it?

 

Thanks

Sébastien

 

5 Replies 5

ciscohinds
Level 1
Level 1

Were you able to figure this out?

gmgarrian
Level 4
Level 4

TLS and SRTP can be tricky.  The SRTP isn't too bad as you don't have to worry about creating a trust point just for that.  

 

TLS is another story.  Many time when I've run into problems with TLS it's due to a certificate or trustpoint issue. Make sure you import the entire certificate chain up to the root cert.  Adding to the complexity in your case is that you're setting this up between a Cisco CUBE and a third party.  

 

What are you doing for certificates?  Are you purchasing these from a third party CA or going with self-signed?  You'll need to make sure that Twilio will accept your cert and vice versa.

Hello guys,

 

For the certificates, we generated a CSR  on another server, then we have signed this by the CA authority that Twilio uses. ( FYI: Twilio said that they use the Globlasign as CA authority but it's not just. They use thawte)

 

Before to upload the certificate, we have converted from PEM to PKCS12 including certificate , signing ca ( root or intermediate ) and private key.

 

And to finish we have created the import certificate/key and generate trustpoint/RSA keypair

 

It seems like you have your certificates in order.  What I would do next is make some non-secure test calls first just to verify the VoIP configuration.  This way if there is an issue you're not chasing your tail thinking it's an encryption issue when it may be something with the basic call set up.

 

Then, configure TLS under sip-ua and test call set up again.  When that's working enable SRTP and make your final test calls.

 

I don't have tons of experience with TLS/SRTP so there may be a better method of doing this but this is how I would work it.

Hi Sebastien,

 

Hope you are doing fine.

 

I may need your kind help here.

 

Have you complete the setup for secure SIP trunk between CUBE and ISP?

 

Do we need to build secure sip from GW to CUCM as well?

 

Please share some experience on this item, very appreciate it.

 

Looking forward your reply.

 

Thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: