
How to secure SIP trunk between CUBE and Internet service provider

Hello Guys,

 

I'm setting up a SIP trunk between CUBEs and an Internet SIP provider (Twilio).

The incoming and outgoing calls work fine.

 

Now I want to set up SIP TLS and SRTP between CUBE and Twilio.

My final idea is to set up RTP-SRTP between CUBE and Twilio. The CUCM is not in mixed mode, so there are no certificates on my phones.

Like this:

[Attached image: SRTP-RTP.png]

 

 

 

The documentation from Twilio is not very clear to me.

https://www.twilio.com/docs/api/sip-trunking/getting-started#securetrunking

 

And the documentation from Cisco doesn't seem very complicated for SRTP-RTP

SRTP-RTP

But the SIP TLS seems more complicated

SIP TLS supported CUBE

 

So, I'm a beginner in security and I don't know where to begin.

Do you have any advice on how to do it?

 

Thanks

Sébastien

 

5 Replies

ciscohinds
Level 1

Were you able to figure this out?

gmgarrian
Level 4

TLS and SRTP can be tricky.  The SRTP isn't too bad as you don't have to worry about creating a trust point just for that.  

 

TLS is another story.  Many times when I've run into problems with TLS it's due to a certificate or trustpoint issue. Make sure you import the entire certificate chain up to the root cert.  Adding to the complexity in your case is that you're setting this up between a Cisco CUBE and a third party.

 

What are you doing for certificates?  Are you purchasing these from a third party CA or going with self-signed?  You'll need to make sure that Twilio will accept your cert and vice versa.

Hello guys,

 

For the certificates, we generated a CSR on another server, then we had it signed by the CA authority that Twilio uses. (FYI: Twilio said that they use GlobalSign as CA authority, but that's not right. They use Thawte.)

Before uploading the certificate, we converted it from PEM to PKCS12, including the certificate, the signing CA (root or intermediate) and the private key.

And to finish, we created the import certificate/key and generated the trustpoint/RSA keypair.

 

It seems like you have your certificates in order.  What I would do next is make some non-secure test calls first just to verify the VoIP configuration.  This way if there is an issue you're not chasing your tail thinking it's an encryption issue when it may be something with the basic call set up.

 

Then, configure TLS under sip-ua and test call set up again.  When that's working enable SRTP and make your final test calls.

 

I don't have tons of experience with TLS/SRTP so there may be a better method of doing this but this is how I would work it.
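A pre-import check for the advice above to include the entire certificate chain up to the root in the PKCS12 bundle. This is an added example, not part of the thread and not Cisco or Twilio code. It assumes the OpenSSL CLI on a workstation and runs on a constructed throwaway PKI; the function names, file names and password are hypothetical.

```shell
#!/bin/sh
# Constructed throwaway PKI (hypothetical names): root CA -> intermediate CA -> leaf.
make_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# make_p12 <dir> <ca-certs.pem> <out.p12>: bundle leaf, private key and CA certs.
make_p12() {
  openssl pkcs12 -export -inkey "$1/leaf.key" -in "$1/leaf.pem" \
    -certfile "$2" -passout pass:constructed -out "$3" 2>/dev/null
}

# p12_chain_complete <file.p12> <password>
# Succeeds only if the bundle holds a private key, a leaf certificate and CA
# certificates that chain to a self-signed root. openssl may also consult the
# system trust store, so run it where the bundle's root is not already trusted.
p12_chain_complete() {
  t=$(mktemp -d) || return 2
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$t/ca.pem" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$t/key.pem" 2>/dev/null &&
  grep -q 'PRIVATE KEY' "$t/key.pem" &&
  openssl verify -CAfile "$t/ca.pem" -untrusted "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1
  rc=$?
  rm -rf "$t"
  return $rc
}

# Demo on constructed data: one bundle with the full chain, one missing the root.
d=$(mktemp -d) && make_pki "$d" || exit 1
cat "$d/inter.pem" "$d/root.pem" > "$d/full.pem"
make_p12 "$d" "$d/full.pem" "$d/full.p12"
make_p12 "$d" "$d/inter.pem" "$d/partial.p12"
for f in full partial; do
  if p12_chain_complete "$d/$f.p12" constructed; then echo "$f.p12: chain complete"
  else echo "$f.p12: chain incomplete"; fi
done
```

Running `p12_chain_complete` against the real bundle before loading it into the CUBE trustpoint separates a missing root or intermediate from the other TLS problems discussed in the thread.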

Hi Sebastien,

 

Hope you are doing fine.

 

I may need your kind help here.

 

Have you completed the setup for the secure SIP trunk between CUBE and the ISP?

 

Do we need to build secure SIP from GW to CUCM as well?

 

Please share some experience on this item; I'd very much appreciate it.

 

Looking forward to your reply.

 

Thanks.