Second secure SIP trunk between CUBE and Internet service provider.

W-Sardar
Level 1

Hi Team,

We are in the process of testing and implementing a secure SIP trunk between our CUBE and the Internet Service Provider. While we already have an existing SIP connection with the ISP, this new connection will be established over the internet.

We have installed the SSL certificate and would like guidance on how to configure the secure SIP trunk and apply the certificate without impacting the current SIP connection.

Could you please share a simple configuration example or format for this setup?

5 Replies

Does the "SIP trunk line" from the ISP have authentication on it?

محمدرضا هادی_ایران (Email: morez.hadi@gmail.com)

Yes, the new SIP line will include encryption and SIP digest authentication as standard.

It is just a matter of configuring a second set of dial peers, inbound and outbound, and set these up to use secure communication. There isn't much more to it.



Please find the attached current configuration. Could you please share a simple configuration example or format?

Looks like you're using BT as the ITSP and, if I understood you correctly, you're looking at adding their SIP trunk service over the internet, aka SOTI. We happen to have the exact same setup, so instead of trying to make modifications to your shared config I took the easy way out by copying the parts of the config from one of our SBCs that pertain to this and obfuscating any sensitive information.

voice service voip
 address-hiding
 sip
  sip-profiles inbound

voice class uri CUCM sip
 host ipv4:10.xx.xx.y1
 host ipv4:10.xx.xx.y2

voice class uri PSTNSOTI sip
 host ipv4:10.xx.xx.1

voice class uri PSTNGSIP sip
 host ipv4:10.xx.xx.2

voice class sip-profiles 10
 rule 10 request ANY sip-header From modify "<internal interface IP>" "<external interface 1 IP>" 
 rule 20 request ANY sip-header From modify "<external interface 1 IP>" "<public internet IP>" 
 rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*@.*(>)" "P-Asserted-Identity: \2+<main circuit number>@<public internet IP>\3" 
 rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*@.*(>)" "P-Asserted-Identity: \2+<main circuit number>@<public internet IP>\3" 
 rule 70 request ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>" 
 rule 80 response ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>" 
 rule 90 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2" 
 rule 100 request INVITE sip-header Requested-By modify "(.*:)<external interface 1 IP>>" "\1<public internet IP>>" 
 rule 110 request ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>" 
 rule 120 response ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>" 
 rule 130 request ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 140 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 150 request ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 160 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 170 request INVITE sip-header Diversion modify "Diversion:(.*)(<sip:).*@.*(>)" "Diversion: \2+<main circuit number>@<public internet IP>\3" 

voice class sip-profiles 20
 rule 10 request ANY sip-header From modify "<internal IP>" "<external interface 1 IP>" 
 rule 20 request ANY sip-header From modify "<external interface 1 IP>" "<public internet IP>" 
 rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 70 request ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>" 
 rule 80 response ANY sip-header Contact modify "(<.*)@<external interface 1 IP>:(.*)>" "\1@<public internet IP>:\2>" 
 rule 90 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2" 
 rule 100 request INVITE sip-header Requested-By modify "(.*:)<external interface 1 IP>>" "\1<public internet IP>>" 
 rule 110 request ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>" 
 rule 120 response ANY sdp-header Session-Owner modify "<external interface 1 IP>" "<public internet IP>" 
 rule 130 request ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 140 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 150 request ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 160 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 170 request INVITE sip-header Diversion remove 

voice class sip-profiles 100
 rule 10 request ANY sip-header From modify "<public internet IP>" "<external interface 1 IP>" 
 rule 20 request OPTIONS sip-header SIP-Req-URI modify "<public internet IP>" "<external interface 1 IP>" 
 rule 30 request ANY sip-header To modify "<public internet IP>" "<external interface 1 IP>" 

voice class sip-profiles 200
 rule 10 request ANY sip-header Via modify "(SIP.*) <external interface 1 IP>(.*)" "\1 <public internet IP>\2" 
 rule 20 request OPTIONS sip-header From modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>" 
 rule 30 request ANY sip-header To modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>" 
 rule 40 request OPTIONS sip-header Contact modify "(<.*):<external interface 1 IP>" "\1:<public internet IP>" 
 rule 50 response ANY sdp-header Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 
 rule 60 response ANY sdp-header Audio-Connection-Info modify "<external interface 1 IP>" "<public internet IP>" 

voice class sip-profiles 11
 rule 10 request ANY sip-header From modify "<internal IP>" "<external interface 2 IP>" 
 rule 20 request ANY sip-header From modify "From:(.*)(<sip:.*@.*>)" "From: \2" 
 rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 70 request INVITE sip-header Diversion modify "Diversion:(.*)(<sip:)(.*)(@.*>)" "Diversion: \2+<main circuit number>\4" 
 rule 80 request INVITE sip-header Diversion add "Diversion: <sip:+<main circuit number>@<external interface 2 IP>>" 

voice class sip-profiles 21
 rule 10 request ANY sip-header From modify "<internal IP>" "<external interface 2 IP>" 
 rule 20 request ANY sip-header From modify "From:(.*)(<sip:.*@.*>)" "From: \2" 
 rule 30 request ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 40 response ANY sip-header Remote-Party-ID modify "Remote-Party-ID:(.*)(<sip:.*@.*>)" "Remote-Party-ID: \2" 
 rule 50 request ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 60 response ANY sip-header P-Asserted-Identity modify "P-Asserted-Identity:(.*)(<sip:).*(@.*>)" "P-Asserted-Identity: \2+<main circuit number>\3" 
 rule 70 request INVITE sip-header Diversion remove 

voice class e164-pattern-map 1
 description E164 Pattern Map for called number to CUCM
  e164 +49XXXXXXXXXXXX

voice class e164-pattern-map 2000
 description E164 Pattern Map for called number to PSTN
  e164 +.T

voice class e164-pattern-map 2001
 description E164 Pattern Map for emergency number
  e164 0112

voice class server-group 1
 ipv4 10.xx.xx.y1 preference 1
 ipv4 10.xx.xx.y2 preference 2
 description Inbound calls from PSTN to CUCM
 huntstop 1 resp-code 404 to 404

voice class server-group 2000
 ipv4 10.XX.XX.XX preference 1
 ipv4 10.XX.XX.XX preference 2
 description BT SOTI  - IP Addresses 
 huntstop 1 resp-code 404 to 404

voice class server-group 2100
 ipv4 10.XX.XX.XX preference 1
 ipv4 10.XX.XX.XX preference 2
 description ** BT One Voice - IP Addresses **
 huntstop 1 resp-code 404 to 404
 
voice class sip-options-keepalive 1
 description Used for Server Group SIP OPTIONS PING

voice class sip-options-keepalive 2000
 description ** BT SOTI - Options-Ping **
 down-interval 15
 retry 3
 transport tcp tls
 sip-profiles 200

voice class sip-options-keepalive 2100
 description ** BT One Voice - Options-Ping **
 down-interval 15
 retry 3
 transport udp

voice class tenant 2000
 connection-reuse
 audio forced
 session transport tcp tls
 bind control source-interface GigabitEthernet0/0/1
 bind media source-interface GigabitEthernet0/0/1

voice class tenant 2100
 audio forced
 bind control source-interface GigabitEthernet0/0/2
 bind media source-interface GigabitEthernet0/0/2

voice class tenant 1
 bind control source-interface GigabitEthernet0/0/0
 bind media source-interface GigabitEthernet0/0/0

dial-peer cor custom
 name CM
 name PSTN-SOTI
 name PSTN-GSIP
      
dial-peer cor list CM-IN
 member PSTN-SOTI
 member PSTN-GSIP

dial-peer cor list CM-OUT
 member CM

dial-peer cor list PSTN-SOTI-OUT
 member PSTN-SOTI

dial-peer cor list PSTN-SOTI-IN
 member CM

dial-peer cor list PSTN-GSIP-OUT
 member PSTN-GSIP

dial-peer cor list PSTN-GSIP-IN
 member CM


dial-peer voice 1000 voip
 corlist incoming CM-IN
 description Outbound calls from CUCM
 session protocol sipv2
 incoming uri via CUCM
 voice-class codec 1  
 voice-class sip tenant 1
 dtmf-relay rtp-nte sip-kpml
 no vad

dial-peer voice 1010 voip
 corlist outgoing CM-OUT
 description Inbound calls to CUCM
 session protocol sipv2
 session server-group 1
 destination e164-pattern-map 1
 voice-class codec 1  
 voice-class sip tenant 1
 voice-class sip options-keepalive profile 1
 dtmf-relay rtp-nte sip-kpml
 no vad

dial-peer voice 100 voip
 corlist incoming PSTN-SOTI-IN
 description Inbound calls from PSTN
 translation-profile incoming PSTN-IN
 max-conn 150
 session protocol sipv2
 incoming uri via PSTNSOTI
 voice-class codec 10  
 voice-class sip profiles 100 inbound
 voice-class sip tenant 2000
 dtmf-relay rtp-nte
 srtp
 no vad

dial-peer voice 110 voip
 corlist outgoing PSTN-SOTI-OUT
 description Outbound calls to PSTN
 translation-profile outgoing PSTN-OUT
 huntstop
 max-conn 150
 session protocol sipv2
 session server-group 2000
 destination e164-pattern-map 2000
 voice-class codec 10  
 voice-class sip profiles 10
 voice-class sip tenant 2000
 voice-class sip options-keepalive profile 2000
 dtmf-relay rtp-nte
 srtp
 no vad

dial-peer voice 120 voip
 corlist outgoing PSTN-SOTI-OUT
 description Emergency calls to PSTN 
 translation-profile outgoing PSTN-OUT
 huntstop
 max-conn 150
 session protocol sipv2
 session server-group 2000
 destination e164-pattern-map 2001
 voice-class codec 10  
 voice-class sip profiles 20
 voice-class sip tenant 2000
 voice-class sip options-keepalive profile 2000
 dtmf-relay rtp-nte
 srtp
 no vad

dial-peer voice 200 voip
 corlist incoming PSTN-GSIP-IN
 description Inbound calls from PSTN-GSIP
 translation-profile incoming PSTN-IN
 redirect ip2ip
 session protocol sipv2
 incoming uri via PSTNGSIP
 voice-class codec 10  
 voice-class sip early-offer forced
 voice-class sip tenant 2100
 dtmf-relay rtp-nte
 fax-relay sg3-to-g3
 fax rate 9600
 fax nsf 000000
 fax protocol t38 version 0 ls-redundancy 2 hs-redundancy 1 fallback pass-through g711ulaw
 no vad

dial-peer voice 210 voip
 corlist outgoing PSTN-GSIP-OUT
 description Outbound calls to PSTN-GSIP 
 translation-profile outgoing PSTN-OUT
 huntstop
 session protocol sipv2
 session server-group 2100
 destination e164-pattern-map 2000
 voice-class codec 10  
 voice-class sip profiles 11
 voice-class sip tenant 2100
 voice-class sip options-keepalive profile 2100
 dtmf-relay sip-kpml rtp-nte sip-notify
 fax-relay sg3-to-g3
 fax rate 9600
 fax nsf 000000
 fax protocol t38 version 0 ls-redundancy 2 hs-redundancy 1 fallback pass-through g711ulaw
 no vad

dial-peer voice 220 voip
 corlist outgoing PSTN-GSIP-OUT
 description Emergency calls to PSTN-GSIP
 translation-profile outgoing PSTN-OUT
 huntstop
 session protocol sipv2
 session server-group 2100
 destination e164-pattern-map 2001
 voice-class codec 10  
 voice-class sip profiles 21
 voice-class sip tenant 2100
 voice-class sip options-keepalive profile 2100
 dtmf-relay sip-kpml rtp-nte sip-notify
 no vad

sip-ua 
 no remote-party-id
 retry invite 2
 timers trying 300
 timers connection establish tls 5
 transport tcp tls v1.2 minimum
 crypto signaling default trustpoint <name of choice> cn-san-validate server
 g729-annexb override


no dial-peer voice 100 voip !Can possibly be removed as it's a H.323 dial peer
no dial-peer voice 101 voip !Can possibly be removed as it's a H.323 dial peer


dspfarm profile 10 transcode universal  
 codec g729abr8 !Remove as B = VAD and you're not using that
 codec g729ar8
 codec g711alaw
 codec g711ulaw
 codec g729br8 !Remove as B = VAD and you're not using that
 codec g729r8
 codec g722-64
 maximum sessions 12
 associate application SCCP
 
 
 
*** Bonus *** It would be advisable to use VRFs to split the two SIP trunks, but not technically an absolute must
ip vrf BTSOTI
 rd 1:1

ip vrf BTGSIP
 rd 2:2

interface GigabitEthernet0/0/1
 description WAN interface to BT SOTI
 ip vrf forwarding BTSOTI
 ip access-group BTSOTI_ACL in !You should use an ACL to filter what traffic is allowed to/from ITSP

interface GigabitEthernet0/0/2
 description WAN interface to BT One Voice
 ip vrf forwarding BTGSIP
 ip access-group BTGSIP_ACL in !You should use an ACL to filter what traffic is allowed to/from ITSP

ip route vrf BTGSIP 0.0.0.0 0.0.0.0 10.1X.XX.XX name EXT_TO_BTGSIP_DEFAULT
ip route vrf BTSOTI 0.0.0.0 0.0.0.0 10.2X.XX.XX name EXT_TO_BTSOTI_DEFAULT

 



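The sip-profiles in the reply above do the topology hiding for the internet-facing trunk: rules 10 and 20 chain the From host from the inside interface to the WAN interface to the NAT public address, and the remaining rules scrub the same addresses out of Contact, Via, P-Asserted-Identity, Diversion and the SDP. The following Python script is an added example for this thread, not code from the reply and not Cisco's implementation. It models profile 10's request-side rules as first-match regex substitutions applied in rule order to a constructed INVITE and then checks that neither the internal nor the WAN-interface address survives. The addresses, circuit number and the SDP line mapping (o= for Session-Owner, session-level c= for Connection-Info, the c= under m=audio for Audio-Connection-Info) are assumptions; the Remote-Party-ID rules are left out because the posted sip-ua has "no remote-party-id".

```python
"""Offline model of the outbound sip-profile rewrite chain (profile 10 in the
post) applied to a constructed INVITE, to confirm that only the public
address leaves toward the ITSP. Example code for this thread, not Cisco's
implementation: each "modify" is modeled as a first-match regex substitution
on the named header or SDP line, applied in rule order."""
import re

# Constructed stand-ins for the post's <...> placeholders (RFC 5737 ranges).
INTERNAL = "10.0.0.10"     # <internal interface IP>, the CUBE leg facing CUCM
EXT1 = "192.0.2.10"        # <external interface 1 IP>, the CUBE WAN interface
PUBLIC = "198.51.100.10"   # <public internet IP>, the NAT address the ITSP sees
CIRCUIT = "441234567890"   # <main circuit number> without the leading "+"

# (message type, method, header kind, header name, match, replace) in the
# post's rule order; order matters because rule 20 rewrites rule 10's output.
# Response rules and the Remote-Party-ID rules are omitted (request only,
# and sip-ua has "no remote-party-id").
PROFILE_10 = [
    ("request", "ANY", "sip", "From", re.escape(INTERNAL), EXT1),
    ("request", "ANY", "sip", "From", re.escape(EXT1), PUBLIC),
    ("request", "ANY", "sip", "P-Asserted-Identity",
     r"P-Asserted-Identity:(.*)(<sip:).*@.*(>)",
     r"P-Asserted-Identity: \2+" + CIRCUIT + "@" + PUBLIC + r"\3"),
    ("request", "ANY", "sip", "Contact",
     r"(<.*)@" + re.escape(EXT1) + r":(.*)>", r"\1@" + PUBLIC + r":\2>"),
    ("request", "ANY", "sip", "Via",
     r"(SIP.*) " + re.escape(EXT1) + r"(.*)", r"\1 " + PUBLIC + r"\2"),
    ("request", "ANY", "sdp", "Session-Owner", re.escape(EXT1), PUBLIC),
    ("request", "ANY", "sdp", "Connection-Info", re.escape(EXT1), PUBLIC),
    ("request", "ANY", "sdp", "Audio-Connection-Info", re.escape(EXT1), PUBLIC),
    ("request", "INVITE", "sip", "Diversion",
     r"Diversion:(.*)(<sip:).*@.*(>)",
     r"Diversion: \2+" + CIRCUIT + "@" + PUBLIC + r"\3"),
]

def _sdp_target(name, line, section):
    """Map the post's sdp-header names onto SDP lines (assumed mapping)."""
    if name == "Session-Owner":
        return line.startswith("o=")
    if name == "Connection-Info":             # session-level c= line
        return section == "session" and line.startswith("c=")
    if name == "Audio-Connection-Info":       # c= line inside the m=audio block
        return section == "audio" and line.startswith("c=")
    return False

def apply_profile(message, rules, method, is_request=True):
    """Apply a sip-profile rule list to one SIP message and return the result."""
    head, _, body = message.partition("\r\n\r\n")
    headers = head.split("\r\n")
    sdp = body.split("\r\n") if body else []
    for msg_type, rule_method, kind, name, match, repl in rules:
        if msg_type != ("request" if is_request else "response"):
            continue
        if rule_method not in ("ANY", method):
            continue
        if kind == "sip":
            headers = [re.sub(match, repl, h, count=1)
                       if h.lower().startswith(name.lower() + ":") else h
                       for h in headers]
        else:
            rewritten, section = [], "session"
            for line in sdp:
                if line.startswith("m="):
                    section = "audio" if line.startswith("m=audio") else "other"
                rewritten.append(re.sub(match, repl, line, count=1)
                                 if _sdp_target(name, line, section) else line)
            sdp = rewritten
    return "\r\n".join(headers) + ("\r\n\r\n" + "\r\n".join(sdp) if sdp else "")

# Constructed INVITE, as CUBE might build it before the profile runs.
INVITE = "\r\n".join([
    "INVITE sip:+441234567999@sip.itsp.example SIP/2.0",
    f"Via: SIP/2.0/TLS {EXT1}:5061;branch=z9hG4bK-1",
    f'From: "Alice" <sip:+441234567001@{INTERNAL}>;tag=1',
    "To: <sip:+441234567999@sip.itsp.example>",
    f'P-Asserted-Identity: "Alice" <sip:+441234567001@{INTERNAL}>',
    f"Contact: <sip:+441234567001@{EXT1}:5061;transport=tls>",
    f"Diversion: <sip:+441234567002@{INTERNAL}>;reason=unconditional",
    "Content-Type: application/sdp",
    "",
    "v=0",
    f"o=CiscoSystemsSIP-GW-UserAgent 1 1 IN IP4 {EXT1}",
    "s=SIP Call",
    f"c=IN IP4 {EXT1}",
    "m=audio 16384 RTP/SAVP 8 101",
    f"c=IN IP4 {EXT1}",
])

def leaked_addresses(message, private=(INTERNAL, EXT1)):
    """Addresses that must not reach the ITSP but still appear in the message."""
    return sorted(a for a in private if a in message)

def outbound_invite():
    return apply_profile(INVITE, PROFILE_10, "INVITE")

if __name__ == "__main__":
    out = outbound_invite()
    print(out)
    print("leaks before:", leaked_addresses(INVITE), "after:", leaked_addresses(out))
```

Running it prints the rewritten INVITE and an empty "after" leak list. Swapping the constructed addresses for your own and adding the headers your CUCM actually sends (run "debug ccsip messages" once to capture one) gives a quick offline regression check for the regexes before touching the live trunk.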
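The sip-ua block in the reply above pins two things on the CUBE side of the internet trunk: "transport tcp tls v1.2 minimum" and "crypto signaling default trustpoint ... cn-san-validate server", so the SBC will refuse an ITSP endpoint that negotiates an older TLS version or presents a certificate whose identity does not match the session target. The following Python script is an added example for this thread, not Cisco's code and not from the reply: it applies the same two constraints from a client before cut-over so that a failure shows up on a laptop rather than as a silent OPTIONS-ping "down". The host names and certificate contents are made up; the validator's reading of "cn-san-validate" (a name accepted if it is in the SAN dNSName list or is the subject CN, with a wildcard covering exactly one label) is an assumption about the CUBE semantics, and probe() needs network access to a real SBC.

```python
"""Client-side equivalent of the two sip-ua constraints in the posted config,
'transport tcp tls v1.2 minimum' and 'cn-san-validate server', for probing an
ITSP SBC before cut-over. Example code for this thread, not Cisco's code;
host names and certificate contents are made up. A name is accepted if it is
in the SAN dNSName list or is the subject CN (assumed reading of
"cn-san-validate"); a wildcard covers exactly one label."""
import socket
import ssl

def _name_matches(pattern, hostname):
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def cn_san_validate(cert, hostname):
    """cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(name, hostname) for name in sans + cns)

def build_context(cafile=None):
    """Verify the chain (CERT_REQUIRED), check the host name, refuse < TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_policy(ctx=None):
    """Flat view of the policy, for logging or assertions."""
    ctx = ctx or build_context()
    return {"min_version": ctx.minimum_version.name,
            "check_hostname": ctx.check_hostname,
            "verify_mode": ctx.verify_mode.name}

def probe(host, port=5061, cafile=None, timeout=5.0):
    """Handshake with the SBC; ssl.SSLError means bad chain, name or old TLS."""
    ctx = build_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "cn_san_ok": cn_san_validate(cert, host),
                    "not_after": cert.get("notAfter")}

# Constructed certificates in getpeercert() form, for offline checks.
SAN_CERT = {
    "subject": ((("commonName", "sbc1.itsp.example"),),),
    "subjectAltName": (("DNS", "sbc1.itsp.example"), ("DNS", "*.sip.itsp.example")),
}
CN_ONLY_CERT = {"subject": ((("countryName", "GB"),), (("commonName", "sbc.itsp.example"),))}

if __name__ == "__main__":
    import sys
    print(context_policy())
    print(probe(sys.argv[1]))        # e.g. python tls_probe.py sbc1.itsp.example
```

Pass the ITSP's CA bundle as cafile if it is not in the system store (the same chain you authenticated into the CUBE trustpoint); if the handshake raises an SSLError here, the CUBE will fail the same way, so fix the chain or the session target name before flipping the dial peers over.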