cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3446
Views
5
Helpful
5
Replies

Secure Inter-Cluster Trunk Between two CUCM

romuald.goux
Beginner
Beginner

Hi all,

Anybody can help with setting up a Inter-Cluster Trunk (Non-Gatekeeper Controlled) between a CUCM 5.1 and a CUCM 6.1 ?

I configured the phones for encryption. A intra-cluster call between two phones, with a profile encrypted, used SRTP. The case "Allowed SRTP" is checked  in the Trunk Configuration.

When there is a call between two Cluster, with two encrypted phones, SRTP is not used.

- Is it possible to use this configuration ?

- Does anybody have this trouble?

- Am I required to configure IPSec to use SRTP for the Inter-Cluster call ?

Any help would be appreciated.

Regards.

1 Accepted Solution

Accepted Solutions

Rob Huffman
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend

Hi Romauld,

IPSec would be required for the H.323 ICT calls to use SRTP

Overview for H.323 Gateway and H.323/H.225/H.245 Trunk Encryption

H.323 gateways and gatekeeper or non-gatekeeper controlled H.225/H.323/H.245 trunks that support security can authenticate to Cisco Unified Communications Manager if you configure an IPSec association in the Cisco Unified Communications Operating System. For information on creating an IPSec association between Cisco Unified Communications Manager and these devices, refer to the Cisco Unified Communications Operating System Administration Guide.

The H.323, H.225, and H.245 devices generate the encryption keys. These keys get sent to Cisco Unified Communications Manager through the signaling path, which you secure through IPSec. Although Cisco Unified Communications Manager does not recognize whether an IPSec connection exists, the session keys get sent in the clear if IPSec is not configured. Confirm that the IPSec connection exists, so the session keys get sent through a secure connection.

In addition to configuring an IPSec association, you must check the SRTP Allowed check box in the device configuration window in Cisco Unified Communications Manager Administration; for example, the H.323 Gateway, the H.225 Trunk (Gatekeeper Controlled), the Inter-Cluster Trunk (Gatekeeper Controlled), and the Inter-Cluster Trunk (Non-Gatekeeper Controlled) configuration windows. If you do not check this check box, Cisco Unified Communications Manager uses RTP to communicate with the device. If you check the check box, Cisco Unified Communications Manager allows secure and nonsecure calls to occur, depending on whether SRTP is configured for the device.


Caution If you check the SRTP Allowed check box in Cisco Unified Communications Manager Administration, Cisco strongly recommends that you configure IPSec, so security-related information does not get sent in the clear.

Cisco Unified Communications Manager does not confirm that you configured the IPSec connection correctly. If you do not configure the connection correctly, security-related information may get sent in the clear.

If the system can establish a secure media or signaling path and if the devices support SRTP, the system uses a SRTP connection. If the system cannot establish a secure media or signaling path or if at least one device does not support SRTP, the system uses a RTP connection. SRTP-to-RTP fallback (and vice versa) may occur for transfers from a secure device to a non-secure device, conferencing, transcoding, music on hold, and so on.



Cheers!

Rob

View solution in original post

5 Replies 5

Rob Huffman
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend

Hi Romauld,

IPSec would be required for the H.323 ICT calls to use SRTP

Overview for H.323 Gateway and H.323/H.225/H.245 Trunk Encryption

H.323 gateways and gatekeeper or non-gatekeeper controlled H.225/H.323/H.245 trunks that support security can authenticate to Cisco Unified Communications Manager if you configure an IPSec association in the Cisco Unified Communications Operating System. For information on creating an IPSec association between Cisco Unified Communications Manager and these devices, refer to the Cisco Unified Communications Operating System Administration Guide.

The H.323, H.225, and H.245 devices generate the encryption keys. These keys get sent to Cisco Unified Communications Manager through the signaling path, which you secure through IPSec. Although Cisco Unified Communications Manager does not recognize whether an IPSec connection exists, the session keys get sent in the clear if IPSec is not configured. Confirm that the IPSec connection exists, so the session keys get sent through a secure connection.

In addition to configuring an IPSec association, you must check the SRTP Allowed check box in the device configuration window in Cisco Unified Communications Manager Administration; for example, the H.323 Gateway, the H.225 Trunk (Gatekeeper Controlled), the Inter-Cluster Trunk (Gatekeeper Controlled), and the Inter-Cluster Trunk (Non-Gatekeeper Controlled) configuration windows. If you do not check this check box, Cisco Unified Communications Manager uses RTP to communicate with the device. If you check the check box, Cisco Unified Communications Manager allows secure and nonsecure calls to occur, depending on whether SRTP is configured for the device.


Caution If you check the SRTP Allowed check box in Cisco Unified Communications Manager Administration, Cisco strongly recommends that you configure IPSec, so security-related information does not get sent in the clear.

Cisco Unified Communications Manager does not confirm that you configured the IPSec connection correctly. If you do not configure the connection correctly, security-related information may get sent in the clear.

If the system can establish a secure media or signaling path and if the devices support SRTP, the system uses a SRTP connection. If the system cannot establish a secure media or signaling path or if at least one device does not support SRTP, the system uses a RTP connection. SRTP-to-RTP fallback (and vice versa) may occur for transfers from a secure device to a non-secure device, conferencing, transcoding, music on hold, and so on.



Cheers!

Rob

Hi Rob,

Thanks for you answer.

If I understand the red part, and espcially in my case, does it mean we need IPSEc connection between our two cluster for using SRTP ?

Bests regards.

Romuald.

For information,

After many tests and a response from TAC, this configuration can not be implemented between the version 5.1 and 6.1.

Between two clusters version 6.1, this configuration works.

Indeed, the SRTP is operational without IPSec between two clusters. IPSEC policies between the two clusters is used to encrypt the signaling.

Romuald

Romuald

I'm with same problem. But between UCM 5.1 and 7.1

Calls with srtp, show lock icon, between 7.1 and 7.1 and between 6.1 and 7.1. Just 5.1 and another version not works.

What is the number of your TAC case?

I'm with TAC open but collect logs, traces and more test to see the same result is very hard.

Can you send me you TAC number?

Regards

Peterson

Romuald.

Can you help me?

Best Regards

Peterson

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers