Secure Inter-Cluster Trunk Between two CUCM

romuald.goux
Level 1

Hi all,

Can anybody help with setting up an Inter-Cluster Trunk (Non-Gatekeeper Controlled) between a CUCM 5.1 and a CUCM 6.1?

I configured the phones for encryption. An intra-cluster call between two phones with an encrypted profile used SRTP. The "SRTP Allowed" box is checked in the Trunk Configuration.

When there is a call between the two clusters, with two encrypted phones, SRTP is not used.

- Is it possible to use this configuration?

- Does anybody have this trouble?

- Am I required to configure IPSec to use SRTP for the Inter-Cluster call?

Any help would be appreciated.

Regards.

Accepted Solution

Rob Huffman
Hall of Fame

Hi Romuald,

IPSec would be required for the H.323 ICT calls to use SRTP.

Overview for H.323 Gateway and H.323/H.225/H.245 Trunk Encryption

H.323 gateways and gatekeeper or non-gatekeeper controlled H.225/H.323/H.245 trunks that support security can authenticate to Cisco Unified Communications Manager if you configure an IPSec association in the Cisco Unified Communications Operating System. For information on creating an IPSec association between Cisco Unified Communications Manager and these devices, refer to the Cisco Unified Communications Operating System Administration Guide.

The H.323, H.225, and H.245 devices generate the encryption keys. These keys get sent to Cisco Unified Communications Manager through the signaling path, which you secure through IPSec. Although Cisco Unified Communications Manager does not recognize whether an IPSec connection exists, the session keys get sent in the clear if IPSec is not configured. Confirm that the IPSec connection exists, so the session keys get sent through a secure connection.

In addition to configuring an IPSec association, you must check the SRTP Allowed check box in the device configuration window in Cisco Unified Communications Manager Administration; for example, the H.323 Gateway, the H.225 Trunk (Gatekeeper Controlled), the Inter-Cluster Trunk (Gatekeeper Controlled), and the Inter-Cluster Trunk (Non-Gatekeeper Controlled) configuration windows. If you do not check this check box, Cisco Unified Communications Manager uses RTP to communicate with the device. If you check the check box, Cisco Unified Communications Manager allows secure and nonsecure calls to occur, depending on whether SRTP is configured for the device.


Caution: If you check the SRTP Allowed check box in Cisco Unified Communications Manager Administration, Cisco strongly recommends that you configure IPSec, so security-related information does not get sent in the clear.

Cisco Unified Communications Manager does not confirm that you configured the IPSec connection correctly. If you do not configure the connection correctly, security-related information may get sent in the clear.

If the system can establish a secure media or signaling path and if the devices support SRTP, the system uses an SRTP connection. If the system cannot establish a secure media or signaling path or if at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback (and vice versa) may occur for transfers from a secure device to a non-secure device, conferencing, transcoding, music on hold, and so on.



Cheers!

Rob

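The rules quoted in the accepted answer, encoded as an added audit helper (not Cisco's code; `Endpoint`, `Trunk`, `audit` and the call-path model are constructed here) so the outcome of each setting can be checked, including the case where SRTP media is negotiated but its session keys cross the trunk in unprotected signaling:

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Endpoint:
    """A device on the call path (phone, transcoder, MoH server ...)."""
    name: str
    supports_srtp: bool   # True when an encrypted security profile is applied


@dataclass(frozen=True)
class Trunk:
    """The two settings the accepted answer says decide ICT media security."""
    srtp_allowed: bool      # "SRTP Allowed" check box on the trunk
    ipsec_configured: bool  # IPsec association between the two clusters


def media_for_call(legs: Sequence[Endpoint], trunk: Trunk) -> Tuple[str, Optional[bool], Optional[str]]:
    """Return (media, keys_protected, fallback_cause) for one call path.

    media is 'RTP' or 'SRTP'. keys_protected is None for RTP; for SRTP it is
    False when the H.245 session keys cross the trunk in clear signaling.
    fallback_cause names what forced RTP: the unchecked trunk box, or the
    first device without SRTP support (transfer, conference, transcoder,
    MoH leg); it is None when SRTP is used.
    """
    if not trunk.srtp_allowed:
        return "RTP", None, "trunk: SRTP Allowed unchecked"
    for dev in legs:
        if not dev.supports_srtp:
            return "RTP", None, f"device: {dev.name}"
    return "SRTP", trunk.ipsec_configured, None


def audit(legs: Sequence[Endpoint], trunk: Trunk) -> str:
    """One-line verdict for a call path, in the terms of the answer."""
    media, protected, cause = media_for_call(legs, trunk)
    if media == "RTP":
        return f"RTP: media not encrypted ({cause})"
    if protected:
        return "SRTP: media encrypted, session keys protected by IPsec"
    return "SRTP: media encrypted, session keys sent in the clear (no IPsec)"


if __name__ == "__main__":
    # Constructed sample: two encrypted phones and one MoH server without SRTP.
    a, b, moh = Endpoint("phone-A", True), Endpoint("phone-B", True), Endpoint("MoH", False)
    for trunk in (Trunk(False, False), Trunk(True, False), Trunk(True, True)):
        print(trunk, "->", audit([a, b], trunk))
    print("hold to MoH ->", audit([a, moh], Trunk(True, True)))
```

The middle case (SRTP Allowed checked, no IPsec) is the one the Caution in the answer is about: the lock icon appears, but the keys that protect the media were themselves exposed on the wire.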

5 Replies


Hi Rob,

Thanks for your answer.

If I understand the red part, and especially in my case, does it mean we need an IPSec connection between our two clusters for using SRTP?

Best regards.

Romuald.

For information,

After many tests and a response from TAC, this configuration cannot be implemented between version 5.1 and 6.1.

Between two clusters on version 6.1, this configuration works.

Indeed, SRTP is operational without IPSec between two clusters. IPSec policies between the two clusters are used to encrypt the signaling.

Romuald

Romuald

I have the same problem, but between UCM 5.1 and 7.1.

Calls with SRTP show the lock icon between 7.1 and 7.1 and between 6.1 and 7.1. Only 5.1 with another version does not work.

What is the number of your TAC case?

I have a TAC case open, but collecting logs and traces and doing more tests to see the same result is very hard.

Can you send me your TAC number?

Regards

Peterson

Romuald.

Can you help me?

Best Regards

Peterson