Secure SIP Call

adamgibs7
Level 6

Dears,

I'm building a secure SIP trunk between two CMEs with secure RTP. The SIP trunk between the CMEs forms successfully, but SRTP fails between the phones. With normal RTP it works fine, but with SRTP it fails and I cannot establish the call.

thanks

1 Accepted Solution


Hi @adamgibs7

You're correct, it's exactly the difference between CUBE and CME.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


19 Replies

R0g22
Cisco Employee
Do you have certificates correctly on each CME?

M02@rt37
VIP

Hi @adamgibs7

 

If you want to have a secure call between two CMEs, you have to dissociate control and media:

Secure control means you need a certificate infrastructure in order to have SIPS control.

On the other hand, secure RTP doesn't need a certificate. It's just an encryption function linked to your IOS version.

Depending on your IOS version, you will also have only RTP to SRTP internetworking or SRTP to SRTP internetworking.

As far as I am concerned, my IOS 15.5 (ISR G2 3945(E)) permits me to configure RTP to SRTP internetworking (only) with SIPS control between two CMEs.

Then, perhaps you aren't allowed to configure SRTP to SRTP internetworking due to your IOS. You need the "fallback function" in order to permit RTP to SRTP fallback.

 

PHONE-A >> RTP >> CME-A >> SIP TRUNK WITH SRTP >> CME-B >> RTP >> PHONE-B

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Dear Benode

I'm following the link below:

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/212090-Configure-SIP-TLS-between-CUCM-CUBE-CUBE.html

 

show dial-peer voice summary
dial-peer hunt 0
             AD                                    PRE PASS SESS-SER-GRP\  OUT
TAG    TYPE  MIN  OPER PREFIX    DEST-PATTERN      FER THRU SESS-TARGET               STAT PORT    KEEPALIVE    VRF
1          voip         up   up                 1...                              0    syst   ipv4:192.168.2.1                               busyout    NA
20001  pots        up   up                2000$                         0                           50/0/1               NA

I have checked the version; it was not supported, and I upgraded to a version which supports SRTP to SRTP, but it is still not working. Actually, I'm looking for a configuration example for this type of setup.

Two CMEs with a secure SIP trunk, and the phones registered on both CMEs will have SRTP.

Thanks

Ok @adamgibs7

What is "your CME version"?

Do you use CME as CA server for your SIPs control?

Do you try to configure srtp also between 2 CME? Do you want a secure cluster for your ip phone registered on your CME? 

What is the control use for your phone registration? 

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Dear

 

As you mentioned in your previous post, to have SRTP between the endpoints we don't need to have a secure SIP trunk between both CMEs??? As I mentioned, in the document, by trusting each other's certificate you can build the secure SIP trunk. Please clarify and help me to succeed.

Here are the inputs

 

What is "your CME version"?

isr4300-universalk9.16.03.06.SPA.bin

 

Do you use CME as CA server for your SIPs control?

Yes, exporting each other's self-signed certificate to the other and creating a trustpoint as guided in the document link shared in the post above.

 

Do you try to configure srtp also between 2 CME? Do you want a secure cluster for your ip phone registered on your CME? 

yes

 

What is the control use for your phone registration? 

sip 5061

OK @adamgibs7, I don't think that a "SIP cluster" registered on CME permits SRTP between these internal endpoints.

The design for SRTP to SRTP is done with CUCM and CUBE (no CME).

But a secure cluster for your internal endpoints on your CME is possible with SCCP control.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

1. Secure SIP trunk with CME is supported.
2. Secure SIP trunk with CME for SCCP Phones is supported.
3. Secure SIP trunk with CME for SIP Phones is NOT supported.

1. Secure SIP trunk between two CMEs is supported.

2. SIPS and SRTP with SCCP control for your internal IP phones is supported.

3. SIPS and SRTP with SIP control for your internal IP phones is NOT supported.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Dear Experts

 

So the conclusion is

1. Secure SIP trunk with CME is supported. ---

A secure SIP trunk can be configured using the link posted earlier in this thread, i.e. the example between CUBE and CUCM; I am applying the same concept between CME and CME. Please correct me if I'm wrong.


2. Secure SIP trunk with CME for SCCP Phones is supported.

If the secure SIP trunk is configured between the CMEs as mentioned in point 1, then the phones should be registered on the CME by SCCP protocol. Please correct me if I'm wrong.


3. Secure SIP trunk with CME for SIP Phones is NOT supported.

If the secure SIP trunk is configured between the CMEs as mentioned in point 1, then phones registered on the CME by SIP protocol cannot use SRTP. Please correct me if I'm wrong.

Thanks

OK @adamgibs7,

It's exactly correct.

But to be sharp on one thing: concerning points 2 and 3, we are talking about the control used for IP phone registration... SCCP or SIP. The term "SIP trunk" is not appropriate under these points.

With SCCP firmware you can have secure calls (secure SCCP and SRTP) configured on your CME for INTERNAL CALLS.

With SIP firmware (secure SIP and SRTP), "secure calls" for INTERNAL CALLS are NOT supported on CME.

Lastly, point 1 is also correct. Even if you have IP phones with SIP firmware registered on your CME, you can configure secure SIP and/or SRTP on dial-peers with another CME or CUBE. As a consequence, the RTP will be encrypted (SRTP) between the two CMEs only, and you will have RTP between endpoints and their Call Manager.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Dears

Please confirm the following.

With SCCP firmware you can have secure calls (secure SCCP and SRTP) configured on your CME for INTERNAL CALLS.

In the above sentence you are referring to an internal call as when more than 2 phones are registered on the same CME, and I can have SRTP and secure signalling (secure SCCP) between these phones.

With SIP firmware (secure SIP and SRTP), "secure calls" for INTERNAL CALLS are NOT supported on CME.

OK, got it.

And the last point, which my scenario falls under:

I can have a SIP or SCCP phone registered to a CME with a secure SIP trunk to another CME, and the phones registered on either side of the CME can have SRTP calling.

Please correct me if the above thoughts are correct; if they are correct, then I'm on the correct path with the configuration and still the calls are failing.

"I can have a sip or sccp phone registered to a CME with a secure sip trunk to another CME, and the phones registered on either part of the cme can have a srtp calling."

 

The RTP will be encrypted (SRTP) only between your two CMEs.

The two CMEs work in RTP to SRTP internetworking.

If you want an ALL-SRTP "path" from one endpoint to another endpoint registered on another CME, then you need SCCP firmware on the endpoints and to configure the secure mode on each CME, plus configure SRTP on the dial peer.

It is the SRTP to SRTP internetworking mode.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
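
The split between secure signalling and secure media discussed in this thread can be checked per call leg from the SIP messages themselves (for example as shown by `debug ccsip messages`). The following is an added example, not code from any poster: it reads the Via transport and the SDP audio profile (`RTP/AVP` vs `RTP/SAVP` with an `a=crypto` line, per RFC 4568). Both messages are constructed and abbreviated, and every address except the thread's `192.168.2.1` is an assumption.

```python
import re

CRLF = "\r\n"
# Constructed, abbreviated SIP messages (not captured from the posters' routers).
TRUNK_LEG = CRLF.join([            # CME-A -> CME-B over the secure trunk
    "INVITE sip:1001@192.168.2.1:5061;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.1.1:5061;branch=z9hG4bK-constructed-1",
    "Content-Type: application/sdp", "",
    "v=0", "c=IN IP4 192.168.1.1",
    "m=audio 16384 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:CONSTRUCTED-KEY-PLACEHOLDER",
])
PHONE_LEG = CRLF.join([            # CME-B -> SIP phone: TLS signalling, plain RTP
    "INVITE sip:1001@192.168.2.50:5061;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.2.1:5061;branch=z9hG4bK-constructed-2",
    "Content-Type: application/sdp", "",
    "v=0", "c=IN IP4 192.168.2.1",
    "m=audio 16390 RTP/AVP 0",
])

def signalling_transport(msg):
    """Transport token of the topmost Via header (UDP, TCP or TLS)."""
    m = re.search(r"^Via:\s*SIP/2\.0/(\w+)", msg, re.I | re.M)
    return m.group(1).upper() if m else None

def audio_media(msg):
    """(profile, crypto suites) of the first m=audio section in the SDP body."""
    _, _, body = msg.partition(CRLF + CRLF)
    profile, suites, in_audio = None, [], False
    for line in body.splitlines():
        if line.startswith("m="):
            if in_audio:
                break                      # next media section: stop
            fields = line[2:].split()
            in_audio = fields[0] == "audio"
            profile = fields[2] if in_audio else None
        elif in_audio and line.startswith("a=crypto:"):
            suites.append(line.split()[1])  # e.g. AES_CM_128_HMAC_SHA1_32
    return profile, suites

def classify_leg(msg):
    """Report signalling and media protection separately for one call leg."""
    profile, suites = audio_media(msg)
    if profile is None:
        media = "no-audio"
    elif profile in ("RTP/SAVP", "RTP/SAVPF"):
        media = "SRTP" if suites else "SRTP-profile-without-crypto"
    else:
        media = "RTP"
    return {"signalling": signalling_transport(msg), "media": media}
```

Running `classify_leg` on the INVITE and the 200 OK of each leg shows where the path drops from SRTP to RTP even though signalling stays on TLS.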

Dear Benode,

 

+5 to you, the hints in the above post are very useful.

Very good explanation.

Can I have a configuration example for both scenarios?

Thanks