
SIP Encryption

toolshed1
Level 1

I have a quick question around SIP encryption.

We have an SX80, CUCM and Expressway.

On Zoom we select 3rd party encryption, which uses TLS 1.2.

When I create a security profile and apply it to the SX, it doesn't seem to work. When I do a capture I don't even see Hello packets for TLS.

My question is: if I need to encrypt between the SX and Zoom, where do I have to enable TLS?

The error I'm getting is "unable to establish an encrypted connection to sip:xxxx@zoomxx.com"

Thank you in advance


Calling Zoom will be a B2B call, and I hope the thread below will help you with securing B2B:

https://community.cisco.com/t5/unified-communications/cisco-expressway-secure-b2b-tls-encrypted/td-p/2957680

Nithin,

Thanks. I have TLS set to On on both my external and internal Expressways.

I have a Traversal Zone; under the SIP section, transport is set to TLS. The Traversal Zone is configured on both the External and Internal Expressways.

On the Internal Expressway I also have a CUCM Zone. That one is set to TCP. Do I need CUCM-to-Expressway TLS as well?


The call between your premises and Zoom would traverse your Expressway, and the actual connection between the two would be from your E to Zoom. That’s where the encryption typically would take place. Your video endpoints would not use an encrypted channel to the C, as that’s an on-premises connection. If you were to want to do that, you’d need to look at setting your CM into mixed mode, with all that comes with that, and your zone towards the CM from the C needs to be configured accordingly.

Roger,

Thanks. Sorry, I'm just a network guy that inherited the collaboration system.

I am OK with endpoints being unencrypted internally. I'm just trying to figure out why I get that error and the call does not take place if 3rd party encryption is selected on Zoom. If it's not selected, everything works fine. On the Expressway TLS is on, so I'm guessing it should be working, unless I'm missing something.

Collect logs from both Expressway C & E while making calls with encryption turned on, and analyse them using the CSA tool. This will give more information on what exactly is happening.

The document below describes how to enable specific debug logs when you troubleshoot non-Single Sign-On (SSO) and SSO-enabled Jabber and non-Jabber Mobile and Remote Access (MRA) via Expressway/Video Control Server (VCS).

https://www.cisco.com/c/en/us/support/docs/unified-communications/expressway/213360-collect-expressway-vcs-diagnostic-log-fo.html

CSA tool link:

https://cway.cisco.com/csa/

toolshed1
Level 1

Nithin,

Thanks. That was very helpful.

Looks like I have to create a DNS Zone on the E and load their CA.

Haven't done that just yet to test.


That should do it.

I have a DNS zone on the Expressway E cluster with TLS verify off and best effort.

It works for me to Zoom with AES 128.

I don't have it secured into our system yet for video, but it is encrypted out to Zoom.

If zoomcrc is the only thing you need to communicate with, you could obtain their certificate chain and add the CA chain to the trust store, but I did not do anything special for that and it works.

I created a Zone and Search rules, and that is working fine.

Under the zone I have TLS verify mode On, and for TLS verify subject name I have zoomcrc.com. Media Encryption is set to Auto.

I uploaded Zoom root certs from their website.

I'm getting:

tvcs: Event="Outbound TLS Negotiation Error" Service="SIP" Detail="Peer's TLS certificate identity was unacceptable" Protocol="TLS" Common-name="zoomcrc.com" Level="1"

You'd have to look at the CN or SAN from the certificate to be able to do that.
It likely doesn't say zoomcrc.com, but if it lets you, do *.zoomcrc.com.

Yep, it's just a root cert.

I can't find their cert that would have a CN or SAN on it.
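To show why a configured TLS verify subject name can be rejected even when the CA chain is trusted, here is an added Python example (not Expressway code and not from anyone in this thread) that models the usual RFC 6125 name-matching rules: SAN dNSName entries take precedence over the CN, and a wildcard such as *.zoomcrc.com covers sip.zoomcrc.com but not the bare zoomcrc.com. The identity lists are constructed for illustration, and whether Expressway applies exactly these rules is an assumption.

```python
from typing import List, Optional, Tuple


def hostname_matches(identity: str, hostname: str) -> bool:
    """True if one certificate identity (SAN dNSName or CN) covers hostname.

    Rules modelled on RFC 6125: comparison is case-insensitive, a '*' is
    accepted only as the entire leftmost label, and it matches exactly one
    label, so '*.zoomcrc.com' covers 'sip.zoomcrc.com' but neither the bare
    'zoomcrc.com' nor 'a.b.zoomcrc.com'.
    """
    ident = identity.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in identity:
        return ident == host
    # Fail closed on partial wildcards ('s*.zoomcrc.com') and on wildcards
    # anywhere other than the leftmost label.
    if ident[0] != "*" or any("*" in label for label in ident[1:]):
        return False
    if len(ident) < 3 or len(ident) != len(host):
        return False
    return ident[1:] == host[1:]


def certificate_identities(san_dns: List[str], common_name: Optional[str]) -> List[str]:
    """Identities a verifier compares against: SAN dNSName entries win, and
    the CN is consulted only when the certificate has no dNSName SAN at all."""
    if san_dns:
        return list(san_dns)
    return [common_name] if common_name else []


def verify_subject_name(san_dns: List[str], common_name: Optional[str],
                        configured_name: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, identity_that_matched) for a configured
    'TLS verify subject name' checked against the peer certificate."""
    for ident in certificate_identities(san_dns, common_name):
        if hostname_matches(ident, configured_name):
            return True, ident
    return False, None


if __name__ == "__main__":
    # Constructed identities for illustration, not a real Zoom certificate.
    san = ["*.zoomcrc.com"]
    cn = "zoomcrc.com"  # ignored by the matcher because a SAN list is present
    for name in ("zoomcrc.com", "sip.zoomcrc.com"):
        print(name, "->", verify_subject_name(san, cn, name))
```

The peer's real identities can be read with `openssl s_client -connect <host>:5061 -showcerts` piped into `openssl x509 -noout -subject -ext subjectAltName`, and the resulting names passed to verify_subject_name.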
