Thank you George.

How can we configure the SIP trunk with

SRTP and TLS 1.2?
I have done until now

dial-peer voice 3000 voip
destination-pattern 3...
translate-outgoing calling 1
session protocol sipv2
session target ipv4:1.2.3.4:5080
session transport tcp tls
voice-class codec 2
voice-class sip srtp-auth sha1-80 sha1-32
voice-class sip dtmf-relay force rtp-nte
voice-class sip tenant 1
voice-class sip srtp-crypto 1
voice-class sip bind control source-interface GigabitEthernet0/0/0
voice-class sip bind media source-interface GigabitEthernet0/0/0
dtmf-relay rtp-nte
srtp fallback
ip qos dscp cs3 signaling
no vad

sip-ua
sip-server ipv4:1.2.3.4:5080
transport tcp tls v1.2
connection-reuse via-port
crypto signaling remote-addr 1.2.3.4 255.255.255.255 trustpoint cube1
crypto signaling default trustpoint cube1
presence enable

crypto pki trustpoint cube1
enrollment selfsigned
revocation-check none
rsakeypair RSA2048 2048

on the voice service voip, due to another trunk with the provider that sends the calls unencrypted, I have the following

voice service voip
sip
bind control source-interface GigabitEthernet0/0/1
bind media source-interface GigabitEthernet0/0/1
registrar server expires max 1200 min 300
early-offer forced

voice class tenant 1
sip-server ipv4:1.2.3.4:5080
srtp-crypto 1
srtp-auth sha1-80 sha1-32
session transport tcp tls
url sips
bind control source-interface GigabitEthernet0/0/0
bind media source-interface GigabitEthernet0/0/0

voice class srtp-crypto 1
crypto 1 AES_CM_128_HMAC_SHA1_80
crypto 2 AES_CM_128_HMAC_SHA1_32

voice class tls-profile 1
trustpoint cube1
cn-san validate server

and it does not work. The server does not check for the client (my router) certificate, only the client should check the server certificate. In the crypto pki trustpoint cube1, I have installed the root certificate that created the remote server certificate.

Anything missing from the config ?