Encrypted calls between TX9000 (registered at CUCM 9.0.1) and EX90 (registered at VCS X7.1)

INGO REHER
Level 5

Hello,

I'm trying to make an encrypted call from a TX9000, registered at a CUCM 9.0.1, to an EX90, registered at a VCS X7.1. I configured a SIP trunk as given in the Deployment Guide "Cisco Unified Communications Manager with Cisco VCS, Deployment Guide, Cisco VCS X7.1, CUCM v6.1, 7.x and 8.x, SIP trunk" (D14602.10, March 2012).

Everything seems to work fine. The calls from TX9000 to another TX9000 (both CUCM registered) are encrypted and also calls from TX9000 to a Telepresence Server (registered at the VCS) are encrypted. But calls from TX9000 to EX90 are unencrypted or I'm getting no connection if encryption is set to 'required' (SIP Message 488 Not Acceptable Media).

I know the Deployment Guide wasn't written for CUCM 9 and that's the point: Are there any configuration steps I have to do in addition?

Thanks in advance.

Ingo

11 Replies

gubadman
Level 3

Hi Ingo,

Are you using a customer zone profile on the VCS for the CUCM zone or the CUCM profile?

Is the EX90 SIP registered with TLS or TCP?

Thanks,

Guy

Hi Guy,

yes I'm using a customer zone profile on the VCS.

and

yes, the EX90 is SIP registered with TLS. In the logs I can see TLS is working but calls are unencrypted.

Ingo

Although I don't think this will help in this particular case, it may be worth checking this out too. There is one setting that is not available on the web that is normally changed when the "Cisco Unified Call Manager" profile is chosen. Can you log in via ssh as admin, run "xconf zones", and find the zone that points towards your CUCM? It will have a unique number, in this case 4:

*c xConfiguration Zones Zone 4 Name: "CUCM 101"

Then, please run:

xConfiguration Zones Zone 4 Neighbor Interworking SIP Encryption EncryptSRTCP: Yes

Replacing "4" with your zone profile number. Then try again.

Other than that I cannot think of what may be causing this, so this may need a TAC case to look at traces from the calls.

Thanks,

Guy

I will check this out and try again.

I also do not think it will help, because encryption from CUCM registered endpoints to a Telepresence Server is working fine. These calls also use this zone.

But anyway, I will check and give you feedback.

Ingo

Yes, other thing is that the trunk to VCS on the CUCM is using the vcs-interop normalization script. But after that we'd really need to look at the SDP exchanges between EX90 and CUCM

Hi Guy,

the setting was

xConfiguration Zones Zone 2 Neighbor Interworking SIP Encryption EncryptSRTCP

*c xConfiguration Zones Zone 2 Neighbor Interworking SIP Encryption EncryptSRTCP: No

OK

but setting it to YES did not help: 488 / Not Acceptable Media

So we started a TAC Case. I will give feedback!

Regards

Ingo

Sounds good. One last thing, what is Media encryption mode set to on the neighbour zone to CUCM, on the VCS?

Media encryption mode sounds familiar to me, but where do I find this setting? Can't find it in the Neighbour Zone Configuration.

ah, it's X7.2 only, at least that rules one thing out.

Cheers,

Guy

Hi,

This should work; I had it working before:

1. The TX9000 must have Device profile security set to secure (which is already there, as you can have TX9000 to TX9000 secure)

2. SIP Trunk in CUCM to VCS must have SIP normalization script enabled and SRTP flag allowed

3. CUCM to VCS must be TLS and vice versa.

This can be done easily by doing mutual authentication (exchange CUCM cert and VCS cert)

4. On the VCS, make sure it has a TLS transport towards CUCM. If I remember correctly, VCS won't announce crypto caps in SDP if transport is not TLS.

5. In VCS configure default settings for zone

6. For endpoint you can configure TLS and best effort for transport and media respectively

HTH
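
For anyone comparing the SDP bodies from a call trace, as suggested earlier in the thread, here is an added example (not part of the thread and not Cisco code) that parses two SDP bodies and reports, per media line, whether an SRTP-only offer can be met. The SDP samples are constructed, and treating RTP/AVP carrying a=crypto as "best effort" is an assumption about how the devices signal it.

```python
import re

# Constructed SDP bodies for illustration: documentation addresses, placeholder key material.
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER\r\n"
OFFER_REQUIRED = HEAD + "m=audio 20000 RTP/SAVP 0\r\n" + KEY + "m=video 20002 RTP/SAVP 97\r\n" + KEY
PEER_BEST_EFFORT = HEAD + "m=audio 30000 RTP/AVP 0\r\n" + KEY + "m=video 30002 RTP/AVP 97\r\n"

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:")

def media_sections(sdp):
    """Return one dict per m= line: media type, transport profile, SDES crypto suites."""
    sections = []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3:  # media, port, proto, then payload types
                sections.append({"media": parts[0], "proto": parts[2], "suites": []})
        elif sections:  # a=crypto is media-level, so ignore it before the first m=
            match = CRYPTO_RE.match(line)
            if match:
                sections[-1]["suites"].append(match.group(2))
    return sections

def classify(section):
    """'required' = secure RTP profile, 'best-effort' = RTP/AVP with a=crypto, else 'none'."""
    if section["proto"] in ("RTP/SAVP", "RTP/SAVPF"):
        return "required"
    return "best-effort" if section["suites"] else "none"

def compare(offer, peer):
    """Pair m= sections by position (extra sections on either side are not compared)."""
    findings = []
    for o, p in zip(media_sections(offer), media_sections(peer)):
        common = [s for s in o["suites"] if s in p["suites"]]
        if classify(o) == "required" and not common:
            verdict = "no common SRTP suite: expect rejection (e.g. 488)"
        elif common:
            verdict = "SRTP possible with " + common[0]
        else:
            verdict = "falls back to unencrypted RTP"
        findings.append((o["media"], classify(o), classify(p), verdict))
    return findings

if __name__ == "__main__":
    for row in compare(OFFER_REQUIRED, PEER_BEST_EFFORT):
        print(row)
```

Feed it the SDP from the INVITE and the SDP the far side sends (its answer, or its own offer on a call placed the other way); a media line that shows "none" on one side while the other is "required" is the one to chase.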

Hi Gonzalo,

I have the same issue between a 9971 registered on cucm8.6.2 and EX90 or E20 registered on VCS7.2.

I'm trying to make an encrypted call from an EX90 or E20, and a 9971.

EX90 and E20 are registered with TLS

9971 is in secure mode, encryption works between two 9971

SIP Trunk TLS is Active between CUCM and VCS

In CUCM zone, I have a custom profile with the setting from Deployment Guide CUCM8_9 and X7.2

On VCS, I put the command: xConfiguration Zones Zone 4 Neighbor Interworking SIP Encryption EncryptSRTCP: Yes

On CUCM SIP Trunk, SRTP allowed is checked

SIP Media encryption mode is Best effort in Default Zone and CUCM zone

Did you upload CUCM cert on VCS?

Any suggestion will be appreciated

Regards