I'm trying to make an encrypted call from a TX9000, registered at a CUCM 9.0.1, to an EX90, registered at a VCS X7.1. I configured a SIP trunk as given in the Deployment Guide "Cisco Unified Communications Manager with Cisco VCS" (Cisco VCS X7.1; CUCM v6.1, 7.x and 8.x).
Everything seems to work fine. The calls from TX9000 to another TX9000 (both CUCM registered) are encrypted and also calls from TX9000 to a Telepresence Server (registered at the VCS) are encrypted. But calls from TX9000 to EX90 are unencrypted or I'm getting no connection if encryption is set to 'required' (SIP Message 488 Not Acceptable Media).
I know the Deployment Guide wasn't written for CUCM 9 and that's the point: Are there any configuration steps I have to do in addition?
Thanks in advance.
Yes, I'm using a customer zone profile on the VCS.
Yes, the EX90 is SIP registered with TLS. In the logs I can see TLS is working but calls are unencrypted.
Although I don't think this will help in this particular case, it may be worth checking this out too. There is one setting that is not available on the web that is normally changed when the "Cisco Unified Call Manager" profile is chosen. Can you log in via ssh as admin, run "xconf zones", and find the zone that points towards your CUCM? It will have a unique number, in this case 4:
*c xConfiguration Zones Zone 4 Name: "CUCM 101"
Then, please run:
xConfiguration Zones Zone 4 Neighbor Interworking SIP Encryption EncryptSRTCP: Yes
Replacing "4" with your zone profile number. Then try again.
Other than that I cannot think of what may be causing this, so this may need a TAC case to look at traces from the calls.
I will check this out and try again.
I also do not think it will help, because encryption from CUCM registered endpoints to a Telepresence Server is working fine. These calls also use this zone.
But anyway, I will check and give you feedback.
Yes, the other thing is that the trunk to VCS on the CUCM is using the vcs-interop normalization script. But after that we'd really need to look at the SDP exchanges between EX90 and CUCM.
the setting was
xConfiguration Zones Zone 2 Neighbor Interworking SIP Encryption EncryptSRTCP
*c xConfiguration Zones Zone 2 Neighbor Interworking SIP Encryption EncryptSRTCP: No
but setting it to YES did not help: 488 / Not Acceptable Media
So we started a TAC Case. I will give feedback!
This should work; I had it working before:
1. TX9000 must have Device profile security as secure (which is already there, as you can have TX9000 to TX9000 secure)
2. SIP Trunk in CUCM to VCS must have SIP normalization script enabled and SRTP flag allowed
3. CUCM to VCS must be TLS and vice versa.
This can be done easily by doing mutual authentication (exchange CUCM cert and VCS cert)
4. On VCS, make sure it has a TLS transport towards CUCM. If I remember correctly, VCS won't announce crypto caps in SDP if transport is not TLS.
5. In VCS configure default settings for zone
6. For endpoint you can configure TLS and best effort for transport and media respectively
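The replies above point at comparing the SDP on each hop to see whether crypto capabilities are still announced after the VCS. As an added example (not part of any post in this thread and not Cisco code), this Python check classifies each media section of an offer and reports where SDES crypto was dropped between two hops. The sample SDP bodies are constructed, the function names and labels are this example's own, and treating `a=crypto` on an `RTP/AVP` line as an optional-SRTP offer is an assumption about how best-effort encryption is signalled.

```python
import re

# Constructed sample offers for one call on two hops (not taken from the thread).
HEAD = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"
OFFER_IN = "\r\n".join(HEAD + ["m=audio 16384 RTP/SAVP 0 8", CRYPTO,
                               "m=video 16386 RTP/AVP 97", CRYPTO])
OFFER_OUT = "\r\n".join(HEAD + ["m=audio 20000 RTP/AVP 0 8",
                                "m=video 20002 RTP/AVP 97", CRYPTO])

def media_sections(sdp):
    """Parse each m= section into media type, port, transport profile and SDES suites."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = re.match(r"m=(\S+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            sections.append({"media": m[1], "port": int(m[2]), "profile": m[3], "suites": []})
        elif line.startswith("a=crypto:") and sections and len(line.split()) >= 3:
            sections[-1]["suites"].append(line.split()[1])  # second field is the suite
    return sections

def classify(s):
    """Label one media section by what it offers for media encryption."""
    if s["port"] == 0:
        return "disabled"
    secure = s["profile"].startswith("RTP/SAVP")
    if s["suites"]:
        return "srtp" if secure else "srtp-optional"
    return "srtp-unkeyed" if secure else "plain"

def labelled(sdp):
    """Map 'audio#1', 'video#1', 'video#2', ... to each section's classification."""
    seen, out = {}, {}
    for s in media_sections(sdp):
        seen[s["media"]] = seen.get(s["media"], 0) + 1
        out[f'{s["media"]}#{seen[s["media"]]}'] = classify(s)
    return out

def crypto_lost(sdp_in, sdp_out):
    """Sections that offered SDES crypto on the inbound hop but are plain outbound."""
    out = labelled(sdp_out)
    return [k for k, v in labelled(sdp_in).items()
            if v in ("srtp", "srtp-optional") and out.get(k) == "plain"]
```

Feed it the offer as logged on the CUCM-facing leg and on the endpoint-facing leg of the same call; any section returned by `crypto_lost` is where the crypto attributes disappeared.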
I have the same issue between a 9971 registered on cucm8.6.2 and EX90 or E20 registered on VCS7.2.
I'm trying to make an encrypted call from an EX90 or E20, and a 9971.
EX90 and E20 are registered with TLS
9971 is in secure mode, encryption works between two 9971
SIP Trunk TLS is Active between CUCM and VCS
In CUCM zone, I have a custom profile with the setting from Deployment Guide CUCM8_9 and X7.2
On VCS, I put the command: xConfiguration Zones Zone 4 Neighbor Interworking SIP Encryption EncryptSRTCP: Yes
On CUCM SIP Trunk, SRTP allowed is checked
SIP Media encryption mode is Best effort in Default Zone and CUCM zone
Did you upload CUCM cert on VCS?
Any suggestion will be appreciated