Cisco SPA504G encrypted SRTP connection

pakozdibea
Level 1

Hello,

I've been struggling with establishing SRTP connections for a while now. I know little about this project, but I tried to configure it anyway.

I use 2 extensions. One of them supports TLS and encryption while the other one doesn't.

Under Voice > SIP > SRTP Method, I can choose between x-sipura and s-descriptor. I wasn't able to establish any encrypted connection with x-sipura, therefore s-descriptor is selected now.

Voice > Phone > Secure Call Serv: yes

Both fields (Mini Certificate, SRTP Private Key) are empty under Voice > Ext *. I don't know what I should type there.

And if I set Voice > User > Secure Call Setting to yes, I can't initiate calls with the extension that doesn't support encryption. It says: $Not acceptable here. (And I also can't receive unencrypted calls.)

X-sipura didn't work; maybe it needs the Mini Certificate and SRTP Private Key, but I don't know how I should obtain them. (It's rumored to be more secure.)

So, I'd like to initiate encrypted calls if it's possible and unencrypted ones if it's not, without any intervention. Right now I have to call *18 before each call, which isn't convenient at all.

Thank you in advance.

7 Replies

Jaime Valencia
Cisco Employee

SPA endpoints are covered in the SMB community, might want to move your thread over there.

HTH

java

if this helps, please rate

Thank you for your hint.

Did you mean to move my thread to 'Small Business Security'?

That's a good question, I'd try the SMB voice area in the first place.

HTH

java

if this helps, please rate

The best place is SMB voice -> Voice Systems

I moved it here already.

Dan Lukes
VIP Alumni

SRTP needs to be supported by both ends. Unfortunately, you didn't describe your topology, so we don't know what PBX/switch you are using.

x-sipura is a proprietary method. Mini Certificate and SRTP Private Key are required for it; they need to be generated by a Cisco tool available upon request. The x-sipura kind of SRTP requires no encrypted SIP session. But I assume your PBX is not capable of speaking x-sipura, thus it's no solution for you at all. And no, x-sipura is no longer considered "more secure" because of the length of the keys used. It's questionable whether it can be called secure at all.

s-descriptor is the RFC method. It requires a secured SIP session, e.g. TLS here. Unfortunately, the SPA504G MCU is not so powerful, thus TLS causes session setup delays. See Cisco XML Phone applications over https (SSL) for some measurements. We considered such a delay too long to be acceptable for our clients.

Also note there are several issues related to TLS - SPA[35]xx accepts certificates even if they are expired. SPA[12]xx ATA devices with firmware older than 1.3.2 don't check certificates at all (any certificate is considered valid), ...

Note: SRTP is not an end-to-end solution. It is just hop-by-hop encryption. Your phone is connected to a particular PBX. The assumed scenario is: single path = single policy. Either all calls are encrypted between your phone and the nearest next hop, or they are unencrypted.

Before we can debug something, you need to learn how to turn on syslog & debug messages and catch them. There is no way to debug issues with no such log available.

But maybe I just missed the goal/question.

Thank you for your valuable reply. You clarified a lot.

I think I can establish encrypted calls now. I tested with CSipSimple. I logged in with another account (both support SRTP), and the Cisco played the secure call tone and CSipSimple indicated that the call was encrypted.

SRTP Method: s-descriptor

Secure Call Serv: yes

Secure Call Setting: no, but I add *18 to some numbers.

That's my workaround, since if I set Secure Call Setting to yes, it tries to encrypt all the calls and fails if it's not possible. I have several (4) lines, and some of them don't support encryption or even TLS. $Not acceptable here.

Is it possible to set encryption for certain lines?

For example:

EXT1: UDP, unencrypted

EXT2: TLS, with SRTP support.

Cisco played the secure call tone and CSipSimple indicated the call is encrypted.

Glad to hear you solved it.

if I set secure call setting to yes, it tries to encrypt all the calls and fails if it's not possible.

It's documented behavior, as far as I know.

Is it possible to set encryption to certain lines?

No, as far as I know.

SRTP Method is under SIP/SIP_Parameters, Secure Call Serv is under Phone/Supplementary_Services, Secure Call Setting is under User/Supplementary_Services - all three are global, not per-extension. Thus there is no way to force a secure call on a particular extension but require no encryption on another one.

Yes, SIP Transport is a per-extension SIP Setting, but it doesn't enable/disable RTP encryption. It configures the SIP transport method only. You can configure SIP over TLS while RTP will still be encrypted. You can configure unencrypted SIP over UDP with encrypted RTP (although it's meaningless, as the encryption keys have been disclosed in unencrypted SIP).
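To make the two points above concrete (s-descriptor needs a secured SIP session, and the keys are disclosed when SIP runs unencrypted), here is an added Python example that is not part of the thread and not Cisco's code: it pulls the SRTP master key out of an SDES a=crypto line and classifies a line by its SIP transport. The SDP body, the transport names and the function names are my own assumptions.

```python
import base64
import re

# Constructed SDP offer, shaped like what an SPA504G using the "s-descriptor"
# (SDES, RFC 4568) method sends. The key is the RFC 4568 example value, not a secret.
SAMPLE_SDP = "\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 16384 RTP/SAVP 0 8 101",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4",
])

# a=crypto:<tag> <suite> inline:<base64(key||salt)>[|lifetime][|mki]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")
# (master key, master salt) lengths in bytes for the AES-CM-128 suites
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": (16, 14),
                "AES_CM_128_HMAC_SHA1_32": (16, 14)}


def parse_crypto_lines(sdp):
    """Return [(tag, suite, master_key, master_salt)] for each a=crypto line.
    The key material is plain base64 in the SDP body: whoever can read the SIP
    message can read it, which is why SDES needs SIP over TLS."""
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, b64 = m.groups()
        if suite not in KEY_SALT_LEN:
            raise ValueError(f"unsupported crypto suite on tag {tag}: {suite}")
        key_len, salt_len = KEY_SALT_LEN[suite]
        raw = base64.b64decode(b64)
        if len(raw) != key_len + salt_len:
            raise ValueError(f"bad key length on tag {tag}: {len(raw)} bytes")
        found.append((int(tag), suite, raw[:key_len], raw[key_len:]))
    return found


def assess_line(sip_transport, sdp):
    """Classify one line's media security from its per-extension SIP Transport
    value (e.g. "UDP", "TLS"; assumed names) and the SDP it sends."""
    if not parse_crypto_lines(sdp):
        return "cleartext media (no a=crypto offered)"
    if sip_transport.upper() != "TLS":
        return "SRTP offered, but master keys disclosed in unencrypted SIP"
    return "SRTP with keys protected by the SIP-over-TLS hop (hop-by-hop only)"
```

Running assess_line("UDP", SAMPLE_SDP) against the constructed offer gives the "keys disclosed" verdict, which is the configuration the reply above calls meaningless; only the TLS case keeps the offered key private, and then only on that hop.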