12-03-2009 03:14 AM - edited 03-21-2019 09:21 AM
Hi!
I want to run a secure VoIP setup and need some information about the following. I am connecting the SPA3102 to FreeSwitch which uses normal standards for TLS and SRTP.
1. How do I enable and ensure that the SPA3102 uses SRTP?
2. I am required to run TLS on a non-standard port. If I use 5061 then I can get registered. When I configure the SPA3102 to use the other port, it does not register. There are no firewalls etc in the way at the moment while I am testing. How do I do this and what is the supported port range? I have tried SIP-Port and EXT-SIP-Port.
I have the latest firmware 5.1.10(GW)
Thanks
12-03-2009 04:14 AM
I enabled syslog and when I set the server to work with TLS port 5061 but set port 442 on the SPA3102 (under tab Line 1, Sip Port:), I see the following:
Dec 3 23:02:09 192.168.1.141 SIP:TLS Port 442
Dec 3 23:02:09 192.168.1.141 SIP:TLS Port 442
:
:
Dec 3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect=0
Dec 3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect=0
Dec 3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect OK
Dec 3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect OK
Dec 3 23:02:17 192.168.1.141 [0]->192.168.1.120:5061(525)
Dec 3 23:02:17 192.168.1.141 [0]->192.168.1.120:5061(525)
Dec 3 23:02:17 192.168.1.141 REGISTER sip:192.168.1.120 SIP/2.0
Why does the SPA use 5061 when it is configured to use 442?
When I change the server to use port 442, I only see this:
Dec 3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connecting(4)
Dec 3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connecting(4)
Dec 3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connect=-1
Dec 3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connect=-1
By the way, what is [0]SIP/TCP LocalPort and how would that affect this?
EDIT:
Registration works if I put domain.com:port, so that is great.
Now just onto SRTP. Tips on how to set this up would be appreciated...
12-03-2009 02:31 PM
Hi Again,
I noted this comment on the FreeSwitch mailing list. Is this correct? Will the SPA3102 or SPA2102 ever support STANDARD SRTP?
AFAIK, the Cisco/Linksys SPA series ATAs do not support SDES key
exchange to appropriately support SRTP and FreeSWITCH. They do their
proprietary Sipura key exchange only, not sure if Cisco plans on
upgrading the firmware to ever support SDES on the ATAs. They added
support for SDES to their IP Phones about 1 year ago, but nothing has
happened with the ATAs as of yet.
12-04-2009 03:09 AM
Dear Sir;
Comment is right. Standard key exchange for SRTP is not supported on SPA2102 and SPA3102, but on the SPA9X2 and SPA500 phones. Current key exchange for SPA2102 and SPA3102 is proprietary and works between SPA ATAs or with a gateway that implements the SPA key exchange. Admin guide provides further info on how to generate the SRTP key (there is an SRTP key generator tool on the community).
On the TLS SIP port issue I would recommend you check the configuration. What port would you like to change? Internal (device) port or the external (proxy) UDP port?
- If it is the internal, you need to go to the Line X tab and modify the SIP port parameter (default for line 1 is 5060 and line 2 is 5061).
- If it is the external, you need to add ":
Regards
Alberto
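A check for the standard SDES key exchange discussed above (RFC 4568 `a=crypto` lines in the SDP body of an INVITE or 200 OK), as an added example that is not part of the original thread or of any Cisco or FreeSWITCH code. The name `audit_sdp` and the sample SDP bodies are constructed for illustration; the proprietary SPA key exchange is not modelled.

```python
import base64
import re

# key||salt length in bytes per SDES crypto suite (RFC 4568, section 6.2)
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"^a=crypto:\d+ (\S+) inline:([A-Za-z0-9+/=]+)")


def audit_sdp(sdp):
    """Return one dict per m= section describing its SRTP/SDES state."""
    results, cur = [], None
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if line.startswith("m="):
            media, _port, profile = line[2:].split()[:3]
            cur = {"media": media, "profile": profile, "suites": [], "problems": []}
            results.append(cur)
        elif cur is not None and line.startswith("a=crypto:"):
            m = CRYPTO_RE.match(line)
            if not m or m.group(1) not in KEY_SALT_LEN:
                cur["problems"].append("unusable a=crypto line")
                continue
            try:
                key_len = len(base64.b64decode(m.group(2), validate=True))
            except ValueError:  # binascii.Error is a ValueError
                key_len = -1
            if key_len == KEY_SALT_LEN[m.group(1)]:
                cur["suites"].append(m.group(1))
            else:
                cur["problems"].append("wrong key length for " + m.group(1))
    for r in results:
        secure = r["profile"] in ("RTP/SAVP", "RTP/SAVPF")
        r["sdes_srtp"] = secure and bool(r["suites"])
        if secure and not r["suites"]:
            r["problems"].append("secure profile without usable SDES key")
    return results


# Constructed sample bodies (not captured from a real device or server).
DUMMY_KEY = base64.b64encode(bytes(range(30))).decode()  # dummy 30-byte key||salt
SDES_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
              "t=0 0\r\nm=audio 16384 RTP/SAVP 0\r\n"
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + DUMMY_KEY + "\r\n")
PLAIN_OFFER = ("v=0\r\no=- 1 1 IN IP4 192.0.2.20\r\ns=-\r\nc=IN IP4 192.0.2.20\r\n"
               "t=0 0\r\nm=audio 16482 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")

if __name__ == "__main__":
    for name, body in (("sdes", SDES_OFFER), ("plain", PLAIN_OFFER)):
        print(name, audit_sdp(body))
```

Because SDES carries the key inside the SDP itself, the signalling leg has to run over TLS for that key to stay confidential.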
12-04-2009 03:34 AM
amontill wrote:
Comment is right. Standard key exchange for SRTP is not supported on SPA2102 and SPA3102, but on the SPA9X2 and SPA500 phones. Current key exchange for SPA2102 and SPA3102 is proprietary and works between SPA ATAs or with a gateway that implements the SPA key exchange.
Thanks Alberto.
Are there any plans to include standard key exchange in the SPA3102/SPA2102 in a future firmware release? I understand the SPA9X2 and SPA500 phones have had the support for over one year...
Thanks
Regards
Mark
12-07-2009 04:16 AM
Dear Mark;
Will check with engineering and let you know.
Regards
Alberto
12-12-2009 11:38 PM
Hi Alberto,
Did you get any response from engineering regarding standard SRTP support?
Thanks!
12-15-2009 08:12 AM
Dear Sir;
Not yet, will ping again. Thanks
12-28-2009 02:59 AM
Any response from Engineering?
01-05-2010 03:28 PM
Just a ping to see if there is any news on this...
01-07-2010 08:34 AM
Dear Sir;
It is in the roadmap but no committed date for development.
Regards
Alberto
04-12-2010 02:25 AM
Hello Alberto,
I couldn't find the key generator, could you please provide a link to download it.
Thanks a lot
04-12-2010 02:30 AM
Dear Sir;
Which country are you located in? I would need to refer you to our AM/SE to provide you with the tool based on the country you are located in.
regards
Alberto
04-12-2010 03:11 AM
Hello Alberto,
My customer is located in Germany. Which are the differences between the versions for different countries?
Thanks!
Luba
07-28-2012 02:21 AM
Please get back Alberto.
This has caused too much pain for enough of us.