Cisco UBE Support for SRTP-RTP Internetworking
CUBE Support for SRTP-RTP Internetworking
The Cisco Unified Border Element Support for SRTP-RTP Internetworking feature connects SRTP Cisco Unified CallManager domains with the following:
- RTP Cisco Unified CallManager domains, that is, domains that do not support SRTP or have not been configured for SRTP, as shown in the figure below.
- RTP Cisco applications or servers, for example Cisco Unified MeetingPlace, Cisco WebEx, or Cisco Unity, which do not support SRTP, have not been configured for SRTP, or reside in a secure data center, as shown in the figure below.
- RTP third-party equipment, for example IP trunks to PBXs or virtual machines that do not support SRTP.
The Cisco Unified Border Element Support for SRTP-RTP Internetworking feature connects SRTP enterprise domains to RTP SIP provider SIP trunks. SRTP-RTP internetworking connects RTP enterprise networks with SRTP over an external network between businesses. This provides flexible secure business-to-business communications without the need for static IPsec tunnels or the need to deploy SRTP within the enterprise, as shown in the figure below.
SRTP-RTP internetworking also connects SRTP enterprise networks with static IPsec over external networks, as shown in the figure below.
SRTP-RTP internetworking on the Cisco UBE in a network topology uses single-pair key generation. Existing audio and dual-tone multifrequency (DTMF) transcoding is used to support voice calls. SRTP-RTP internetworking support is provided in both flow-through and high-density mode. SRTP-SRTP pass-through is not impacted.
SRTP is configured on one dial peer and RTP on the other, using the srtp and srtp fallback dial-peer commands. The dial-peer configuration takes precedence over the global configuration on the Cisco UBE.
Fallback handling occurs if one of the call endpoints does not support SRTP: the call either falls back to RTP-RTP or fails, depending on the configuration. Fallback takes place only if the srtp fallback command is configured on the respective dial peer. RTP-RTP fallback also occurs when no transcoding resources are available for SRTP-RTP internetworking.
TLS on the Cisco Unified Border Element
The Cisco Unified Border Element Support for SRTP-RTP Internetworking feature allows Transport Layer Security (TLS) to be enabled or disabled between the Skinny Call Control Protocol (SCCP) server and the SCCP client. By default, TLS is enabled, which protects the SCCP session at the transport level and ensures that the SRTP keys it carries are not easily accessible. Once TLS is disabled, the SRTP keys are not protected.
SRTP-RTP internetworking is available with normal and universal transcoders. The transcoder on the Cisco Unified Border Element is invoked using SCCP messaging between the SCCP server and the SCCP client, and the SCCP messages carry the SRTP keys to the digital signal processor (DSP) farm at the SCCP client. The transcoder can be within the same router or in a separate router. With TLS disabled those keys cross the SCCP session in cleartext, so disable TLS only when the transcoder is located in the same router and the SCCP session never leaves it. To disable TLS, configure the no form of the tls command in DSP farm profile configuration mode. Disabling TLS improves CPU performance.
Supplementary Services Support on the Cisco UBE for RTP-SRTP Calls
The Supplementary Services Support on Cisco UBE for RTP-SRTP Calls feature supports the following supplementary services on the Cisco UBE:
- Midcall codec change with voice class codec configuration for SRTP-RTP and SRTP pass-through calls.
- Reinvite-based call hold.
- Reinvite-based call resume.
- Music on hold (MoH) invoked from the Cisco Unified Communications Manager (Cisco UCM), where the call leg changes between SRTP and RTP for an MoH source.
- Reinvite-based call forward.
- Reinvite-based call transfer.
- Call transfer based on a REFER message, with local consumption or pass-through of the REFER message on the Cisco UBE.
- Call forward based on a 302 message, with local consumption or pass-through of the 302 message on the Cisco UBE.
- T.38 fax switchover.
- Fax pass-through switchover.
- DO-EO for SRTP-RTP calls.
- DO-EO for SRTP pass-through calls.
When the initial SRTP-RTP or SRTP pass-through call is established on the Cisco UBE, the call can switch between SRTP and RTP for the various supplementary services that the endpoints can invoke. Transcoder resources are used to perform SRTP-RTP conversion on the Cisco UBE. When the call switches between SRTP and RTP, the transcoder is dynamically inserted, deleted, or modified. Both normal transcoding and high-density (optimized) transcoding are supported.
For call transfers involving REFER and 302 messages (messages that are locally consumed on Cisco UBE), end-to-end media renegotiation is initiated from Cisco UBE only when you configure the supplementary-service media-renegotiate command in voice service voip configuration mode.
When supplementary services are invoked from the end points, the call can switch between SRTP and RTP during the call duration. Hence, Cisco recommends that you configure such SIP trunks for SRTP fallback.
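The fallback rules above (srtp versus srtp fallback on a dial peer, RTP-RTP fallback when no transcoder is free) and the mid-call SRTP/RTP switching of the supplementary-services section are easier to reason about as a small decision model. The following Python is an added example, not Cisco code and not a description of CUBE internals: it detects SRTP capability in a far end's SDP by the RTP/SAVP profile plus an a=crypto line (SDES keying is assumed), resolves the media mode of each leg from the dial-peer policy, and reports whether a transcoder session is needed or the call falls back or fails. The policy names, the CallPlan structure and the SDP bodies are constructed for the example.

```python
# Added example (not Cisco code): a model of how a border element decides the
# media mode of each call leg from the dial-peer srtp policy and the far end's
# SDP, when a transcoder is needed, and when the call falls back to RTP-RTP or
# fails. SDES signalling (RTP/SAVP plus a=crypto) is assumed for SRTP.
import re
from dataclasses import dataclass
from enum import Enum


class Media(Enum):
    RTP = "RTP"
    SRTP = "SRTP"


# Dial-peer media policy, named after the CLI it stands for (assumed mapping):
#   "srtp"          -> SRTP required; the leg fails if the far end cannot do SRTP
#   "srtp fallback" -> prefer SRTP, accept RTP
#   "rtp"           -> no srtp command on the dial peer; plain RTP
POLICIES = ("srtp", "srtp fallback", "rtp")


def peer_supports_srtp(sdp: str) -> bool:
    """True when the audio m= line uses the RTP/SAVP profile and carries an
    a=crypto line (SDES keying); that is what an SRTP-capable far end sends."""
    m_audio = re.search(r"^m=audio \d+ (\S+)", sdp, re.M)
    has_crypto = re.search(r"^a=crypto:\d+ ", sdp, re.M) is not None
    return m_audio is not None and m_audio.group(1).startswith("RTP/SAVP") and has_crypto


def negotiate_leg(policy: str, sdp: str):
    """Media mode for one leg, or None when the policy cannot be satisfied."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    srtp_ok = peer_supports_srtp(sdp)
    if policy == "srtp":
        return Media.SRTP if srtp_ok else None
    if policy == "srtp fallback":
        return Media.SRTP if srtp_ok else Media.RTP
    return Media.RTP


@dataclass
class CallPlan:
    inbound: Media
    outbound: Media
    transcoder: bool      # SRTP<->RTP conversion consumes a DSP transcoder session
    note: str


def plan_call(in_policy, in_sdp, out_policy, out_sdp, transcoders_free: int):
    """Resolve both legs. Call plan_call again with the new SDP of a leg after a
    re-INVITE (hold, resume, MoH, transfer) to see the transcoder being inserted
    or removed as that leg switches between SRTP and RTP."""
    a = negotiate_leg(in_policy, in_sdp)
    b = negotiate_leg(out_policy, out_sdp)
    if a is None or b is None:
        return None                                   # srtp-mandatory leg, peer has no SRTP
    if a == b:
        note = "srtp pass-through" if a is Media.SRTP else "rtp-rtp"
        return CallPlan(a, b, False, note)
    if transcoders_free > 0:
        return CallPlan(a, b, True, "srtp-rtp internetworking")
    # No DSP resource: RTP-RTP fallback is allowed only if the SRTP leg permits it
    srtp_policy = in_policy if a is Media.SRTP else out_policy
    if srtp_policy == "srtp fallback":
        return CallPlan(Media.RTP, Media.RTP, False, "rtp-rtp fallback (no transcoder)")
    return None                                       # SRTP mandatory, no transcoder: fail


# Constructed SDP bodies (RFC 5737 addresses; the a=crypto key is sample material,
# not a real key).
SDP_SRTP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 16384 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
"""
SDP_RTP = SDP_SRTP.replace("RTP/SAVP", "RTP/AVP").rsplit("a=crypto", 1)[0]

if __name__ == "__main__":
    # Secure CUCM leg in, RTP SIP trunk out, one transcoder available.
    print(plan_call("srtp", SDP_SRTP, "rtp", SDP_RTP, transcoders_free=1))
    # Same call with no DSP left: fails unless the SRTP leg has srtp fallback.
    print(plan_call("srtp", SDP_SRTP, "rtp", SDP_RTP, transcoders_free=0))
    print(plan_call("srtp fallback", SDP_SRTP, "rtp", SDP_RTP, transcoders_free=0))
```

Re-running plan_call for the MoH case (the CUCM leg configured with srtp fallback, its SDP switching from SDP_SRTP to SDP_RTP for the MoH source) shows the plan move from srtp-rtp internetworking with a transcoder to rtp-rtp without one, which is why the section recommends srtp fallback on trunks where such services are expected.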
Configuring the Certificate Authority
1. enable
2. configure terminal
3. ip http server
4. crypto pki server cs-label
5. database level complete
6. grant auto
7. no shutdown
8. exit
Configuring a Trustpoint for the Secure Universal Transcoder
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. enrollment url url
5. serial-number
6. revocation-check method
7. rsakeypair key-label
8. end
9. crypto pki authenticate name
10. crypto pki enroll name
11. exit
Configuring DSP Farm Services
1. enable
2. configure terminal
3. voice-card slot
4. dspfarm
5. dsp services dspfarm
6. Repeat Steps 3, 4, and 5 to configure a second voice card.
7. exit
Associating SCCP to the Secure DSP Farm Profile
1. enable
2. configure terminal
3. sccp local interface-type interface-number
4. sccp ccm ip-address identifier identifier-number version version-number
5. sccp
6. sccp ccm group group-id
7. associate ccm identifier-number priority priority-number
8. associate profile profile-identifier register device-name
9. dspfarm profile profile-identifier transcode universal security
10. trustpoint trustpoint-label
11. codec codec-type
12. Repeat Step 11 to configure the required codecs.
13. maximum sessions number
14. associate application sccp
15. no shutdown
16. exit
Registering the Secure Universal Transcoder to the CUBE
1. enable
2. configure terminal
3. telephony-service
4. sdspfarm transcode sessions number
5. sdspfarm tag number device-name
6. em logout time1 time2 time3
7. max-ephones max-ephones
8. max-dn max-directory-numbers
9. ip source-address ip-address
10. secure-signaling trustpoint label
11. tftp-server-credentials trustpoint label
12. create cnf-files
13. no sccp
14. sccp
15. end
Configuring SRTP-RTP Internetworking Support
Perform the task in this section to enable SRTP-RTP internetworking support between one or multiple Cisco Unified Border Elements for SIP-SIP audio calls. In this task, RTP is configured on the incoming call leg and SRTP is configured on the outgoing call leg.
Before You Begin
Before you configure the Cisco Unified Border Element Support for SRTP-RTP Internetworking feature, register the secure universal transcoder to the Cisco Unified Border Element, as described in Registering the Secure Universal Transcoder to the CUBE.
Note: The Cisco Unified Border Element Support for SRTP-RTP Internetworking feature is available only on platforms that support transcoding on the Cisco Unified Border Element, and only on secure Cisco IOS images on the Cisco Unified Border Element.
10. dial-peer voice tag voip
11. Repeat Steps 4, 5, 6, and 7 to configure a second dial peer.
12. srtp
13. codec codec
14. exit
Troubleshooting Tips
The following commands can help troubleshoot Cisco Unified Border Element support for SRTP-RTP internetworking:
- show crypto pki certificates
- show sccp
- show sdspfarm
Enabling SRTP on the Cisco UBE
You can configure SRTP with the fallback option so that a call can fall back to RTP if SRTP is not supported by the other call end. Enabling SRTP with fallback is required for supplementary services such as MoH, call forward, and call transfer, because these services can switch a leg from SRTP to nonsecure RTP during the call.
Configuration
Enabling SRTP on a Dial Peer
SUMMARY STEPS
1. enable
2. configure terminal
3. dial-peer voice tag voip
4. srtp fallback
Example: Enabling SRTP on a Dial Peer
Device(config)# dial-peer voice 10 voip
Device(config-dial-peer)# srtp fallback
Device(config-dial-peer)# exit
Verifying SRTP-RTP Supplementary Services Support on the Cisco UBE
Perform this task to verify the configuration for SRTP-RTP supplementary services support on the Cisco UBE. The show commands need not be entered in any specific order.
1. enable
2. show call active voice brief
3. show sccp connection
4. show dspfarm dsp active
5. exit
Configuration Examples for CUBE Support for SRTP-RTP Internetworking
SRTP-RTP Internetworking Example
The following example shows how to configure Cisco Unified Border Element support for SRTP-RTP internetworking. In this example, the incoming call leg is RTP and the outgoing call leg is SRTP. Console output from the original capture is shown inline with the commands. Note that the capture generates a 1024-bit RSA key and prints MD5 fingerprints; on current software use at least a 2048-bit key, and verify the SHA1 fingerprint of the CA certificate out of band before answering yes at the crypto pki authenticate prompt, because accepting an unverified CA certificate lets anyone holding that CA issue certificates the transcoder will trust.
enable
configure terminal
ip http server
crypto pki server 3845-cube
database level complete
grant auto
no shutdown
%PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
% Some server settings cannot be changed after CA certificate generation.
% Please enter a passphrase to protect the private key or type Return to exit
Password:
Re-enter password:
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
% SSH-5-ENABLED: SSH 1.99 has been enabled
% Exporting Certificate Server signing certificate and keys...
% Certificate Server enabled.
%PKI-6-CS_ENABLED: Certificate server now enabled.
!
crypto pki trustpoint secdsp
enrollment url http://10.13.2.52:80
serial-number
revocation-check crl
rsakeypair 3845-cube
exit
!
crypto pki authenticate secdsp
Certificate has the following attributes:
Fingerprint MD5: CCC82E9E 4382CCFE ADA0EB8C 524E2FC1
Fingerprint SHA1: 34B9C4BF 4841AB31 7B0810AD 80084475 3965F140
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
crypto pki enroll secdsp
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: 3845-CUBE
% The serial number in the certificate will be: FHK1212F4MU
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate secdsp verbose' command will show the fingerprint.
CRYPTO_PKI: Certificate Request Fingerprint MD5: 56CE5FC3 B8411CF3 93A343DA 785C2360
CRYPTO_PKI: Certificate Request Fingerprint SHA1: EE029629 55F5CA10 21E50F08 F56440A2 DDC7469D
%PKI-6-CERTRET: Certificate received from Certificate Authority
!
voice-card 0
dspfarm
dsp services dspfarm
voice-card 1
dspfarm
dsp services dspfarm
exit
!
sccp local GigabitEthernet 0/0
sccp ccm 10.13.2.52 identifier 1 version 5.0.1
sccp
SCCP operational state bring up is successful.
sccp ccm group 1
associate ccm 1 priority 1
associate profile 1 register sxcoder
dspfarm profile 1 transcode universal security
trustpoint secdsp
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
codec g729r8
codec ilbc
codec g729br8
maximum sessions 84
associate application sccp
no shutdown
exit
!
telephony-service
%LINEPROTO-5-UPDOWN: Line protocol on Interface EDSP0, changed state to up
sdspfarm units 1
sdspfarm transcode sessions 84
sdspfarm tag 1 sxcoder
em logout 0:0 0:0 0:0
max-ephones 4
max-dn 4
ip source-address 10.13.2.52
Updating CNF files
CNF-FILES: Clock is not set or synchronized, retaining old versionStamps
CNF files updating complete
secure-signaling trustpoint secdsp
tftp-server-credentials trustpoint scme
CNF-FILES: Clock is not set or synchronized, retaining old versionStamps
CNF files update complete (post init)
create cnf-files
CNF-FILES: Clock is not set or synchronized, retaining old versionStamps
no sccp
!
sccp
SCCP operational state bring up is successful.
end
%SDSPFARM-6-REGISTER: mtp-1:sxcoder IP:10.13.2.52 Socket:1 DeviceType:MTP has registered.
%SYS-5-CONFIG_I: Configured from console by console
dial-peer voice 201 voip
destination-pattern 5550111
session protocol sipv2
session target ipv4:10.13.25.102
incoming called-number 5550112
codec g711ulaw
!
dial-peer voice 200 voip
destination-pattern 5550112
session protocol sipv2
session target ipv4:10.13.2.51
incoming called-number 5550111
srtp
codec g711ulaw
Feature Information for CUBE Support for SRTP-RTP Internetworking
Feature Name | Releases | Feature Information |
---|---|---|
Cisco Unified Border Element Support for SRTP-RTP Internetworking | 12.4(22)YB, 15.0(1)M | This feature allows secure enterprise-to-enterprise calls. Support for SRTP-RTP internetworking between one or multiple Cisco Unified Border Elements is enabled for SIP-SIP audio calls. The following command was introduced: tls. |
Supplementary Services Support on Cisco UBE for RTP-SRTP Calls | 15.2(1)T | The SRTP-RTP Internetworking feature was enhanced to support supplementary services for SRTP-RTP calls on Cisco UBE. |
Supplementary Services Support on Cisco UBE for RTP-SRTP Calls | Cisco IOS XE Release 3.7S | The SRTP-RTP Internetworking feature was enhanced to support supplementary services for SRTP-RTP calls on Cisco UBE. |
Original URL: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube_proto/configuration/xe-3s/asr1000/cube-proto-xe-3s-asr1000-book/voi-srtp-rtp-int.html