Guest

IP Telephony/Voice over IP (VoIP)

SIP-TLS between IOS SIP Gateway and CallManager Configuration Example

Document ID: 98746

Updated: Nov 29, 2007

   Print

Introduction

This document provides a sample configuration for SIP signaling encryption (SIP over Transport Layer Security) between a Cisco IOS® Gateway and Cisco Unified CallManager.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS Gateway: Cisco 2821, Cisco IOS Software Release12.4(15)T1 with Advanced Enterprise Services Feature set

  • Cisco CallManager 5.1.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

ios_ccm_sip_tls-1.gif

Configurations

This document uses these configurations:

Download the Cisco CallManager Self-signed Certificate

Complete these steps:

  1. Log into the Cisco Unified OS Administration Page in Cisco CallManager at https://<ccm ip address>/platform_gui/, and choose Security > Certificate Management > Download Certificate/CTL.

    ios_ccm_sip_tls-2.gif

  2. Click Download Own Cert.

    ios_ccm_sip_tls-3.gif

  3. Click CallManager as the Existing certificate type.

    ios_ccm_sip_tls-4.gif

  4. Click the Certificate Name.

    ios_ccm_sip_tls-5.gif

  5. Click Continue.

    ios_ccm_sip_tls-6.gif

  6. Right-click the CallManager.pem link, and select Save link as in order to download the certificate.

    ios_ccm_sip_tls-7.gif

Cisco IOS SIP Gateway Configuration

IOS SIP Gateway Configuration
maui-soho-01#


!--- Enable IP TCP MTU Path Discovery.


 ip tcp path-mtu-discovery 


!--- Configure NTP Server.


 ntp server 172.18.108.15 


!--- Upload the CCM Certificate to Cisco IOS Gateway.


crypto pki trustpoint CCM-Cert

 enrollment terminal

 revocation-check none

 
!--- Download the Cisco CallManager certificate, and paste 
 !--- the contents of the certificate, pem format.

 
Router(config)#crypto ca authenticate CCM-Cert 

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself 

-----BEGIN CERTIFICATE-----
MIICIjCCAYugAwIBAgIIS4xQN3bIZUowDQYJKoZIhvcNAQEFBQAwFzEVMBMGA1UE
AxMMUlRQTVMtQ0NNLTUxMB4XDTA3MDcyMzIzMjI0OVoXDTEyMDcyMzIzMjI0OVow
FzEVMBMGA1UEAxMMUlRQTVMtQ0NNLTUxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQD6HIRcgDXQmO/EWosnaMBaoqjzARIR0erx31uR9WOiaZqsgRY+Am5/E3FG
n1nJ/4NVmA45z1Q54vK0WULXgMBGANGHnBZFCNiJOiNeBfiEh1LGGMreVTLFqKB/
lNAMtTppc0AVyYFjAAcJtZfUGxolZCanY5TWfmlwGBMIDhnqQQIDAQABo3cwdTAL
BgNVHQ8EBAMCArwwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEF
BQcDBTAeBgNVHREEFzAVhhNzaXA6Q049UlRQTVMtQ0NNLTUxMB0GA1UdDgQWBBQr
pCXbwcRZ09AkO7V0HgHihiKpZzANBgkqhkiG9w0BAQUFAAOBgQAvNQqaVKKoZxUD
HCBIA292qZSsOht859FY3UJkWfGD+kjlGhjgjlxEQcaJOa7pDlorzH+HQIjFpcv6
1cl0tOdOrs2L6IAGd9e5DQ3qDwWxaB7TIsBPTkv9FLVURnKtJtVHbqjMd+AAtsDl
/DV5TbDUdre6Org1mn4uaMdrYzt1kQ==
-----END CERTIFICATE-----
 

Certificate has the following attributes:
       Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B 
      Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9
 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
 


!--- Configure a trustpoint in order to generate the self-signed 
!--- certificate of the Gateway.


 

crypto pki trustpoint CCM-SIP-1
 enrollment selfsigned
 fqdn none
 subject-name CN=SIP-GW
 revocation-check none
 rsakeypair CCM-SIP-1
 

Router(config)#crypto ca enroll CCM-SIP-1 
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
 


!— View the certificate in PEM format, and copy the Self-signed CA certificate
!--- (output starting from “----BEGIN” to “CERTIFICATE----“) to a file named SIP-GW.pem 
 

 

Router(config)#crypto pki export CCM-SIP-1 pem terminal 
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE-----
 

% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE----- 

 


!--- Configure the SIP stack in the Cisco IOS GW to use the self-signed 
!--- certificate of the router in order to establish a SIP TLS connection from/to 
!--- Cisco CallManager.


 
sip-ua 
 crypto signaling remote-addr 172.18.110.84 255.255.255.255 trustpoint CCM-SIP-1 strict-cipher
 


!--- Configure the T1 PRI.


 
controller T1 1/0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
 


!--- Configure the ISDN switch type and incoming-voice under the D-channel 
!--- interface.


 
interface Serial1/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
 


!--- Configure a POTS dial-peer that is used as an inbound dial-peer for calls 
!--- that come in across the T1 PRI line.


 
dial-peer voice 2 pots
 description PSTN PRI Circuit
 destination-pattern 9T
 incoming called-number .
 direct-inward-dial
 port 1/0/0:23
 


!--- Configure an outbound voip dial-peer in order to route calls to the 
!--- Cisco CallManager.


 
dial-peer voice 3 voip
 destination-pattern 75...
 session protocol sipv2
 session target ipv4:172.18.110.84:5061
 session transport tcp tls
 dtmf-relay rtp-nte
 codec g711ulaw 

Upload Cisco IOS SIP Gateway’s Certificate to Cisco Unified CallManager

Complete these steps:

  1. Log into the Cisco Unified OS Administration Page in Cisco CallManager at https://<ccm ip address>/platform_gui/, and choose Security > Certificate Management > Upload Certificate/CTL.

    ios_ccm_sip_tls-8.gif

  2. Click Upload Trust Cert.

    ios_ccm_sip_tls-9.gif

  3. Click CallManager-trust.

    ios_ccm_sip_tls-10.gif

  4. Enter or browse to the location of the Cisco IOS Certificate, the.pem file, and click Upload.

    ios_ccm_sip_tls-11.gif

  5. Verify the upload result.

    ios_ccm_sip_tls-12.gif

SIP Trunk Configuration in Cisco CallManager

Complete these steps:

  1. Log into the Cisco Unified OS Administration Page in CallManager at https://<ccm ip address>/ccmadmin/. Configure a SIP Trunk Security Profile:

    1. Choose System > Security Profile > SIP Trunk Security Profile.

    2. Click the Add New button with the parameters shown in this figure:

      ios_ccm_sip_tls-13.gif

  2. Configure a SIP Trunk:

    1. Choose Device > Trunk.

    2. Click the Add New button.

    3. Select SIP Trunk for Trunk Type, as shown:

      ios_ccm_sip_tls-14.gif

      ios_ccm_sip_tls-15.gif

  3. Configure a Route pattern:

    1. Choose Call Routing > Route/Hunt > Route Pattern.

    2. Click the Add New button, as shown:

      ios_ccm_sip_tls-16.gif

Verify

Use this section in order to confirm that your configuration works properly at the Cisco IOS SIP Gateway.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.

  • Show crypto pki certificate verbose CCM-SIP-1

    Router Self-Signed Certificate
    
      Status: Available
    
      Version: 3
    
      Certificate Serial Number: 0x1
    
      Certificate Usage: General Purpose
    
      Issuer: 
    
        cn=SIP-GW
    
      Subject:
    
        Name: SIP-GW
    
        cn=SIP-GW
    
      Validity Date: 
    
        start date: 16:01:07 EST Sep 5 2007
    
        end   date: 20:00:00 EST Dec 31 2019
    
      Subject Key Info:
    
        Public Key Algorithm: rsaEncryption
    
        RSA Public Key: (512 bit)
    
      Signature Algorithm: MD5 with RSA Encryption
    
      Fingerprint MD5: 3F9612FB C0E435F1 F445B5C4 0344E6A9 
    
      Fingerprint SHA1: E6520255 B799818F C1067042 1A7E2EE9 4DDFD0C8 
    
      X509v3 extensions:
    
        X509v3 Subject Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 
    
        X509v3 Basic Constraints:
    
            CA: TRUE
    
        X509v3 Subject Alternative Name:
    
            F340.28.25-2800-2
    
        X509v3 Authority Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 
    
        Authority Info Access:
    
      Associated Trustpoints: CCM-SIP-1
    
  • Show crypto pki certificate verbose CCM-Cert

    CA Certificate
    
      Status: Available
    
      Version: 3
    
      Certificate Serial Number: 0x4B8C503776C8654A
    
      Certificate Usage: General Purpose
    
      Issuer: 
    
        cn=RTPMS-CCM-51
    
      Subject: 
    
        cn=RTPMS-CCM-51
    
      Validity Date: 
    
        start date: 19:22:49 EST Jul 23 2007
    
        end   date: 19:22:49 EST Jul 23 2012
    
      Subject Key Info:
    
        Public Key Algorithm: rsaEncryption
    
        RSA Public Key: (1024 bit)
    
      Signature Algorithm: SHA1 with RSA Encryption
    
      Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B 
    
      Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9 
    
      X509v3 extensions:
    
        X509v3 Key Usage: BC000000
    
          Digital Signature
    
          Key Encipherment
    
          Data Encipherment
    
          Key Agreement
    
          Key Cert Sign
    
        X509v3 Subject Key ID: 2BA425DB C1C459D3 D0243BB5 741E01E2 8622A967 
    
        X509v3 Subject Alternative Name:
    
        Authority Info Access:
    
      Associated Trustpoints: CCM-Cert
    
  • Show sip-ua connection tcp tls detail

    Total active connections      : 2
    
    No. of send failures          : 0
    
    No. of remote closures        : 0
    
    No. of conn. failures         : 2
    
    No. of inactive conn. ageouts : 0
    
    Max. tls send msg queue size of 0, recorded for 0.0.0.0:0
    
    TLS client handshake failures : 2
    
    TLS server handshake failures : 0
    
     
    
    ---------Printing Detailed Connection Report---------
    
    Note:
    
     ** Tuples with no matching socket entry
    
        - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port>'
    
          to overcome this error condition
    
     ++ Tuples with mismatched address/port entry
    
        - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port> 
    	 
    	   id <connid>' to overcome this error condition
    
     
    
    Remote-Agent:172.18.110.84, Connections-Count:2
    
      Remote-Port Conn-Id Conn-State  WriteQ-Size
    
      =========== ======= =========== ===========
    
             5061       1 Established           0
    
            51180       2 Established           0
    
  • Show call active voice brief
    11F0 : 7 8990160ms.1 +2670 pid:20001 Answer 7960 active
    
     dur 00:00:10 tx:483/83076 rx:510/81600
    
     Tele 1/0/0:23 (228) [1/0/0.1] tx:9660/9660/0ms g711ulaw noise:0 acom:0  i/0:0/0 dBm
    
     
    
    11F0 : 8 8990980ms.1 +1840 pid:3 Originate 75001 active
    
     dur 00:00:10 tx:483/1246360336 rx:513/82080
    
     IP 14.50.202.26:28232 SRTP: off rtt:0ms pl:4720/1ms lost:0/0/0 delay:0/0/0ms 
     
     g711ulaw TextRelay: off media inactive detected:n media contrl rcvd:n/a 
     
     timestamp:n/a long duration call detected:n long duration call 
     
     duration:n/a timestamp:n/a
    
     
    
    Telephony call-legs: 1
    
    SIP call-legs: 1
    
    H323 call-legs: 0
    
    Call agent controlled call-legs: 0
    
    SCCP call-legs: 0
    
    Multicast call-legs: 0
    
    Media call-legs: 0
    
    Total call-legs: 2
    

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Debug Commands

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.

Configure the Cisco IOS Gateway to log the debugs in its logging buffer and disable logging console.

Note: Refer to Important Information on Debug Commands before you use debug commands.

These are the commands used in order to configure the Gateway to store the debugs in the logging buffer:

  • service timestamps debug datetime msec

  • service sequence

  • no logging console

  • logging buffered 5000000 debug

  • clear log

These are the commands used in order to debug the configuration in this document:

  • debug isdn q931

  • debug voip ccapi inout

  • debug ccsip all

  • debug ssl openssl errors

  • debug ssl openssl msg

  • debug ssl openssl states

Related Information

Updated: Nov 29, 2007
Document ID: 98746