语音 : 会话初始化协议 (SIP)

在IOS SIP网关和CallManager之间的SIP-TLS配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2014 年 9 月 26 日) | 反馈


目录


简介

本文为SIP信令加密(在传输层安全的SIP提供一配置示例)在Cisco IOS 网关和Cisco Unified CallManager之间。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco IOS网关:思科2821,与先进的企业服务特性组的Cisco IOS软件Release12.4(15)T1

  • Cisco CallManager 5.1.2

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/98746/ios_ccm_sip_tls-1.gif

配置

本文档使用以下配置:

下载Cisco CallManager自签名证书

完成这些步骤:

  1. 登录在Cisco CallManager的Cisco Unified OS管理页面在https:// <ccm IP地址>/platform_gui/,并且选择安全> Certificate Management >下载Certificate/CTL

    /image/gif/paws/98746/ios_ccm_sip_tls-2.gif

  2. 点击下载拥有Cert

    /image/gif/paws/98746/ios_ccm_sip_tls-3.gif

  3. 单击CallManager作为现有的证书类型。

    /image/gif/paws/98746/ios_ccm_sip_tls-4.gif

  4. 点击验证名称

    /image/gif/paws/98746/ios_ccm_sip_tls-5.gif

  5. 单击 Continue

    ios_ccm_sip_tls-6.gif

  6. 用鼠标右键单击CallManager.pem链路,并且选择Savelink和为了下载证书。

    /image/gif/paws/98746/ios_ccm_sip_tls-7.gif

Cisco IOS SIP网关配置

IOS SIP网关配置
maui-soho-01#


!--- Enable IP TCP MTU Path Discovery.


 ip tcp path-mtu-discovery 


!--- Configure NTP Server.


 ntp server 172.18.108.15 


!--- Upload the CCM Certificate to Cisco IOS Gateway.


crypto pki trustpoint CCM-Cert

 enrollment terminal

 revocation-check none

 
!--- Download the Cisco CallManager certificate, and paste 
 !--- the contents of the certificate, pem format.

 
Router(config)#crypto ca authenticate CCM-Cert 

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself 

-----BEGIN CERTIFICATE-----
MIICIjCCAYugAwIBAgIIS4xQN3bIZUowDQYJKoZIhvcNAQEFBQAwFzEVMBMGA1UE
AxMMUlRQTVMtQ0NNLTUxMB4XDTA3MDcyMzIzMjI0OVoXDTEyMDcyMzIzMjI0OVow
FzEVMBMGA1UEAxMMUlRQTVMtQ0NNLTUxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQD6HIRcgDXQmO/EWosnaMBaoqjzARIR0erx31uR9WOiaZqsgRY+Am5/E3FG
n1nJ/4NVmA45z1Q54vK0WULXgMBGANGHnBZFCNiJOiNeBfiEh1LGGMreVTLFqKB/
lNAMtTppc0AVyYFjAAcJtZfUGxolZCanY5TWfmlwGBMIDhnqQQIDAQABo3cwdTAL
BgNVHQ8EBAMCArwwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEF
BQcDBTAeBgNVHREEFzAVhhNzaXA6Q049UlRQTVMtQ0NNLTUxMB0GA1UdDgQWBBQr
pCXbwcRZ09AkO7V0HgHihiKpZzANBgkqhkiG9w0BAQUFAAOBgQAvNQqaVKKoZxUD
HCBIA292qZSsOht859FY3UJkWfGD+kjlGhjgjlxEQcaJOa7pDlorzH+HQIjFpcv6
1cl0tOdOrs2L6IAGd9e5DQ3qDwWxaB7TIsBPTkv9FLVURnKtJtVHbqjMd+AAtsDl
/DV5TbDUdre6Org1mn4uaMdrYzt1kQ==
-----END CERTIFICATE-----
 

Certificate has the following attributes:
       Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B 
      Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9
 

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
 


!--- Configure a trustpoint in order to generate the self-signed 
!--- certificate of the Gateway.


 

crypto pki trustpoint CCM-SIP-1
 enrollment selfsigned
 fqdn none
 subject-name CN=SIP-GW
 revocation-check none
 rsakeypair CCM-SIP-1
 

Router(config)#crypto ca enroll CCM-SIP-1 
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
 


!— View the certificate in PEM format, and copy the Self-signed CA certificate
!--- (output starting from “----BEGIN” to “CERTIFICATE----“) to a file named SIP-GW.pem 
 

 

Router(config)#crypto pki export CCM-SIP-1 pem terminal 
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE-----
 

% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE----- 

 


!--- Configure the SIP stack in the Cisco IOS GW to use the self-signed 
!--- certificate of the router in order to establish a SIP TLS connection from/to 
!--- Cisco CallManager.


 
sip-ua 
 crypto signaling remote-addr 172.18.110.84 255.255.255.255 trustpoint CCM-SIP-1 strict-cipher
 


!--- Configure the T1 PRI.


 
controller T1 1/0/0
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
 


!--- Configure the ISDN switch type and incoming-voice under the D-channel 
!--- interface.


 
interface Serial1/0/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 no cdp enable
 


!--- Configure a POTS dial-peer that is used as an inbound dial-peer for calls 
!--- that come in across the T1 PRI line.


 
dial-peer voice 2 pots
 description PSTN PRI Circuit
 destination-pattern 9T
 incoming called-number .
 direct-inward-dial
 port 1/0/0:23
 


!--- Configure an outbound voip dial-peer in order to route calls to the 
!--- Cisco CallManager.


 
dial-peer voice 3 voip
 destination-pattern 75...
 session protocol sipv2
 session target ipv4:172.18.110.84:5061
 session transport tcp tls
 dtmf-relay rtp-nte
 codec g711ulaw 

加载Cisco IOS SIP对Cisco Unified CallManager的网关的证书

完成这些步骤:

  1. 登录在Cisco CallManager的Cisco Unified OS管理页面在https:// <ccm IP地址>/platform_gui/,并且选择安全> Certificate Management >加载Certificate/CTL

    ios_ccm_sip_tls-8.gif

  2. 点击加载托拉斯Cert

    /image/gif/paws/98746/ios_ccm_sip_tls-9.gif

  3. 点击CallManager托拉斯

    /image/gif/paws/98746/ios_ccm_sip_tls-10.gif

  4. 输入或浏览到Cisco IOS证书的位置, the.pem文件,并且点击加载

    /image/gif/paws/98746/ios_ccm_sip_tls-11.gif

  5. 验证加载结果。

    ios_ccm_sip_tls-12.gif

在Cisco CallManager的SIP中继配置

完成这些步骤:

  1. 登录在CallManager的Cisco Unified OS管理页面在https:// <ccm IP地址>/ccmadmin/。配置SIP中继安全配置文件:

    1. 选择系统> Security配置文件> SIP中继安全配置文件

    2. 点击与在此图表示的参数的添加新按钮

      ios_ccm_sip_tls-13.gif

  2. 配置SIP中继:

    1. 选择设备>中继

    2. 点击添加新按钮

    3. 选择中继线类型的SIP中继,如显示:

      ios_ccm_sip_tls-14.gif

      ios_ccm_sip_tls-15.gif

  3. 配置路由模式:

    1. 选择呼叫路由>路由/寻线>路由模式

    2. 单击添加新按钮,如显示:

      /image/gif/paws/98746/ios_ccm_sip_tls-16.gif

验证

请使用此部分为了确认您的配置适当地工作在Cisco IOS SIP网关。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • 显示crypto pki证书verbose CCM-SIP-1

    Router Self-Signed Certificate
    
      Status: Available
    
      Version: 3
    
      Certificate Serial Number: 0x1
    
      Certificate Usage: General Purpose
    
      Issuer: 
    
        cn=SIP-GW
    
      Subject:
    
        Name: SIP-GW
    
        cn=SIP-GW
    
      Validity Date: 
    
        start date: 16:01:07 EST Sep 5 2007
    
        end   date: 20:00:00 EST Dec 31 2019
    
      Subject Key Info:
    
        Public Key Algorithm: rsaEncryption
    
        RSA Public Key: (512 bit)
    
      Signature Algorithm: MD5 with RSA Encryption
    
      Fingerprint MD5: 3F9612FB C0E435F1 F445B5C4 0344E6A9 
    
      Fingerprint SHA1: E6520255 B799818F C1067042 1A7E2EE9 4DDFD0C8 
    
      X509v3 extensions:
    
        X509v3 Subject Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 
    
        X509v3 Basic Constraints:
    
            CA: TRUE
    
        X509v3 Subject Alternative Name:
    
            F340.28.25-2800-2
    
        X509v3 Authority Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 
    
        Authority Info Access:
    
      Associated Trustpoints: CCM-SIP-1
    
  • 显示crypto pki证书verbose Ccm CERT

    CA Certificate
    
      Status: Available
    
      Version: 3
    
      Certificate Serial Number: 0x4B8C503776C8654A
    
      Certificate Usage: General Purpose
    
      Issuer: 
    
        cn=RTPMS-CCM-51
    
      Subject: 
    
        cn=RTPMS-CCM-51
    
      Validity Date: 
    
        start date: 19:22:49 EST Jul 23 2007
    
        end   date: 19:22:49 EST Jul 23 2012
    
      Subject Key Info:
    
        Public Key Algorithm: rsaEncryption
    
        RSA Public Key: (1024 bit)
    
      Signature Algorithm: SHA1 with RSA Encryption
    
      Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B 
    
      Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9 
    
      X509v3 extensions:
    
        X509v3 Key Usage: BC000000
    
          Digital Signature
    
          Key Encipherment
    
          Data Encipherment
    
          Key Agreement
    
          Key Cert Sign
    
        X509v3 Subject Key ID: 2BA425DB C1C459D3 D0243BB5 741E01E2 8622A967 
    
        X509v3 Subject Alternative Name:
    
        Authority Info Access:
    
      Associated Trustpoints: CCM-Cert
    
  • Show sip-ua连接tcp tls详细信息

    Total active connections      : 2
    
    No. of send failures          : 0
    
    No. of remote closures        : 0
    
    No. of conn. failures         : 2
    
    No. of inactive conn. ageouts : 0
    
    Max. tls send msg queue size of 0, recorded for 0.0.0.0:0
    
    TLS client handshake failures : 2
    
    TLS server handshake failures : 0
    
     
    
    ---------Printing Detailed Connection Report---------
    
    Note:
    
     ** Tuples with no matching socket entry
    
        - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port>'
    
          to overcome this error condition
    
     ++ Tuples with mismatched address/port entry
    
        - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port> 
    	 
    	   id <connid>' to overcome this error condition
    
     
    
    Remote-Agent:172.18.110.84, Connections-Count:2
    
      Remote-Port Conn-Id Conn-State  WriteQ-Size
    
      =========== ======= =========== ===========
    
             5061       1 Established           0
    
            51180       2 Established           0
    
  • Show call active voice brief
    11F0 : 7 8990160ms.1 +2670 pid:20001 Answer 7960 active
    
     dur 00:00:10 tx:483/83076 rx:510/81600
    
     Tele 1/0/0:23 (228) [1/0/0.1] tx:9660/9660/0ms g711ulaw noise:0 acom:0  i/0:0/0 dBm
    
     
    
    11F0 : 8 8990980ms.1 +1840 pid:3 Originate 75001 active
    
     dur 00:00:10 tx:483/1246360336 rx:513/82080
    
     IP 14.50.202.26:28232 SRTP: off rtt:0ms pl:4720/1ms lost:0/0/0 delay:0/0/0ms 
     
     g711ulaw TextRelay: off media inactive detected:n media contrl rcvd:n/a 
     
     timestamp:n/a long duration call detected:n long duration call 
     
     duration:n/a timestamp:n/a
    
     
    
    Telephony call-legs: 1
    
    SIP call-legs: 1
    
    H323 call-legs: 0
    
    Call agent controlled call-legs: 0
    
    SCCP call-legs: 0
    
    Multicast call-legs: 0
    
    Media call-legs: 0
    
    Total call-legs: 2
    

故障排除

本部分提供了可用于对配置进行故障排除的信息。

debug 命令

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

配置Cisco IOS网关记录在其操作日志缓冲区的调试和禁用logging console

注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

这些是用于的命令为了配置网关存储在操作日志缓冲区的调试:

  • service timestamps debug datetime msec

  • 服务顺序

  • no logging console

  • logging buffered 5000000 debug

  • clear log

这些是用于的命令为了调试在本文的配置:

  • debug isdn q931

  • debug voip ccapi inout

  • 调试ccsip全部

  • 调试ssl openssl错误

  • 调试ssl openssl信息

  • 调试ssl openssl状态

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 98746