Cisco Unified Survivable Remote Site Telephony

Configuring SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST


First Published: October 7, 2009, OL-20685-01

This feature adds Session Initiation Protocol/Transport Layer Security/Transmission Control Protocol (SIP/TLS/TCP) support for secure call signaling and Secure Real-time Transport Protocol (SRTP) for media encryption to establish a secure, encrypted connection between Cisco Unified IP Phones and a failover device using Cisco Unified Survivable Remote Site Telephony (Cisco SRST).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites

Information About Configuring SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

How to Configure Secure Call Signaling

Verifying the Configuration

Additional References

Command Reference

Feature Information for SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

Glossary

Prerequisites

Cisco IOS Release 15.0(1)XA or later

Cisco Unified IP Phone firmware release 8.5(3) or later

Information About Configuring SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

Beginning with Cisco IP Phone firmware update 8.5(3) and Cisco IOS Release 15.0(1)XA, Cisco SRST now supports SIP/UDP and SIP/TLS/TCP connections. Cisco SRST also now supports RTP and SRTP media connections, based on the security settings of the IP phone.

Cisco SRST SIP-to-SIP and SIP-to-PSTN support includes the following features:

Basic calling

Hold/resume

Conference

Transfer

Blind transfer

Call forward

Cisco SRST SIP-to-other supports only basic calling, although other features may work.

How to Configure Secure Call Signaling

This section contains the following tasks:

Configuring Cisco Unified Communications Manager

Configuring SRTP

Configuring Secure Mode

Configuring TLS

Configuring Cisco Unified Communications Manager

In Cisco Unified Communications Manager, secure endpoints and non-secure endpoints must each have their own separate SRST reference configuration and device pool.

In Cisco Unified Communications Manager Administration, under System > SRST:

For the secure SRST profile, Is SRST Secure? must be checked. The SIP port must be 5061.

For the non-secure SRST profile, Is SRST Secure? can be checked or not, depending on your Skinny Call Control Protocol (SCCP) configuration. The SIP port must be 5060 (the default).

Under Device > Phone:

Secure phones must belong to the pool that uses the secure SRST profile.

Non-secure phones must belong to the pool that uses the non-secure SRST profile.

Configuring SRTP

This section explains how to configure SRTP on Cisco SRST.

SUMMARY STEPS

1. enable

2. configure terminal

3. voice service voip

4. srtp fallback

5. allow-connections sip to h323

6. allow-connections sip to sip

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

voice service voip

Example:

Router(config)# voice service voip

Enters voice service configuration mode.

Step 4 

srtp fallback

Example:

Router(conf-voi-serv)# srtp fallback

Specifies that SRTP be used to enable secure calls and call fallback.

Step 5 

allow-connections sip to h323

Example:

Router(conf-voi-serv)# allow-connections sip to h323

Allows connections from SIP endpoints to H.323 endpoints.

Step 6 

allow-connections sip to sip

Example:

Router(conf-voi-serv)# allow-connections sip to sip

Allows connections from SIP endpoints to SIP endpoints.

Configuring Secure Mode

This section explains how to configure secure mode on Cisco SRST.

SUMMARY STEPS

1. sip

2. url sip | sips

3. srtp negotiate cisco

4. exit

5. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

sip

Example:

Router(conf-voi-serv)# sip

Enters SIP configuration mode.

Step 2 

url sip | sips

Example:

Router(conf-serv-sip)# url sips

To configure secure mode, use the sips keyword to generate URLs in SIP secure (SIPS) format for VoIP calls.

To configure device-default mode, use the sip keyword to generate URLs in SIP format for VoIP calls.

Step 3 

srtp negotiate cisco

Example:

Router(conf-serv-sip)# srtp negotiate cisco

Enables a Cisco IOS SIP gateway to negotiate the sending and accepting of RTP profiles in response to SRTP offers.

Step 4 

exit

Example:

Router(conf-serv-sip)# exit

Returns to voice service configuration mode.

Step 5 

exit

Example:

Router(conf-voi-serv)# exit

Returns to global configuration mode.

Configuring TLS

This section explains how to configure TLS on Cisco SRST.

SUMMARY STEPS

1. voice register global

2. security-policy secure

3. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

voice register global

Example:

Router(config)# voice register global

Enters voice register global configuration mode.

Step 2 

security-policy secure

Example:

Router(config-register-global)# security-policy secure

Configures SIP registration security policy so that only SIP/TLS/TCP connections are allowed.

For device-default mode, use the no security-policy command.

Step 3 

exit

Example:

Router(config-register-global)# exit

Returns to global configuration mode.

Configuring Strict Encryption

This section explains how to configure strict encryption on Cisco SRST.

SUMMARY STEPS

1. sip-ua

2. registrar ipv4:destination-address expires seconds

3. xfer target dial-peer

4. crypto signaling default trustpoint string [strict-cipher]

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

sip-ua

Example:

Router(config)# sip-ua

Enters SIP user-agent configuration mode.

Step 2 

registrar ipv4:destination-address expires seconds

Example:

Router(config-sip-ua)# registrar ipv4:192.0.2.10 expires 3600

Enables the gateway to register E.164 telephone numbers with primary and secondary external SIP registrars. destination-address is the IP address of the primary SIP registrar server.

Step 3 

xfer target dial-peer

Example:

Router(config-sip-ua)# xfer target dial-peer

Specifies that SRST should use the dial-peer as a transfer target instead of what is in the message body.

Step 4 

crypto signaling default trustpoint string [strict-cipher]

Example:

Router(config-sip-ua)# crypto signaling default trustpoint 3745-SRST strict-cipher

Identifies the trustpoint string keyword and argument used during the TLS handshake. The trustpoint string keyword and argument refer to the gateway's certificate generated as part of the enrollment process, using Cisco IOS public-key infrastructure (PKI) commands. The strict-cipher keyword restricts support to TLS RSA encryption with the Advanced Encryption Standard-128 (AES-128) cipher-block-chaining (CBC) Secure Hash Algorithm (SHA) (TLS_RSA_WITH_AES_128_CBC_SHA) cipher suite.

To configure device-default mode, omit the strict-cipher keyword.

Step 5 

end

Example:

Router(config-sip-ua)# end

Ends the current configuration session and returns to privileged EXEC mode.
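The four tasks above (SRTP, secure mode, TLS registration policy, strict encryption) are steps of one procedure, so the following consolidated Cisco IOS configuration applies them in order. It is an added example, not configuration from the Cisco document. The trustpoint name 3745-SRST and the registrar address 192.0.2.10 are taken from the document's own step examples; the max-pool, max-dn and system message values mirror the show voice register global output in the verification section; the PKI trustpoint block, the subject name srst-gw.example.com and the use of a self-signed certificate are assumptions, because the document only refers to the gateway certificate as the product of the enrollment process.

```text
! Added example, not from the Cisco document. Cisco IOS CLI, entered from
! global configuration mode. Lines beginning with "!" are comments.
!
! Assumed prerequisite (not covered by the document): the PKI trustpoint
! holding the gateway certificate presented in the TLS handshake. A
! self-signed certificate is shown here for a lab; production deployments
! enroll with the CA that the phones already trust.
crypto pki trustpoint 3745-SRST
 enrollment selfsigned
 subject-name CN=srst-gw.example.com
 revocation-check none
 rsakeypair 3745-SRST
!
crypto pki enroll 3745-SRST
!
! Task: Configuring SRTP (document steps 3-6)
voice service voip
 srtp fallback
 allow-connections sip to h323
 allow-connections sip to sip
 !
 ! Task: Configuring Secure Mode (SIPS URLs, RTP answer to SRTP offers)
 sip
  url sips
  srtp negotiate cisco
 exit
exit
!
! Task: Configuring TLS - only SIP/TLS/TCP registrations are accepted.
! mode/max-pool/max-dn/system message mirror the verification output.
voice register global
 mode srst
 max-pool 50
 max-dn 100
 system message Welcome to ALOA Secure Fallback
 security-policy secure
exit
!
! Task: Configuring Strict Encryption - TLS_RSA_WITH_AES_128_CBC_SHA only
sip-ua
 registrar ipv4:192.0.2.10 expires 3600
 xfer target dial-peer
 crypto signaling default trustpoint 3745-SRST strict-cipher
end
```

After applying this, show voice register global should no longer report the DEVICE-DEFAULT security policy that appears in the sample output of the verification section, and show sip-ua status registrar should list registered phones with transport TLS only; the sample output there still contains TCP and UDP registrations, which is what a secure policy is meant to rule out. The strict-cipher keyword is the second half of the check: a phone that cannot negotiate TLS_RSA_WITH_AES_128_CBC_SHA will fail the handshake rather than fall back to a weaker suite.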

Verifying the Configuration

The following examples show a sample configuration displayed by the show sip-ua status registrar command and the show voice register global command.

The show sip-ua status registrar command in privileged EXEC mode displays all SIP endpoints that are currently registered with the contact address:

Router# show sip-ua status registrar
Line          destination      expires(sec)  contact
transport     call-id 
              peer 
============  ===============  ============  =============== 
3029991       192.0.2.108    388           192.0.2.108 
TLS           00120014-4ae40064-f1a3e9fe-8d301072@192.0.2.1 
              40004 
3029993       192.0.2.103    382           192.0.2.103 
TCP           001bd433-1c840052-655cd596-4e992eed@192.0.2.1 
              40011 
3029982       192.0.2.106    406           192.0.2.106 
UDP           001d452c-dbba0056-0481d321-1f3f848d@192.0.2.1 
              40001 
3029983       192.0.2.106    406           192.0.2.106 
UDP           001d452c-dbba0057-1c69b699-d8dc6625@192.0.2.1 
              40003 
3029992       192.0.2.107    414           192.0.2.107 
TLS           001e7a25-50c9002c-48ef7663-50c71794@192.0.2.1 
              40005 

The show voice register global command in privileged EXEC mode displays all global configuration parameters associated with SIP phones:

Router# show voice register global 
CONFIG [Version=7.1] 
======================== 
Version 7.1 
Mode is srst 
Max-pool is 50 
Max-dn is 100 
Outbound-proxy is enabled and will use global configured value 
Security Policy: DEVICE-DEFAULT 
System message is Welcome to ALOA Secure Fallback 
timeout interdigit 10 
network-locale[0] US (This is the default network locale for this box) 
network-locale[1] US 
network-locale[2] US 
network-locale[3] US 
network-locale[4] US 
user-locale[0] US (This is the default user locale for this box) 
user-locale[1] US 
user-locale[2] US 
user-locale[3] US 
user-locale[4] US 
Router#

Additional References

The following sections provide references related to this feature.

Related Documents


Standards

Standard
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Voice Command Reference at http://www.cisco.com/en/US/docs/ios/voice/command/reference/vr_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.

crypto signaling

security-policy

show sip-ua status

show voice register global

srtp negotiate

xfer target dial-peer

Feature Information for SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1: Feature Information for SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

Feature Name: SIP/TLS/TCP Secure Call Signaling and SRTP Media Encryption with Cisco SRST

Releases: 15.0(1)XA

Feature Information: Adds Session Initiation Protocol/Transport Layer Security/Transmission Control Protocol (SIP/TLS/TCP) support for secure call signaling and Secure Real-time Transport Protocol (SRTP) for media encryption to establish a secure, encrypted connection between Cisco Unified IP Phones and a failover device using Cisco Unified Survivable Remote Site Telephony (Cisco SRST). The following commands were introduced or modified: crypto signaling, security-policy, show sip-ua status, show voice register global, srtp negotiate, xfer target dial-peer.


Glossary

RTP—Real-time Transport Protocol. Delivers real-time data over IP packet-switched networks.

SCCP—Skinny Call Control Protocol. A communications protocol between certain clients and Cisco Unified Communications Manager.

SIP—Session Initiation Protocol. An Internet protocol for setting up, maintaining, and terminating multimedia services such as voice calls.

SRST—Survivable Remote Site Telephony. Provides Cisco Unified Communications Manager with fallback support for Cisco Unified IP phones attached to a Cisco router on your local network.

SRTP—Secure Real-time Transport Protocol. Provides encryption and message authentication to RTP.

TCP—Transmission Control Protocol. A transport layer protocol, part of the TCP/IP suite of Internet protocols.

TLS—Transport Layer Security. A security protocol that uses public-key cryptography.