Speakers:
Andres Salgado (ansalgad@cisco.com), Customer Support Engineer, Cisco.
Luis Ramirez (luirami2@cisco.com), Customer Support Engineer, Cisco.
Learning Objectives
This lab gives step-by-step instructions to configure a CUBE SIP trunk with TLS and SRTP to Cisco Unified
Communications Manager (CUCM).
Scenario
This lab walks through converting an existing SIP trunk between a CUCM server and a CUBE into a SIP TLS
trunk so that both signalling and media are encrypted.
In this demonstration, all components are connected to the same switch and sit on the same
network.
Lab Access Information
Using the Cisco AnyConnect client, establish connectivity to the pod.
Each individual will have access to his or her own pod in order to maximize the learning
experience. All pods are clones of the same master pod, and have the same IP addresses, phone
numbers, user names, and passwords.
Participants are provided a Cisco Live! Laptop to use during the session to connect to their
assigned pods. Lab proctors have already connected your VPN session, so there is no need to
adjust the AnyConnect configuration.
Use a terminal client such as PuTTY, a browser, or Remote Desktop to log in to the following devices.
Note: The lab pod is not configured and sized according to SRND production requirements. These labs are
for instructional purposes only; please do not consider the deployment model and allocated hardware
resources as a reference for a production system.
Pre-Configuration
CUCM
1 - CUCM Installation
2 - Configuration to mix mode
3 - Service Activation
4 - CUCM Group Configuration
5 - Region Configuration
6 - Partition and CCS Configuration
7 - Date/Time Group Configuration
8 - Device Pool Configuration
9 - Secure Jabber Phone Registration to CUCM
10 - SIP Trunks Configuration
11 - Route Pattern Configuration
CUBE
1 - IP addressing
2 - Enable Telnet
3 - Hostname Configuration
4 - Licensing
5 - Voice Service VoIP Configuration
- allow-connections sip to sip >> enables CUBE (SIP-to-SIP) functionality
- media bulk-stats >> makes the RTP counters increment in show call active voice brief
6 - Dial-peer Configuration
C) Copy the certificate from CUBE to CUCM
Note: Copy only the self-signed CA certificate text.
Browse to Security >> Certificate Management:
Click Upload Certificate/Certificate chain and choose the CUBE certificate that was saved on the
desktop: 'vcube-trust.pem'
Note: The certificate must be uploaded to the Publisher, which replicates it to the other servers in the
cluster. In our lab we are only using one server.
Browse to Cisco Unified Serviceability >> Tools >> Control Center – Feature Services
Restart the Cisco CallManager service and the Cisco TFTP service.
Click on the CallManager certificate, then download and save the .PEM file as shown in this image.
Import the CUCM certificate: open CallManager.pem and copy and paste the certificate text:
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
Note: Follow the same procedure for the other CUCM servers in the cluster. In this lab we only use one CUCM
server, so it is not necessary.
Task 3: Configure CUBE to use SIP TLS and SRTP with CUCM
A) Define the trustpoint under sip-ua; this trustpoint is used for all SIP signalling between CUBE and CUCM.
Then set the dial-peer facing CUCM to use TLS transport and SRTP (srtp fallback lets the call fall back to
RTP if the far end does not negotiate SRTP):
vcube1(config)#sip-ua
vcube1(config-sip-ua)#crypto signaling remote-addr <cucm pub ip address> 255.255.255.255 trustpoint vcube-trust
vcube1(config-sip-ua)#exit
vcube1(config)#dial-peer voice 2
vcube1(config-dial-peer)#session transport tcp tls
vcube1(config-dial-peer)#srtp fallback
Task 4: Configure CUCM SIP Trunk to use SIP TLS and SRTP with CUBE
A) Create a SIP Trunk Secure Profile
In the Cisco Unified CM Administration page, browse to System >> Security >> Phone Security Profile.
Copy the profile to create a new one, rename it, change the settings to Encrypted and TLS, and
enter the Subject Name of the CUBE certificate (vcube-trust) in the X.509 Subject Name field.
B) Edit the existing SIP Trunk to use the secure profile, SRTP and destination port 5061
Check the SRTP Allowed checkbox, select the secure SIP Trunk Security Profile in the SIP Trunk Security
Profile field, change the Destination Port to 5061, then save and reset the SIP Trunk.
Task 5: Set up a call to the SIP Provider and make sure it is secure
A) In the Remote Desktop, dial 918001001111 from Jabber; this call will automatically connect to
the Provider Phone.
In the Search or call box, enter the destination number 918001001111 and click the green
handset.
The call will connect automatically and will show a lock icon representing a secure call.
B) Check on the CUBE with show call active voice brief that the leg to CUCM uses SRTP and that the TX
and RX RTP/SRTP packet counters are increasing.
C) Check the SIP TLS connection with show sip-ua connections tcp tls brief.
Task 6: Troubleshooting
A) Check TLS negotiation on CUBE
Enter clear log on the CUBE and place a call; after the call has connected, enter show log to see the output.
Note: If you previously made a call, reset the CUCM SIP Trunk in order to see the TLS negotiation in the
debugs.
Check that the TLS negotiation happens as follows.
Note: The order of the events may change depending on the direction of the call.
B) Check the SIP signalling on the CUBE and make sure it uses TLS
C) Check the SDPs to confirm that SRTP is negotiated in the INVITE and the 200 OK
The SDP will show the media attributes for encryption (RTP/SAVP on the m= line and a=crypto lines carrying the cipher suite and key).
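The check in step C is easy to get wrong by eye when a call has several m= lines or when srtp fallback has quietly dropped the call to cleartext. The following Python script is an added example, not part of the lab guide or Cisco's tooling: it parses a SIP offer (INVITE) and answer (200 OK) SDP body, confirms every active media line uses RTP/SAVP, and confirms the answer picked exactly one a=crypto suite that the offer actually proposed (SDES key exchange, RFC 4568, which is what CUBE and CUCM use here). The SDP bodies and the inline key material are constructed samples; the addresses and keys are not real.

```python
"""Verify that an SDP offer/answer pair negotiated SRTP (added example, not from the lab)."""
import re
from dataclasses import dataclass, field

# a=crypto:<tag> <suite> inline:<key>[|lifetime][|mki] ...
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(inline:\S+)")
SECURE_PROFILES = ("RTP/SAVP", "RTP/SAVPF")

# Constructed sample SDP bodies shaped like a CUBE INVITE offer and a CUCM 200 OK answer.
INVITE_SDP = """v=0
o=CiscoSystemsSIP-GW-UserAgent 1234 5678 IN IP4 192.0.2.10
s=SIP Call
c=IN IP4 192.0.2.10
t=0 0
m=audio 16384 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYNOTREAL0000000000000000000
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:CONSTRUCTEDKEYNOTREAL1111111111111111111
"""

OK_SDP_SECURE = """v=0
o=CiscoSystemsCCM-SIP 2000 1 IN IP4 192.0.2.20
s=SIP Call
c=IN IP4 192.0.2.30
t=0 0
m=audio 20000 RTP/SAVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYNOTREAL2222222222222222222
"""

# What a fallback to cleartext looks like: RTP/AVP and no a=crypto at all.
OK_SDP_CLEARTEXT = OK_SDP_SECURE.replace("RTP/SAVP", "RTP/AVP").split("a=crypto")[0]

# Answer that claims a crypto tag the offer never proposed.
OK_SDP_BADTAG = OK_SDP_SECURE.replace("a=crypto:1 ", "a=crypto:3 ")


@dataclass
class Media:
    """One m= section of an SDP body."""
    kind: str
    port: int
    proto: str
    crypto: dict = field(default_factory=dict)  # tag -> cipher suite


def parse_sdp(text):
    """Return the m= sections of an SDP body with their a=crypto attributes attached."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            sections.append(Media(kind, int(port), proto))
        elif line.startswith("a=crypto:") and sections:
            m = CRYPTO_RE.match(line)
            if m:
                sections[-1].crypto[int(m.group(1))] = m.group(2)
    return sections


def srtp_issues(offer_sdp, answer_sdp):
    """Return a list of problems; an empty list means every active stream is SRTP."""
    issues = []
    offer, answer = parse_sdp(offer_sdp), parse_sdp(answer_sdp)
    if len(offer) != len(answer):
        issues.append(f"offer has {len(offer)} m-lines but answer has {len(answer)}")
    for idx, (o, a) in enumerate(zip(offer, answer)):
        if a.port == 0:
            continue  # stream rejected by the answerer; nothing flows
        for side, sec in (("offer", o), ("answer", a)):
            if sec.proto not in SECURE_PROFILES:
                issues.append(f"m-line {idx} {side}: {sec.kind} uses {sec.proto}, media is cleartext")
        if not o.crypto:
            issues.append(f"m-line {idx} offer: no a=crypto attribute, SDES keys not offered")
        if len(a.crypto) != 1:
            issues.append(f"m-line {idx} answer: {len(a.crypto)} a=crypto lines, expected exactly one")
        for tag, suite in a.crypto.items():
            if o.crypto.get(tag) != suite:
                issues.append(f"m-line {idx} answer: crypto tag {tag} ({suite}) was not in the offer")
    return issues


if __name__ == "__main__":
    for label, answer in (("secure", OK_SDP_SECURE), ("cleartext", OK_SDP_CLEARTEXT), ("bad tag", OK_SDP_BADTAG)):
        found = srtp_issues(INVITE_SDP, answer)
        print(f"{label}: {'OK, SRTP negotiated' if not found else found}")
```

Paste the SDP bodies from the INVITE and 200 OK captured in the CUBE debugs (or from the RTMT call diagram in step D) into the two variables; an empty result confirms SRTP end to end, while a RTP/AVP finding on an otherwise TLS-signalled call is the signature of srtp fallback having taken effect.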
D) Log in to RTMT (installed on the Remote Desktop) in order to check the CUCM signalling
Adjust the time frame you want to search and click Run.
Double-click the call that shows up to bring up the call diagram.
Click any message to display it from the CUCM trace, and check the SIP
signalling over TLS and the SDP encryption attributes.