
Configuring and Troubleshooting SIP TLS with CUBE and CUCM


LABUCC-2010

Speakers:
Andres Salgado (ansalgad@cisco.com) – Customer Support Engineer, Cisco.
Luis Ramirez (luirami2@cisco.com) – Customer Support Engineer, Cisco.

1 | Page
Learning Objectives
This lab gives step-by-step instructions for configuring a CUBE SIP trunk with TLS and SRTP towards Cisco Unified Communications Manager (CUCM).

Upon completion of this lab, you will be able to:


- Import and export certificates in CUCM and CUBE for SIP TLS
- Configure CUBE and CUCM for SIP TLS
- Configure CUBE and CUCM for SRTP
- Troubleshoot the SIP TLS trunk with basic commands and debugs

Scenario
This lab walks step by step through converting an existing SIP trunk between a CUCM server and a CUBE into a SIP TLS trunk, so that both signalling and media are encrypted.
In this demonstration, all components are connected to the same switch and are on the same network.

Lab Access Information
- Using the Cisco AnyConnect client, establish connectivity to the pod.

Each individual will have access to his or her own pod in order to maximize the learning
experience. All pods are clones of the same master pod, and have the same IP addresses, phone
numbers, user names, and passwords.

Participants are provided a Cisco Live! Laptop to use during the session to connect to their
assigned pods. Lab proctors have already connected your VPN session, so there is no need to
adjust the AnyConnect configuration.

1. Start the AnyConnect client


2. Enter 173.37.192.227 and click the Connect button

3. Enter the login information to connect to your pod.


a. Username: Enter CiscoWISPLab
b. Password: Enter Ciscolive!234$
c. Click OK to connect

- Use a terminal client such as PuTTY, a browser, or Remote Desktop to log in to the following devices.

POD 1
Component               Hostname   Domain          IP Address        Username   Password
CUCM                    cucm1      ciscolive.com   192.168.199.101   admin      ciscolive
vCUBE                   vcube1     ciscolive.com   192.168.199.102              ciscolive
Remote Desktop/Jabber   adminpc1                   192.168.199.103   admin      ciscolive
SIP Provider                                       192.192.199.111

POD 2
Component               Hostname   Domain          IP Address        Username   Password
CUCM                    cucm2      ciscolive.com   192.168.199.21    admin      ciscolive
vCUBE                   vcube2     ciscolive.com   192.168.199.22               ciscolive
Remote Desktop/Jabber   adminpc2                   192.168.199.23    admin      ciscolive
SIP Provider                                       192.192.199.111

POD 3
Component               Hostname   Domain          IP Address        Username   Password
CUCM                    cucm3      ciscolive.com   192.168.199.31    admin      ciscolive
vCUBE                   vcube3     ciscolive.com   192.168.199.32               ciscolive
Remote Desktop/Jabber   adminpc3                   192.168.199.33    admin      ciscolive
SIP Provider                                       192.192.199.111

POD 4
Component               Hostname   Domain          IP Address        Username   Password
CUCM                    cucm4      ciscolive.com   192.168.199.41    admin      ciscolive
vCUBE                   vcube4     ciscolive.com   192.168.199.42               ciscolive
Remote Desktop/Jabber   adminpc4                   192.168.199.43    admin      ciscolive
SIP Provider                                       192.192.199.111

POD 5
Component               Hostname   Domain          IP Address        Username   Password
CUCM                    cucm5      ciscolive.com   192.168.199.51    admin      ciscolive
vCUBE                   vcube5     ciscolive.com   192.168.199.52               ciscolive
Remote Desktop/Jabber   adminpc5                   192.168.199.53    admin      ciscolive
SIP Provider                                       192.192.199.111

Note: The lab pod is not configured and sized according to SRND production requirements. These labs are for instructional purposes only; please do not consider the deployment model and allocated hardware resources as a reference for a production system.
Pre-Configuration
CUCM
1 - CUCM Installation
2 - Configuration to mix mode
3 - Service Activation
4 - CUCM Group Configuration
5 - Region Configuration
6 - Partition and CCS Configuration
7 - Date/Time Group Configuration
8 - Device Pool Configuration
9 - Secure Jabber Phone Registration to CUCM
10 - SIP Trunks Configuration
11 - Route Pattern Configuration

CUBE
1 - IP addressing
2 - Enable Telnet
3 - Hostname Configuration
4 - Licensing
5 - Voice Service VoIP Configuration
- allow-connections sip to sip >>to allow CUBE functionality
- media bulk-stats >>for RTP counters to increment in show call active voice brief
6 - Dial-peer Configuration

Task 1: Generate CUBE Certificate and upload it to CUCM


This scenario demonstrates how to provision a self-signed certificate on the CUBE and the process required to upload it to the CUCM server.

A) Configure NTP on the CUBE, so that certificate validity periods are evaluated against an accurate clock.

vcube1(config)#ntp server 192.168.199.3

B) Generate a self-signed certificate

vcube1(config)#crypto pki trustpoint vcube-trust
vcube1(ca-trustpoint)#enrollment selfsigned
vcube1(ca-trustpoint)#fqdn none
vcube1(ca-trustpoint)#subject-name cn=vcube-trust
vcube1(ca-trustpoint)#revocation-check none
vcube1(ca-trustpoint)#rsakeypair vcube-trust
vcube1(ca-trustpoint)#exit

vcube1(config)#crypto pki enroll vcube-trust
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes

Router Self Signed Certificate successfully created

C) Copy the certificate from CUBE to CUCM
Note: Copy only the self-signed CA certificate text.

vcube1(config)# crypto pki export vcube-trust pem terminal
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----
MIIBcDCCARqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwt2Y3Vi
ZS10cnVzdDAeFw0xNzA1MTYyMjIyMjVaFw0yMDAxMDEwMDAwMDBaMBYxFDASBgNV
BAMTC3ZjdWJlLXRydXN0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMgQcrgJY9dL
BidKVp6d/bYvuAT8+LknhAtiwdsBqx/xjmdICIiAaMmOx30DgFQoS+9ZHc5xlUhY
G4A4p7BGLxkCAwEAAaNTMFEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBT8
a78m11QXISYhgvdn+mtOJLSrDzAdBgNVHQ4EFgQU/Gu/JtdUFyEmIYL3Z/prTiS0
qw8wDQYJKoZIhvcNAQEFBQADQQA/n7wvJILHWagbcCqCq6gCSf2y+EsD3cjoCAbq
4cdrBMW9w5zVMdMoOHs2zS4tVMHBvJrsuq8xfWdCoVcUR3kD
-----END CERTIFICATE-----

Copy it to Notepad and save it on the desktop as vcube-trust.pem

Note: The file extension must be .pem, not .txt.

Log into Cisco Unified Operating System Administration web page:

Browse to Security >> Certificate Management:

Click on Upload Certificate/Certificate chain and choose the CUBE certificate that was saved on the desktop: 'vcube-trust.pem'

Note: The certificate must be uploaded to the Publisher, which replicates it to the other servers in the cluster. In our lab we are only using one server.

Browse to Cisco Unified Serviceability >> Tools >> Control Center – Feature Services

Restart the Cisco CallManager service and the TFTP service

Task 2: Enroll CUCM Certificate into CUBE


A) Download CUCM Certificate

Login to Cisco Unified Operating System Administration web page:

Browse to Security >> Certificate management: same as in Task 1

Click on the CallManager certificate, then download and save the .pem file as shown in this image.

B) Upload CUCM Certificate into CUBE

Configure a trustpoint in CUBE

vcube1(config)#crypto pki trustpoint cucm
vcube1(ca-trustpoint)#enrollment terminal
vcube1(ca-trustpoint)#revocation-check none
vcube1(ca-trustpoint)#exit

Import the CUCM certificate: open CallManager.pem and copy and paste the certificate:

vcube1(config)#crypto pki authenticate cucm

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate has the following attributes:
Fingerprint MD5: B7B8DC17 A5FB1D64 52473F7A E2CF7040
Fingerprint SHA1: 40875081 FA6759EA C3395BCF B06CD5D8 65F385F3

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported

Note: Follow the same procedure for the other CUCM servers in the cluster. In this lab we only use one CUCM server, so it is not necessary.
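Two checks from Tasks 1 and 2 that can be scripted instead of eyeballed, as an added example that is not part of the lab: confirm that the block copied from the export is the self-signed CA certificate (issuer equals subject, CN equals the name that later goes in the X.509 Subject Name field), and compute the MD5 and SHA1 fingerprints in the format IOS prints at the accept prompt, so the prompt can be answered against the file actually downloaded from CUCM. It runs here on the vcube-trust certificate exported in Task 1; for Task 2, feed it CallManager.pem instead. Standard library only.

```python
import base64
import hashlib

# Certificate exported from the CUBE in Task 1 (copied from the lab output above).
VCUBE_TRUST_PEM = """-----BEGIN CERTIFICATE-----
MIIBcDCCARqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwt2Y3Vi
ZS10cnVzdDAeFw0xNzA1MTYyMjIyMjVaFw0yMDAxMDEwMDAwMDBaMBYxFDASBgNV
BAMTC3ZjdWJlLXRydXN0MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMgQcrgJY9dL
BidKVp6d/bYvuAT8+LknhAtiwdsBqx/xjmdICIiAaMmOx30DgFQoS+9ZHc5xlUhY
G4A4p7BGLxkCAwEAAaNTMFEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBT8
a78m11QXISYhgvdn+mtOJLSrDzAdBgNVHQ4EFgQU/Gu/JtdUFyEmIYL3Z/prTiS0
qw8wDQYJKoZIhvcNAQEFBQADQQA/n7wvJILHWagbcCqCq6gCSf2y+EsD3cjoCAbq
4cdrBMW9w5zVMdMoOHs2zS4tVMHBvJrsuq8xfWdCoVcUR3kD
-----END CERTIFICATE-----"""

def tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ios_fingerprint(der, algo):
    """Digest of the DER bytes, grouped in eights like the IOS 'Fingerprint' lines."""
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(hexd[i:i + 8] for i in range(0, len(hexd), 8))

def describe(pem):
    """Return CN, validity, self-signed flag and IOS-style fingerprints of a PEM certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tbs = tlv(tlv(der, 0)[1], 0)[1]            # Certificate -> tbsCertificate
    pos = tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] EXPLICIT version
    pos = tlv(tbs, tlv(tbs, pos)[2])[2]        # skip serialNumber and signature algorithm
    _, issuer, pos = tlv(tbs, pos)
    _, validity, pos = tlv(tbs, pos)
    _, subject, _ = tlv(tbs, pos)
    _, not_before, p = tlv(validity, 0)
    _, not_after, _ = tlv(validity, p)
    i = subject.find(b"\x06\x03\x55\x04\x03")   # OID 2.5.4.3 = commonName
    cn = tlv(subject, i + 5)[1].decode()
    return {"cn": cn, "not_before": not_before.decode(), "not_after": not_after.decode(),
            "self_signed": issuer == subject,  # the exported block must be the self-signed CA cert
            "md5": ios_fingerprint(der, "md5"), "sha1": ios_fingerprint(der, "sha1")}

if __name__ == "__main__":
    for key, value in describe(VCUBE_TRUST_PEM).items():
        print(f"{key:>11}: {value}")
```

The not_after value of this certificate also shows why the NTP step matters: a CUBE or CUCM with a wrong clock can judge a valid certificate expired, or an expired one valid.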

Task 3: Configure CUBE to use SIP TLS and SRTP with CUCM

A) Define the trustpoint under sip-ua; this trustpoint is used for all SIP signalling between CUBE and CUCM

sip-ua
crypto signaling remote-addr <cucm pub ip address> 255.255.255.255 trustpoint vcube-trust

B) Configure the dial-peer for TLS and SRTP

vcube1(config)#dial-peer voice 2 voip
vcube1(config-dial-peer)#session transport tcp tls
vcube1(config-dial-peer)#srtp fallback
Task 4: Configure CUCM SIP Trunk to use SIP TLS and SRTP with CUBE
A) Create a SIP Trunk Secure Profile

Browse in Cisco Unified CM Administration page to System >> Security >> Phone Security Profile

Click on Non Secure SIP Trunk Profile

Copy the profile to create a new one, rename it, change the settings to Encrypted and TLS, and enter the Subject Name of the CUBE certificate (vcube-trust) in the X.509 Subject Name field.
B) Edit the existing SIP trunk to use the secure profile, SRTP and destination port 5061

Browse to Device >> Trunk

Click on the existing Trunk

Check the SRTP Allowed checkbox, select the secure profile under SIP Trunk Security Profile, change the Destination Port to 5061, then save and reset the SIP trunk.
Task 5: Set up a call to the SIP Provider and make sure it is secure
A) In the Remote Desktop, dial 918001001111 from Jabber; this call will automatically connect to the provider phone.

In the Search or call box, enter the destination number 918001001111 and click on the green handset

The call will connect automatically and will show a lock representing a secure call.

B) Check on the CUBE with show call active voice brief that the leg to CUCM has SRTP and that the TX and RX RTP/SRTP packet counters are increasing.

C) Check the SIP TLS connection using show sip-ua connections tcp tls brief.

Task 6: Troubleshooting
A) Check TLS negotiation on CUBE

Enable the following debugs on the CUBE.

debug ssl openssl errors
debug ssl openssl msg
debug ssl openssl states
debug crypto pki messages
debug crypto pki transactions
debug crypto pki validation
debug crypto pki api
debug crypto pki server
debug ip tcp transactions
debug ccsip messages

Enter clear log on the CUBE and place a call; after the call has connected, enter show log to see the output.
Note: If you previously made a call, reset the CUCM SIP trunk in order to see the TLS negotiation in the debugs.

Check the TCP establishment on the secure TCP port 5061

Check that the TLS negotiation happens as follows
Note: The order of the events may change based on the direction of the call.

B) Check the SIP signalling on the CUBE and make sure it uses TLS

The Request-URI will carry destination port 5061
The Via header will show TLS
The Contact header will show transport=tls

C) Check the SDPs to confirm it is negotiating SRTP in INVITE and 200 OK

The SDP will show all the media attributes for encryption.
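The three signalling checks and the SDP check from this step, applied to a SIP message by a script instead of by eye, as an added example that is not part of the lab. The INVITE is constructed to mirror what debug ccsip messages prints on the CUCM leg (addresses follow the POD 1 table; the SRTP inline key is an all-'A' placeholder).

```python
import re

# Constructed INVITE modelled on what 'debug ccsip messages' prints on the CUCM leg;
# addresses follow the POD 1 table, the SRTP inline key is an all-'A' placeholder.
SECURE_INVITE = """INVITE sip:918001001111@192.168.199.102:5061 SIP/2.0
Via: SIP/2.0/TLS 192.168.199.101:5061;branch=z9hG4bKconstructed
From: <sip:1001@192.168.199.101>;tag=1
To: <sip:918001001111@192.168.199.102>
Call-ID: constructed-call-id@192.168.199.101
CSeq: 101 INVITE
Contact: <sip:1001@192.168.199.101:5061;transport=tls>
Content-Type: application/sdp

v=0
o=CiscoSystemsCCM-SIP 1 1 IN IP4 192.168.199.101
s=SIP Call
c=IN IP4 192.168.199.101
t=0 0
m=audio 24580 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=rtpmap:0 PCMU/8000
"""

def split_message(msg):
    """Split a SIP message into (request line, {header-name: first value}, SDP lines)."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())   # keep the topmost Via
    return lines[0], headers, body.split("\n")

def check_secure_call(msg):
    """Apply the Task 6 checks: TLS on the signalling path and SRTP offered in the SDP."""
    request_line, headers, sdp = split_message(msg)
    port = re.search(r"@[^:;\s>]+:(\d+)", request_line)        # port in the Request-URI
    media = [l for l in sdp if l.startswith("m=audio")]
    result = {
        "uri_port_5061": bool(port) and port.group(1) == "5061",
        "via_tls": headers.get("via", "").upper().startswith("SIP/2.0/TLS"),
        "contact_tls": "transport=tls" in headers.get("contact", "").lower(),
        "savp_profile": bool(media) and all(" RTP/SAVP " in l for l in media),
        "crypto_attr": any(l.startswith("a=crypto:") for l in sdp),
    }
    result["all_ok"] = all(result.values())
    return result

if __name__ == "__main__":
    for name, ok in check_secure_call(SECURE_INVITE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The a=crypto line carries the SRTP master key in the clear, so the debug output and RTMT traces collected in this task should be handled as sensitive material.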

D) Log into RTMT (installed on the Remote Desktop) in order to check the CUCM signalling

Click on Voice/Video >> Real Time Data

Adjust the time frame you want to search and click on Run

Double-click on the call that shows up and it will bring up a call diagram

Click on any message and it will show the message from the CUCM trace, so you can check the SIP signalling with TLS and the SDP encryption attributes
