Support for SRTP Termination
The Support for SRTP Termination feature enables Cisco Unified Border Element (Cisco UBE) support for Secure Real-time Transport Protocol (SRTP) on the Session Initiation Protocol (SIP) trunk interface.
- Finding Feature Information
- Information About Support for SRTP Termination
- How to Configure Support for SRTP Termination
- Verifying Support for SRTP Termination
- Configuration Examples for Support for SRTP Termination
- Additional References for Support for SRTP Termination
- Feature Information for Support for SRTP Termination
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Support for SRTP Termination
Prior to the Support for SRTP Termination feature, Cisco UBE could support an SRTP connection using the AES_CM_128_HMAC_SHA1_32 crypto suite. This crypto suite is still used by default, unless Cisco UBE is configured to use AES_CM_128_HMAC_SHA1_80 crypto suite.
Cisco UBE SRTP termination can be implemented in the following ways:
- SRTP-RTP interworking: This method is used with devices (CUCM or IP Phone devices) that still support only the AES_CM_128_HMAC_SHA1_32 crypto suite.
- SRTP-SRTP pass-through: This method is used with devices that support the AES_CM_128_HMAC_SHA1_80 crypto suite.

Note: This method of implementation is currently supported by non-CUCM end devices like Microsoft Lync. This method can also be used when CUCM or IP phone devices support the AES_CM_128_HMAC_SHA1_80 crypto suite.
- For End Devices Supporting AES_CM_128_HMAC_SHA1_80 Crypto Suite
- For End Devices Supporting AES_CM_128_HMAC_SHA1_32 Crypto Suite
For End Devices Supporting AES_CM_128_HMAC_SHA1_80 Crypto Suite
This method is used between Cisco Unified Border Element (Cisco UBE), IP Phones, and other Cisco Unified Call Manager (CUCM) devices that support the AES_CM_128_HMAC_SHA1_80 crypto suite.
- CUCM or IP Phones side: A Secure Real-time Transport Protocol (SRTP) connection using the AES_CM_128_HMAC_SHA1_80 crypto suite exists here. In the figure below, IP Phone and CUBE within the customer network connect with an SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite.
- Session Initiation Protocol (SIP) trunk side: An SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite. In the figure below, CUBE on the Customer Network and SBC on the Service Provider Network connect with an SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite.
For End Devices Supporting AES_CM_128_HMAC_SHA1_32 Crypto Suite
A single Cisco Unified Border Element (Cisco UBE) device cannot terminate a Secure Real-time Transport Protocol (SRTP) connection with an IP Phone using the AES_CM_128_HMAC_SHA1_32 crypto suite and initiate an SRTP connection with an external Cisco UBE device with the AES_CM_128_HMAC_SHA1_80 crypto suite at the same time.
For Cisco Unified Call Manager (CUCM) and IP Phone devices that support only the AES_CM_128_HMAC_SHA1_32 crypto suite, the interim SRTP-RTP interworking solution that is described below can be implemented.
- CUCM or IP Phone side:
- SIP trunk side: An SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite is initiated by CUBE2 here. In the image below, CUBE2 is the border element on the Customer Network and SBC is the border element on the Service Provider Network.
How to Configure Support for SRTP Termination
Configuring Crypto Authentication
Configuring Crypto Authentication (Global Level)
1. enable
2. configure terminal
3. voice service voip
4. sip
5. srtp-auth {sha1-32 | sha1-80}
6. end
Configuring Crypto Authentication (Dial Peer Level)
1. enable
2. configure terminal
3. dial-peer voice tag voip
4. voice-class sip srtp-auth {sha1-32 | sha1-80 | system}
5. end
Verifying Support for SRTP Termination
Perform this task to verify the configuration of an SRTP connection on Cisco Unified Border Element using the AES_CM_128_HMAC_SHA1_80 crypto suite. The show commands can be entered in any order.
1. show sip-ua calls
2. show sip-ua srtp
Configuration Examples for Support for SRTP Termination
Example: Configuring Crypto Authentication
- Example: Configuring Crypto Authentication (Global Level)
- Example: Configuring Crypto Authentication (Dial Peer Level)
Example: Configuring Crypto Authentication (Global Level)
The following example shows how to configure Cisco UBE to support an SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite at the global level:
```
Device> enable
Device# configure terminal
Device(config)# voice service voip
Device(conf-voi-serv)# sip
Device(conf-serv-sip)# srtp-auth sha1-80
Device(conf-serv-sip)# end
```
Example: Configuring Crypto Authentication (Dial Peer Level)
The following example shows how to configure Cisco UBE to support an SRTP connection using the AES_CM_128_HMAC_SHA1_80 crypto suite at the dial peer level:
```
Device> enable
Device# configure terminal
Device(config)# dial-peer voice 15 voip
Device(config-dial-peer)# voice-class sip srtp-auth sha1-80
Device(config-dial-peer)# end
```
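The global and dial-peer settings above can be audited offline from a saved running configuration, which is useful because AES_CM_128_HMAC_SHA1_32 remains the default wherever nothing is configured. The following Python script is an added example, not Cisco code; the sample configuration is constructed, and it assumes that a VoIP dial peer with no `voice-class sip srtp-auth` line, or one set to `system`, uses the global setting.

```python
import re

# Constructed sample running-config (not from the page); tags 20-40 are made up.
SAMPLE_CONFIG = """\
voice service voip
 sip
  srtp-auth sha1-80
!
dial-peer voice 15 voip
 voice-class sip srtp-auth sha1-80
!
dial-peer voice 20 voip
 voice-class sip srtp-auth sha1-32
!
dial-peer voice 30 voip
 voice-class sip srtp-auth system
!
dial-peer voice 40 voip
 session protocol sipv2
"""
DEFAULT_AUTH = "sha1-32"  # per the page: used unless sha1-80 is configured


def effective_srtp_auth(config):
    """Return {dial-peer tag: effective srtp-auth value} for each VoIP dial peer."""
    global_auth, peers, in_voip, peer = DEFAULT_AUTH, {}, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.fullmatch(r"dial-peer voice (\d+) voip", line)
            peer = m.group(1) if m else None
            in_voip = line == "voice service voip"
            if peer:
                peers[peer] = "system"  # assumption: unset inherits the global value
            continue
        m = re.fullmatch(r"(voice-class sip )?srtp-auth (sha1-32|sha1-80|system)", line)
        if not m:
            continue
        if peer and m.group(1):  # dial-peer level override
            peers[peer] = m.group(2)
        elif in_voip and not m.group(1) and m.group(2) != "system":  # global level
            global_auth = m.group(2)
    return {tag: (global_auth if a == "system" else a) for tag, a in peers.items()}


def peers_on_sha1_32(config):
    """Tags of dial peers that end up on AES_CM_128_HMAC_SHA1_32 (32-bit auth tag)."""
    auth = effective_srtp_auth(config)
    return sorted(tag for tag, a in auth.items() if a == "sha1-32")
```

Running `peers_on_sha1_32` against a configuration with the global `srtp-auth sha1-80` line removed shows how many dial peers silently fall back to the default suite.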
Additional References for Support for SRTP Termination
Related Documents
Related Topic | Document Title |
---|---|
Voice commands | Cisco IOS Voice Command Reference |
Cisco IOS commands | Cisco IOS Master Command List, All Releases |
SIP configuration tasks | SIP Configuration Guide, Cisco IOS Release 15M&T |
Feature Information for Support for SRTP Termination
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information |
---|---|---|
Support for SRTP Termination | Cisco IOS XE Release 3.11S | The Support for SRTP Termination feature describes how to configure Cisco Unified Border Element to support AES_CM_128_HMAC_SHA1_80 crypto suite on the Session Initiation Protocol (SIP) Trunk interface. The following commands were introduced or modified: show sip-ua srtp, srtp-auth and voice-class sip srtp-auth. |