Document ID: 98746
Updated: Nov 29, 2007
Contents
Introduction
This document provides a sample configuration for SIP signaling encryption (SIP over Transport Layer Security) between a Cisco IOS® Gateway and Cisco Unified CallManager.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
-
Cisco IOS Gateway: Cisco 2821, Cisco IOS Software Release12.4(15)T1 with Advanced Enterprise Services Feature set
-
Cisco CallManager 5.1.2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
Network Diagram
This document uses this network setup:
Configurations
This document uses these configurations:
Download the Cisco CallManager Self-signed Certificate
Complete these steps:
-
Log into the Cisco Unified OS Administration Page in Cisco CallManager at https://<ccm ip address>/platform_gui/, and choose Security > Certificate Management > Download Certificate/CTL.
-
Click Download Own Cert.
-
Click CallManager as the Existing certificate type.
-
Click the Certificate Name.
-
Click Continue.
-
Right-click the CallManager.pem link, and select Save link as in order to download the certificate.
Cisco IOS SIP Gateway Configuration
| IOS SIP Gateway Configuration |
|---|
maui-soho-01#
!--- Enable IP TCP MTU Path Discovery.
ip tcp path-mtu-discovery
!--- Configure NTP Server.
ntp server 172.18.108.15
!--- Upload the CCM Certificate to Cisco IOS Gateway.
crypto pki trustpoint CCM-Cert
enrollment terminal
revocation-check none
!--- Download the Cisco CallManager certificate, and paste
!--- the contents of the certificate, pem format.
Router(config)#crypto ca authenticate CCM-Cert
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIICIjCCAYugAwIBAgIIS4xQN3bIZUowDQYJKoZIhvcNAQEFBQAwFzEVMBMGA1UE
AxMMUlRQTVMtQ0NNLTUxMB4XDTA3MDcyMzIzMjI0OVoXDTEyMDcyMzIzMjI0OVow
FzEVMBMGA1UEAxMMUlRQTVMtQ0NNLTUxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQD6HIRcgDXQmO/EWosnaMBaoqjzARIR0erx31uR9WOiaZqsgRY+Am5/E3FG
n1nJ/4NVmA45z1Q54vK0WULXgMBGANGHnBZFCNiJOiNeBfiEh1LGGMreVTLFqKB/
lNAMtTppc0AVyYFjAAcJtZfUGxolZCanY5TWfmlwGBMIDhnqQQIDAQABo3cwdTAL
BgNVHQ8EBAMCArwwJwYDVR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEF
BQcDBTAeBgNVHREEFzAVhhNzaXA6Q049UlRQTVMtQ0NNLTUxMB0GA1UdDgQWBBQr
pCXbwcRZ09AkO7V0HgHihiKpZzANBgkqhkiG9w0BAQUFAAOBgQAvNQqaVKKoZxUD
HCBIA292qZSsOht859FY3UJkWfGD+kjlGhjgjlxEQcaJOa7pDlorzH+HQIjFpcv6
1cl0tOdOrs2L6IAGd9e5DQ3qDwWxaB7TIsBPTkv9FLVURnKtJtVHbqjMd+AAtsDl
/DV5TbDUdre6Org1mn4uaMdrYzt1kQ==
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B
Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
!--- Configure a trustpoint in order to generate the self-signed
!--- certificate of the Gateway.
crypto pki trustpoint CCM-SIP-1
enrollment selfsigned
fqdn none
subject-name CN=SIP-GW
revocation-check none
rsakeypair CCM-SIP-1
Router(config)#crypto ca enroll CCM-SIP-1
% The fully-qualified domain name will not be included in the certificate
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
!— View the certificate in PEM format, and copy the Self-signed CA certificate
!--- (output starting from “----BEGIN” to “CERTIFICATE----“) to a file named SIP-GW.pem
Router(config)#crypto pki export CCM-SIP-1 pem terminal
% Self-signed CA certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE-----
% General Purpose Certificate:
-----BEGIN CERTIFICATE-----
MIIBhDCCAS6gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZTSVAt
R1cwHhcNMDcwOTA1MjAwMTA3WhcNMjAwMTAxMDAwMDAwWjARMQ8wDQYDVQQDEwZT
SVAtR1cwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzgvQDbs9BgdrxxXW1S/h4CZC
6JcMbBrhyO/VWOLWVe6BCFG+baJjUdYtyyvaMnlyeeVEh0/MuqCfsDo8TvJJKwID
AQABo3EwbzAPBgNVHRMBAf8EBTADAQH/MBwGA1UdEQQVMBOCEUYzNDAuMjguMjUt
MjgwMC0yMB8GA1UdIwQYMBaAFF6gnOpo7VY8BHL4mbSvwNxCKi62MB0GA1UdDgQW
BBReoJzqaO1WPARy+Jm0r8DcQioutjANBgkqhkiG9w0BAQQFAANBAHhnQS4EKcP6
IBVdtA4CM/74qCjhtsu/jciaIe90BXs56wrj7ZC4m1sIMzDAHfsl7dJlB2IOw9Sk
s980Np7dLJU=
-----END CERTIFICATE-----
!--- Configure the SIP stack in the Cisco IOS GW to use the self-signed
!--- certificate of the router in order to establish a SIP TLS connection from/to
!--- Cisco CallManager.
sip-ua
crypto signaling remote-addr 172.18.110.84 255.255.255.255 trustpoint CCM-SIP-1 strict-cipher
!--- Configure the T1 PRI.
controller T1 1/0/0
framing esf
linecode b8zs
pri-group timeslots 1-24
!--- Configure the ISDN switch type and incoming-voice under the D-channel
!--- interface.
interface Serial1/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
no cdp enable
!--- Configure a POTS dial-peer that is used as an inbound dial-peer for calls
!--- that come in across the T1 PRI line.
dial-peer voice 2 pots
description PSTN PRI Circuit
destination-pattern 9T
incoming called-number .
direct-inward-dial
port 1/0/0:23
!--- Configure an outbound voip dial-peer in order to route calls to the
!--- Cisco CallManager.
dial-peer voice 3 voip
destination-pattern 75...
session protocol sipv2
session target ipv4:172.18.110.84:5061
session transport tcp tls
dtmf-relay rtp-nte
codec g711ulaw
|
Upload Cisco IOS SIP Gateway’s Certificate to Cisco Unified CallManager
Complete these steps:
-
Log into the Cisco Unified OS Administration Page in Cisco CallManager at https://<ccm ip address>/platform_gui/, and choose Security > Certificate Management > Upload Certificate/CTL.
-
Click Upload Trust Cert.
-
Click CallManager-trust.
-
Enter or browse to the location of the Cisco IOS Certificate, the.pem file, and click Upload.
-
Verify the upload result.
SIP Trunk Configuration in Cisco CallManager
Complete these steps:
-
Log into the Cisco Unified OS Administration Page in CallManager at https://<ccm ip address>/ccmadmin/. Configure a SIP Trunk Security Profile:
-
Choose System > Security Profile > SIP Trunk Security Profile.
-
Click the Add New button with the parameters shown in this figure:
-
-
Configure a SIP Trunk:
-
Choose Device > Trunk.
-
Click the Add New button.
-
Select SIP Trunk for Trunk Type, as shown:
-
-
Configure a Route pattern:
-
Choose Call Routing > Route/Hunt > Route Pattern.
-
Click the Add New button, as shown:
-
Verify
Use this section in order to confirm that your configuration works properly at the Cisco IOS SIP Gateway.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
-
Show crypto pki certificate verbose CCM-SIP-1
Router Self-Signed Certificate Status: Available Version: 3 Certificate Serial Number: 0x1 Certificate Usage: General Purpose Issuer: cn=SIP-GW Subject: Name: SIP-GW cn=SIP-GW Validity Date: start date: 16:01:07 EST Sep 5 2007 end date: 20:00:00 EST Dec 31 2019 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Signature Algorithm: MD5 with RSA Encryption Fingerprint MD5: 3F9612FB C0E435F1 F445B5C4 0344E6A9 Fingerprint SHA1: E6520255 B799818F C1067042 1A7E2EE9 4DDFD0C8 X509v3 extensions: X509v3 Subject Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 X509v3 Basic Constraints: CA: TRUE X509v3 Subject Alternative Name: F340.28.25-2800-2 X509v3 Authority Key ID: 5EA09CEA 68ED563C 0472F899 B4AFC0DC 422A2EB6 Authority Info Access: Associated Trustpoints: CCM-SIP-1 -
Show crypto pki certificate verbose CCM-Cert
CA Certificate Status: Available Version: 3 Certificate Serial Number: 0x4B8C503776C8654A Certificate Usage: General Purpose Issuer: cn=RTPMS-CCM-51 Subject: cn=RTPMS-CCM-51 Validity Date: start date: 19:22:49 EST Jul 23 2007 end date: 19:22:49 EST Jul 23 2012 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Signature Algorithm: SHA1 with RSA Encryption Fingerprint MD5: 1EF154E3 70E40379 1C7003B9 B29E111B Fingerprint SHA1: CAFA0F83 B04B2E65 71104B73 64BF6AEB ABE9EED9 X509v3 extensions: X509v3 Key Usage: BC000000 Digital Signature Key Encipherment Data Encipherment Key Agreement Key Cert Sign X509v3 Subject Key ID: 2BA425DB C1C459D3 D0243BB5 741E01E2 8622A967 X509v3 Subject Alternative Name: Authority Info Access: Associated Trustpoints: CCM-Cert -
Show sip-ua connection tcp tls detail
Total active connections : 2 No. of send failures : 0 No. of remote closures : 0 No. of conn. failures : 2 No. of inactive conn. ageouts : 0 Max. tls send msg queue size of 0, recorded for 0.0.0.0:0 TLS client handshake failures : 2 TLS server handshake failures : 0 ---------Printing Detailed Connection Report--------- Note: ** Tuples with no matching socket entry - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port>' to overcome this error condition ++ Tuples with mismatched address/port entry - Do 'clear sip <tcp[tls]/udp> conn t ipv4:<addr>:<port> id <connid>' to overcome this error condition Remote-Agent:172.18.110.84, Connections-Count:2 Remote-Port Conn-Id Conn-State WriteQ-Size =========== ======= =========== =========== 5061 1 Established 0 51180 2 Established 0 -
Show call active voice brief
11F0 : 7 8990160ms.1 +2670 pid:20001 Answer 7960 active dur 00:00:10 tx:483/83076 rx:510/81600 Tele 1/0/0:23 (228) [1/0/0.1] tx:9660/9660/0ms g711ulaw noise:0 acom:0 i/0:0/0 dBm 11F0 : 8 8990980ms.1 +1840 pid:3 Originate 75001 active dur 00:00:10 tx:483/1246360336 rx:513/82080 IP 14.50.202.26:28232 SRTP: off rtt:0ms pl:4720/1ms lost:0/0/0 delay:0/0/0ms g711ulaw TextRelay: off media inactive detected:n media contrl rcvd:n/a timestamp:n/a long duration call detected:n long duration call duration:n/a timestamp:n/a Telephony call-legs: 1 SIP call-legs: 1 H323 call-legs: 0 Call agent controlled call-legs: 0 SCCP call-legs: 0 Multicast call-legs: 0 Media call-legs: 0 Total call-legs: 2
Troubleshoot
This section provides information you can use in order to troubleshoot your configuration.
Debug Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.
Configure the Cisco IOS Gateway to log the debugs in its logging buffer and disable logging console.
Note: Refer to Important Information on Debug Commands before you use debug commands.
These are the commands used in order to configure the Gateway to store the debugs in the logging buffer:
-
service timestamps debug datetime msec
-
service sequence
-
no logging console
-
logging buffered 5000000 debug
-
clear log
These are the commands used in order to debug the configuration in this document:
-
debug isdn q931
-
debug voip ccapi inout
-
debug ccsip all
-
debug ssl openssl errors
-
debug ssl openssl msg
-
debug ssl openssl states
Related Information
Open a Support Case 
(Requires a Cisco Service Contract.)
Related Cisco Support Community Discussions
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.