Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192

SRTP to H.323 gateways is supported by CUCM Release 5 and later and has the following
characteristics:
• The H.323 devices generate encryption keys and send them to CUCM through the
signaling path.
• This key exchange is not protected. The keys are sent in cleartext. Therefore, if the
network between CUCM and the H.323 device is not trusted, IPsec should be used to
encrypt H.323 signaling traffic.
448 Chapter 16: Implementing Security in CUCM
SRTP support for H.323 gateways or trunks is not enabled by default. It must be enabled
by checking the SRTP Allowed check box in the Device Configuration window in CUCM
Administration. This is done in the H.323 Gateway, the H.225 Trunk (Gatekeeper
Controlled), or the Inter-Cluster Trunk (Gatekeeper Controlled) configuration window. If this
option is not checked, CUCM uses RTP to communicate with the device. If the option is
checked, CUCM allows both secure and nonsecure calls, depending on whether SRTP is
configured at both endpoints; checking the box does not by itself make SRTP mandatory.
H.323 SRTP CUCM Configuration
To implement SRTP support for an H.323 gateway in CUCM, choose Device > Gateway,
select an existing H.323 gateway, and check the SRTP Allowed check box, as shown in
Figure 16-28.
Figure 16-28 H.323 SRTP CUCM Configuration
Note that if SRTP for an H.323 gateway is enabled, the outbound FastStart feature cannot
be chosen and is dimmed, because these two features cannot be combined.
Example 16-1 shows how to implement SRTP support for a Cisco IOS H.323 gateway.
Example 16-1 H.323 SRTP Gateway Configuration
voice service voip
 srtp fallback
!
dial-peer voice 1 voip
 incoming called-number 9T
 no srtp
!
dial-peer voice 2 voip
 incoming called-number 915125552001
 srtp
!
dial-peer voice 3 voip
 incoming called-number 91552
 srtp system
The example shows an H.323 gateway that is configured for SRTP with three dial peers:
• Dial peer 1 is configured with no srtp. Because no srtp is the default for a dial peer,
the command would not normally appear in the configuration; it is shown here for
illustration. Calls that use this dial peer do not use SRTP.
• Dial peer 2 is configured with the srtp command. Calls that use this dial peer use
SRTP. Because the fallback keyword is not specified, a fallback to a nonsecure call is
not permitted. In other words, the use of SRTP is mandatory for this dial peer.
• Dial peer 3 is configured with the srtp system command. Calls that use this dial peer
use the system setting for SRTP. The system setting (no srtp, srtp, or srtp fallback) is
configured under voice service voip; in this example it is srtp fallback, so calls on
dial peer 3 prefer SRTP but may fall back to nonsecure RTP.
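The three settings and the inheritance through srtp system are easy to misread in a large gateway configuration, so the following Python script, added here as an example (not code from the original page or from Cisco), parses a running-config fragment and resolves the effective SRTP policy of every VoIP dial peer, flagging any peer on which cleartext RTP is still possible. It applies the rules the text describes: a peer without an srtp command defaults to no srtp, srtp system inherits the voice service voip setting, and that global setting defaults to no srtp (this global default is an assumption; verify it against your IOS release). The embedded sample configurations are constructed: the first is the page's Example 16-1 re-indented the way IOS prints it, the second is a hardened variant with mandatory SRTP.

```python
"""Audit the effective SRTP policy of VoIP dial peers in a Cisco IOS H.323
gateway configuration.

Added example for this page; not code from the original page or from Cisco.
Resolution rules (from the text): a dial peer with no srtp command defaults to
'no srtp'; 'srtp system' inherits the 'voice service voip' setting; that
global setting defaults to 'no srtp' (assumption: check your IOS release).
"""
import re
from dataclasses import dataclass
from typing import Optional

NO_SRTP, SRTP, SRTP_FALLBACK, SRTP_SYSTEM = "no srtp", "srtp", "srtp fallback", "srtp system"
PEER_SETTINGS = {NO_SRTP, SRTP, SRTP_FALLBACK, SRTP_SYSTEM}

# Page's Example 16-1, re-indented as IOS prints it (constructed sample input).
EXAMPLE_16_1 = """\
voice service voip
 srtp fallback
!
dial-peer voice 1 voip
 incoming called-number 9T
 no srtp
!
dial-peer voice 2 voip
 incoming called-number 915125552001
 srtp
!
dial-peer voice 3 voip
 incoming called-number 91552
 srtp system
"""

# Hardened variant (constructed): global policy is mandatory SRTP and no peer
# is left on the 'no srtp' default, so no dial peer can carry cleartext RTP.
HARDENED = """\
voice service voip
 srtp
!
dial-peer voice 1 voip
 incoming called-number 9T
 srtp system
!
dial-peer voice 2 voip
 incoming called-number 915125552001
 srtp
"""


@dataclass
class PeerPolicy:
    tag: int
    called_number: Optional[str]
    configured: str           # what the dial peer itself says (NO_SRTP if absent)
    effective: str            # after resolving SRTP_SYSTEM against the global setting
    cleartext_possible: bool  # True unless SRTP is mandatory on this peer


def parse_config(config: str):
    """Return (global_setting, {tag: {'called': ..., 'setting': ...}}).

    Sections are recognised by their opening command, not by indentation, so a
    copy pasted without leading spaces parses the same way.
    """
    global_setting = NO_SRTP  # assumed IOS default under 'voice service voip'
    peers = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # '!' ends the current section in IOS output
            continue
        m = re.fullmatch(r"dial-peer voice (\d+) voip", line)
        if m:
            current = peers.setdefault(int(m.group(1)), {"called": None, "setting": None})
            continue
        if line == "voice service voip":
            current = {"global": True}
            continue
        if current is None:
            continue  # line belongs to some other section; ignore
        if "global" in current:
            if line in (NO_SRTP, SRTP, SRTP_FALLBACK):
                global_setting = line
        elif line in PEER_SETTINGS:
            current["setting"] = line
        else:
            m = re.fullmatch(r"incoming called-number (\S+)", line)
            if m:
                current["called"] = m.group(1)
    return global_setting, peers


def audit(config: str):
    """Resolve the effective SRTP policy of every voip dial peer, sorted by tag."""
    global_setting, peers = parse_config(config)
    result = []
    for tag in sorted(peers):
        configured = peers[tag]["setting"] or NO_SRTP  # dial-peer default
        effective = global_setting if configured == SRTP_SYSTEM else configured
        result.append(PeerPolicy(tag, peers[tag]["called"], configured,
                                 effective, effective != SRTP))
    return result


def report(config: str):
    """One line per dial peer; 'WARN' marks peers that can carry cleartext RTP."""
    lines = []
    for p in audit(config):
        flag = "WARN cleartext media possible" if p.cleartext_possible else "ok   SRTP mandatory"
        lines.append(f"dial-peer {p.tag} ({p.called_number}): {p.configured} -> {p.effective}: {flag}")
    return lines


if __name__ == "__main__":
    for cfg in (EXAMPLE_16_1, HARDENED):
        print("\n".join(report(cfg)), end="\n\n")
```

Run against the page's example, dial peer 3 is reported as srtp system resolving to srtp fallback and is flagged, which is the case an auditor is most likely to overlook: the peer looks "secure" in isolation but inherits a downgrade-permitting global policy. Feed the script a full show running-config and any peer that is missing an srtp line is reported on its no srtp default.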
Cisco IOS Release 12.4(6)T or later is required for H.323 SRTP. SRTP can be used with
any of the following modules:
• PVDM2
• AIM-VOICE-30
• AIM-ATM-VOICE-30
• NM-HDV2 (all types)
• NM-HDV (all types)
• NM-HD-1V/2V/2VE
When Digital Signal Processor (DSP) 549- or 5421-based modules are used, the following
command is required to support SRTP:
voice-card card-number
 codec complexity secure
SRTP to MGCP Gateways
SRTP to MGCP gateways is supported in CUCM Release 4 and later, and has the following
characteristics:
• When SRTP to an MGCP gateway is used, CUCM generates the SRTP session keys
and sends them to the MGCP gateway in signaling messages (the reverse of the H.323
case, in which the gateway generates the keys).
• This key exchange is not protected; the keys are sent in cleartext. Therefore, if the
network between CUCM and the MGCP gateway is not trusted, IPsec should be used
to encrypt MGCP signaling traffic.
To support SRTP to an MGCP gateway, the gateway has to support the SRTP MGCP
package. The security capabilities of the gateway and of the other device, such as a Cisco IP
Phone, are exchanged in signaling messages, and the highest security mode that both
devices support is then used automatically. The result can be a nonsecure call, an
authenticated call (if the device security mode of the IP Phone is set to authenticated), or an
encrypted call (if the gateway supports the SRTP package and the device security mode of the
IP Phone is set to encrypted). No further configuration is required on the gateway.
NOTE If the gateway does not support the SRTP package and the device security mode
of the IP Phone is set to authenticated or encrypted, only the signaling messages between
the IP Phone and CUCM are authenticated (TLS SHA-1), and no SRTP is used.
Nevertheless, the call is considered to be an authenticated call at the IP Phone. On the IP
Phone, the shield symbol is displayed.

4 comments:

Unknown said...

This website is very helpful for students who need info about the Mobile/Laptop Repairing courses.
Chiptroniks offers the Laptop and Mobile Repairing Course by IIT Faculty. Are you searching for India's best Hardware Networking course and CCNA course institute, with the opportunity to learn all other electronic device repairing courses?

Unknown said...

Nice post.
Thanks for sharing this.
We also provide cisco certification courses in jaipur.
KIT EDUCATION

Unknown said...

This post is really helpful; thanks for sharing this wonderful article.

Best Android Training in Chennai

Anonymous said...

curtain models
SMS verification
mobile payment cash-out
how to buy NFTs
Ankara home-to-home moving
traffic insurance
detector
setting up a website
love books
