Secure TLS SIP Trunk between DMA and Cisco CUCM

SOLVED
Tomique341
Occasional Advisor

Secure TLS SIP Trunk between DMA and Cisco CUCM

Hi Community,

I would like to ask if anybody was successful in creating a secure SIP trunk between DMA and Cisco CUCM?

I was able to create a SIP trunk and also secure calls between a DMA registered endpoint (GS300) and a CUCM registered endpoint (HDX4k5).

But as you know, if you don't have a secure SIP trunk you can find / pull out crypto keys from signaling messages, where they are in clear text form.

When I tried to set up a SIP TLS trunk between DMA and CUCM, calls always failed because of "Unsupported URI scheme". It looks like CUCM does not understand the DMA SIP form.

 

DMA version: 6.0.4_Build_1

CUCM version: 9.1.2

 

Thanks for any advice

--------------------------
Best regards
Tomique341
Message 1 of 6
1 ACCEPTED SOLUTION

Accepted Solutions
simons
Polycom Employee

Re: Secure TLS SIP Trunk between DMA and Cisco CUCM

Tom,

 

I have never tried to set this up. But I might have some pointers for you to try. I am assuming you are using port 5061 and the transport type set to TLS in your DMA SIP Peer configuration for the CUCM server. I also assume you have certificates installed on both CUCM and DMA which are trusted by each other.

 

Edit the external SIP peer configuration on the DMA (network, external SIP peer). Go to Postliminary. Click the radio button for Use customized script. Scroll down to the bottom where it has the following line.

 

DIAL_STRING = 'sip:' + phost + ':' + pport + ';transport=' + ptransport; // change the Request-URI

 

Change this to match what you want to send, for example:

 

DIAL_STRING = 'sip:' + phost + ':' + '5061' + ';transport=TLS;lr'; // change the Request-URI

 

Also check our documentation here.

 

S.

 


Message 3 of 6
5 REPLIES 5
Tomique341
Occasional Advisor

Re: Secure TLS SIP Trunk between DMA and Cisco CUCM

I have collected logs from CUCM (as an attachment to this post) where I can see a few error messages in the SIP signalling.

The first error points to a problem with ReqURI scheme verification (//SIP/Stack/Error/0x0/act_idle_new_message: Failed ReqURI Scheme verification) and the second to a problem with the transport layer (//SIP/Stack/Transport/0xfa5fb58/sipSPISendErrorResponse: Sending ERROR Response to the transport layer). I think both of them depend on each other.

If I compare logs from calls placed through the secure and unsecure SIP trunk, I have seen in the logs from the call via the secure SIP trunk that in Route: <sips:10.24.14.100:5061;lr> the transport protocol is missing. In the call placed through the unsecure SIP trunk the route form is Route: <sip:10.24.14.100:5060;transport=TCP;lr>. Is it mandatory, or can it be the main reason that the call fails?

Can I somehow change the SIP message form on DMA?

Or does someone have experience with setting up a SIP TLS trunk from DMA to CUCM?

 

Thanks for any advice

--------------------------
Best regards
Tomique341
Message 2 of 6
Tomique341
Occasional Advisor

Re: Secure TLS SIP Trunk between DMA and Cisco CUCM

Hi Simons,

Thanks for the reply. As you mentioned, all of your first suggestions I already have configured (port, transport type and also certificates signed by our trusted CA uploaded to DMA and CUCM).

I will try your suggestion about the script and then I will let you know if it helps.

 

T.

--------------------------
Best regards
Tomique341
Message 4 of 6
Tomique341
Occasional Advisor

Re: Secure TLS SIP Trunk between DMA and Cisco CUCM

Hi Simons,

I have tried your suggestion with the postliminary script but without effect. In the log I can now see "SIP/2.0 Bad Request - 'Malformed / Missing URL ' ". I will try to play with it in more detail tomorrow.

Another question for you: Is it possible to set something on DMA to block direct calls between registered endpoints? I want to ensure that all calls originated on DMA have to go to CUCM and CUCM will make the necessary digit manipulation to route the call back to DMA. The reason is to simulate a multitenant environment.

Thanks for a quick answer

 

 

--------------------------
Best regards
Tomique341
Message 5 of 6
Tomique341
Occasional Advisor

Re: Secure TLS SIP Trunk between DMA and Cisco CUCM

Hi Simons,

Finally I set it up :)
One problem was just bad syntax of the dial string in the postliminary tab.

When I set it like this (see below) it started to work:

DIAL_STRING = 'sip:' + oruser + '@' + 'FQDN/CUCM_IP' + ':' + '5061' + ';transport=TLS;lr'; // Customized Request-URI

Thanks for the cooperation. I only need to solve the problem with DTMF, which is not working right now, so I am not able to call a Cisco VMR via IVR.
 
 
--------------------------
Best regards
Tomique341
Message 6 of 6
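An added example, not from this thread or from Polycom's DMA code: a small JavaScript helper (the DMA postliminary script quoted above is JavaScript-like) that builds the Request-URI the way the working DIAL_STRING does, and checks a URI for the two things CUCM rejected in this thread: an unsupported scheme and a missing transport parameter on the secure peer. The names oruser, phost, pport and ptransport mirror the script variables quoted in the thread; the host names and numbers in the comments are constructed.

```javascript
// Build a Request-URI for a TLS peer, pinning transport=TLS and lr (loose
// routing) as the final working DIAL_STRING in the thread does. Hypothetical
// helper; it only mirrors the variable names of the DMA postliminary script.
function buildDialString(oruser, phost, pport, ptransport) {
  return 'sip:' + oruser + '@' + phost + ':' + pport +
         ';transport=' + ptransport + ';lr';
}

// Parse a URI of the form scheme:[user@]host[:port][;param[=value]]*.
// Returns null when the scheme is neither sip nor sips, which is the case
// CUCM logged as "Failed ReqURI Scheme verification".
function parseSipUri(uri) {
  const m = /^(sips?):(?:([^@;]+)@)?([^:;]+)(?::(\d+))?((?:;[^;=]+(?:=[^;]*)?)*)$/.exec(uri);
  if (!m) return null;
  const params = {};
  for (const p of m[5].split(';').filter(Boolean)) {
    const [k, v] = p.split('=');
    params[k.toLowerCase()] = v === undefined ? true : v;   // bare param -> true
  }
  return {
    scheme: m[1],
    user: m[2] || null,
    host: m[3],
    port: m[4] ? Number(m[4]) : null,
    params,
  };
}

// Check what the thread was chasing: a URI meant for the secure trunk should
// carry an explicit transport=TLS on port 5061 plus lr. The failing Route
// header (sips:...:5061;lr) had no transport parameter at all.
// Returns a list of findings; an empty list means the URI looks right.
function checkSecureTrunkUri(uri) {
  const u = parseSipUri(uri);
  if (!u) return ['unsupported or malformed URI scheme'];
  const findings = [];
  const transport = String(u.params.transport || '').toUpperCase();
  if (transport !== 'TLS') findings.push('transport parameter missing or not TLS');
  if (u.port !== 5061) findings.push('port is not 5061');
  if (!u.params.lr) findings.push('lr parameter missing');
  return findings;
}

// Constructed sample: what the working postliminary script would emit.
const sample = buildDialString('1001', 'cucm.example.net', '5061', 'TLS');
console.log(sample, checkSecureTrunkUri(sample));
console.log(checkSecureTrunkUri('sips:10.24.14.100:5061;lr'));
```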