H.323 Security: Gateway to Gateway

Jan 31st, 2008

Friends,


In a VoIP setup I want to secure my H.323 traffic between gateways without using an IPsec tunnel (site-to-site VPN). I have studied H.235 security, but that is between gateway and gatekeeper. Please suggest any technique you know.


Thanks and Regards

Brandon Buffin Thu, 01/31/2008 - 11:32

Currently, an IPsec tunnel is the only way to secure H.323 signalling traffic. My understanding is that H.323 encryption is on the roadmap for a future version of IOS.


Hope this helps. If so, please rate the post.


Brandon

paolo bevilacqua Thu, 01/31/2008 - 14:27

No sweat. Only, I'm puzzled by the reference in table 2:


IpSec ON / SRTP OFF

Signaling is protected; however, media is not secure.


Since one is putting media in the very IPsec or IPsec/GRE tunnel, why is that? I guess only the document author knows.

rameezsardar Thu, 01/31/2008 - 18:54

Friend,

Thank you for the link. I am already using SRTP for streaming. As you know, cRTP does not work with IPsec. Now I have the same issue: my H.323 session is not secure. I have 25 sites and all have gateways, so according to that document I have to configure all 25 sites for IPsec tunnels. If user A of site 1 calls a user of site 2, a tunnel will be established for a single call, and at the same time more users of site 1 call users of other sites, which means an IPsec tunnel will be established per call. Will this not eat up all my router's resources? All my sites are connected with each other like a partial mesh.

Please suggest me what to do in this situation.


Regards

paolo bevilacqua Fri, 02/01/2008 - 01:31

Hi,


If I had scarce bandwidth, I would do the design with SRTP only and no IPsec. Even if the keys are negotiated in the clear, I'm not aware of any easily available tool that would let you wiretap calls.


If bandwidth is not a concern, I would set up a DMVPN. This way, a tunnel is established dynamically for branch-to-branch calls. The tunnel carries all calls and is not one per call. DMVPN is easy to administer as it doesn't require any change each time you add a branch. In this case, I would not use SRTP, as the encrypted DMVPN already offers enough protection.

rameezsardar Fri, 02/01/2008 - 05:11

Hi,

Bandwidth is not my concern. DMVPN is good in my situation, but it can't work without defining GRE tunnels, and it is not possible for me to add GRE to the network. I tried to find a DMVPN solution without GRE but couldn't.


Best Regards

paolo bevilacqua Fri, 02/01/2008 - 11:41

GRE would be carried inside IPsec and terminated directly on the voice gateways; what prevents you from doing that?

rameezsardar Sat, 02/02/2008 - 08:39

I appreciate your concern. Actually my network core (OSPF) is a partial mesh, and the other 50% are connected back to back, meaning site A is connected to B, B then to C, etc., not a purely hub-and-spoke concept; that is why I am confused about how to design and plan DMVPN. A simple site-to-site VPN appeals to me for this topology, since I have AIM-VPN/EPII-Plus installed in all my routers, so my routers are capable of handling multiple tunnels easily. If you have something to add, I will appreciate it.


Best Regards


paolo bevilacqua Sat, 02/02/2008 - 10:58

Hi, DMVPN does not need a hub-and-spoke physical topology; it is just done to simplify configuration, using one or two hub sites that can be virtually anywhere.


After a spoke registers with the hub, spoke-to-spoke communication dynamically opens new tunnels that go over the shortest path.


However, as I understand it, your network is built over physical circuits and not over the internet, so I would simply enable SRTP and that's it.
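As an added illustration (not from the thread or from any Cisco document) of the DMVPN design paolo describes, an IPsec-protected multipoint GRE tunnel terminated on the voice gateways and shared by all calls to a site, together with the SRTP-only dial-peer he suggests for private circuits, here is a minimal Cisco IOS configuration. All addresses, the pre-shared key, interface names and dial-peer numbers are constructed placeholders, and a routing protocol over Tunnel0 is assumed to be configured separately.

```cisco
! --- Hub voice gateway (assumed WAN address 192.0.2.1 on GigabitEthernet0/0) ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! Placeholder PSK; in production use per-peer keys or certificates
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke voice gateway (assumed WAN address 192.0.2.2) ---
! Same crypto isakmp / ipsec transform-set / ipsec profile lines as the hub, then:
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! H.323 dial-peer on the spoke: the session target is the far gateway's tunnel
! address, so H.225/H.245 signalling and the RTP media both ride the encrypted
! mGRE tunnel; that tunnel is shared by every call to the site, not one per call.
dial-peer voice 100 voip
 destination-pattern 2...
 session target ipv4:10.255.0.1
 codec g711ulaw
! --- Private-circuit alternative from the last post: SRTP only, no tunnel ---
dial-peer voice 200 voip
 destination-pattern 3...
 session target ipv4:198.51.100.10
 srtp fallback
```

With the SRTP-only dial-peer the media is encrypted but the H.323 signalling (and the key exchange it carries) stays in the clear, which is exactly the trade-off the thread discusses.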
