SPA3102: SRTP + Non standard port for TLS

Unanswered Question
Dec 3rd, 2009


Hi! 

I want to run a secure VoIP setup and need some information about the following.  I am connecting the SPA3102 to FreeSwitch which uses normal standards for TLS and SRTP.

1. How do I enable and ensure that the SPA3102 uses SRTP? 
2. I am required to run TLS on a non-standard port.  If I use 5061 then I can get registered.  When I configure the SPA3102 to use the other port, it does not register.   There are no firewalls etc in the way at the moment while I am testing.   How do I do this and what is the supported port range?  I have tried SIP-Port and EXT-SIP-Port.

I have the latest firmware 5.1.10(GW)

Thanks




mcampbellsmith Thu, 12/03/2009 - 04:14

I enabled syslog and when I set the server to work with TLS port 5061 but set port 442 on the SPA3102 (under tab Line 1, Sip Port:), I see the following:
Dec  3 23:02:09 192.168.1.141 SIP:TLS Port 442
Dec  3 23:02:09 192.168.1.141 SIP:TLS Port 442
:
:
Dec  3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect=0
Dec  3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect=0
Dec  3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect OK
Dec  3 23:02:17 192.168.1.141 [0:0]SIP/TLS:Connect OK
Dec  3 23:02:17 192.168.1.141 [0]->192.168.1.120:5061(525)
Dec  3 23:02:17 192.168.1.141 [0]->192.168.1.120:5061(525)
Dec  3 23:02:17 192.168.1.141 REGISTER sip:192.168.1.120 SIP/2.0

Why does the SPA use 5061 when it is configured to use 442?

When I change the server to use port 442, I only see this:

Dec  3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connecting(4)
Dec  3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connecting(4)
Dec  3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connect=-1
Dec  3 23:09:24 192.168.1.141 [0:0]SIP/TCP:Connect=-1



By the way, what is [0]SIP/TCP LocalPort and how would that affect this?

EDIT:
Registration works if I put domain.com:port, so that is great.

Now just onto SRTP.  Tips on how to set this up would be appreciated...

mcampbellsmith Thu, 12/03/2009 - 14:31

Hi Again,

I noted this comment on the FreeSwitch mailing list.  Is this correct?  Will the SPA3102 or SPA2102 ever support STANDARD SRTP?

AFAIK, the Cisco/Linksys SPA series ATAs do not support SDES key
exchange to appropriately support SRTP and FreeSWITCH. They do their
proprietary Sipura key exchange only, not sure if Cisco plans on
upgrading the firmware to ever support SDES on the ATAs. They added
support for SDES to their IP Phones about 1 year ago, but nothing has
happened with the ATAs as of yet.

Alberto Montilla Fri, 12/04/2009 - 03:09

Dear Sir;

Comment is right. Standard key exchange for SRTP is not supported on SPA2102 and SPA3102, but on the SPA9X2 and SPA500 phones. Current key exchange for SPA2102 and SPA3102 is proprietary and works between SPA ATAs or with a gateway that implements the SPA key exchange. Admin guide provides further info on how to generate the SRTP key (there is a SRTP key generator tool on the community).

On the TLS SIP port issue I would recommend you check the configuration. What port would you like to change? Internal (device) port or the external (proxy) UDP port?

- If it is the internal, you need to go to the Line X tab and modify the SIP port parameter (default for line 1 is 5060 and line 2 is 5061).

- If it is the external, you need to add ":" to the proxies (e.g. myproxy.com:)

Regards
Alberto
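
Added example, not part of the original thread and not Cisco or FreeSWITCH code: a small Python check that reads an SDP body taken from a SIP trace and reports, per media section, whether standard SDES key exchange (an RTP/SAVP profile plus a=crypto lines, RFC 4568) is being offered. The two SDP bodies, addresses and the all-"A" key are constructed samples, and audit_sdp is a hypothetical helper name.

```python
import re

# Constructed sample SDP bodies (not captured from a real SPA3102 or FreeSWITCH).
_HEAD = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
SDP_PLAIN = "\r\n".join(_HEAD + [
    "m=audio 16384 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"
SDP_SDES = "\r\n".join(_HEAD + [
    "m=audio 16384 RTP/SAVP 0 8 101",
    # 40 base64 chars = 30 bytes (16-byte key + 14-byte salt); placeholder value.
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40,
    "a=rtpmap:0 PCMU/8000",
]) + "\r\n"

# a=crypto:<tag> <crypto-suite> inline:<key params>
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")
SECURE_PROFILES = ("RTP/SAVP", "RTP/SAVPF")

def audit_sdp(sdp):
    """Return one dict per m= section with its profile, SDES suites and a verdict."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue  # malformed media line, ignore it
            current = {"media": fields[0], "profile": fields[2], "suites": []}
            sections.append(current)
        elif current is not None:
            # a=crypto is a media-level attribute, so only look inside m= sections.
            match = CRYPTO_RE.match(line)
            if match:
                current["suites"].append(match.group(2))
    for sec in sections:
        secure = sec["profile"] in SECURE_PROFILES
        if secure and sec["suites"]:
            sec["verdict"] = "sdes-srtp"
        elif sec["suites"]:
            sec["verdict"] = "crypto-on-plain-profile"  # keys offered, profile still RTP/AVP
        elif secure:
            sec["verdict"] = "savp-without-keys"
        else:
            sec["verdict"] = "plain-rtp"  # no standard SDES SRTP in this offer
    return sections

if __name__ == "__main__":
    for name, body in (("plain", SDP_PLAIN), ("sdes", SDP_SDES)):
        print(name, audit_sdp(body))
```

The a=crypto line carries the SRTP master key inline in the SDP, so a "sdes-srtp" verdict only protects the media if the SIP signaling itself runs over TLS.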

mcampbellsmith Fri, 12/04/2009 - 03:34

amontill wrote:

Comment is right. Standard key exchange for SRTP is not supported on SPA2102 and SPA3102, but on the SPA9X2 and SPA500 phones. Current key exchange for SPA2102 and SPA3102 is proprietary and works between SPA ATAs or with a gateway that implements the SPA key exchange.

Thanks Alberto.

Are there any plans to include standard key exchange in the SPA3102/SPA2102 in a future firmware release?  I understand the SPA9X2 and SPA500 phones have had the support for over one year...

Thanks

Regards

Mark

mcampbellsmith Sat, 12/12/2009 - 23:38

Hi Alberto,

Did you get any response from engineering regarding standard SRTP support?

Thanks!

lnemchev Mon, 04/12/2010 - 02:25

Hello Alberto ,

I couldn't find the key generator; could you please provide a link to download it?

Thanks a lot

Alberto Montilla Mon, 04/12/2010 - 02:30

Dear Sir;

In which country are you located? I would need to refer you to our AM/SE to provide you with the tool based on the country you are located in.

regards
Alberto

lnemchev Mon, 04/12/2010 - 03:11

Hello Alberto ,

My customer is located in Germany. What are the differences between the versions for different countries?

Thanks!

Luba

anzzvvered Sat, 07/28/2012 - 02:21

Please get back Alberto.

This has caused too much pain for enough of us.

andyholland Tue, 03/22/2011 - 07:26

Hello,

I've a requirement for a *lot* of ATAs that support TLS and sRTP - and I came across this thread.

Is there any news on standard support for TLS and sRTP?

Thanks

Adam

anzzvvered Sat, 07/28/2012 - 02:20

Any news on this???

The rep said it's on their roadmap but no development schedule. That was 2 years back.

Looks like Cisco really stinks here.
