I have to encrypt the voice stream in our voice domain, which includes the connections between the H.323 gateway (to/from PSTN) and the phones, and I configured it on a per dial-peer basis.
To secure both directions - incoming and outgoing calls - I have to enable SRTP (fallback) at the outgoing voip dial-peer to CUCM for incoming calls from PSTN and at the incoming dial-peer from CUCM for outgoing calls to PSTN.
Works fine! But...
...if a directory number in CUCM is forwarded to an external number, the call is interrupted.
I discovered how the call flow looks for this scenario after the connection is established regarding dial-peers and RTP connections (using the commands show voice call status and show voip rtp connections):
PSTN --> incoming pots dial-peer --> outgoing voip dial-peer --> incoming voip dial-peer --> outgoing pots dial-peer --> PSTN
With the show voip rtp connections command you can see two connections with source and destination IP of the gateway. It is like a gateway-to-gateway connection between two independent gateways even though it is the same device.
I tested different variations for SRTP at the voip dial-peers:
non-secure outgoing dial-peer --> non-secure incoming dial-peer : OK
secure outgoing dial-peer --> non-secure incoming dial-peer : OK
non-secure outgoing dial-peer --> secure incoming dial-peer : OK
secure outgoing dial-peer --> secure incoming dial-peer : fail
Unfortunately, in a normal configuration the incoming dial-peer is the same one used for outgoing external calls from the phones. And as described above, I have to secure it.
So forwarded calls to an external number will never be established.
Is there any other configuration or feature for the gateway and/or CUCM to make this scenario possible?