IPSec CUCM 7.1 and MGCP Router

Aug 24th, 2010

I am using CUCM 7.1 and a 2821 ISR with the c2800nm-advipservicesk9-mz.124-24.T3.bin IOS.


I'm trying to make it so that I can place secure calls from my phones to my MGCP gateway.  The phones can already place secure calls to each other and to the voicemail server.


Here are what I think are the relevant configurations.

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10800
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
mode transport
!
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
!
interface Loopback0
ip address 192.168.1.225 255.255.255.255
crypto map CM
!
interface GigabitEthernet0/0
ip address 192.168.1.202 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.206 255.255.255.252
duplex auto
speed auto
!
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
!
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 192.168.1.8 
ccm-manager config
!
mgcp
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!

When I do the following commands, I get the output listed below...


debug crypto isakmp

*Aug 24 20:01:14.895: No peer struct to get peer description



show crypto session

Interface: Loopback0
Session status: DOWN
Peer: 172.16.72.9 port 500
  IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
        Active SAs: 0, origin: crypto map


...so it looks like it's not working.


There's really precious little information about this anywhere.  If someone can help, I think it will help a lot of other people too.


One last point, the key in the line "crypto isakmp key cisco" is not really "cisco".  What should it be?  I have the platform administrator password.  Is that correct?




 

Correct Answer
Aaron Harrison Tue, 08/24/2010 - 13:25

Hi


It's been a while since I had to configure this stuff; but basically the IPSEC tunnel is configured on both GW and the CCM; you configure it via CM Platform Admin (https://server/cmplatform) under one of the menus.


I hit a LOT of bugs on 6.1 code when I was setting this up..


Regards


Aaron

Please rate helpful posts...

refram Tue, 08/24/2010 - 13:49

That felt awful good, and it's probably a large part of the issue, but it's still not working.  I gave you an "answered" because you got the main disconnect, I think.  Still, there's something missing.  Any more places to go to look?

Aaron Harrison Tue, 08/24/2010 - 13:59

Hi


So your config doesn't look too bad; but this snippet has random IP addresses in that don't seem to be this router or your CCM:


show crypto session

Interface: Loopback0
Session status: DOWN
Peer: 172.16.72.9 port 500
  IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
        Active SAs: 0, origin: crypto map


What's that about?


Maybe post up your latest config, status of the VPNs on the gateway end, and screen grab your IPSEC config from CCM?


Aaron
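
The cross-check raised in the post above, written out as an added example that is not part of the original thread: it compares the peers and flows in `show crypto session` output against the crypto map entries and ACLs in the router config, so a pasted output from the wrong device is told apart from a tunnel that really is down. The function names are hypothetical and the sample strings are constructed from the config and output quoted in the thread.

```python
import re
# Constructed sample, trimmed from the config and first output quoted in the thread.
CONFIG = """\
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
match address 102
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
"""
SESSION = """\
Interface: Loopback0
Session status: DOWN
Peer: 172.16.72.9 port 500
  IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
"""

def config_flows(config):
    """Map each crypto map peer to the (src, dst) hosts of its matched ACL."""
    acls, matched, peer = {}, {}, None
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["set", "peer"]:
            peer = w[2]
        elif w[:2] == ["match", "address"] and peer:
            matched[peer] = w[2]
        elif len(w) == 8 and w[0] == "access-list" and w[4] == w[6] == "host":
            acls[w[1]] = (w[5], w[7])
    return {p: acls.get(n) for p, n in matched.items()}

def session_entries(output):
    """Yield (peer, status, (src, dst)) per block of 'show crypto session'."""
    for block in re.split(r"\n(?=Interface:)", output.strip()):
        status = re.search(r"Session status: (\S+)", block)
        peer = re.search(r"Peer: (\S+)", block)
        flow = re.search(r"IPSEC FLOW: permit ip host (\S+) host (\S+)", block)
        if status and peer and flow:
            yield peer.group(1), status.group(1), flow.groups()

def check(config, output):
    """Flag sessions that do not belong to this config, then sessions not up."""
    expected, findings = config_flows(config), []
    for peer, status, flow in session_entries(output):
        if expected.get(peer) != flow:
            findings.append(f"{peer}: peer or flow is not in this config")
        elif status != "UP-ACTIVE":
            findings.append(f"{peer}: matches the config, session is {status}")
    return findings
```

Calling `check(CONFIG, SESSION)` on the first output reports a peer that is not in the config; on output whose peers and flows match the config it reports each session that is not `UP-ACTIVE`.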

refram Tue, 08/24/2010 - 14:38

Here you go.  By the way, the weird IPs in the last post were just a matter of me copying things incorrectly.  The correct output is below.


Thanks again.



crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10800
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
mode transport
!
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
!
!
interface Loopback0
ip address 192.168.1.225 255.255.255.255
crypto map CM
!
interface GigabitEthernet0/0
ip address 192.168.1.202 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.206 255.255.255.252
duplex auto
speed auto
!
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
!
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 192.168.1.8 
ccm-manager config
!
mgcp
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!
!

end



Router2#show crypto session
Crypto session current status

Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.8 port 500
  IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.8
        Active SAs: 0, origin: crypto map

Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.9 port 500
  IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.9
        Active SAs: 0, origin: crypto map
