I am using CUCM 7.1 and a 2821 ISR with the c2800nm-advipservicesk9-mz.124-24.T3.bin IOS.
I'm trying to make it so that I can place secure calls from my phones to my MGCP gateway. The phones can already place secure calls to each other and to the voicemail server.
Here are what I think are the relavant configurations.
crypto isakmp policy 1
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
crypto ipsec transform-set CM esp-3des esp-sha-hmac
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
ip address 192.168.1.225 255.255.255.255
crypto map CM
ip address 192.168.1.202 255.255.255.252
ip address 192.168.1.206 255.255.255.252
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
no ccm-manager fax protocol cisco
ccm-manager config server 192.168.1.8
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
mgcp profile default
When I do the following commands, I get the output listed below...
debug crypto isakmp
*Aug 24 20:01:14.895: No peer struct to get peer description
show crypto session
Session status: DOWN
Peer: 172.16.72.9 port 500
IPSEC FLOW: permit ip host 172.16.72.225 host 172.16.72.9
Active SAs: 0, origin: crypto map
...so it looks like it's not working.
There's really precious little information about this anywhere. If someone can help, I think it will help a lot of other people too.
One last point, the key in the line "crypto isakmp key cisco" is not really "cisco". What should it be? I have the platform administrator password. Is that correct?
It's been a while since I had to configure this stuff; but basically the IPSEC tunnel is configured on both GW and the CCM; you configure it via CM Platform Admin (https://server/cmplatform) under one of the menus.
I hit a LOT of bugs on 6.1 code when I was setting this up..
Please rate helpful posts...