IPSec CUCM 7.1 and MGCP Router, Part Deux

refram
Level 3

Unfortunately having to start this thread again because it wasn't as solved as I thought.

I am using CUCM 7.1 and a 2821 ISR with the c2800nm-advipservicesk9-mz.124-24.T3.bin IOS.


I'm trying to make it so that I can place secure calls from my phones to my MGCP gateway.  The phones can already place secure calls to each other and to the voicemail server.


Here are what I think are the relevant configurations.


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 10800
crypto isakmp key cisco address 192.168.1.8
crypto isakmp key cisco address 192.168.1.9
!
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
mode transport
!
crypto map CM 1 ipsec-isakmp
set peer 192.168.1.8
set transform-set CM
match address 101
crypto map CM 2 ipsec-isakmp
set peer 192.168.1.9
set transform-set CM
match address 102
!
!
interface Loopback0
ip address 192.168.1.225 255.255.255.255
crypto map CM
!
interface GigabitEthernet0/0
ip address 192.168.1.202 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.206 255.255.255.252
duplex auto
speed auto
!
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
!
ccm-manager mgcp
no ccm-manager fax protocol cisco
ccm-manager music-on-hold
ccm-manager config server 192.168.1.8 
ccm-manager config
!
mgcp
mgcp call-agent 192.168.1.9 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
mgcp default-package fxr-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 ecm
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!

Output from show command...

Router2#show crypto session
Crypto session current status

Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.8 port 500
  IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.8
        Active SAs: 0, origin: crypto map

Interface: Loopback0
Session status: DOWN
Peer: 192.168.1.9 port 500
  IPSEC FLOW: permit ip host 192.168.1.225 host 192.168.1.9
        Active SAs: 0, origin: crypto map

Plus other "show" commands show no peers or associations.  Debugs turn up practically nothing.

Attached is the configuration on the CUCM side.

Tried restarting CAPF and CTL services for grins, didn't seem to help.

Driving me insane... thought it was fixed, heartbroken to find it wasn't... could use someone to talk me off the roof.

2 Replies

Aaron Harrison
VIP Alumni

Hi

Me again.. drip feeding you bits of info as per usual :-)

Another thing came back to me just now... there was a command that you'd expect CCM to push to the GW that I needed to manually configure:


mgcp package-capability srtp-package

Also I seem to recall it needing a specific IOS version; maybe try the command and see how you get on?

I'm trying to find the notes I took at the time, but it was kind of a two part thing.

Part 1) Get SRTP working; at this point you get encrypted calls

Part 2) IPSEC - that was required to protect some encryption keys or what have you that were sent to the GW in a not-very-secure way.

So basically you can get SRTP working, then come back to applying the IPSEC stuff. I had a world of trouble getting the IPSEC stuff done.

Regards

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Hi


From the security guide for CCM:

Facts about MGCP E1 PRI gateways:
–You must configure the MGCP gateway for SRTP encryption. Configure “mgcp package-capability srtp-package.”
–The MGCP gateway must have an Advanced IP Services or Advanced Enterprise Services image (for example, c3745-adventerprisek9-mz.124-6.T.bin).
–Protected status gets exchanged with the MGCP E1 PRI gateway by using proprietary FacilityIE in the MGCP PRI Setup, Alert, and Connect messages.
–Cisco Unified Communications Manager plays the secure-indication tone only to the Cisco Unified IP Phone. A PBX in the network plays the tone to the gateway end of the call.
–If the media between the Cisco Unified IP Phone and the MGCP E1 PRI gateway is not encrypted, the call gets dropped.

Like I say, add that command, check your IOS feature set, and remove the crypto map for now. If that works and encrypts, time to get your Security hat on.

Aaron

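Putting the thread together as one worked gateway configuration. This is an added example from the editor, not configuration posted by refram or Aaron; it keeps the addresses, peers, ACLs and transform set from the original post (assumed unchanged), and the pre-shared key is a placeholder. It makes two points explicit. First, in Cisco IOS a crypto map is evaluated on the interface a packet actually exits, so a map applied only to Loopback0 never matches the MGCP traffic leaving GigabitEthernet0/0 or 0/1; IKE is never triggered, and `show crypto session` stays DOWN with zero SAs and quiet debugs, exactly as in the original post. The fix is `local-address Loopback0` on the map plus applying the map to the physical interfaces. Second, Aaron's ordering is a security matter, not just a convenience: with MGCP the SRTP session keys travel inside the MGCP/SDP signalling between CUCM and the gateway in the clear, so SRTP without IPsec hides the media from everyone except whoever can see that signalling path.

```cisco
! Editor's added example, not configuration from the thread. Addresses, peers,
! ACLs and transform set are the original poster's; the shared key is a placeholder.
!
! ---- Step 1: SRTP on the MGCP gateway (needs an advipservicesk9 or
! adventerprisek9 image; c2800nm-advipservicesk9-mz.124-24.T3.bin qualifies).
! CUCM does not push this command, so it is configured by hand as a global:
mgcp package-capability srtp-package
!
! Check on the gateway: srtp-package must appear in the supported package list
! and the gateway must be registered with its call agent.
!   show mgcp | include package
!   show ccm-manager
! Then place a call from an encrypted-mode phone through the gateway and confirm
! the phone shows the lock icon before touching IPsec.
!
! ---- Step 2: IPsec between the gateway loopback and the CUCM nodes.
! Remove the map from the loopback; it is never the egress interface.
interface Loopback0
 ip address 192.168.1.225 255.255.255.255
 no crypto map CM
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 10800
! Placeholder key: use a long random secret, identical on the CUCM IPsec policy.
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 192.168.1.8
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 192.168.1.9
!
crypto ipsec transform-set CM esp-3des esp-sha-hmac
 mode transport
!
! Source IKE/ESP from the loopback so the SA survives a link change, but apply
! the map where the packets actually leave the router.
crypto map CM local-address Loopback0
crypto map CM 1 ipsec-isakmp
 set peer 192.168.1.8
 set transform-set CM
 match address 101
crypto map CM 2 ipsec-isakmp
 set peer 192.168.1.9
 set transform-set CM
 match address 102
!
interface GigabitEthernet0/0
 ip address 192.168.1.202 255.255.255.252
 crypto map CM
!
interface GigabitEthernet0/1
 ip address 192.168.1.206 255.255.255.252
 crypto map CM
!
! Loopback <-> CUCM node, all protocols (MGCP control on 2427/2727 and the RTP
! media, both sourced from Loopback0 per the mgcp bind commands, fall inside).
access-list 101 permit ip host 192.168.1.225 host 192.168.1.8
access-list 102 permit ip host 192.168.1.225 host 192.168.1.9
!
! Trigger and verify: any loopback-sourced packet to a peer should now bring up
! IKE; sessions should go UP-ACTIVE with non-zero SAs and rising encaps/decaps.
!   ping 192.168.1.8 source Loopback0
!   show crypto session
!   show crypto isakmp sa
!   show crypto ipsec sa | include pkts
```

The CUCM side (the attached policy, which is not reproduced on the page) has to mirror this: destination 192.168.1.225, transport mode, ESP 3DES with SHA-1, the same pre-shared key and compatible lifetimes, one policy per CUCM node that talks to the gateway. 3DES/SHA-1/group 2 are what CUCM 7.1 supports and are kept as the poster had them; the one thing in the original that a practitioner should change regardless of whether the tunnel comes up is the pre-shared key, since "cisco" is the first guess of anyone who reaches the signalling path.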