In voip setup i want to secure my h323 traffic between gateway to gateway
without using ipsec tunnel (site-to-site vpn). I study about h235 security
but that is between gateway and gatekeeper. Please suggest me any technique
Thanks and Regards
Currently, an ipsec tunnel is the only way to secure h.323 signalling traffic. My understanding is that h.323 encryption is on the roadmap for a future version of IOS.
Hope this helps. If so, please rate the post.
I think the feature is that one:
released in 12.4(6)T. I've never tried it.
No sweat. Only, I'm puzzled by the reference in table 2:
IpSec ON / SRTP OFF
Signaling is protected; however, media is not secure.
Since one is putting media in the very ipsec or ipsec/gre tunnel, why is that, I guess only the document author knows.
Thank you for the link. I am already using SRTP for streaming As you know CRTP does not with IPSec. Now I have the same issue my h323 session is not secure. I have 25 sites and all have gateways so according to that document, i have to configure all 25 sites for IPSec tunnel. if a user A of site 1 will call user of site2, a tunnel will be establish for a single call and then same time mores of site1 call to users of other sites, it means ipsec tunnel will be establish per call. This will not eat all my router's resources. My all sites connected with each other like partial mesh.
Please suggest me what to do in this situation.
If I had scarce bandwidth, I would do the design with srtp only, and no ipsec Even if the keys are negotiated in clear, I'm not aware of any easily available tool that would let you wiretap calls.
If bandwidth is not a concern, I would set up a DMVPN. This way, a tunnel is established dynamically for branch-to-branch calls. The tunnel carries all calls and is not one per call. DMVPN is easy to administer as it doesn't require any change each time that you add a branch. In this case, I would not use SRTP as the crypted DMVPN offers already enough protection.
Bandwidth is not my concern. DMVPN is good in my situation but it cann't work without defining gre tunnels and it is not possible for me to add gre in network. I tried find the dmvpn solution without gre but couldn't.
GRE would be carried inside ipsec and terminated directly on the voice gateways, what prevents you from doing that ?
I appreciate your concern. Actually my network core (OSPF) is partial mesh and other 50% are connect back to back means site A connected to B and B then C etc. not purely hub and spoke concept thats why i confuse to design and plan dmvpn. Simple site-to-site vpn appeal me according to this topology since i have AIM-VPN/EPII Plus installed in my all routers so my routers are capable to handle multiple tunnels easily. If you have something to add, i will appreciate.
Hi, DMVPN does not need to have a hub and spoke physical topology, it is just done to simplify configuration to use one or two hub sites that can be virtually everywhere.
After a spoke registers with the hub, spoke-to-spoke communication dynamically opens new tunnels that will go over the shortest path.
However as I understand your network is built over physical circuits and not over the internet, so I would simply enable SRTP and that's it.