IMG 1010 - SRTP - Configuration

Overview:

Software version 10.5.3 adds to the IMG the ability to configure SRTP/SRTCP over SIP. Follow the procedure below to configure SRTP.

To configure SRTP/SRTCP on the IMG, the cryptographic protocol TLS must first be configured. Before proceeding, verify that TLS has already been configured. If it has not, use the links below to configure TLS first.

 

IMG 1010 - SIP Signaling Over TLS Overview 

IMG 1010 - TLS - Configuration

IMG 1010 - SIP SRTP CryptoSuite

Verify the Secure Communications License is loaded

Right Click on the IMG Name (Physical IMG) and select New License Info. Verify the Secure Communications License is loaded. See the IMG 1010 - License Info topic for more information. 

Create SIP SGP Pane with SRTP enabled

  • When TLS was initially configured, a SIP SGP pane was created for use with TLS. Since TLS is already configured on this profile, SRTP can be added to this SIP SGP pane. Within the SIP SGP Pane is the field SRTP Mode. Select Disable, Mandatory, or RTP fallback from the drop-down menu, as displayed below:


    Disable: The crypto information within the RTP packets will be analyzed. Any crypto information within an SRTP packet will be rejected with 488 Unacceptable Media.
    Mandatory: The crypto information within the RTP packet will be rejected. Only crypto information within an SRTP packet will be analyzed.
    RTP fallback: The crypto information within the SRTP packet will be analyzed. If the crypto information within the SRTP packet is not acceptable (no SRTP encryption), the IMG falls back to the SDP information within the RTP packet.

  • See IMG 1010 - SIP Profile - 10.5.3 for more information on this pane  

Create SRTP crypto-suite

  • Right Click on the SIP SGP Pane from above and select New SIP SRTP Cryptosuite. A SIP SRTP Cryptosuite Pane is created. See below:

  • Configure the Crypto-suite, Window Size Hint, and SRTCP Encryption Fields. See IMG 1010 - SIP SRTP CryptoSuite for more information on configuring this pane.
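
To check from a captured SIP message body that the SRTP Mode and crypto-suite settings took effect, the SDP can be audited offline. The following is an added example, not Sangoma code: it assumes the IMG signals SRTP keys with SDES `a=crypto` attributes (RFC 4568) and that the Crypto-suite, Window Size Hint, and SRTCP Encryption fields correspond to the crypto-suite, `WSH=` and `UNENCRYPTED_SRTCP` parameters; the function names and the sample SDP are constructed for illustration.

```python
import re

# Constructed SDP offer for illustration (not captured from an IMG).
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER0 WSH=64 UNENCRYPTED_SRTCP
"""

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]  (RFC 4568)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (inline:\S+)(?: (.*))?$")

def audit_sdp(sdp):
    """Return one dict per m= line with its transport and parsed crypto lines."""
    media = []
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append({"media": kind, "proto": proto,
                          "secure": proto == "RTP/SAVP", "crypto": []})
        elif line.startswith("a=crypto:") and media:
            m = CRYPTO_RE.match(line)
            if not m:
                continue  # malformed attribute: treated as if no key was offered
            params = (m.group(4) or "").split()
            wsh = [int(p[4:]) for p in params if p.startswith("WSH=") and p[4:].isdigit()]
            media[-1]["crypto"].append({
                "tag": int(m.group(1)), "suite": m.group(2),
                "wsh": wsh[0] if wsh else None,   # None: WSH not signalled
                "srtcp_encrypted": "UNENCRYPTED_SRTCP" not in params,
            })
    return media

def findings(sdp):
    """List (media_index, message) pairs for streams that are not fully protected."""
    out = []
    for i, m in enumerate(audit_sdp(sdp)):
        if not m["secure"]:
            out.append((i, "media offered as plain " + m["proto"]))
        elif not m["crypto"]:
            out.append((i, "RTP/SAVP offered without a usable a=crypto line"))
        for c in m["crypto"]:
            if not c["srtcp_encrypted"]:
                out.append((i, "SRTCP unencrypted for tag %d" % c["tag"]))
    return out
```

Calling `findings()` on the SDP body of an INVITE or 200 OK returns an empty list when every media stream is offered over RTP/SAVP with encrypted SRTCP.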

Insert SIP SGP Pane into SIP Signaling Object

In the TLS configuration procedure a SIP signaling object was created for use with TLS. Open this SIP signaling object and in the Remote IMG's SIP Profile, select the SIP SGP Pane which was created for SIP TLS. See screen capture below:

Insert SIP SGP Pane into external Gateway created during the TLS configuration

Ensure that SIP SRTP encryption is directed to a specific gateway. This gateway must have a TLS Profile.

An External Gateway with TLS configured was created earlier in the TLS configuration procedure. Select this gateway. In the SIP Profile field, select the SIP SGP Pane created earlier from the drop-down menu, as displayed below. The SIP SGP profile with TLS/SRTP should be configured on every External Gateway that the IMG will communicate with and that needs TLS/SRTP. See IMG 1010 - External Gateway for more information.

Insert IP Bearer Profile into Incoming and Outgoing Channel Groups

The Incoming and Outgoing Channel Groups that communicate with the external gateways using TLS/SRTP need to have the IP bearer profile that has SRTP configured on it selected. Follow the procedure below to accomplish this.

  • Select the Channel Groups that have TLS configured on them. Right Click on the Channel Group and select New IP Network Element. Select the gateway configured earlier which has TLS and SRTP configured on it. See screen capture below:

  • Repeat the above procedure for all Incoming/Outgoing Channel Groups on which TLS/SRTP will be configured.

  • The screen capture below displays the ClientView Tree after configuration of TLS/SRTP:

 
