Configure SRTP
Secure Real Time Protocol (SRTP) is first enabled on the physical node object. Once SRTP is enabled on the node it can then be enabled on the individual SIP channel groups. Before configuring the SRTP functionality on the IMG 2020, TLS security must first be configured to encrypt the SIP signaling messages. Refer to the Configure TLS topic for information on configuring TLS functionality.
Load Secure Communication License
TLS needs to have a license labeled Secure Communications loaded on the IMG 2020 to function. Verify that the Secure Communications license has been downloaded to the IMG 2020 by clicking on the License Info object in the Web GUI and confirming that the license is displayed in the Secure Communications field. If no Secure Communications license is installed, a new license file with the Secure Communications license added to it must be downloaded. Once the new license is acquired, refer to the Licensing (Gateway Mode) topic for information on how to download the new license.
Initial Configuration
Before configuring SRTP, the basic functionality must first be configured on the IMG 2020. Refer to the Basic Configurations topic to configure the initial objects that need to be created before proceeding with the configuration of the TLS and SRTP functionality. The Basic Configurations topic sets up objects such as T1/E1 Profiles, T1/E1 DS-1's and ANSI/ITU ISUP Group profiles needed prior to configuring these functions.
Configure TLS
SRTP cannot function unless the Transport Layer Security (TLS) functionality has been configured first. Refer to the Configure TLS topic for information on how to configure TLS.
Enable SRTP in the SIP Profile
The SRTP mode needs to be configured in the SIP Profile (SGP) object. The procedure below describes this configuration.
Right click on the SIP Profiles object and select New SIP Profile. In the Name field enter a name that identifies this SIP profile.
In the SRTP Mode field select whether SRTP will be Disabled, Mandatory, or RTP fallback, as displayed below.
Create SRTP Crypto-Suite
Create and configure the SRTP Crypto-suite to identify the encryption that will be either offered on the outgoing SIP channel group or responded to on the incoming SIP channel group. More than one Crypto-suite can be configured in this object so that more than one Crypto-suite can be offered/responded to in the answer/offer SDP negotiations.
Right click on the SIP Profile (SGP) object and select New SIP SRTP Cryptosuite. Up to three Crypto-suites can be configured in this object. Each Cryptosuite can have its Window size modified and each Cryptosuite can have SRTCP enabled or disabled. When enabled, the Quality Of Service information will be encrypted also. Refer to the screen capture below.
For information on configuring the fields, refer to the topic.
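The crypto-suite, window size and SRTCP settings above can be checked in a captured SDP offer. The following is an added example, not Dialogic code or part of the original topic: it assumes the gateway signals its suites with RFC 4568 a=crypto attributes, and the function names, suite names and sample SDP are constructed for illustration.

```python
import re

# Constructed sample SDP offer (not captured from an IMG 2020); keys are dummy values.
SAMPLE_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDdummyKEYmaterial0000000000000 WSH=128
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:CONSTRUCTEDdummyKEYmaterial1111111111111 UNENCRYPTED_SRTCP
"""

# a=crypto:<tag> <suite> inline:<key params> [session params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+(.*))?$")

def parse_offer(sdp):
    """Return each media section with its transport profile and offered suites."""
    media = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "proto": proto, "suites": []})
        elif media and (m := CRYPTO_RE.match(line)):
            params = (m.group(4) or "").split()
            wsh = next((int(p[4:]) for p in params if p.startswith("WSH=")), None)
            media[-1]["suites"].append({
                "tag": int(m.group(1)),
                "suite": m.group(2),
                "window": wsh,  # None: no window size hint was sent
                "srtcp_encrypted": "UNENCRYPTED_SRTCP" not in params,
            })
    return media

def audit(sdp, signaling_transport, allowed_suites):
    """List the findings a reviewer would raise for one offer."""
    findings = []
    if signaling_transport.upper() != "TLS":
        # Inline keys travel in the SDP body, so they need encrypted signaling.
        findings.append("inline keys exposed: signaling is not TLS")
    for sec in parse_offer(sdp):
        if sec["proto"] != "RTP/SAVP":
            findings.append(f"{sec['kind']}: plain RTP offered ({sec['proto']})")
        for s in sec["suites"]:
            if s["suite"] not in allowed_suites:
                findings.append(f"{sec['kind']}: unexpected suite {s['suite']}")
            if not s["srtcp_encrypted"]:
                findings.append(f"{sec['kind']}: tag {s['tag']} leaves SRTCP unencrypted")
    return findings
```

Run audit() on offers captured from each channel group after the configuration is downloaded, passing the suites you actually configured as allowed_suites.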
Link SIP Profile (SGP) with External Gateway using TLS/SRTP
The external gateway object configures certain parameters used to communicate with an external gateway. Each external gateway that employs TLS and SRTP will need the SIP profile configured for TLS and SRTP linked to it. In this example, the gateway that was initially configured in the Configure TLS topic will be modified to add the SRTP secure profile to it.
Click on the external gateway object that has the TLS configuration on it. In the SIP Profile field, select the SIP Profile that has the SIP SRTP Support object just configured above. See screen capture below.
Add External Network Element to SIP Channel Group
Add the gateway configured above to a SIP Channel Group through the External Network Element object. This will be one of the channel groups that will have the TLS and SRTP functionality passing through it. In the procedure below, a new SIP channel group is being created. If the Configure TLS procedure in this online WebHelp was initially followed, the SIP channel group configured in that procedure could be used also.
Right click on the Dialogic object and select New Routing Configuration. The Routing configuration object is a container or parent object and no configuration is needed here. Refer to the Routing Configuration topic for more information on this object.
Right click on the Routing Configuration object just created and select New Channel Groups. The Channel Groups object is a container object also and no configuration is needed here. Refer to the Channel Groups topic for more information on this object.
Right click on the Channel Groups object and select New Channel Group. Enter a name in the Name field that identifies this channel group.
Select SIP from the drop down menu of the Signaling Type field. Refer to the Channel Group topic for more information on configuring the remaining fields.
Right click on the Channel Group object and select New IP Network Element. Select the gateway object configured earlier that has the TLS and SRTP profiles linked to it. See screen capture below.
Once the External Network Element has been configured, there will be a yellow exclamation point in front of the Channel Groups Icon. This indicates the configuration has not been sent to the IMG 2020. Click on the Channel Groups object and click the Download Resource Tables button. This will send the configuration to the IMG 2020.
Execute the above procedure for all Incoming/Outgoing channel groups that the TLS/SRTP encryption will be configured on.