[cisco-voip] Secure calls between CUCM and CUCME

Nick Matthews matthnick at gmail.com
Mon Jan 18 21:13:09 EST 2010


From looking at a few documents, it does look like TLS support is for SIP only.

-nick

On Mon, Jan 18, 2010 at 9:56 AM, Phil G <pgciscovoip at gmx.net> wrote:
> Thanks for your answer.
>
> But as far as I know TLS is only supported on CUCM with SIP-trunks (and
> SCCP/SIP-line side). CME does support TLS with SCCP-line side only, but not
> with H323. That means, we have to configure IPSec between CUCM and all CMEs?
>
>
>
> Nick Matthews wrote:
>>
>> I haven't personally done this, but it should work.  SRTP keys will be
>> negotiated in the H.225 exchange in H.323.  For H.323, CME won't even
>> know the difference between a CME and CUCM.  The GK isn't even
>> involved in anything but call routing/bandwidth, so the question is if
>> CME and CUCM support SRTP/TLS, which they do.
>>
>> -nick
>>
>> On Sun, Jan 17, 2010 at 5:52 AM, Phil G <pgciscovoip at gmx.net> wrote:
>>>
>>> Hi!
>>>
>>> Has anyone experience with secure calls between a CUCM-Cluster and a
>>> CUCME-deployment connected through a gatekeeper?
>>>
>>> Security-configuration (CTL-file, CAPF etc.) on CUCM-Cluster is obvious for me.
>>> Security-configuration (CTL-file, CAPF etc.) on CUCME is obvious for me.
>>>
>>> But are secure calls between CUCM and CUCME possible (I know that secure
>>> calls between 2 CUCMEs are possible)? In CUCM-Admin we have a GK-controlled
>>> Intercluster-Trunk pointing to the CUCMEs.
>>>
>>> How will the SRTP-keys be exchanged? BTW: How will the SRTP-keys be
>>> exchanged between 2 CUCMEs?
>>>
>>> Another question:
>>>
>>> Let's say we have a CUCME configured with security. In CUCME we do not have
>>> any security tokens, what if we have to replace the CUCME-router, how do we
>>> sign the CTL-file with the old security "tokens" (which are 2
>>> SAST-certificates), so that we do not have to delete the old CTL-file
>>> manually?
>>>
>>>
>>> _______________________________________________
>>> cisco-voip mailing list
>>> cisco-voip at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-voip

