CM8 - TLS Works on SIP Line to SM, trying to get SRTP to work

[RyanEOD]

Greetings!

I've got a SIP line that I have TLS working to, and I can get regular RTP working to, but I'm trying to get it to use SRTP. I've set up the codec's in my CM -

The SIP line is connected to the SM, so I was wondering is there anything I need to check in the Session Manager to get SRTP to work? I looked through all my setting on the CM side and I feel it should work? The response back I get is a 488 Not Acceptable Here (No Matching Codec or Encryption Algo) and an inbound invite from the device doesn't offer SRTP as a possible media type. Thoughts?

Check out my professional profile and connect with me on LinkedIn.

http://lnkd.in/S4JdV3

 

[dialtonebone]

Session Manager doesn't build/modify SDPs - the SIP entities connected do.
Does your far end device (wherever this "SIP Line" is) support SRTP?

 

[RyanEOD]

The end devices do, in both directions. I mean, the invite is coming from the Session Manager, are you saying it just passes on whatever it gets for SDP's? What if it is anchoring the media and it's going out to the PSTN? (or in my case another switch in my office, yes I have a few)

Check out my professional profile and connect with me on LinkedIn.

http://lnkd.in/S4JdV3

 

[kyle555]

SM can't anchor media.

Check in CM in the routes used to go out - is 'secure sip' enabled? Ideally, you'd want that enabled. It'll make CM send a call out with the SIPS uri scheme. SIPS should only be used on TLS and should make the call fail if any leg is TCP. Just because you're going out a TLS trunk doesn't mean you're using the SIPS URI scheme.

Is "enforce SIPS for SRTP enabled" in the sig group? To be secure, it should be, but try turning it off. Suppose you had a situation where everything trunked together TLS except 1 TCP hop. If the SDP specified SRTP, then yuo'd get your 488.

Are you using SIP stations? h323 will use the srtp settings in the NR. SIP phones need it defined in the settings file.