
Enabling Media Encryption on Avaya Aura CM 3


bryankich (Technical User), Oct 1, 2015
We have a need to enable media encryption on all of our voice traffic that did not happen during the install of our new system. I am still learning the ropes and having trouble getting this enabled.

I have checked display system-parameters customer-options and found Media Encryption Over IP? set to y

So I went ahead and moved my extension to a test network region and set a new codec to use G.711MU with media encryption set to aes.

Now when I pick up the handset I receive no dial tone, and below is a list trace on the station. Any guidance on what I'm missing would be very helpful.

Code:
LIST TRACE

time            data

10:53:19 TRACE STARTED 10/01/2015 CM Release String cold-03.0.124.0-22450
10:53:22     denial event 1644: Orig block/invalid digits D1=0xa6 D2=0xb103a38
10:53:22     active station      1293 cid 0x3a38
10:53:22     denial event 3731: Incompatible caps for end D1=0x7f00007f D2=0xa6
10:53:22     denial event 2300: Ept capabilities mismatch D1=0x4 D2=0x4
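
The trace above is the kind of output an administrator ends up reading repeatedly while troubleshooting a change like this. The following is an added example, not code from the thread or from Avaya: a small Python parser that pulls the denial events out of `list trace` text and flags the pair that accompanies the no-dial-tone symptom in this thread (3731 "Incompatible caps for end" and 2300 "Ept capabilities mismatch"). The sample trace is the one quoted above, embedded as constructed input; the grouping of those two codes as "capability mismatch" is this example's own assumption, not an Avaya-published list.

```python
import re
from typing import Dict, List

# Constructed sample: the "list trace" output quoted in the post, used as input.
SAMPLE_TRACE = """\
10:53:19 TRACE STARTED 10/01/2015 CM Release String cold-03.0.124.0-22450
10:53:22     denial event 1644: Orig block/invalid digits D1=0xa6 D2=0xb103a38
10:53:22     active station      1293 cid 0x3a38
10:53:22     denial event 3731: Incompatible caps for end D1=0x7f00007f D2=0xa6
10:53:22     denial event 2300: Ept capabilities mismatch D1=0x4 D2=0x4
"""

# One "denial event" line: timestamp, numeric code, free-text reason, two hex data words.
DENIAL_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+denial event (?P<code>\d+):\s+"
    r"(?P<reason>.*?)\s+D1=(?P<d1>0x[0-9a-fA-F]+)\s+D2=(?P<d2>0x[0-9a-fA-F]+)\s*$"
)

# Assumption of this example: the two denial codes seen alongside the failed
# encrypted call in the thread are grouped as "capability mismatch" events.
CAPABILITY_MISMATCH_CODES = {3731, 2300}


def parse_denials(trace: str) -> List[Dict[str, object]]:
    """Return every denial event in a list trace dump, in order of appearance."""
    events: List[Dict[str, object]] = []
    for line in trace.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue  # TRACE STARTED, active/idle station and dial lines are skipped
        events.append({
            "time": m.group("time"),
            "code": int(m.group("code")),
            "reason": m.group("reason"),
            "d1": int(m.group("d1"), 16),
            "d2": int(m.group("d2"), 16),
        })
    return events


def capability_mismatches(trace: str) -> List[int]:
    """Codes of the denial events that indicate a media-capability mismatch."""
    return [e["code"] for e in parse_denials(trace)
            if e["code"] in CAPABILITY_MISMATCH_CODES]


def looks_like_encryption_mismatch(trace: str) -> bool:
    """True when both mismatch codes appear, the pattern seen after enabling aes."""
    return CAPABILITY_MISMATCH_CODES.issubset(set(capability_mismatches(trace)))


if __name__ == "__main__":
    for event in parse_denials(SAMPLE_TRACE):
        print(f"{event['time']} {event['code']} {event['reason']}")
    print("capability mismatch pattern:", looks_like_encryption_mismatch(SAMPLE_TRACE))
```

Run against a trace captured after a codec-set change, the parser gives a quick yes/no on whether the failure is the capability-mismatch pattern rather than a dialing or routing denial such as event 1644.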

 
What about your link encryption settings on your media gateways?
 
The media gateways are set to Link Encryption Type: any-ptls/tls.
 
How did you set your phone in the test region? Did you use the IP-Network-Map and assign your IP Address to the test region?

Make sure the test region is in the same location as your normal region. That way you will use the same AAR and ARS tables for when dialing.

If you set your station and the test region in a different location then you'll need to set up the ARS and AAR tables so you can dial out.
 
Correct, I set my region in ip-network-map by my IP address, and my test region is set to the correct location and works perfectly if I turn media encryption off.
 
Ah. What's probably happening is that you only have one encryption set for your test region, forcing all calls to the processor and other gateways to be encrypted.
That's exactly what you want, except the other network regions are using a different codec without any encryption. There is a problem with an encryption mismatch.

One way to fix it is to set the media encryption on your test codec to:

1: aes
2: none

and set the media encryption as the opposite on the codec used by the rest of the company:

1: none
2: aes

Now the phones in the normal region will be able to negotiate with the phone in the test region and should use aes while calls within the region will remain without encryption.

I'm making other assumptions, such as allowing Direct IP-IP audio and that the same "normal" codec is used everywhere else.
 
I actually thought this also, so I scheduled after hours to set all the codecs used to aes, and got the same results across the board, so now I'm resorting to playing with a single region since I can play with my test phone at all hours of the day.

We use codec set 1 G711MU primary, 2 G.726A-32 for WAN, 3 G711MU for testing and 5 G711MU for voicemail.
We also have 5 media gateways and 3 locations.

Location 1 has 1 media gateway and is region 1 as well as test region 4
Location 2 has 2 media gateways and is region 2
Location 3 has 2 media gateways and is region 3

We have done all our testing from Location 1; when we changed all codecs to aes there was no dial tone in region 1 or 4.

One thing we noticed was under change ip-network-map we have a network mapping for regions 2, 3, and 4 but none for region 1; not sure if that would cause a problem.

Also, yes, both Inter/Intra-region IP-IP Direct Audio are set to yes.
 
IP-Network-Map:
Any IP Ranges not defined will default to region 1. Your setup is not wrong if that works for you.

Here's some example settings.

IP-Network Regions:

Page 1: The Codec Set here defines what codec phones use talking within the region.

Regions 1 and 2 are set to use IP-Codec Set 1 for in-region calls.
Code:
display ip-network-region 1                                     Page   1 of  20
                               IP NETWORK REGION
  Region: 1
Location:         Authoritative Domain: company.com
    Name: Main Region           Stub Network Region: n
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n

Page 4 and on: The Codec set here defines how regions will talk to each other.

Code:
display ip-network-region 1                                     Page   4 of  20

 Source Region: 1     Inter Network Region Connection Management     I       M
                                                                     G  A    t
 dst codec direct   WAN-BW-limits   Video      Intervening      Dyn  A  G    c
 rgn  set   WAN  Units    Total Norm  Prio Shr Regions          CAC  R  L    e
 1    1                                                                all
 2    2     n                                   10:   :   :          n       t
 3    2     n                                   10:   :   :          n       t
 4    2     n                                   10:   :   :          n       t
 5    2     n                                   10:   :   :          n       t
 6    2     n                                   10:   :   :          n       t
 7    2     n                                   10:   :   :          n       t
 8    2     n                                   10:   :   :          n       t
 9    3     n                                   10:   :   :          n       t
 10   4     y    NoLimit                                             n       t

IP Regions are not Direct WAN connected to keep resources separate: Phones in Region 1 will not use DSP resources on the gateway in Region 2.
Region 10 is a "virtual" region or can be considered the WAN: All Regions are directly connected to the WAN that acts as the intervening region.
Direct WAN connections are fine, too, if you don't worry about gateway resources.


Code:
display ip-codec-set 1                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 1

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:
 3:
 4:
 5:
 6:
 7:


     Media Encryption
 1: none
 2: aea
 3:

Code:
display ip-codec-set 2                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 2

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.726A-32K        n         2        20 
 2:
 3:
 4:
 5:
 6:
 7:


     Media Encryption
 1: aea
 2: none
 3:


Region 1 phone to Region 1 phone: G711 and no encryption (IP-Codec set 1)
Region 2 phone to Region 2 phone: G711 and no encryption (IP-Codec set 1)
Region 1 phone to Region 2 phone: G726 and aea encryption (IP-Codec set 2)

You can status station X to see what codec is used during a call:

Code:
status station 104                                              Page   7 of   8
                      SRC PORT TO DEST PORT TALKPATH
src port: S30017
S30017:TX:172.30.98.32:65496/g711u/20ms/1-srtp-aescm128-hmac80
S04449:RX:172.30.98.11:2472/g711u/20ms/1-srtp-aescm128-hmac80

This call is using G711 and 1-srtp-aescm128-hmac80 encryption.

I hope this points you in the right direction.
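
The codec-set dumps and the `status station` talkpath above are the two places where the configured and the actually negotiated media encryption can be compared. The following is an added example, not code from the thread or from Avaya: a Python audit that parses the Media Encryption preference list out of a `display ip-codec-set` dump, parses the TX/RX legs out of a `status station` page 7 talkpath, and reports whether the call ran encrypted, whether the codec set still permits `none`, and whether the observed suite is one the codec set lists at all. The dumps embedded below are constructed samples in the format quoted in this post (codec set 1 as shown above, one encrypted talkpath and one cleartext talkpath); the suite-name matching between codec set and talkpath is this example's assumption, based only on the names that appear in this thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: codec set 1 as shown in this post (none first, aea second).
CODEC_SET_1 = """\
display ip-codec-set 1                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 1

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:

     Media Encryption
 1: none
 2: aea
 3:
"""

# Constructed samples in the format of "status station" page 7.
ENCRYPTED_CALL = """\
                      SRC PORT TO DEST PORT TALKPATH
src port: S30017
S30017:TX:172.30.98.32:65496/g711u/20ms/1-srtp-aescm128-hmac80
S04449:RX:172.30.98.11:2472/g711u/20ms/1-srtp-aescm128-hmac80
"""

CLEARTEXT_CALL = """\
                      SRC PORT TO DEST PORT TALKPATH
src port: S00127
S00127:TX:172.20.51.5:2612/g711u/20ms
S00064:RX:172.20.50.173:2202/g711u/20ms
"""

ENC_HEADER = re.compile(r"^\s*Media Encryption\s*$")
NUMBERED_SLOT = re.compile(r"^\s*(\d+):\s*(\S*)\s*$")
# One talkpath leg: port:direction:ip:udp/codec/ptime[/encryption]
LEG_RE = re.compile(
    r"^(?P<port>S\d+):(?P<direction>TX|RX):(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<udp>\d+)"
    r"/(?P<codec>[^/\s]+)/(?P<ptime>\d+ms)(?:/(?P<enc>\S+))?\s*$"
)


def parse_media_encryption(dump: str) -> List[str]:
    """Ordered Media Encryption entries of a codec-set dump; empty slots are skipped."""
    prefs: List[str] = []
    in_section = False
    for line in dump.splitlines():
        if ENC_HEADER.match(line):
            in_section = True
            continue
        if in_section:
            m = NUMBERED_SLOT.match(line)
            if not m:
                break  # end of the numbered list
            if m.group(2):
                prefs.append(m.group(2))
    return prefs


def parse_legs(talkpath: str) -> List[Dict[str, Optional[str]]]:
    """One dict per TX/RX leg of a status station talkpath; header lines are ignored."""
    return [m.groupdict() for m in (LEG_RE.match(l.strip()) for l in talkpath.splitlines()) if m]


def audit_call(talkpath: str, codec_set_dump: str) -> Dict[str, object]:
    """Compare what the call negotiated against what the codec set allows."""
    legs = parse_legs(talkpath)
    prefs = parse_media_encryption(codec_set_dump)
    observed = sorted({(leg["enc"] or "none") for leg in legs})
    encrypted_flags = [s != "none" for s in observed]
    if not legs:
        state = "no-legs"
    elif all(encrypted_flags):
        state = "encrypted"
    elif any(encrypted_flags):
        state = "partial"
    else:
        state = "cleartext"
    return {
        "state": state,
        "legs": len(legs),
        "observed": observed,
        "allows_cleartext": any(p.lower() == "none" for p in prefs),
        "unexpected_suites": [s for s in observed if s != "none" and s not in prefs],
    }


if __name__ == "__main__":
    print(audit_call(ENCRYPTED_CALL, CODEC_SET_1))
    print(audit_call(CLEARTEXT_CALL, CODEC_SET_1))
```

For the encrypted sample the audit reports `state: encrypted` but also lists `1-srtp-aescm128-hmac80` under `unexpected_suites`, because codec set 1 as dumped only names `none` and `aea`; that is exactly the sort of discrepancy worth noticing when the goal is to prove every call is encrypted. A codec set whose `allows_cleartext` is true is one that can still negotiate an unencrypted call.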

 
Here are my settings for network region 1
Code:
isplay ip-network-region 1                                     Page   1 of  20
                               IP NETWORK REGION
  Region: 1
Location: 1       Authoritative Domain: ironport.npci.com
    Name: Headquarters          Stub Network Region: n
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
Code:
display ip-network-region 1                                     Page   4 of  20

 Source Region: 1     Inter Network Region Connection Management     I       M
                                                                     G  A    t
 dst codec direct   WAN-BW-limits   Video      Intervening      Dyn  A  G    c
 rgn  set   WAN  Units    Total Norm  Prio Shr Regions          CAC  R  L    e
 1    1                                                              n all
 2    4     y    NoLimit                                             n       t
 3    2     y    NoLimit                                             n       t
 4    3     y    NoLimit                                             n       t
 5    4     y    NoLimit                                             n       t
 6
 7
 8
 9
 10   1     y    NoLimit                                             n       t
 11
Below are my codecs; I set them to reflect your example.
Code:
display ip-codec-set 1                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 1

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:
 3:
 4:
 5:
 6:
 7:


     Media Encryption
 1: none
 2: aea
Code:
isplay ip-codec-set 3                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 3

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:
 3:
 4:
 5:
 6:
 7:


     Media Encryption
 1: aes
 2: none
Here is a test call from my station 1293 in network region 1 to 1184, which is in network region 4. I have dial tone with the codecs set your way, but I show no encryption.
Code:
status station 1293                                             Page   7 of   8
                      SRC PORT TO DEST PORT TALKPATH
src port: S00127
S00127:TX:172.20.51.5:2612/g711u/20ms
S00064:RX:172.20.50.173:2202/g711u/20ms
 
Huh.
So I'm playing around now and I'm getting mixed results.

IP Regions 10 (test) and 101 are Direct WAN, codec 7.


Code:
display ip-codec-set 7                                          Page   1 of   2

                          IP CODEC SET

    Codec Set: 7

    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU           n         2        20
 2:
 3:
 4:
 5:
 6:
 7:


     Media Encryption
 1: none
 2: 1-srtp-aescm128-hmac80
 3:

Call to test region 10 from 101:
Code:
                      SRC PORT TO DEST PORT TALKPATH
src port: S46586
S46586:TX:172.24.20.51:2200/g711u/20ms
S41728:RX:172.30.98.20:2698/g711u/20ms

No encryption, as expected.

Change IP-Codec 7 to
Code:
     Media Encryption
 1: 1-srtp-aescm128-hmac80
 2: 
 3:

and the call looks like:

Code:
                      SRC PORT TO DEST PORT TALKPATH
src port: S46586
S46586:TX:172.24.20.51:2200/g711u/20ms/1-srtp-aescm128-hmac80
S41728:RX:172.30.98.20:2698/g711u/20ms/1-srtp-aescm128-hmac80

Again, as expected. However, when changed to
Code:
     Media Encryption
 1: aea
 2: 
 3:

The call fails. That was unexpected.

AES also works:
Code:
                      SRC PORT TO DEST PORT TALKPATH
src port: S46586
S46586:TX:172.24.20.51:2200/g711u/20ms/aes
S41728:RX:172.30.98.20:2698/g711u/20ms/aes

I think there's something about AEA that I don't understand. Why don't you try a different encryption and see if your results change?
 
If I change ip-codec-set 3 to aes or 1-srtp-aescm128-hmac80 and remove none, my phone in region 4 has no dial tone, and when I try calling from my extension in network region 1 to 1184 in region 4 nothing happens and I receive the below in a list trace sta 1293. It seems something is missing entirely.

Code:
13:29:03     dial 1184
13:29:03     reorder station      1184 cid 0x8e7
13:29:03     denial event 3731: Incompatible caps for end D1=0x7f000040 D2=0x67
13:29:03     denial event 2300: Ept capabilities mismatch D1=0x4 D2=0x4
13:29:07     idle station      1293 cid 0x8e7
13:29:32     active station      1293 cid 0x8ed
 
Well, I'm stumped. I thought it was pretty easy...

We're probably overlooking something very simple but I can't figure it out.
 
Yes, it has me stumped as well. Every time I call Avaya for guidance they want to charge $200 an hour to reconfigure; when I tell them I don't need them to reconfigure, I just need to know what needs to be changed to enable this, they respond with "we don't know." I would just like to know what I'm doing wrong. We should not have to spend more money on top of what we already pay just to receive support. Also, in my opinion, "I don't know" should not be in support's vocabulary.
 
Making some progress: I added none to encryption and now I get dial tone, but it's only encrypted one way.

Calls from region 1 to region 4 are encrypted
Calls from region 4 to region 1 are not encrypted
Calls from region 4 to region 4 are not encrypted

It seems like I have to leave none in there to receive dial tone.
 
We were able to figure this out after a lot of tickets and jumping through a lot of hoops. I was going about setting this up correctly, but we found through troubleshooting that we were running firmware version S9608_11HALBR6_6_0_29U_V474, and that disables media encryption. We upgraded the phones to S9608_11HALBR6_6_0_29_V474 and encryption now works as it should.
 
Hurrah! Thanks for the update.

Sorry I couldn't help you out but at least you have it working!
 
So did Avaya charge you $200/Hr to let you know they had a bug in their phone software?
 
Also, there is an issue with encryption and 9608/96x1 IP phones and firmware 6.6.0.29. There is a PSN or PCN that points to a fixed version 6.6.0.32.
 
No, we did not have to pay; we went back to IBM, who did the install, and their support got it ironed out for us. I will have to look up the issue with 6.6.0.29 as we are still running it, but so far it's been running solid without issue.
 