Securing Nortel 1140e using SRTP 2

[sinnor]

Anyone with experience with enabling SRTP on Nortel 1140e on CS1000 system?

We are trying to enable or make our calls secure but from research it looks like we need to get an SMC 2650 box to do the securing. The 2650 box is a Secure Multimedia Controller. Is this box needed or can the Signalling Server do the securing?

Thanks,
Mo.

 

[dulfo666]

You need an MC32S card. On Rls 5.x

 

[PareshTC]

For IP Phone to IP Phone calls you would need to add the components to ISEC config, some commands in LD 117.

Then enable the MSEC in PARM and define the keys to be used by the IP phones.

Fianlly you need to enable the MSEC in the CLS for the individual IP phones.

You need to have the latest firmware and Phase2 Ip phones for this to work

 

[sinnor]

Thanks guys.

So you don't need an SMC 2650 box to handle the security?

 

[gwebster]

The SMC 2450 provides encryption of the signaling between the CS 1000 and the IP Phones. SRTP provides encryption of the media (voice) between two IP Phones or between and IP Phone and the MC32S.

 

[PareshTC]

@gwebster

Good point, I missed that fact.

 

[sinnor]

It has been a while but we finally got the SRTP encryption enabled with the latest firmware on sets, SS, Media Gateway cards but a weird problem is happening and that is randomly 1140e would lockup/freeze on an incoming call or even an outgoing and then make a really loud buzzing/humming noise, normaly a reboot fixes the problem but we are having a hard time fixing this problem.

- All devices have latest firmware
- Didn't happen prior to enabling encryption and we had the IP system about 2yrs before.
- There is a Nortel Bulletin about DOS attack but doesn't seem like it as a reboot fixes the problem and if it was a DOS after a reboot the same IP address would get hit but that is not the case.
- We have escalated this issue and we are told to get the new firmware fix from July/07/09.
- we also have about 150 I2004p2 and it doesn't happen with those sets only 1140e.

Questions
- Has anyone encountered this?
- Are people running CS1000 5.0 with 1140e and encryption enabled?
- What could cause this...I am thinking it has to do with some type of negotiation for security but that doesn't make sense as it freezes when calling a regular analog or digital line that can't do security.

Appreciate any response.

Regards,

Mo.

 

[cv8devil]

Hi Mo,
at the site I am at we are running 1120E, 1140E and 1150E handsets on rlse 5.5 with encryption. We aren't experiencing the issue you describe.

 

[sinnor]

Are you doing the encryption using the SMC 2450 box or just the srtp method?

Thanks.

 

[gwebster]

You are confusing two things.. Media encryption uses SRTP and the MC32S. Signalling encryption uses the SMC 2450.

 

[cv8devil]

Only media encryption, which as gwebster has indicated uses SRTP and the MC32S.

 

[shogaxx]

sinnor out of interest, what firmware are you using on your 1140e model phones? What release did nortel say would resolve this issue? Have you tried changing the SRTP-PSK payload type?

 

[sinnor]

We have all the latest firmware to date. We were behind on 1 firmware that came out a few days after we did the last update. Anyhow, we are running 0625C6R on the 1140e.

New Update
The issue is happening without security enabled so I am going to have to rule out security at this point causing the issue.

The techs think it's a bad port on the media card so I asked them if that was the cause why doesn't our 2004p2 have this problem as we have a higher chance of using all ports from I2004 due to the fact that we have more I2004 models than 1140e.

This issue is random with no pattern. I have not had this issue occur twice on the same phone. I will update once I get more information from the techs/engineer.

Mo.

 

[shogaxx]

I had a read through the bulletins and Nortel recently added the option to change the SRTP-PSK payload type because of potential conflicts with other protocols (from C6O I believe).

Perhaps changing this option on all the phones (so there are no miss matches). Two end points with different SRTP-PSK payload types wont set-up encryption.

I would also making sure the media cards`s patches are up to date (normal response from nortel).

 

[tdavey]

hi sinnor

Did you resolve the buzzing noise on the phones. We are having the exact same problems.

 

[kjones2020]

Same thing happened here and the phones were on firmware version c6o so I moved everyone back to 0625c6j and I haven't heard about the issue since which has been over a month.

 

[danielbernardibr]

forgot smc2450... no support.. a lot of issues...

ntvq01bb = mc = don´t support SRTP

smc2450 = firewall+unistim cript = cript signaling only, but a lot of issues with cs1k new releases.

mc32s = srtp / no cript signaling

cs1k 6.0 > cript singnaling with DTLS

you can mix cards. in release 6, you can define if call is secure, must be secure or no secure.