Cisco Cisco IOS XE 3.13S
• H.323 call setup generates encryption keys are carried to the remote end.
• Once the OGW receives remote end capabilities indicating the TGW is secure capable, the call is secure.
If the previous behaviors do not occur, the call is not secure, and depending on the fallback policy configured, the call is disconnected.
Both IPSec and SRTP must be enabled for voice call security. Possible interactions of IPSec and SRTP and the resulting outcomes
are listed in
are listed in
Table 2: IPSec and SRTP Interactions, on page 5
.
Table 2: IPSec and SRTP Interactions
Result
SRTP
IPSec
Call signaling and media are both secure.
ON
ON
Media is secure; however, signaling is
not secure. Keys are visible in signaling
messages in clear text.
not secure. Keys are visible in signaling
messages in clear text.
ON
OFF
Signaling is protected; however, media
is not secure.
is not secure.
OFF
ON
Both media and signaling are not secure.
OFF
OFF
We strongly recommend that you first establish an IPSec connection between gateways before you configure
security using SRTP. Otherwise, media keys will be sent in clear text and your voice call will not be
considered secure.
security using SRTP. Otherwise, media keys will be sent in clear text and your voice call will not be
considered secure.
Note
Cisco IOS H.323 Gateway Behavior
In order to secure voice call control and signaling, IPSec is configured on both gateways and gatekeeper (GK), if any, with a preshared
key. Upon bootup, the gateway and GK, if any, authenticate each other by preshared key. After successful authentication, IPSec starts
secured traffic in tunnel mode. After IPSec is started, the gateway sends Registration, Admission, and Status (RAS) messages to the
GK through secured IPSec tunnel. H.225 call control messages between gateways flow through the secured IPSec channel established
between them. IPSec configuration on both gateways, OGW and TGW, is required before voice calls can be placed. Cisco recommends
hardware Virtual Private Network (VPN) on the gateway for improved performance. After the IPSec tunnel is established, all call
control signaling H.225 and H.245 packets between gateways go through the secured IPSec tunnel. OGW and TGW then determine
if an endpoint is SRTP and SRTCP capable and send this information to the other end.
key. Upon bootup, the gateway and GK, if any, authenticate each other by preshared key. After successful authentication, IPSec starts
secured traffic in tunnel mode. After IPSec is started, the gateway sends Registration, Admission, and Status (RAS) messages to the
GK through secured IPSec tunnel. H.225 call control messages between gateways flow through the secured IPSec channel established
between them. IPSec configuration on both gateways, OGW and TGW, is required before voice calls can be placed. Cisco recommends
hardware Virtual Private Network (VPN) on the gateway for improved performance. After the IPSec tunnel is established, all call
control signaling H.225 and H.245 packets between gateways go through the secured IPSec tunnel. OGW and TGW then determine
if an endpoint is SRTP and SRTCP capable and send this information to the other end.
Figure 1
shows a typical topology where voice security features are deployed.
5