RSA key pair
cube1(config)#crypto key generate rsa general-keys label cube1 modulus 2048
The name for the keys will be: cube1
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
KPItrustpoint
cube1(config)#crypto pki trustpoint cube1-certificate
cube1(ca-trustpoint)#enrollment terminal pem
cube1(ca-trustpoint)#subject-name CN=cube1.dcloud.cisco.com
cube1(ca-trustpoint)#revocation-check none
cube1(ca-trustpoint)#rsakeypair cube1
cube1(ca-trustpoint)#hash sha256
download root
![Microsoft Active Directory Certificate Services dcloud-CA
Download a CA Certificate Certificate Chain or CRL
To trust certificates issued from this certification authoriW, this CA certificate
To download a CA certificate, certificate chain, or CRI_, select the certificate and encoding method
certificate:
Current [dcloud-CA]
Encoding method:
ODER
• Base
nstall CA certificate
Download CA certificate
Download CAcertificate c ain
Download latest base CRL
Download latest delta CRL](https://lh6.googleusercontent.com/v1X375FNSSU0pbHUtAHSfl-AutDanDGGI1ulR3s4lB5-tyt4JeKoY8WdAr7CxVqS5Oaj1ZjbktXMqiasQMLVdsoh8exV1jojSKPEXKhco1vkNqy2jcsKnf6ouRxabU0jKznp0SVn)
open it on wordpad, copy
open aSSH session onCUBE, copy & paste
cube1(config)#crypto pki authenticate cube1-certificate
Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIQM9+yOAbFS4ZDuwAiOVofnDANBgkqhkiG9w0BAQsFADBY
MRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28xFjAU
BgoJkiaJk/IsZAEZFgZkY2xvdWQxEjAQBgNVBAMTCWRjbG91ZC1DQTAeFw0xODEx
MTAxOTIyMThaFw0yODExMTAxOTMyMTdaMFgxEzARBgoJkiaJk/IsZAEZFgNjb20x
FTATBgoJkiaJk/IsZAEZFgVjaXNjbzEWMBQGCgmSJomT8ixkARkWBmRjbG91ZDES
MBAGA1UEAxMJZGNsb3VkLUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAurm71uDcNgn3+CBxpRxRz1FjHpWjnJI2yhtTJqExMNrYqFbU2fi4F1SkGPIc
+knuFIsptAsf1hJ5wD9UVWqSCXF+v3Kxl9ZyxWPLTf6lnHSBjPpCrb0XxZqO/qj+
tjxoiFdirjYEmnFSPcSO/eulGSrhL2rrkifMnNnfNrqFk+JXCM4eICglGSvQ2VMF
x6yPALnK6zXwj422/bBzQ5XpWqVa8rjyGVasRwrnWgXVH9w0QlSgQ/IxlkhyEU9U
5YjUhtWaWqE2oSmHpGxgx/5/Lb+spEMIrntIMDTkdsYpZWYxdphQNc1uX3SMfOuF
XdSpe6A8NGH3SlBGqV/w6OHC3wIDAQABo2kwZzATBgkrBgEEAYI3FAIEBh4EAEMA
QTAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPpa3
miD2TsTPAkAW05g1J94uztgwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEL
BQADggEBAGZo23oEnjcJi+Ixtu4zm3vk2H4QuBjJ+fwNaGe2E79ZvZpcYOjuKm3z
jwtcKxPgqC3Ocy26vJfHgGLYY1hkElIfhLO3Lbnqu7XHR9WzsJ9wdmpeF8rzYqNL
+4udiHeyTws/1aSzREn+tA9Lk54D31NAQwb+gGUUTtDwkbOTu3Xu4ZtBhHfzlnX6
Wbwwn5juhqLr0CXpoKxKFXLWrAyKSa2cDvEJ8EY5NsjSgXfJtCGBcBJM7ac0jwWM
8CXvWqB5LZjDja6coDvZx+AZf5YDxHl7ef//WkGLmINXdKFfyNTYoL6v4RsBV6aP
Qx29zrqqPgyywwwoK/sUpUVOAsK2pvU=
-----END CERTIFICATE-----
Certificate has the following attributes:
Fingerprint MD5: 9E9F2B6E 9B6D6FFA 345FF711 E8960550
Fingerprint SHA1: 4D26DA65 949245D6 11A7DE78 17B55EF0 A290D408
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
generate CUBE CRS
cube1(config)#crypto pki enroll cube1-certificate
% Start certificate enrollment ..
% The subject name in the certificate will include: CN=cube1.dcloud.cisco.com
% The subject name in the certificate will include: cube1.dcloud.cisco.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 9R9DK9P4EBV
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
MIICwjCCAaoCAQAwXDEfMB0GA1UEAxMWY3ViZTEuZGNsb3VkLmNpc2NvLmNvbTE5
MBIGA1UEBRMLOVI5REs5UDRFQlYwIwYJKoZIhvcNAQkCFhZjdWJlMS5kY2xvdWQu
Y2lzY28uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxG6ooWcs
w1k3O+L1uazKYtCp9N4rfay177VXY/GfOw00+fsuQubH/rJNqRIXb0F4GX82TfiR
dAbGA5mUQ2gVVz/c4xKTDXtg1/wNUKgpSCcebLwDN9L69nN+foj/SYIE092Tk7LH
5K4m625MCUBn82vyXEaE/9QmWFIGH8q2sw5GXI+HGPhtj20paeQTosk1/NsCNtGH
tLi5QJoyl/V3FXdsA8IANmj8J8ycFHiDKwm1WeI4ExbbRrwRLHAlodInDDPznxpK
pBYYmhdav6+d7SAh0dj12RU/Y197Y5ElzwNGaOSfVcXeMmpqXB3QONDTr23GUDGm
7cBnNAyLGmrH3wIDAQABoCEwHwYJKoZIhvcNAQkOMRIwEDAOBgNVHQ8BAf8EBAMC
BaAwDQYJKoZIhvcNAQELBQADggEBAEp10DkBWuot78zzfrf+RwKonRrq5x2aXXB7
9aiM24pBML4qp38EQI5Sdxbfrz7f5FxaTNksVpKlmQsnOH6uvUjVqirV5JUHPjSz
P86s6+jcWv813jlQMZPu220rT6+EUR8H++7/y/B3UXdOn3YUQeOurOf+MIBf1kZj
ElOMkcuqhpLZ3r3GjOcDf8n0fFpP68BcQGGNufGZ66BqG9qS7TblIQ2E/FjKZIcG
ARIyp/pflOcwEdDueb0/tFXiGRwHkIozzXr0EttmSsLqUWmi52iGAG9lx9ZzoP7m
CWjeKEBS4J7mFPfZ4evmWywgaooPG7lYUtFzyTkMaqxzM02NwGI=
-----END CERTIFICATE REQUEST-----
---End - This line not part of the certificate request---
Redisplay enrollment request? [yes/no]: no
copy CSR to CA webpage
wordpad openes CUBE.cer copy & paste to CUBE
cube1(config)#crypto pki import cube1-certificate certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAgITbgAAABt/5CHe1E+WggAAAAAAGzANBgkqhkiG9w0BAQsF
ADBYMRMwEQYKCZImiZPyLGQBGRYDY29tMRUwEwYKCZImiZPyLGQBGRYFY2lzY28x
FjAUBgoJkiaJk/IsZAEZFgZkY2xvdWQxEjAQBgNVBAMTCWRjbG91ZC1DQTAeFw0x
OTEyMDYyMzAyNDJaFw0yNDEyMDQyMzAyNDJaMCExHzAdBgNVBAMTFmN1YmUxLmRj
bG91ZC5jaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE
bqihZyzDWTc74vW5rMpi0Kn03it9rLXvtVdj8Z87DTT5+y5C5sf+sk2pEhdvQXgZ
fzZN+JF0BsYDmZRDaBVXP9zjEpMNe2DX/A1QqClIJx5svAM30vr2c35+iP9JggTT
3ZOTssfkribrbkwJQGfza/JcRoT/1CZYUgYfyrazDkZcj4cY+G2PbSlp5BOiyTX8
2wI20Ye0uLlAmjKX9XcVd2wDwgA2aPwnzJwUeIMrCbVZ4jgTFttGvBEscCWh0icM
M/OfGkqkFhiaF1q/r53tICHR2PXZFT9jX3tjkSXPA0Zo5J9Vxd4yampcHdA40NOv
bcZQMabtwGc0DIsaasffAgMBAAGjggJtMIICaTAOBgNVHQ8BAf8EBAMCBaAwHQYD
VR0OBBYEFBO7mCnNjH6MetBPFfO/TAt4qSICMB8GA1UdIwQYMBaAFD6Wt5og9k7E
zwJAFtOYNSfeLs7YMIHKBgNVHR8EgcIwgb8wgbyggbmggbaGgbNsZGFwOi8vL0NO
PWRjbG91ZC1DQSxDTj1DQSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2Vydmlj
ZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1kY2xvdWQsREM9Y2lz
Y28sREM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RD
bGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBwwYIKwYBBQUHAQEEgbYwgbMwgbAG
CCsGAQUFBzAChoGjbGRhcDovLy9DTj1kY2xvdWQtQ0EsQ049QUlBLENOPVB1Ymxp
YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24s
REM9ZGNsb3VkLERDPWNpc2NvLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2Jq
ZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTA8BgkrBgEEAYI3FQcELzAt
BiUrBgEEAYI3FQiDtZJPg8jodIf9kT2BpI00sY8dMIaCy1WE8roVAgFkAgEEMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAnBgkrBgEEAYI3FQoEGjAYMAoG
CCsGAQUFBwMBMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQA7Esjt0MGR
CWixwwX+fxxwhtM3WtvEVbsAjwqb4AYSnAZZYG9Xr1VlAdJUh0dRBFLZY5GWdPRQ
rrYJAq8L9D+mv3KoqJes/p6O20x3P2dSPgUaCaDE54IgkICzkQeY4BSTDa3dabob
sWMaBojwPIPowdrpTyxNmKDgif6uFoic2ADBTVCpcJCrTSTegu1L/dlSs2SPuULv
VMcH2M+0sP0c1DMvx1Bo9bi0rsBY1p5OzS0Vx/jlyY9L0M2M9z61Vg05uhhJDQhD
6iDMnJTebQxSv8A2huXTwK0YgfGIOuzTMxgryuN/oEy90RACJBgpRp44NAlPDWnf
VToXyidwOnJh
-----END CERTIFICATE-----
% Router Certificate successfully imported
enable signal encryption, IP is CUBE
cube1(config)#sip-ua
cube1(config-sip-ua)#crypto signaling remote-addr 198.18.133.3 255.255.255.255 trustpoint cube1-certificate
Dial-peer enable TLStransport
dial-peer voice 300 voip
description *** Inbound LAN side dial-peer ***
translation-profile incoming hairpin-trans
session protocol sipv2
session transport tcp tls
incoming called-number 9T
voice-class sip pass-thru content sdp
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
dtmf-relay rtp-nte
codec g711ulaw
!
dial-peer voice 400 voip
description *** Outbound LAN side dial-peer ***
destination-pattern 40855511..$
session protocol sipv2
session target ipv4:198.18.133.3
session transport tcp tls
voice-class sip bind control source-interface GigabitEthernet1
voice-class sip bind media source-interface GigabitEthernet1
dtmf-relay rtp-nte
codec g711ulaw
SRTP pass-thru media pass-throu
cube1(config)#voice service voip
cube1(conf-voi-serv)#srtp pass-thru
CUCM, SIP secure profiel
SIP TRUNK
![Trunk Configuration
Unattended Port
ZISRTP Allowed - whan this flag is checked, Encrypted TLS needs to be configured in the network to provide end to end security. Failure to do so "ill expose keys and other information,
Consider Traffic on This Trunk Secure
Route Class Signaling Enabled*
use Trusted Relay point*
C] PSTN Access
When usin both SRTP and TLS
Default
Default](https://lh4.googleusercontent.com/1Qf8OGuU3cIojx0NNsdz1AfFOQj1LQ5Gd_bMUtLX0iR4uvAY7a7fq9zZln-bpFcfUqRROVFqBt6kNzEaTFq74ycZovbJg0PjhWgBT6myER6i5-bqkHCZNggoKmmZNQ5FY9DZO8D2)
show sip-ua calls
show sip-ua connections tcp tls detail
show sip-ua srtp
No comments:
Post a Comment