<!DOCTYPE html
  SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2022"><meta name="DC.rights.owner" content="(C) Copyright 2022"><meta name="DC.type" content="concept"><meta name="description" content="This document describes the steps required to configure a Mediatrix unit loaded with the DGW firmware for secure SIP signalling and secure media (SRTP) operation."><meta name="prodname" content="All Mediatrix Units"><meta name="version" content="DGW 49.50.2809"><meta name="platform" content=""><meta name="DC.date.modified" content="2022-11-10"><meta name="DC.date.issued" content="2022-11-10"><meta name="DC.date.available" content="2022-11-10"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_wvm_clk_ls"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/custom.css"><title>Enabling Security Features in Dgw</title></head><body><header role="banner"><div class="topicmeta title">Enabling Security Features in Dgw</div><div class="topicmeta date">2022-11-10</div><div class="topicmeta product">All Mediatrix Units</div><div class="topicmeta version">DGW 49.50.2809</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/45482024/Enabling%20Security%20Features%20in%20Dgw%20Firmware.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_wvm_clk_ls">Enable Security Features in DGW </a></li><li><a href="#concept_c2k_rvl_ls">TLS-Enabled Server/Proxy Installation with openSIPS</a></li><li><a 
href="#concept_bxv_zxl_ls">Certificates</a></li><li><a href="#concept_ibt_nvk_ls">Basics of Security Exchanges</a></li><li><a href="#topic_title_Enabling_Security_Features_d1e18">Enabling Security Features</a><ul><li><a href="#task_fqx_v1m_ls">Importing Certificates on the Mediatrix Unit</a></li><li><a href="#task_q4b_b5r_2s">Adding the OpenSIPS Gateway</a></li><li><a href="#task_ozm_q4s_ls">Assigning a Specific Registrar Server to the OpenSIPS Gateway</a></li><li><a href="#task_u2v_5cc_gs">Assigning a Specific Proxy Server to the OpenSIPS Gateway</a></li><li><a href="#task_fth_kjs_ls">Enabling Secure Signaling (TLS)</a></li><li><a href="#task_tqz_gct_ls">Enabling Secure Media (SRTP) on All Endpoints</a></li><li><a href="#unique_929149503829769458">Enabling Secure Media (SRTP) on a Specific Endpoint</a></li></ul></li><li><a href="#topic_title_Troubleshooting_d1e26">Troubleshooting</a><ul><li><a href="#task_mfv_4qf_ms">Enabling TLS Debugging on Wireshark</a></li><li><a href="#concept_ayr_rhg_ms">REGISTER Messages Not Being Answered</a></li><li><a href="#concept_plg_gmg_ms">Server Internal Error (or Similar Messages)</a><ul><li><a href="#task_jfr_hgh_ms">Enabling Interop Variables</a></li></ul></li><li><a href="#concept_zcd_4pg_ms">Mikey and SDES Mismatch</a></li><li><a href="#unique_1459269312665145364">Audio Issues with Secured Media (SRTP)</a></li></ul></li><li><a href="#reference_nvm_vqg_ms">Annexes</a></li><li><a href="#reference_j4g_nbv_gfb">Online Help</a></li><li><a href="#concept_v4k_q3h_1r">DGW Documentation</a></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_wvm_clk_ls">
 <h1 class="title topictitle1" id="ariaid-title1">Enable Security Features in DGW </h1>
 
 <div class="body conbody"><p class="shortdesc">This document describes the steps required to configure a Mediatrix unit loaded with the
  DGW firmware for secure SIP signalling and secure media (SRTP) operation.</p>
  <p class="p">This is not a complete key-exchange, TLS or general security tutorial. For more information on
   these topics, please see the links section.</p>
  <p class="p">In this scenario, the endpoints used are a Mediatrix 41XX unit and a Mediatrix 4402 BRI
   Gateway. Both Mediatrix units must be loaded with DGW. We will use the freely available openSIPS
    (<a class="xref" href="http://www.opensips.org" target="_blank">http://www.opensips.org</a>) as the SIP proxy and
   configure it for TLS operation.</p>
   <br><img class="image" id="concept_wvm_clk_ls__image_i2y_nsl_ls" src="https://documentation.media5corp.com/download/attachments/45482024/SetupDescription_SecurityFeaturesDgw.png" width="800"><br>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title2" id="concept_c2k_rvl_ls">
  <h1 class="title topictitle1" id="ariaid-title2">TLS-Enabled Server/Proxy Installation with openSIPS</h1>
  <div class="body conbody">
    <p class="p">Using two Mediatrix gateways connected back-to-back using a SIP trunk would be sufficient to
      demonstrate the use of the new security features. However, we prefer to demonstrate the
      configuration of the units and test scenarios in a more real-world environment by using a
      separate TLS-enabled SIP proxy. For this purpose, we have chosen openSIPS as it is free and
      easy to configure for basic use.</p>
    <div class="p">For more information on setting up openSIPS, please refer to the openSIPS installation
      documentation at <a class="xref" href="http://www.opensips.org/docs" target="_blank">http://www.opensips.org/docs</a>.<div class="note note note_note"><span class="note__title">Note:</span> If already completed, skip this section. </div></div>
    <p class="p">Please note that at the time of writing, openSIPS is configured by default to keep the
      TLS links up for a period of 2 minutes. We have made a small code modification that allows the
      links to stay up for 120 minutes. See the annex for more information on how to proceed.</p>
  </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title3" id="concept_bxv_zxl_ls">
  <h1 class="title topictitle1" id="ariaid-title3">Certificates</h1>
  
  <div class="body conbody"><p class="shortdesc">The Mediatrix unit uses digital certificates, which are a collection of data used to
    verify the identity of individuals, computers, and other entities on a network. </p>
    <div class="p">Certificates contain:<ul class="ul" id="concept_bxv_zxl_ls__ul_wjn_v33_ns">
        <li class="li">the certificate's name</li>
        <li class="li">the issuer and issued to names </li>
        <li class="li">the validity period (the certificate is not valid before or after this period) </li>
        <li class="li">the intended use of the certificate, such as:<ul class="ul" id="concept_bxv_zxl_ls__ul_jyv_x33_ns">
            <li class="li">TlsClient: The certificate identifies a TLS client. A host authenticated by this
              kind of certificate can act as a client in a SIP over TLS connection when mutual
              authentication is required by the server.</li>
            <li class="li">TlsServer: The certificate identifies a TLS server. A host authenticated by this
              kind of certificate can serve files or web pages using the HTTPS protocol or can act
              as a server in a SIP over TLS connection.</li>
          </ul></li>
        <li class="li">whether or not the certificate is owned by a Certification Authority (CA)</li>
      </ul></div>
    <p class="p">Although certificates are factory-installed, new ones can also be added. Since TLS
      certificates are validated in terms of time (certificate validity/expiration date, etc.),
      the use of NTP (Network Time Protocol) is mandatory when using the security features.</p>
    <div class="p">The Mediatrix unit uses two types of certificates: <ul class="ul" id="concept_bxv_zxl_ls__ul_bkm_gj3_ns">
        <li class="li">Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a
          host certificate).</li>
        <li class="li">Others: Any other certificate including trusted CA certificates used to certify peers
          (e.g.: a SIP server with TLS).</li>
      </ul></div>
    <div class="p">The Conf, Cwmp, Eth, Fpu, Nlm, Sbc, and SipEp services are considered secure as they require
      certificate validation to establish a secure connection to a remote host. The following
      parameters, available through the CLI, are used to determine whether or not the connection to the
      remote host should be validated with the service certificate. By default, the parameters are
      always set to a value requiring validation.<ul class="ul" id="concept_bxv_zxl_ls__ul_qs1_bnf_r3b">
        <li class="li">Conf.ScriptsTransferCertificateValidation</li>
        <li class="li">Cwmp.TransportCertificateValidation</li>
        <li class="li">Eth.Eap.CertificateValidation</li>
        <li class="li">Fpu.MfpTransferCertificateValidation</li>
        <li class="li">Nlm.PCaptureTransferCertificateValidation</li>
        <li class="li">Sbc.CertificateValidation</li>
        <li class="li">SipEp.InteropTlsCertificateValidation (also available in the DGW Web page under
          SIP/Interop)</li>
      </ul></div>
    <p class="p">The certificates must be uploaded to the Mediatrix units. They define how a Mediatrix unit
      will certify the remote host in order to mark it as secure and suitable for a TLS connection.
      If the Mediatrix unit does not trust the remote certificate (i.e. does not authenticate it
      with either one of the 3 methods: HostName, trustedCertificate, DnsSrv), then the Mediatrix
      unit will not establish the connection.</p>
    <div class="p">By default it is not possible to upload a Host certificate without first clicking on Activate
      unsecure certificate transfer. This is because the certificate upload will be done in clear
      text, which means the private key will be susceptible to interception. Establishing a
      connection without certificate validation, i.e. establishing an unsecure connection, should
      only be used:<ul class="ul" id="concept_bxv_zxl_ls__ul_cyh_b14_nkb">
        <li class="li">for testing purposes,</li>
        <li class="li">if one cannot identify the required CA certificate, or</li>
        <li class="li">if the CA certificate has a mismatched Common Name/Subject Alternative Name (in this
          case there is no fallback; the connection fails if the name does not match).</li>
      </ul></div>
    <div class="p">Certificates are used to secure the following connections:<ul class="ul" id="concept_bxv_zxl_ls__ul_i4n_mbb_br">
        <li class="li">SIP</li>
        <li class="li">Configuration Web pages</li>
        <li class="li">File transfers (scripts, firmwares, etc.) with HTTPS</li>
        <li class="li">Configuration using TR-069</li>
        <li class="li">Wired Ethernet Authentication with EAP (802.1x) </li>
      </ul></div>
    <p class="p">One common use of the host certificate is to allow HTTPS Web access to the unit (in
      this case the device is the TLS server). For more details, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL" target="_blank">Technical Bulletins - Creating a Media5 Host Certificate with
        Open SSL</a> document on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</p>
  </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title4" id="concept_ibt_nvk_ls">
 <h1 class="title topictitle1" id="ariaid-title4">Basics of Security Exchanges</h1>
 <div class="body conbody">
  <p class="p">At the level at which we are working, establishing a TLS connection may seem fairly
   straightforward. However, in practice, at a lower level, there are many additional
   complications to consider in order to ensure protection against various possible attacks.</p>
  <div class="p">Here is an example of an overall exchange that builds a TLS link and brings it
    "up":<ul class="ul" id="concept_ibt_nvk_ls__ul_mhn_sxk_ls">
    <li class="li">
     <ul class="ul" id="concept_ibt_nvk_ls__ul_a4h_txk_ls">
      <li class="li">The client (Mediatrix) initially connects to the server on a configured TCP port (16000 is
       the default source port; the destination port is the configured SIP proxy port).</li>
      <li class="li">The client sends a “Client Hello” message with the supported TLS/SSL protocol version,
       cipher specifications and compression algorithms.</li>
      <li class="li">The server replies with a “Server Hello” message with the selected cipher and the server
       certificate. </li>
      <li class="li">The client verifies the server certificate (validations are configured via the
       TlsCertificateValidation variable).</li>
      <li class="li">The client generates a secret and encrypts it with the server’s public key. This encrypted
       secret is then sent to the server. </li>
      <li class="li">The client and the server use the secret to create the same symmetric encryption key.</li>
      <li class="li">The client and the server switch to encrypted communication by using the previously agreed
       cipher and the key just established.</li>
     </ul>
    </li>
   </ul></div>
  <p class="p">This brief exchange can be seen in the following Wireshark capture.</p>
  <br><img class="image" id="concept_ibt_nvk_ls__image_otc_3ml_ls" src="https://documentation.media5corp.com/download/attachments/45482024/Wireshark_Capture.png" width="800"><br>
  <div class="p">When obtaining the server certificates during the early negotiation, the following information
   will be checked by the client:<ul class="ul" id="concept_ibt_nvk_ls__ul_ix4_yql_ls">
    <li class="li">
     <ul class="ul" id="concept_ibt_nvk_ls__ul_lcg_zql_ls">
      <li class="li">the server's signature,</li>
      <li class="li">the CA (Certification Authority) that signed the certificate,</li>
      <li class="li">that the server identified in the certificate is the same as the one that
       presented it,</li>
      <li class="li">the expiration date of the certificate.</li>
     </ul>
    </li>
   </ul></div>
  <p class="p">If any of these steps fail, the TLS link will not go "up". For those familiar with
   HTTPS, this is essentially the same procedure but using a SIP server/proxy instead of an HTTPS
   server.</p>
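  <p class="p">The checks listed above (who signed the certificate, whether the name in it matches the server that presented it, and whether it is still inside its validity period) and the "link does not go up" outcome can be reproduced in a few lines. The following Go program is an added example written for this page; it is not code from Media5, from the DGW firmware or from openSIPS. It generates a throw-away lab CA and two server certificates in memory, starts a TLS server on the loopback interface that stands in for the proxy, and plays four client handshakes: trusted CA with matching name, CA not imported (the "Other" certificate missing on the unit), name mismatch, and an expired certificate, which is also what a wrong clock without NTP produces. The names <code class="ph codeph">sip.lab.example</code>, <code class="ph codeph">other.lab.example</code> and "Lab CA" are made up for the example.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcome of one handshake attempt: did the TLS link come "up", and if not,
// which client-side check refused the server certificate.
type Outcome struct {
	Up     bool
	Reason string
}

// issueCert creates a key pair and a certificate for tmpl. With parent == nil the
// certificate is self-signed (our constructed lab CA); otherwise parent/parentKey sign it.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverTemplate describes a TlsServer-style certificate for a SIP proxy called name.
func serverTemplate(serial int64, name string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// handshake runs the client side of one TLS handshake against an in-process server
// (standing in for the openSIPS proxy) and returns the client's verification error.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, roots *x509.CertPool, serverName string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		_ = c.(*tls.Conn).Handshake() // server side; the client reports the result
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots, // plays the role of the "Other" certificates imported on the unit
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// classify maps the verification error to the check that failed.
func classify(err error) Outcome {
	if err == nil {
		return Outcome{Up: true}
	}
	var unknownCA x509.UnknownAuthorityError
	var nameErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case errors.As(err, &unknownCA):
		return Outcome{Reason: "unknown CA"}
	case errors.As(err, &nameErr):
		return Outcome{Reason: "name mismatch"}
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return Outcome{Reason: "expired"}
	}
	return Outcome{Reason: err.Error()}
}

// Scenarios plays the four cases through a real handshake on the loopback interface.
func Scenarios() (map[string]Outcome, error) {
	now := time.Now()
	ca, caKey, err := issueCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	good, goodKey, err := issueCert(serverTemplate(2, "sip.lab.example", now.Add(-time.Hour), now.Add(time.Hour)), ca, caKey)
	if err != nil {
		return nil, err
	}
	expired, expiredKey, err := issueCert(serverTemplate(3, "sip.lab.example", now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, caKey)
	if err != nil {
		return nil, err
	}

	return map[string]Outcome{
		"trusted CA, matching name": classify(handshake(good, goodKey, roots, "sip.lab.example")),
		"CA not imported":           classify(handshake(good, goodKey, x509.NewCertPool(), "sip.lab.example")),
		"name mismatch":             classify(handshake(good, goodKey, roots, "other.lab.example")),
		"expired certificate":       classify(handshake(expired, expiredKey, roots, "sip.lab.example")),
	}, nil
}

func main() {
	out, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, o := range out {
		fmt.Printf("%-28s up=%-5v %s\n", name, o.Up, o.Reason)
	}
}
```

  <p class="p">Only the first scenario reports the link as up; the other three fail on exactly one check each, which is the behaviour to expect from the unit when the CA certificate was not imported under Management/Certificates, when the proxy's certificate names a different host, or when the unit's clock is outside the certificate's validity period. Note that the Go standard library negotiates TLS 1.3 here, where the session secret comes from an ephemeral key agreement rather than being encrypted under the server's public key as in the RSA exchange described above; the certificate checks, and the outcome when one of them fails, are the same.</p>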
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title5" id="topic_title_Enabling_Security_Features_d1e18">
   <h1 class="title topictitle1" id="ariaid-title5">Enabling Security Features</h1>
<article class="topic task nested1" aria-labelledby="ariaid-title6" id="task_fqx_v1m_ls">
    <h2 class="title topictitle2" id="ariaid-title6">Importing Certificates on the Mediatrix Unit</h2>
    <div class="body taskbody">
        <section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>You must have an SNTP server for time tracking.</section>
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Activate unsecure certificate
                transfer</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">From the <span class="keyword wintitle">Type</span>
                    selection list, select <span class="keyword wintitle">Other</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Browse</span>.</span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> CA certificate files usually have a .crt extension, using format X.509. </div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="ph uicontrol">restart required services</span>.
                </span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_fqx_v1m_ls__image_qpy_csr_ls" src="https://documentation.media5corp.com/download/attachments/45482024/HostCertificates_OtherCertificates_CertificateTransfer.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title7" id="task_q4b_b5r_2s">
    <h2 class="title topictitle2" id="ariaid-title7">Adding the OpenSIPS Gateway</h2>
    <div class="body taskbody">
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Gateways</span>.</span>
            </li><li class="li step">
                <span class="ph cmd">In the <span class="keyword wintitle">Gateway Configuration</span> table,
                    in the <span class="keyword wintitle">Name</span> field,
                    enter <span class="keyword wintitle">OpenSIPS</span> .</span>
            </li><li class="li step">
                <span class="ph cmd"> Click <img class="image" id="task_q4b_b5r_2s__image_ms3_wyr_2s" src="https://documentation.media5corp.com/download/attachments/45482024/Plusbleu.jpg" width="15">. </span>
            </li><li class="li step">
                <span class="ph cmd">Complete the fields as follows: </span>
                <ul class="ul choices" id="task_q4b_b5r_2s__choices_qzw_wyr_2s">
                    <li class="li choice">From the <span class="keyword wintitle">Type</span>
                        selection list, select <span class="keyword wintitle">Trunk</span>.</li>
                    <li class="li choice">From the <span class="keyword wintitle">Signaling Network</span>
                        selection list, select <span class="keyword wintitle">Uplink</span>.</li>
                    <li class="li choice">In the <span class="keyword wintitle">Port</span>
                        field, enter 5062.</li>
                    <li class="li choice">In the <span class="keyword wintitle">Secure Port</span> field,
                        enter 5061.</li>
                </ul>
            </li><li class="li step">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <p class="p">The <span class="keyword wintitle">OpenSIPS</span> gateway will
                be available under the <span class="keyword wintitle">SIP</span>
                &gt; <span class="keyword wintitle">Servers</span> page.</p>
            <br><img class="image" id="task_q4b_b5r_2s__image_opz_524_ms" src="https://documentation.media5corp.com/download/attachments/45482024/GatewayConfiguration_OpenSIPS.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title8" id="task_ozm_q4s_ls">
    <h2 class="title topictitle2" id="ariaid-title8">Assigning a Specific Registrar Server to the OpenSIPS Gateway</h2>
    <div class="body taskbody">
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Servers</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Registrar Servers</span> table, from the <span class="keyword wintitle">Gateway Specific</span> drop box,
                    select <span class="keyword wintitle">Yes</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Registrar Host</span>
                    field, enter the server IP address or FQDN.</span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> For gateway-specific settings, use the <span class="keyword wintitle">Gateway Specific</span>
                        sections.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="ph uicontrol">Submit</span></span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_ozm_q4s_ls__image_ic1_crs_ls" src="https://documentation.media5corp.com/download/attachments/45482024/RegistrarServers_OpenSIPS.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title9" id="task_u2v_5cc_gs">
    <h2 class="title topictitle2" id="ariaid-title9">Assigning a Specific Proxy Server to the OpenSIPS Gateway</h2>
    <div class="body taskbody">
        <section id="task_u2v_5cc_gs__steps_e2n_ycc_gs"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_u2v_5cc_gs__steps_e2n_ycc_gs"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Servers</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Proxy Servers</span>
                    table, from the <span class="keyword wintitle">Gateway Specific</span> drop box,
                    select <span class="keyword wintitle">Yes</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Proxy Host</span>
                    field, enter the server IP address or FQDN. </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> For gateway-specific settings, use the <span class="keyword wintitle">Gateway Specific</span>
                        sections. </div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="ph uicontrol">Submit</span></span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_u2v_5cc_gs__image_dxk_d4s_ls" src="https://documentation.media5corp.com/download/attachments/45482024/ProxyServers_OpenSIPS.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title10" id="task_fth_kjs_ls">
    <h2 class="title topictitle2" id="ariaid-title10">Enabling Secure Signaling (TLS)</h2>
    <div class="body taskbody">
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Transport</span> tab.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Protocol Configuration</span> table,
                    from the <span class="keyword wintitle">TLS</span> dropbox,
                    select <span class="keyword wintitle">Enable</span>.</span>
                <div class="itemgroup info">
                    <div class="note important note_important"><span class="note__title">IMPORTANT:</span> The Mediatrix unit does not support a mix of both TLS and
                        non-TLS links. Once TLS is enabled, it is enabled for all configured SIP
                        gateways.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Follow the link located at the top of the Web page to start the appropriate
                    service. </span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_fth_kjs_ls__image_kfd_d1t_ls" src="https://documentation.media5corp.com/download/attachments/45482024/ProtocolConfiguration.png" width="800"><br>
            <p class="p">The Ready LED will turn to a steady green. The SipEp Notification messages #303 and
                #310 are sent once the TLS connection is established. For example:</p>
                <p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.</code></p><p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.</code></p>
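            <p class="p">To turn the two notifications above into something a monitoring script can act on, here is an added Go example (not DGW code) that parses SipEp syslog lines and reports, per SIP gateway, whether both #303 and #310 have been seen. The message layout is taken from the two lines quoted above; the sample log is constructed for the example, and its third line (a #303 for a gateway named OpenSIPS without a matching #310) is made up to show the "not up" result.</p>

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SipEpNotification is one "SipEp: 1400-SIP Endpoint: NNN-..." syslog line.
type SipEpNotification struct {
	Code    int    // notification number, e.g. 303 or 310
	Host    string // remote host:port, when the message names one
	Gateway string // SIP gateway the message refers to
	Text    string // message text between the number and "for SIP gateway"
}

var (
	// notification number, free text, and the trailing "for SIP gateway <name>."
	notifRe = regexp.MustCompile(`SipEp: \d+-SIP Endpoint: (\d+)-(.+) for SIP gateway (\S+)\.$`)
	// IPv4 host:port as printed by the unit
	hostRe = regexp.MustCompile(`\b(\d{1,3}(?:\.\d{1,3}){3}:\d+)\b`)
)

// ParseSipEp extracts the notification from one syslog line; ok is false for other lines.
func ParseSipEp(line string) (n SipEpNotification, ok bool) {
	m := notifRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return n, false
	}
	n.Code, _ = strconv.Atoi(m[1])
	n.Text, n.Gateway = m[2], m[3]
	n.Host = hostRe.FindString(n.Text)
	return n, true
}

// TlsLinkUp reports, per SIP gateway, whether both #303 (TLS connection ready) and
// #310 (server reachable) were seen, which is what the unit logs once the TLS link is up.
func TlsLinkUp(lines []string) map[string]bool {
	seen := map[string]map[int]bool{}
	for _, l := range lines {
		n, ok := ParseSipEp(l)
		if !ok {
			continue
		}
		if seen[n.Gateway] == nil {
			seen[n.Gateway] = map[int]bool{}
		}
		seen[n.Gateway][n.Code] = true
	}
	up := map[string]bool{}
	for gw, codes := range seen {
		up[gw] = codes[303] && codes[310]
	}
	return up
}

// Constructed sample: the two lines quoted in the Result above, a made-up #303 for a
// gateway named OpenSIPS that never gets its #310, and one unrelated line.
var sampleLog = []string{
	"Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.",
	"Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.",
	"Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway OpenSIPS.",
	"Syslog message: USER.INFO: Cli: user admin logged in",
}

func main() {
	for gw, ok := range TlsLinkUp(sampleLog) {
		fmt.Printf("gateway %-8s TLS link up: %v\n", gw, ok)
	}
}
```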
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title11" id="task_tqz_gct_ls">
    <h2 class="title topictitle2" id="ariaid-title11">Enabling Secure Media (SRTP) on All Endpoints</h2>
    <div class="body taskbody">
        <section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>Encrypted/secure signaling must be configured.</section>
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Media</span>/<span class="keyword wintitle">Security</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">From the <span class="keyword wintitle">Select Endpoint</span> selection list, choose <span class="keyword wintitle">Default</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Security</span> table,</span>
                <ol type="a" class="ol substeps" id="task_tqz_gct_ls__substeps_ct1_kpj_lpb">
                    <li class="li substep substepexpand">
                        <span class="ph cmd">From the <span class="keyword wintitle">Mode</span> drop box, select <span class="keyword wintitle">Secure</span> or <span class="keyword wintitle">Secure with fallback</span>.</span>
                    </li>
                    <li class="li substep substepexpand">
                        <span class="ph cmd">From the <span class="keyword wintitle">Key Management Protocol</span> drop box, select the protocol.</span>
                        <div class="itemgroup info">
                            <div class="note note note_note"><span class="note__title">Note:</span> Enabling <span class="keyword wintitle">SDES</span> instead of
                                    <span class="keyword wintitle">MIKEY</span>
                                will make the SIP INVITEs slightly different. Choosing the <span class="keyword wintitle">SDES</span> protocol
                                will add the <samp class="ph msgph">a=crypto</samp> line within the SDP Media
                                Attributes while choosing the <span class="keyword wintitle">MIKEY</span> protocol
                                will add the <samp class="ph msgph">a=key-mgmt:mikey</samp> line within the SDP
                                Session Attributes.</div>
                        </div>
                    </li>
                    <li class="li substep substepexpand">
                        <span class="ph cmd">From the  drop box,
                            select the <var class="keyword varname">AES_CM_128</var> encryption algorithm.</span>
                    </li>
                    <li class="li substep substepexpand">
                        <span class="ph cmd">From the <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> selection, choose if unsecure <span class="ph uicontrol">T.38</span> is allowed with
                            RTP.</span>
                        <div class="itemgroup info">
                            <div class="note note note_note"><span class="note__title">Note:</span> <span class="ph uicontrol">T.38</span>
                                packets are never encrypted. The setting <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> makes it possible to use <span class="ph uicontrol">T.38</span>; otherwise
                                it will be rejected. If not using <span class="ph uicontrol">T.38</span> for faxing,
                                to avoid an impact on the number of simultaneous calls a Mediatrix
                                unit can handle in SRTP, set the <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> parameter to <span class="keyword wintitle">No</span> and refer to
                                the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Standard+Fax+Configuration" target="_blank">Standard Fax Configuration</a>
                                document to disable <span class="ph uicontrol">T.38</span> Fax
                                Transmission.</div>
                        </div>
                    </li>
                </ol>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">SRTP Preferences</span> table,</span>
                <ol type="a" class="ol substeps" id="task_tqz_gct_ls__substeps_sg1_1qj_lpb">
                    <li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Mode When Sending Offer</span> drop
                            box, select the preferred mode.</span></li>
                    <li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Mode When Sending Answer</span>
                            drop box, select the preferred mode.</span></li>
                    <li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Context Behavior</span> drop 
                            box, select the preferred behavior.</span></li>
                </ol>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> For more information about the recommended <span class="keyword wintitle">SRTP Preferences</span>, refer
                        to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Setting+the+Security+Parameters+of+the+RTP+Stream#reference_fmk_ynh_npb" target="_blank">Recommended SRTP Preferences for a Typical VoIP Network</a> section of the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Setting+the+Security+Parameters+of+the+RTP+Stream" target="_blank">Setting the Security Parameters of the RTP Stream</a> document.</div>
                </div>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> For troubleshooting the SRTP interoperability, please refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/SRTP+Troubleshooting" target="_blank">SRTP Troubleshooting</a> document.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <p class="p">All new SIP exchanges will contain RTP/SAVP negotiation elements.</p>
            <br><img class="image" id="task_tqz_gct_ls__image_pcj_vkf_ms" src="https://documentation.media5corp.com/download/attachments/45482024/Security_endpointDefault.png"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title12" id="unique_929149503829769458">
    <h2 class="title topictitle2" id="ariaid-title12">Enabling Secure Media (SRTP) on a Specific Endpoint</h2>
    <div class="body taskbody">
        <section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>Encrypted/secure signaling must be configured.</section>
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Media</span>/<span class="keyword wintitle">Security</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">From the <span class="keyword wintitle">Select Endpoint</span> selection list, choose an endpoint. </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> The list of available endpoints will vary depending on the type of unit
                        being used.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">In the <span class="keyword wintitle">Security</span>
                    table, from the <span class="keyword wintitle">Mode</span>
                    drop box, select <span class="keyword wintitle">Secure</span> or <span class="keyword wintitle">Secure with fallback</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">From the <span class="keyword wintitle">Key Management Protocol</span> drop
                    box, select the protocol. </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> Enabling <span class="keyword wintitle">SDES</span>
                        instead of <span class="keyword wintitle">MIKEY</span>
                        will make the SIP INVITEs slightly different. Choosing the <span class="keyword wintitle">SDES</span> protocol will add
                        the <samp class="ph msgph">a=crypto</samp> line within the SDP Media Attributes while
                        choosing the <span class="keyword wintitle">MIKEY</span>
                        protocol will add the <samp class="ph msgph">a=key-mgmt:mikey</samp> line within the SDP
                        Session Attributes.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">From the 
                    drop box, select the <var class="keyword varname">AES_CM_128</var> encryption algorithm.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <p class="p">All new SIP exchanges going through the specified endpoint will contain RTP/SAVP negotiation elements.</p>
            <br><img class="image" id="unique_929149503829769458__image_ppc_gnl_fhb" src="https://documentation.media5corp.com/download/attachments/45482024/Security_endpointSpecific.png"><br>
        </section>
    </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title13" id="topic_title_Troubleshooting_d1e26">
   <h1 class="title topictitle1" id="ariaid-title13">Troubleshooting</h1>
<article class="topic task nested1" aria-labelledby="ariaid-title14" id="task_mfv_4qf_ms">
    <h2 class="title topictitle2" id="ariaid-title14">Enabling TLS Debugging on Wireshark</h2>
    <div class="body taskbody">
        <section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>To configure Wireshark for TLS packet capture, the private key associated with the
            server certificate is needed to decrypt the TLS packets.</section>
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
                <span class="ph cmd">Go to <span class="keyword wintitle">Edit</span>/<span class="keyword wintitle">Preferences</span>. </span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Click + next to <span class="keyword wintitle">Protocols</span>.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Select SSL.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Fill the <span class="keyword wintitle">RSA keys list</span>
                    field. </span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> The field specifies the binding between an IP address, a port, a protocol,
                        and an RSA decryption key. Enter the IP address of the server, the SIP port,
                        and the path to the file containing the server private key. Several such
                        bindings may be specified by separating them with a semi-colon
                        ";".</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Start the Wireshark capture.</span>
                <div class="itemgroup info">
                    <div class="note note note_note"><span class="note__title">Note:</span> TLS sessions using Diffie-Hellman based ciphers (DHE, ECDH, ECDHE) cannot
                        be decrypted by Wireshark with the server private key, because their session keys are not derived from it.</div>
                </div>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Restart the SipEp service on the Mediatrix unit or restart the unit.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Once the unit is restarted and the "Ready" LED is lit on the
                    Mediatrix unit, stop the packet capture.</span>
            </li><li class="li step stepexpand">
                <span class="ph cmd">Apply the "ssl" display filter to the capture; the decrypted SIP packets
                    exchanged between the two endpoints should be shown. </span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_mfv_4qf_ms__image_evl_mhg_ms" src="https://documentation.media5corp.com/download/attachments/45482024/PacketCapture.png" width="800"><br>
        </section>
    </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title15" id="concept_ayr_rhg_ms">
 <h2 class="title topictitle2" id="ariaid-title15">REGISTER Messages Not Being Answered</h2>
 
 <div class="body conbody"><p class="shortdesc">TLS is enabled on one of the Mediatrix gateways and not on the second
  gateway.</p>
  <p class="p">Issue: The REGISTER requests from the second gateway are not being answered. </p>
  <p class="p">Reason: The proxy is expecting the SIP message to be SSL encapsulated. </p>
  <p class="p">Procedure to solve the issue: Restart the Wireshark capture and enable TLS on the second
   gateway. Restart the required services.</p>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title16" id="concept_plg_gmg_ms">
  <h2 class="title topictitle2" id="ariaid-title16">Server Internal Error (or Similar Messages)</h2>
  
  <div class="body conbody"><p class="shortdesc">Some servers/proxies will require Interop variables to be enabled.</p>
    <p class="p">For example, the default openSIPS installation requires adding the SIP transport field in the
      registration and contact headers. </p>
  </div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested2" aria-labelledby="ariaid-title17" id="task_jfr_hgh_ms">
    <h3 class="title topictitle3" id="ariaid-title17">Enabling Interop Variables</h3>
    <div class="body taskbody">
        <section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step">
                <span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Transport</span>.</span>
            </li><li class="li step">
                <span class="ph cmd">In the <span class="keyword wintitle">General Configuration</span> table,
                    set the <span class="keyword wintitle">Add SIP Transport in Registration</span> and <span class="keyword wintitle">Add SIP Transport in Contact
                Header</span> variables to <span class="keyword wintitle">Enable</span>.</span>
            </li><li class="li step">
                <span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
            </li></ol></section>
        <section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
            <br><img class="image" id="task_jfr_hgh_ms__image_csf_mgh_ms" src="https://documentation.media5corp.com/download/attachments/45482024/GeneralConfiguration.png" width="800"><br>
        </section>
    </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title18" id="concept_zcd_4pg_ms">
 <h2 class="title topictitle2" id="ariaid-title18">Mikey and SDES Mismatch</h2>
 
 <div class="body conbody"><p class="shortdesc">This document explains why it is highly recommended to choose a single key
  management protocol.</p>
  <p class="p">In the following example, SDES is configured on endpoint 1 (192.168.120.30) and MIKEY on
   endpoint 2 (192.168.120.12).</p>
  <p class="p">The gateway 192.168.120.12 returns a <span class="keyword wintitle">SIP 415 Unsupported Media</span> error because it is not
   configured to handle SDES. </p>
  <p class="p">The following Syslog message should also be seen: 
  <samp class="ph msgph">syslog: SdpTools [D3A2] Received the wrong key management protocol. Secure stream
   disabled.</samp></p>
  <br><img class="image" id="concept_zcd_4pg_ms__image_e1f_tqg_ms" src="https://documentation.media5corp.com/download/attachments/45482024/MickeyAndSDESMismatch.png" width="800"><br>
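  <p class="p">The SDP markers that distinguish the two protocols (the <samp class="ph msgph">a=crypto</samp> media attribute for SDES and the <samp class="ph msgph">a=key-mgmt:mikey</samp> session attribute for MIKEY, as described in the endpoint configuration steps above) can be checked automatically on a captured offer. The following classifier is an added example, not Mediatrix code; the two sample offers are constructed, with the addresses from this example and placeholder key material.</p>

```python
import re
from typing import List, Set, Tuple

MIKEY_ATTR = "a=key-mgmt:mikey"   # RFC 4567 marker, at session level as noted above
SDES_ATTR = "a=crypto:"            # RFC 4568 marker, one per media section


def split_sections(sdp: str) -> Tuple[List[str], List[List[str]]]:
    """Split an SDP body into its session-level lines and one line list per
    media section (each media section starts at its m= line)."""
    session: List[str] = []
    media: List[List[str]] = []
    for line in re.split(r"\r?\n", sdp):
        if not line:
            continue
        if line.startswith("m="):
            media.append([line])
        elif media:
            media[-1].append(line)
        else:
            session.append(line)
    return session, media


def key_management(sdp: str) -> Set[str]:
    """Return the key-management protocols ('SDES', 'MIKEY') the body carries."""
    session, media = split_sections(sdp)
    found: Set[str] = set()
    if any(l.startswith(MIKEY_ATTR) for l in session):
        found.add("MIKEY")
    for block in media:
        if any(l.startswith(MIKEY_ATTR) for l in block):  # RFC 4567 also allows media level
            found.add("MIKEY")
        if any(l.startswith(SDES_ATTR) for l in block):
            found.add("SDES")
    return found


def unkeyed_secure_media(sdp: str) -> List[str]:
    """m= lines that request an SRTP profile (RTP/SAVP*) but carry no key material
    at either level: such a stream cannot be set up by any peer."""
    session, media = split_sections(sdp)
    session_keyed = any(l.startswith(MIKEY_ATTR) for l in session)
    result = []
    for block in media:
        fields = block[0].split()
        profile = fields[2] if len(fields) > 2 else ""
        keyed = session_keyed or any(l.startswith((MIKEY_ATTR, SDES_ATTR)) for l in block)
        if profile.startswith("RTP/SAVP") and not keyed:
            result.append(block[0])
    return result


def offer_is_acceptable(sdp: str, local_protocols: Set[str]) -> bool:
    """True when the offer carries at least one protocol the local endpoint is
    configured for; otherwise the answer is the 415 rejection shown above."""
    return bool(key_management(sdp) & local_protocols)


# Constructed sample offers: addresses from the example above, placeholder keys.
SDES_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.168.120.30", "s=-", "c=IN IP4 192.168.120.30", "t=0 0",
    "m=audio 5004 RTP/SAVP 0 8", "a=rtpmap:0 PCMU/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLD",
])
MIKEY_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.168.120.12", "s=-", "c=IN IP4 192.168.120.12", "t=0 0",
    "a=key-mgmt:mikey PLACEHOLDERMIKEYMESSAGE",
    "m=audio 5004 RTP/SAVP 0 8", "a=rtpmap:0 PCMU/8000",
])
```

Running <samp class="ph msgph">offer_is_acceptable(SDES_OFFER, {"MIKEY"})</samp> reproduces the mismatch above: the offer from 192.168.120.30 carries only SDES, which a MIKEY-only endpoint cannot answer.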
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title19" id="unique_1459269312665145364">
 <h2 class="title topictitle2" id="ariaid-title19">Audio Issues with Secured Media (SRTP)</h2>
 
 <div class="body conbody"><p class="shortdesc">This document explains how to detect an audio issue with a Mediatrix gateway when the
  media is secured with SRTP.</p>
  <p class="p">In the following example, both gateways are configured with different <span class="keyword wintitle">SRTP Preferences</span> configurations. This situation
   may be encountered when the SRTP behaviors of different SIP devices are not compatible.</p>
    <p class="p">The gateway 192.168.121.5 is configured to keep the cryptographic elements while the
      gateway 192.168.121.10 is configured to regenerate the cryptographic elements.</p>
  <p class="p">After some time, when the Mediatrix unit detects that the incoming SRTP stream cannot be decrypted,
      it sends the following notification message: <samp class="ph msgph">Mipt: 1600-Media IP Transport: 110-The
        call #### on endpoint XYZ detected an SRTP cryptographic error. The secured RTP stream is
        not properly decoded.</samp></p>
  <br><img class="image" src="https://documentation.media5corp.com/download/attachments/45482024/CaptureSrtpCryptoError.png" width="800"><br>
  <p class="p">This audio issue occurred after the sequence number of one of the SRTP streams had rolled over
      while the SRTP cryptographic contexts of the two peers were desynchronised. This event may also
      happen when resuming a SIP call on hold.</p>
    <div class="note note note_note"><span class="note__title">Note:</span> When an audio issue related to SRTP streams occurs, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/SRTP+Troubleshooting" target="_blank">SRTP Troubleshooting</a> document.</div>
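  <p class="p">The role of the rollover counter in this symptom can be reproduced with the packet-index bookkeeping of RFC 3711 (section 3.3.1). The model below is an added illustration, not Mediatrix code: the sender keeps its context across a resume from hold, the receiver either keeps it or regenerates it (fresh ROC and highest-sequence-number state), and the two sides are compared on the packet index they would use. Only the index is modelled, not key derivation or authentication, and the starting sequence number and packet counts are constructed.</p>

```python
from typing import Optional, Tuple

SEQ_MOD = 1 << 16   # RTP sequence numbers are 16 bits wide
ROC_MOD = 1 << 32   # the SRTP rollover counter (ROC) is 32 bits wide


class SrtpSender:
    """Packet-index state of an outgoing SRTP stream: i = 2^16 * ROC + SEQ."""

    def __init__(self, first_seq: int) -> None:
        self.seq = first_seq % SEQ_MOD
        self.roc = 0

    def next_index(self) -> Tuple[int, int]:
        """Return (SEQ placed in the RTP header, index used to encrypt it),
        then advance SEQ, incrementing ROC when SEQ wraps to 0."""
        seq, index = self.seq, SEQ_MOD * self.roc + self.seq
        self.seq = (self.seq + 1) % SEQ_MOD
        if self.seq == 0:
            self.roc = (self.roc + 1) % ROC_MOD
        return seq, index


class SrtpReceiver:
    """Index estimation of RFC 3711 section 3.3.1, from the highest SEQ
    received so far (s_l) and the receiver's own ROC."""

    def __init__(self) -> None:
        self.s_l: Optional[int] = None   # None until the first packet arrives
        self.roc = 0

    def estimate_index(self, seq: int) -> int:
        if self.s_l is None:
            self.s_l = seq
            return SEQ_MOD * self.roc + seq
        if self.s_l < 32768:
            v = (self.roc - 1) % ROC_MOD if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) % ROC_MOD if self.s_l - 32768 > seq else self.roc
        index = SEQ_MOD * v + seq
        if v == self.roc and seq > self.s_l:
            self.s_l = seq                  # in-order packet under the same ROC
        elif v == (self.roc + 1) % ROC_MOD:
            self.s_l, self.roc = seq, v     # the sequence number rolled over
        return index


def first_mismatch(packets: int, reinvite_at: int,
                   receiver_regenerates: bool) -> Optional[int]:
    """Play `packets` packets of one stream; at packet `reinvite_at` the call
    is resumed from hold. The sender keeps its context throughout; the receiver
    keeps it too, or regenerates it (fresh ROC and s_l) as configured.
    Return the SEQ of the first packet whose two indices disagree, or None."""
    sender, receiver = SrtpSender(first_seq=60000), SrtpReceiver()
    for n in range(packets):
        if n == reinvite_at and receiver_regenerates:
            receiver = SrtpReceiver()       # constructed scenario: context reset
        seq, sent_index = sender.next_index()
        if receiver.estimate_index(seq) != sent_index:
            return seq
    return None


if __name__ == "__main__":
    # Resume before the rollover: both sides still agree; resume after the
    # rollover with a regenerated context: indices diverge from the first packet.
    print(first_mismatch(70000, 3000, True), first_mismatch(70000, 10000, True))
```

A regenerated context is harmless while both ROCs are still 0, which is why the call works for a while; once the sequence number has wrapped, the peer that reset its ROC computes a different index than the one that kept it, and every packet fails to decrypt.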
 </div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title20" id="reference_nvm_vqg_ms">
  <h1 class="title topictitle1" id="ariaid-title20">Annexes</h1>
  <div class="body refbody">
    <section class="section"><h2 class="title sectiontitle">Mediatrix Support Portal</h2><a class="xref" href="http://www.media5corp.com/support-portal" target="_blank">http://www.media5corp.com/support-portal</a></section>
    
  </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title21" id="reference_j4g_nbv_gfb">
  <h1 class="title topictitle1" id="ariaid-title21">Online Help</h1>
  <p class="shortdesc"><span class="ph">If you are not familiar with the meaning of the fields and
                buttons, click <span class="keyword wintitle">Show Help</span>, located at the upper right corner of
                the Web page. When activated, the fields and buttons that offer online help
                change to green, and if you hover over them, the description is displayed.</span></p>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title22" id="concept_v4k_q3h_1r">
 <h1 class="title topictitle1" id="ariaid-title22">DGW Documentation</h1>
 
 <div class="body conbody"><p class="shortdesc">Mediatrix devices are supplied with an exhaustive set of documentation. </p>
  <p class="p">Mediatrix user documentation is available on the <a class="xref" href="http://documentation.media5corp.com" target="_blank">Media5 Documentation
    Portal</a>.</p>
  <div class="p">Several types of documents were created to clearly present the information you are looking for.
   Our documentation includes:<ul class="ul" id="concept_v4k_q3h_1r__ul_bqy_cjh_1r">
    <li class="li"><strong class="ph b">Release notes</strong>: Generated at each GA release, this document includes the known and
     solved issues of the software. It also outlines the changes and the new features the release
     includes.</li>
    <li class="li"><strong class="ph b">Configuration notes</strong>: These documents are created to facilitate the configuration of a
     specific use case. They address a configuration aspect we consider that most users will need to
     perform. However, in some cases, a configuration note is created after receiving a question
     from a customer. They provide standard step-by-step procedures detailing the values of the
     parameters to use. They provide a means of validation and present some conceptual information.
     The configuration notes are specifically created to guide the user through an aspect of the
     configuration. </li>
    <li class="li"><strong class="ph b">Technical bulletins</strong>: These documents are created to facilitate the configuration of a
     specific technical action, such as performing a firmware upgrade.</li>
    <li class="li"><strong class="ph b">Hardware installation guide</strong>: This document provides the detailed procedure on how to safely and
     adequately install the unit. It provides information on card installation, cable connections,
     and how to access the Management interface for the first time.</li>
    <li class="li"><strong class="ph b">User guide</strong>: The user guide explains how to customise the configuration of the
     unit to your needs. Although this document is task oriented, it provides conceptual information to
     help the user understand the purpose and impact of each task. The User Guide provides
     information such as where and how TR-069 can be configured in the Management Interface, how to
     set firewalls, or how to use the CLI to configure parameters that are not available in the
     Management Interface.</li>
    <li class="li"><strong class="ph b">Reference guide</strong>: This exhaustive document has been created for advanced users. It
     includes a description of all the parameters used by all the services of the Mediatrix units.
     You will find, for example, scripts to configure a specific parameter, notification messages
     sent by a service, or an action description used to create Rulesets. This document includes
     reference information such as a dictionary, and it does not include any step-by-step
     procedures. </li>
   </ul></div>
 </div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title23" id="concept_fqm_rv4_k4">
 <h1 class="title topictitle1" id="ariaid-title23">Copyright Notice</h1>
 

 <div class="body conbody"><p class="shortdesc">Copyright © 2022 Media5 Corporation.</p>
  <p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
  <p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
   of the document and the technology and know-how that it includes and represents.</p>
  <p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
   without written prior approval by Media5 Corporation.</p>
  <p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
   and without the obligation to notify any person and/or entity of such revisions and/or
   changes.</p>
 </div>
</article></article></main></body></html>