<!DOCTYPE html
SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2023"><meta name="DC.rights.owner" content="(C) Copyright 2023"><meta name="DC.type" content="concept"><meta name="description" content="This document describes the steps required to configure a Mediatrix unit loaded with the DGW firmware for secure SIP signalling and secure media (SRTP) operation."><meta name="prodname" content="All Mediatrix Units"><meta name="version" content="DGW 49.12.28842941"><meta name="platform" content=""><meta name="DC.date.modified" content="2023-0308-2809"><meta name="DC.date.issued" content="2023-0308-2809"><meta name="DC.date.available" content="2023-0308-2809"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_wvm_clk_ls"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/custom.css"><title>Enabling Security Features in Dgw</title></head><body><header role="banner"><div class="topicmeta title">Enabling Security Features in Dgw</div><div class="topicmeta date">2023-0308-2809</div><div class="topicmeta product">All Mediatrix Units</div><div class="topicmeta version">DGW 49.12.28842941</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/45482024/Enabling%20Security%20Features%20in%20Dgw%20Firmware.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_wvm_clk_ls">Enable Security Features in DGW </a></li><li><a href="#concept_c2k_rvl_ls">TLS-Enabled Server/Proxy Installation with openSIPS</a></li><li><a 
href="#concept_bxv_zxl_ls">Certificates</a></li><li><a href="#concept_ibt_nvk_ls">Basics of Security Exchanges</a></li><li><a href="#topic_title_Enabling_Security_Features_d1e18">Enabling Security Features</a><ul><li><a href="#task_fqx_v1m_ls">Importing Certificates on the Mediatrix Unit</a></li><li><a href="#task_q4b_b5r_2s">Adding the OpenSIPS Gateway</a></li><li><a href="#task_ozm_q4s_ls">Assigning a Specific Registrar Server to the OpenSIPS Gateway</a></li><li><a href="#task_u2v_5cc_gs">Assigning a Specific Proxy Server to the OpenSIPS Gateway</a></li><li><a href="#task_fth_kjs_ls">Enabling Secure Signaling (TLS)</a></li><li><a href="#task_tqz_gct_ls">Enabling Secure Media (SRTP) on All Endpoints</a></li><li><a href="#unique_1876218993230372626">Enabling Secure Media (SRTP) on a Specific Endpoint</a></li></ul></li><li><a href="#topic_title_Troubleshooting_d1e26">Troubleshooting</a><ul><li><a href="#task_mfv_4qf_ms">Enabling TLS Debugging on Wireshark</a></li><li><a href="#concept_ayr_rhg_ms">REGISTER Messages Not Being Answered</a></li><li><a href="#concept_plg_gmg_ms">Server Internal Error (or Similar Messages)</a><ul><li><a href="#task_jfr_hgh_ms">Enabling Interop Variables</a></li></ul></li><li><a href="#concept_zcd_4pg_ms">Mikey and SDES Mismatch</a></li><li><a href="#unique_1550171977730517531">Audio Issues with Secured Media (SRTP)</a></li></ul></li><li><a href="#reference_nvm_vqg_ms">Annexes</a></li><li><a href="#reference_j4g_nbv_gfb">Online Help</a></li><li><a href="#concept_v4k_q3h_1r">DGW Documentation</a></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_wvm_clk_ls">
<h1 class="title topictitle1" id="ariaid-title1">Enable Security Features in DGW </h1>
<div class="body conbody"><p class="shortdesc">This document describes the steps required to configure a Mediatrix unit loaded with the
DGW firmware for secure SIP signalling and secure media (SRTP) operation.</p>
<p class="p">This is not a complete key-exchange, TLS or general security tutorial. For more information on
these topics, please see the links section.</p>
<p class="p">In this scenario, the endpoints used are a Mediatrix 4102 unit and a Mediatrix C740 BRI Gateway
unit. Both Mediatrix units must be loaded with DGW. We will use the freely available openSIPS
(<a class="xref" href="http://www.opensips.org" target="_blank">http://www.opensips.org</a>) as the SIP proxy and
configure it for TLS operation.</p>
<br><img class="image" id="concept_wvm_clk_ls__image_i2y_nsl_ls" src="https://documentation.media5corp.com/download/attachments/45482024/SetupDescription_SecurityFeaturesDgw.png" width="800"><br>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title2" id="concept_c2k_rvl_ls">
<h1 class="title topictitle1" id="ariaid-title2">TLS-Enabled Server/Proxy Installation with openSIPS</h1>
<div class="body conbody">
<p class="p">Using two Mediatrix gateways connected back-to-back using a SIP trunk would be sufficient to
demonstrate the use of the new security features. However, we prefer to demonstrate the
configuration of the units and test scenarios in a more real-world environment by using a
separate TLS-enabled SIP proxy. For this purpose, we have chosen openSIPS as it is free and
easy to configure for basic use.</p>
<div class="p">For more information on setting up openSIPS, please refer to the openSIPS installation
documentation at <a class="xref" href="http://www.opensips.org/docs" target="_blank">http://www.opensips.org/docs</a>.<div class="note note note_note"><span class="note__title">Note:</span> If already completed, skip this section. </div></div>
<p class="p">Please note that, at the time of writing, openSIPS is configured by default to keep the
TLS links up for a period of 2 minutes. We have made a small code modification that allows the
links to stay up for 120 minutes. See the annex for more information on how to proceed.</p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title3" id="concept_bxv_zxl_ls">
<h1 class="title topictitle1" id="ariaid-title3">Certificates</h1>
<div class="body conbody"><p class="shortdesc">The Mediatrix unit uses digital certificates, which are a collection of data used to
verify the identity of individuals, computers, and other entities on a network. </p>
<div class="p">Certificates contain:<ul class="ul" id="concept_bxv_zxl_ls__ul_wjn_v33_ns">
<li class="li">the certificate's name</li>
<li class="li">the issuer and issued to names </li>
<li class="li">the validity period (the certificate is not valid before or after this period) </li>
<li class="li">the certificate usage, such as:<ul class="ul" id="concept_bxv_zxl_ls__ul_jyv_x33_ns">
<li class="li">TlsClient: The certificate identifies a TLS client. A host authenticated by this
kind of certificate can act as a client in a SIP over TLS connection when mutual
authentication is required by the server.</li>
<li class="li">TlsServer: The certificate identifies a TLS server. A host authenticated by this
kind of certificate can serve files or web pages using the HTTPS protocol or can act
as a server in a SIP over TLS connection.</li>
</ul></li>
<li class="li">whether or not the certificate is owned by a Certification Authority (CA)</li>
</ul></div>
<p class="p">Although certificates are factory-installed, new ones can also be added. Since TLS
certificates are validated in terms of time (certificate validity/expiration date, etc.),
the use of NTP (Network Time Protocol) is mandatory when using the security features. </p>
<div class="p">The Mediatrix unit uses two types of certificates: <ul class="ul" id="concept_bxv_zxl_ls__ul_bkm_gj3_ns">
<li class="li">Host Certificates: used to certify the unit (e.g.: a web server with HTTPS requires a
host certificate).</li>
<li class="li">Others: Any other certificate including trusted CA certificates used to certify peers
(e.g.: a SIP server with TLS).</li>
</ul></div>
<div class="p">The Conf, Cwmp, Eth, Fpu, Nlm, Sbc, and SipEp services are considered secure as they require
certificate validation to establish a secure connection to a remote host. The following
parameters, available through the CLI, are used to determine whether or not the connection to the
remote host should be validated with the service certificate. By default, the parameters are
always set to a value requiring validation.<ul class="ul" id="concept_bxv_zxl_ls__ul_qs1_bnf_r3b">
<li class="li">Conf.ScriptsTransferCertificateValidation</li>
<li class="li">Cwmp.TransportCertificateValidation</li>
<li class="li">Eth.Eap.CertificateValidation</li>
<li class="li">Fpu.MfpTransferCertificateValidation</li>
<li class="li">Nlm.PCaptureTransferCertificateValidation</li>
<li class="li">Sbc.CertificateValidation</li>
<li class="li">SipEp.InteropTlsCertificateValidation (also available in the DGW Web page under
SIP/Interop)</li>
</ul></div>
<p class="p">The certificates must be uploaded to the Mediatrix units. They define how a Mediatrix unit
will certify the remote host in order to mark it as secure and suitable for a TLS connection.
If the Mediatrix unit does not trust the remote certificate (i.e. does not authenticate it
with either one of the 3 methods: HostName, trustedCertificate, DnsSrv), then the Mediatrix
unit will not establish the connection.</p>
<div class="p">By default it is not possible to upload a Host certificate without first clicking on Activate
unsecure certificate transfer. This is because the certificate upload will be done in clear
text, which means the private key will be susceptible to interception. Establishing a
connection without certificate validation, i.e. establishing an unsecure connection, should
only be used:<ul class="ul" id="concept_bxv_zxl_ls__ul_cyh_b14_nkb">
<li class="li">for testing purposes,</li>
<li class="li">if one cannot identify the required CA cert, or</li>
<li class="li">if the CA cert has a mismatched Common Name/Subject Alternative Name (in this case there is no
fallback; the connection fails if the name does not match).</li>
</ul></div>
<div class="p">Certificates are used to secure the following connections:<ul class="ul" id="concept_bxv_zxl_ls__ul_i4n_mbb_br">
<li class="li">SIP</li>
<li class="li">Configuration Web pages</li>
<li class="li">File transfers (scripts, firmwares, etc.) with HTTPS</li>
<li class="li">Configuration using TR-069</li>
<li class="li">Wired Ethernet Authentication with EAP (802.1x) </li>
</ul></div>
<p class="p">One common use of the host certificate is to allow HTTPS Web access to the unit (in which
case the device is the TLS server). For more details, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Creating+a+Media5+Device+Host+Certificate+with+OpenSSL" target="_blank">Technical Bulletins - Creating a Media5 Host Certificate with
OpenSSL</a> document on the <a class="xref" href="https://documentation.media5corp.com/" target="_blank">Media5 Documentation Portal</a>.</p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title4" id="concept_ibt_nvk_ls">
<h1 class="title topictitle1" id="ariaid-title4">Basics of Security Exchanges</h1>
<div class="body conbody">
<p class="p">At the level at which we are working, establishing a TLS connection may seem fairly
straightforward. However, in practice, at a lower level, there are many additional
complications to consider to ensure protection against various possible attacks. </p>
<div class="p">Here is an example of an overall exchange used to build a TLS link and bring it
"up":<ul class="ul" id="concept_ibt_nvk_ls__ul_mhn_sxk_ls">
<li class="li">The client (Mediatrix) initially connects to the server on a configured TCP port (16000 is
the default source port; the destination port is the configured SIP proxy port).</li>
<li class="li">The client sends a “Client Hello” message with the supported TLS/SSL protocol version,
cipher specifications and compression algorithms.</li>
<li class="li">The server replies with a “Server Hello” message with the selected cipher and the server
certificate.</li>
<li class="li">The client verifies the server certificate (validations are configured via the
TlsCertificateValidation variable).</li>
<li class="li">The client generates a secret and encrypts it with the server’s public key. This encrypted
secret is then sent to the server.</li>
<li class="li">The client and the server use the secret to create the same symmetric encryption key.</li>
<li class="li">The client and the server switch to encrypted communication by using the previously agreed
cipher and the key just established.</li>
</ul></div>
<p class="p">This brief exchange can be seen in the following Wireshark capture.</p>
<br><img class="image" id="concept_ibt_nvk_ls__image_otc_3ml_ls" src="https://documentation.media5corp.com/download/attachments/45482024/Wireshark_Capture.png" width="800"><br>
<div class="p">When obtaining the server certificate during the early negotiation, the client checks the
following information:<ul class="ul" id="concept_ibt_nvk_ls__ul_ix4_yql_ls">
<li class="li">the server's signature,</li>
<li class="li">the CA (Certification Authority) that signed the certificate,</li>
<li class="li">that the server identified in the certificate is the same as the one that
presented it,</li>
<li class="li">the expiration date of the certificate.</li>
</ul></div>
<p class="p">If any of these steps fail, the TLS link will not go "up". For those familiar with
HTTPS, this is essentially the same procedure but using a SIP server/proxy instead of an HTTPS
server. </p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title5" id="topic_title_Enabling_Security_Features_d1e18">
<h1 class="title topictitle1" id="ariaid-title5">Enabling Security Features</h1>
<article class="topic task nested1" aria-labelledby="ariaid-title6" id="task_fqx_v1m_ls">
<h2 class="title topictitle2" id="ariaid-title6">Importing Certificates on the Mediatrix Unit</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>You must have an SNTP server for time tracking.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Management</span>/<span class="keyword wintitle">Certificates</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Activate unsecure certificate
transfer</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Type</span>
selection list, select <span class="keyword wintitle">Other</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Browse</span>.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> CA certificate files usually have a .crt extension, using format X.509. </div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="ph uicontrol">restart required services</span>.
</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_fqx_v1m_ls__image_qpy_csr_ls" src="https://documentation.media5corp.com/download/attachments/45482024/HostCertificates_OtherCertificates_CertificateTransfer.png" width="800"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title7" id="task_q4b_b5r_2s">
<h2 class="title topictitle2" id="ariaid-title7">Adding the OpenSIPS Gateway</h2>
<div class="body taskbody">
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step">
<span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Gateways</span>.</span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">Gateway Configuration</span> table,
in the <span class="keyword wintitle">Name</span> field,
enter <span class="keyword wintitle">OpenSIPS</span>.</span>
</li><li class="li step">
<span class="ph cmd"> Click <img class="image" id="task_q4b_b5r_2s__image_ms3_wyr_2s" src="https://documentation.media5corp.com/download/attachments/45482024/Plusbleu.jpg" width="15">. </span>
</li><li class="li step">
<span class="ph cmd">Complete the fields as follows: </span>
<ul class="ul choices" id="task_q4b_b5r_2s__choices_qzw_wyr_2s">
<li class="li choice">From the <span class="keyword wintitle">Type</span>
selection list, select <span class="keyword wintitle">Trunk</span>.</li>
<li class="li choice">From the <span class="keyword wintitle">Signaling Network</span>
selection list, select <span class="keyword wintitle">Uplink</span>.</li>
<li class="li choice">In the <span class="keyword wintitle">Port</span>
field, enter 5062.</li>
<li class="li choice">In the <span class="keyword wintitle">Secure Port</span> port field,
enter 5061.</li>
</ul>
</li><li class="li step">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<p class="p">The <span class="keyword wintitle">OpenSIPS</span> gateway will
be available under the <span class="keyword wintitle">SIP</span>
> <span class="keyword wintitle">Servers</span> page.</p>
<br><img class="image" id="task_q4b_b5r_2s__image_opz_524_ms" src="https://documentation.media5corp.com/download/attachments/45482024/GatewayConfiguration_OpenSIPS.png" width="800"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title8" id="task_ozm_q4s_ls">
<h2 class="title topictitle2" id="ariaid-title8">Assigning a Specific Registrar Server to the OpenSIPS Gateway</h2>
<div class="body taskbody">
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Servers</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Registrar Servers</span> table, from the <span class="keyword wintitle">Gateway Specific</span> drop box,
select <span class="keyword wintitle">Yes</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Registrar Host</span>
field, enter the server IP address or FQDN.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For gateway-specific settings, use the <span class="keyword wintitle">Gateway Specific</span>
sections.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="ph uicontrol">Submit</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_ozm_q4s_ls__image_ic1_crs_ls" src="https://documentation.media5corp.com/download/attachments/45482024/RegistrarServers_OpenSIPS.png" width="800"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title9" id="task_u2v_5cc_gs">
<h2 class="title topictitle2" id="ariaid-title9">Assigning a Specific Proxy Server to the OpenSIPS Gateway</h2>
<div class="body taskbody">
<section id="task_u2v_5cc_gs__steps_e2n_ycc_gs"><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps" id="task_u2v_5cc_gs__steps_e2n_ycc_gs"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Servers</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Proxy Servers</span>
table, from the <span class="keyword wintitle">Gateway Specific</span> drop box,
select <span class="keyword wintitle">Yes</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Proxy Host</span>
field, enter the server IP address or FQDN. </span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For gateway-specific settings, use the <span class="keyword wintitle">Gateway Specific</span>
sections. </div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="ph uicontrol">Submit</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_u2v_5cc_gs__image_dxk_d4s_ls" src="https://documentation.media5corp.com/download/attachments/45482024/ProxyServers_OpenSIPS.png" width="800"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title10" id="task_fth_kjs_ls">
<h2 class="title topictitle2" id="ariaid-title10">Enabling Secure Signaling (TLS)</h2>
<div class="body taskbody">
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to the <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Transport</span> tab.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Protocol Configuration</span> table,
from the <span class="keyword wintitle">TLS</span> dropbox,
select <span class="keyword wintitle">Enable</span>.</span>
<div class="itemgroup info">
<div class="note important note_important"><span class="note__title">IMPORTANT:</span> The Mediatrix unit does not support a mix of both TLS and
non-TLS links. Once TLS is enabled, it is enabled for all configured SIP
gateways.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Follow the link located at the top of the Web page to start the appropriate
service. </span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_fth_kjs_ls__image_kfd_d1t_ls" src="https://documentation.media5corp.com/download/attachments/45482024/ProtocolConfiguration.png" width="800"><br>
<p class="p">The Ready LED will turn to a steady green. The SipEp Notification messages #303 and
#310 are sent once the TLS connection is established. For example:</p>
<p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.</code></p><p class="lines"><code class="ph codeph">Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.</code></p>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title11" id="task_tqz_gct_ls">
<h2 class="title topictitle2" id="ariaid-title11">Enabling Secure Media (SRTP) on All Endpoints</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>Encrypted/secure signaling must be configured.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Media</span>/<span class="keyword wintitle">Security</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Select Endpoint</span> selection list, choose <span class="keyword wintitle">Default</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Security</span> table,</span>
<ol type="a" class="ol substeps" id="task_tqz_gct_ls__substeps_ct1_kpj_lpb">
<li class="li substep substepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Mode</span> drop box, select <span class="keyword wintitle">Secure</span> or <span class="keyword wintitle">Secure with fallback</span>.</span>
</li>
<li class="li substep substepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Key Management Protocol</span> drop box, select the protocol.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> Enabling <span class="keyword wintitle">SDES</span> instead of
<span class="keyword wintitle">MIKEY</span>
will make the SIP INVITEs slightly different. Choosing the <span class="keyword wintitle">SDES</span> protocol
will add the <samp class="ph msgph">a=crypto</samp> line within the SDP Media
Attributes while choosing the <span class="keyword wintitle">MIKEY</span> protocol
will add the <samp class="ph msgph">a=key-mgmt:mikey</samp> line within the SDP
Session Attributes.</div>
</div>
</li>
<li class="li substep substepexpand">
<span class="ph cmd">From the drop box,
select the <var class="keyword varname">AES_CM_128</var> encryption algorithm.</span>
</li>
<li class="li substep substepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> selection, choose if unsecure <span class="ph uicontrol">T.38</span> is allowed with
RTP.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> <span class="ph uicontrol">T.38</span>
packets are never encrypted. The <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> setting makes it possible to use <span class="ph uicontrol">T.38</span>; otherwise
it will be rejected. If not using <span class="ph uicontrol">T.38</span> for faxing,
to avoid an impact on the number of simultaneous calls a Mediatrix
unit can handle in SRTP, set the <span class="keyword wintitle">Allow Unsecure T.38 with Secure RTP</span> parameter to <span class="keyword wintitle">No</span> and refer to
the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Standard+Fax+Configuration" target="_blank">Standard Fax Configuration</a>
document to disable <span class="ph uicontrol">T.38</span> Fax
Transmission.</div>
</div>
</li>
</ol>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">SRTP Preferences</span> table,</span>
<ol type="a" class="ol substeps" id="task_tqz_gct_ls__substeps_sg1_1qj_lpb">
<li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Mode When Sending Offer</span> drop
box, select the preferred mode.</span></li>
<li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Mode When Sending Answer</span>
drop box, select the preferred mode.</span></li>
<li class="li substep"><span class="ph cmd">From the <span class="keyword wintitle">Crypto Context Behavior</span> drop
box, select the preferred behavior.</span></li>
</ol>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For more information about the recommended <span class="keyword wintitle">SRTP Preferences</span>, please refer
to <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Setting+the+Security+Parameters+of+the+RTP+Stream#reference_fmk_ynh_npb" target="_blank">Recommended SRTP Preferences for a Typical VoIP Network</a> section of the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/Setting+the+Security+Parameters+of+the+RTP+Stream" target="_blank">Setting the Security Parameters of the RTP Stream</a> document.</div>
</div>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> For troubleshooting the SRTP interoperability, please refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/SRTP+Troubleshooting" target="_blank">SRTP Troubleshooting</a> document.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<p class="p">All new SIP exchanges will contain RTP/SAVP negotiation elements.</p>
<br><img class="image" id="task_tqz_gct_ls__image_pcj_vkf_ms" src="https://documentation.media5corp.com/download/attachments/45482024/Security_endpointDefault.png"><br>
</section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested1" aria-labelledby="ariaid-title12" id="unique_1876218993230372626">
<h2 class="title topictitle2" id="ariaid-title12">Enabling Secure Media (SRTP) on a Specific Endpoint</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>Encrypted/secure signaling must be configured.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Media</span>/<span class="keyword wintitle">Security</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Select Endpoint</span> selection list, choose an endpoint. </span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> The list of available endpoints will vary depending on the type of unit
being used.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">In the <span class="keyword wintitle">Security</span>
table, from the <span class="keyword wintitle">Mode</span>
drop box, select <span class="keyword wintitle">Secure</span> or <span class="keyword wintitle">Secure with fallback</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">From the <span class="keyword wintitle">Key Management Protocol</span> drop
box, select the protocol. </span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> Choosing <span class="keyword wintitle">SDES</span>
instead of <span class="keyword wintitle">MIKEY</span>
makes the SIP INVITEs slightly different. <span class="keyword wintitle">SDES</span> adds
an <samp class="ph msgph">a=crypto</samp> line to the SDP Media Attributes, whereas
<span class="keyword wintitle">MIKEY</span>
adds an <samp class="ph msgph">a=key-mgmt:mikey</samp> line to the SDP
Session Attributes. Both peers must use the same key management protocol; see Mikey and SDES Mismatch in the Troubleshooting section.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">From the
drop box, select the <var class="keyword varname">AES_CM_128</var> encryption algorithm.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<p class="p">All new SIP exchanges going through the specified endpoint will contain RTP/SAVP negotiation elements.</p>
<br><img class="image" id="unique_1876218993230372626__image_ppc_gnl_fhb" src="https://documentation.media5corp.com/download/attachments/45482024/Security_endpointSpecific.png"><br>
</section>
</div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic nested0 nobody" aria-labelledby="ariaid-title13" id="topic_title_Troubleshooting_d1e26">
<h1 class="title topictitle1" id="ariaid-title13">Troubleshooting</h1>
<article class="topic task nested1" aria-labelledby="ariaid-title14" id="task_mfv_4qf_ms">
<h2 class="title topictitle2" id="ariaid-title14">Enabling TLS Debugging on Wireshark</h2>
<div class="body taskbody">
<section class="section prereq"><div class="tasklabel"><strong class="sectiontitle tasklabel">Before you begin</strong></div>To configure Wireshark for TLS decryption, the private key associated with the
server certificate is needed to decrypt the TLS packets. Treat the exported key as the sensitive material it is: copy it only to a trusted analysis workstation and delete it once the capture has been analysed.</section>
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step stepexpand">
<span class="ph cmd">Go to <span class="keyword wintitle">Edit</span>/<span class="keyword wintitle">Preferences</span>. </span>
</li><li class="li step stepexpand">
<span class="ph cmd">Click + next to <span class="keyword wintitle">Protocols</span>.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Select <span class="keyword wintitle">SSL</span> (named <span class="keyword wintitle">TLS</span> in Wireshark 3.0 and later).</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Fill the <span class="keyword wintitle">RSA keys list</span>
field. </span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> The field specifies the binding between an IP address, a port, a protocol,
and an RSA decryption key. Enter the IP address of the server, the SIP TLS port (5061 by default),
the protocol (<samp class="ph msgph">sip</samp>), and the path to the file containing the server private key. Several such
bindings may be specified by separating them with a semi-colon
";".</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Start the Wireshark capture.</span>
<div class="itemgroup info">
<div class="note note note_note"><span class="note__title">Note:</span> Wireshark can only decrypt a session this way when the negotiated cipher suite uses RSA key exchange, because it recovers the premaster secret from the ClientKeyExchange message with the server private key. Sessions negotiated with Diffie-Hellman based ciphers (DHE, ECDH, ECDHE), and all TLS 1.3 sessions, cannot
be decrypted with the server private key; they require a (Pre)-Master-Secret log file from one of the endpoints instead.</div>
</div>
</li><li class="li step stepexpand">
<span class="ph cmd">Restart the SipEp service on the Mediatrix unit or restart the unit, so that a complete TLS handshake (including the ClientKeyExchange carrying the RSA-encrypted premaster secret) is captured. Sessions established before the capture started cannot be decrypted.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Once the unit is restarted and the "Ready" LED is lit on the
Mediatrix unit, stop the packet capture.</span>
</li><li class="li step stepexpand">
<span class="ph cmd">Apply the <samp class="ph msgph">ssl</samp> display filter (<samp class="ph msgph">tls</samp> in Wireshark 3.0 and later); the decrypted SIP messages
exchanged between the two endpoints should be shown. </span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_mfv_4qf_ms__image_evl_mhg_ms" src="https://documentation.media5corp.com/download/attachments/45482024/PacketCapture.png" width="800"><br>
</section>
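<p class="p">Added example, not from the Media5 document or from Wireshark: the following Python script parses a TLS ServerHello record and reports whether the RSA private key method described in this procedure can decrypt the session. It makes the note on Diffie-Hellman ciphers concrete: only cipher suites with RSA key exchange (for example TLS_RSA_WITH_AES_128_CBC_SHA) let the server key recover the premaster secret, while DHE/ECDHE suites and TLS 1.3 (which signals its version in the supported_versions extension) do not. The ServerHello records are constructed by the script's own helper, not captured from a Mediatrix unit; the cipher suite tables list only a handful of common IANA values.</p>

```python
"""Decide whether Wireshark's "RSA keys list" method can decrypt a TLS session.

Added example (not Media5 or Wireshark code). Parses a constructed ServerHello
record and classifies the negotiated cipher suite by key exchange.
"""
import struct
from typing import Dict, Tuple

# IANA cipher suite values, grouped by key exchange. Deliberately short lists.
RSA_KX_SUITES: Dict[int, str] = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
EPHEMERAL_KX_SUITES: Dict[int, str] = {
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
TLS13_SUITES: Dict[int, str] = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Extract the effective protocol version and cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:               # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack(">H", hs[0:2])[0]          # legacy_version
    pos = 2 + 32                                       # skip server random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cipher = struct.unpack(">H", hs[pos:pos + 2])[0]
    pos += 3                                           # cipher suite + compression method
    # TLS 1.3 keeps legacy_version at 0x0303 and announces 1.3 in supported_versions.
    if pos + 2 <= len(hs):
        ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack(">H", hs[pos:pos + 2])[0]
            pos += elen
    return {"version": version, "cipher_suite": cipher}


def rsa_key_decryptable(record: bytes) -> Tuple[bool, str]:
    """True only when the server RSA private key alone can recover the session keys."""
    info = parse_server_hello(record)
    version, suite = info["version"], info["cipher_suite"]
    if version >= 0x0304 or suite in TLS13_SUITES:
        return False, "TLS 1.3: key exchange is always ephemeral; use a (Pre)-Master-Secret log instead"
    if suite in EPHEMERAL_KX_SUITES:
        return False, f"{EPHEMERAL_KX_SUITES[suite]}: session key is not derived from an RSA-encrypted premaster secret"
    if suite in RSA_KX_SUITES:
        return True, f"{RSA_KX_SUITES[suite]}: the server RSA private key recovers the premaster secret"
    return False, f"unknown cipher suite 0x{suite:04x}"


def build_server_hello(version: int, cipher_suite: int, extensions: bytes = b"") -> bytes:
    """Construct a minimal ServerHello record (sample input, not a captured packet)."""
    hs = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    if extensions:
        hs += struct.pack(">H", len(extensions)) + extensions
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack(">H", 0x0303) + struct.pack(">H", len(body)) + body


# supported_versions extension selecting TLS 1.3 (0x0304).
SUPPORTED_VERSIONS_TLS13 = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 2) + struct.pack(">H", 0x0304)

if __name__ == "__main__":
    for label, rec in (("RSA kx, TLS 1.2", build_server_hello(0x0303, 0x002F)),
                       ("ECDHE kx, TLS 1.2", build_server_hello(0x0303, 0xC02F)),
                       ("TLS 1.3", build_server_hello(0x0303, 0x1301, SUPPORTED_VERSIONS_TLS13))):
        print(label, rsa_key_decryptable(rec))
```

<p class="p">When the script reports that the session is not decryptable with the server key, the practical alternative is to have the client or server write a (Pre)-Master-Secret log and point Wireshark at it, rather than exporting the server private key at all.</p>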
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title15" id="concept_ayr_rhg_ms">
<h2 class="title topictitle2" id="ariaid-title15">REGISTER Messages Not Being Answered</h2>
<div class="body conbody"><p class="shortdesc">TLS is enabled on one of the Mediatrix gateways but not on the second
gateway.</p>
<p class="p">Issue: The REGISTER requests from the second gateway are not answered. </p>
<p class="p">Reason: The proxy expects the SIP messages to be TLS encapsulated, so it does not answer a cleartext REGISTER. </p>
<p class="p">Procedure to solve the issue: Enable TLS on the second gateway and restart the required services. Restart the Wireshark capture to confirm that the REGISTER requests are now answered.</p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title16" id="concept_plg_gmg_ms">
<h2 class="title topictitle2" id="ariaid-title16">Server Internal Error (or Similar Messages)</h2>
<div class="body conbody"><p class="shortdesc">Some servers/proxies require Interop variables to be enabled.</p>
<p class="p">For example, the default openSIPS installation requires the SIP transport parameter (<samp class="ph msgph">;transport=tls</samp>) to be added to the Contact URI of the REGISTER
request and of the other requests; without it, the proxy does not know to reach the unit over TLS. </p>
</div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic task nested2" aria-labelledby="ariaid-title17" id="task_jfr_hgh_ms">
<h3 class="title topictitle3" id="ariaid-title17">Enabling Interop Variables</h3>
<div class="body taskbody">
<section><div class="tasklabel"><strong class="sectiontitle tasklabel">Steps</strong></div><ol class="ol steps"><li class="li step">
<span class="ph cmd">Go to <span class="keyword wintitle">SIP</span>/<span class="keyword wintitle">Transport</span>.</span>
</li><li class="li step">
<span class="ph cmd">In the <span class="keyword wintitle">General Configuration</span> table,
set the <span class="keyword wintitle">Add SIP Transport in Registration</span> and <span class="keyword wintitle">Add SIP Transport in Contact
Header</span> variables to <span class="keyword wintitle">Enable</span>.</span>
</li><li class="li step">
<span class="ph cmd">Click <span class="keyword wintitle">Apply</span>.</span>
</li></ol></section>
<section class="section result"><div class="tasklabel"><strong class="sectiontitle tasklabel">Result</strong></div>
<br><img class="image" id="task_jfr_hgh_ms__image_csf_mgh_ms" src="https://documentation.media5corp.com/download/attachments/45482024/GeneralConfiguration.png" width="800"><br>
</section>
</div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title18" id="concept_zcd_4pg_ms">
<h2 class="title topictitle2" id="ariaid-title18">Mikey and SDES Mismatch</h2>
<div class="body conbody"><p class="shortdesc">This section explains why it is highly recommended to use a single key
management protocol on both peers.</p>
<p class="p">In the following example, SDES is configured on endpoint 1 (192.168.120.30) and MIKEY on
endpoint 2 (192.168.120.12).</p>
<p class="p">The gateway 192.168.120.12 returns a <span class="keyword wintitle">SIP 415 Unsupported Media Type</span> error because it is not
configured to handle SDES and therefore cannot use the <samp class="ph msgph">a=crypto</samp> key material it received. </p>
<p class="p">The following Syslog message should also be seen:
<samp class="ph msgph">syslog: SdpTools [D3A2] Received the wrong key management protocol. Secure stream
disabled.</samp></p>
<br><img class="image" id="concept_zcd_4pg_ms__image_e1f_tqg_ms" src="https://documentation.media5corp.com/download/attachments/45482024/MickeyAndSDESMismatch.png" width="800"><br>
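<p class="p">As an added example (not Media5 code) covering both the SDES/MIKEY note in the SRTP procedure above and the mismatch described here, the following Python script parses an SDP body, reports which key management method each stream offers (<samp class="ph msgph">a=crypto</samp> at media level for SDES, <samp class="ph msgph">a=key-mgmt:mikey</samp> at session level for MIKEY), and flags offers that a peer configured for the other protocol would reject with 415. The two SDP bodies are constructed samples in the style of the endpoints above; the inline key and the MIKEY payload are placeholders, not real key material.</p>

```python
"""Classify the SRTP key-management method offered in an SDP body.

Added example, not Media5 code. SDES carries keys in an "a=crypto" media
attribute; MIKEY carries its message in an "a=key-mgmt:mikey" attribute,
which the DGW firmware places at session level. Sample SDP bodies are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed SDES offer, as endpoint 1 (192.168.120.30) would send it.
# The inline key is a placeholder, not real key material.
SDES_OFFER = """v=0
o=- 1 1 IN IP4 192.168.120.30
s=-
c=IN IP4 192.168.120.30
t=0 0
m=audio 5004 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=sendrecv
"""

# Constructed MIKEY offer, as endpoint 2 (192.168.120.12) would send it.
# The base64 MIKEY payload is a placeholder.
MIKEY_OFFER = """v=0
o=- 1 1 IN IP4 192.168.120.12
s=-
c=IN IP4 192.168.120.12
t=0 0
a=key-mgmt:mikey AQAFAHBsYWNlaG9sZGVyLW1pa2V5LW1lc3NhZ2U=
m=audio 5004 RTP/SAVP 0 8 101
a=rtpmap:0 PCMU/8000
a=sendrecv
"""


@dataclass
class SdpOffer:
    session_attrs: List[str] = field(default_factory=list)            # a= lines before the first m=
    media: List[Tuple[str, List[str]]] = field(default_factory=list)  # (m= line, its a= lines)


def parse_sdp(text: str) -> SdpOffer:
    """Split an SDP body into session-level attributes and per-media attribute lists."""
    offer = SdpOffer()
    current: Optional[Tuple[str, List[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            current = (line, [])
            offer.media.append(current)
        elif line.startswith("a="):
            if current is None:
                offer.session_attrs.append(line)
            else:
                current[1].append(line)
    return offer


def key_management(offer: SdpOffer) -> List[dict]:
    """Per media stream: transport profile and key-management method (SDES, MIKEY or None)."""
    session_mikey = any(a.startswith("a=key-mgmt:mikey") for a in offer.session_attrs)
    streams = []
    for mline, attrs in offer.media:
        fields = mline.split()
        profile = fields[2] if len(fields) > 2 else ""
        if any(a.startswith("a=crypto:") for a in attrs):
            method = "SDES"
        elif session_mikey or any(a.startswith("a=key-mgmt:mikey") for a in attrs):
            method = "MIKEY"
        else:
            method = None
        streams.append({"media": fields[0][2:], "profile": profile, "method": method})
    return streams


def check_offer(offer: SdpOffer, peer_method: str) -> List[str]:
    """One problem string per stream that a peer configured for peer_method cannot accept."""
    problems = []
    for s in key_management(offer):
        if s["profile"] == "RTP/SAVP" and s["method"] is None:
            problems.append(f"{s['media']}: RTP/SAVP offered without any key material")
        elif s["method"] == "SDES" and s["profile"] != "RTP/SAVP":
            problems.append(f"{s['media']}: a=crypto present but profile is {s['profile']}, stream would stay plain RTP")
        elif s["method"] and s["method"] != peer_method:
            problems.append(f"{s['media']}: offers {s['method']} but peer only handles {peer_method} "
                            "(expect 415 Unsupported Media Type)")
    return problems


if __name__ == "__main__":
    for name, body, peer in (("SDES offer -> MIKEY peer", SDES_OFFER, "MIKEY"),
                             ("MIKEY offer -> MIKEY peer", MIKEY_OFFER, "MIKEY")):
        offer = parse_sdp(body)
        print(name, key_management(offer), check_offer(offer, peer) or "OK")
```

<p class="p">Running the script against the INVITE bodies from a capture such as the one above shows at a glance which side is offering which protocol, which is quicker than reading the raw SDP when several media streams are involved.</p>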
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title19" id="unique_1550171977730517531">
<h2 class="title topictitle2" id="ariaid-title19">Audio Issues with Secured Media (SRTP)</h2>
<div class="body conbody"><p class="shortdesc">This section explains how to detect an audio issue with a Mediatrix gateway when the
media is secured with SRTP.</p>
<p class="p">In the following example, the two gateways have different <span class="keyword wintitle">SRTP Preferences</span> configurations. This situation
may be encountered when the SRTP behaviours of different SIP devices are not compatible.</p>
<p class="p">The gateway 192.168.121.5 is configured to keep the cryptographic elements across a renegotiation, while the
gateway 192.168.121.10 is configured to regenerate them.</p>
<p class="p">After some time, when the Mediatrix detects that the incoming SRTP stream cannot be decrypted,
it sends the following notification message: <samp class="ph msgph">Mipt: 1600-Media IP Transport: 110-The
call #### on endpoint XYZ detected an SRTP cryptographic error. The secured RTP stream is
not properly decoded.</samp></p>
<br><img class="image" src="https://documentation.media5corp.com/download/attachments/45482024/CaptureSrtpCryptoError.png" width="800"><br>
<p class="p">This audio issue occurred after the sequence number of one of the SRTP streams had rolled over,
leaving the SRTP cryptographic contexts of the two peers (in particular their rollover counters) desynchronised. The same event may also
happen when resuming a SIP call that was on hold.</p>
<div class="note note note_note"><span class="note__title">Note:</span> When an audio issue related to SRTP streams occurs, refer to the <a class="xref" href="https://documentation.media5corp.com/display/DGWLATEST/SRTP+Troubleshooting" target="_blank">SRTP Troubleshooting</a> document.</div>
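<p class="p">To make the rollover failure concrete, here is an added example (not Media5 code) that models the two SRTP contexts as RFC 3711 defines them: the packet index i = 2^16 * ROC + SEQ, the receiver's estimation of ROC from the highest sequence number it has seen, and the AES-CM IV derived from that index. While both peers track the rollover, their IVs agree; when one side regenerates its context (ROC back to 0) after the other side's ROC has already advanced, as in the hold/resume case above, every index and IV differs and the stream can no longer be decrypted. The SSRC and salt are constructed values, and IV equality stands in for the authentication-tag check that the real Mipt notification reflects.</p>

```python
"""Model SRTP packet-index estimation and the effect of a desynchronised ROC.

Added example, not Media5 code. Implements the index estimation of RFC 3711
section 3.3.1 and the AES-CM IV of section 4.1.1 with integers; no actual
encryption is performed. SSRC and salt below are constructed test values.
"""
from typing import List, Tuple

MASK_128 = (1 << 128) - 1
SSRC = 0xDEADBEEF                                  # constructed
SALT = 0x0102030405060708090A0B0C0D0E              # constructed 112-bit k_s


class SrtpContext:
    """Receiver-side cryptographic context: ROC, highest seq seen (s_l), SSRC, salt."""

    def __init__(self, ssrc: int, salt: int, roc: int = 0):
        self.ssrc, self.salt, self.roc, self.s_l = ssrc, salt, roc, None

    def estimate_index(self, seq: int) -> Tuple[int, int]:
        """RFC 3711 3.3.1: choose the ROC value v that puts seq closest to s_l."""
        if self.s_l is None:                       # first packet: trust current ROC
            v = self.roc
        elif self.s_l < 32768:
            v = (self.roc - 1) % (1 << 32) if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) % (1 << 32) if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def commit(self, seq: int, v: int) -> None:
        """Update ROC and s_l only after the packet authenticated (3.3.1 step 3)."""
        if v == (self.roc + 1) % (1 << 32):
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq

    def aes_cm_iv(self, index: int) -> int:
        """RFC 3711 4.1.1: IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)."""
        return ((self.salt << 16) ^ (self.ssrc << 64) ^ (index << 16)) & MASK_128


class Sender:
    """Sender side: knows its own ROC exactly and bumps it on every 16-bit wrap."""

    def __init__(self, ssrc: int, salt: int):
        self.ctx = SrtpContext(ssrc, salt)
        self.last_seq = None

    def send(self, seq: int) -> Tuple[int, int]:
        if self.last_seq is not None and seq < self.last_seq:
            self.ctx.roc += 1
        self.last_seq = seq
        index = (self.ctx.roc << 16) | seq
        return index, self.ctx.aes_cm_iv(index)


def run_stream(sender: Sender, receiver: SrtpContext, seqs: List[int]) -> List[Tuple[int, int, int, bool]]:
    """Per packet: (seq, sender index, receiver index, receiver derived the same IV)."""
    out = []
    for seq in seqs:
        s_idx, s_iv = sender.send(seq)
        v, r_idx = receiver.estimate_index(seq)
        ok = receiver.aes_cm_iv(r_idx) == s_iv       # stands in for "auth tag verified"
        if ok:
            receiver.commit(seq, v)
        out.append((seq, s_idx, r_idx, ok))
    return out


def rollover_in_sync() -> List[Tuple[int, int, int, bool]]:
    """Both peers keep their context across the 65535 -> 0 wrap: indices stay aligned."""
    return run_stream(Sender(SSRC, SALT), SrtpContext(SSRC, SALT), [65533, 65534, 65535, 0, 1, 2])


def desync_after_context_reset() -> List[Tuple[int, int, int, bool]]:
    """Receiver regenerates its context (ROC = 0) after the sender's ROC reached 1."""
    sender = Sender(SSRC, SALT)
    run_stream(sender, SrtpContext(SSRC, SALT), [65534, 65535, 0, 1])   # sender ROC is now 1
    fresh = SrtpContext(SSRC, SALT)                                     # regenerated context
    return run_stream(sender, fresh, [2, 3])


if __name__ == "__main__":
    print("in sync:", rollover_in_sync())
    print("after reset:", desync_after_context_reset())
```

<p class="p">The second scenario is exactly what a Wireshark capture cannot show: the RTP headers of both peers look identical (same SSRC, same sequence numbers), yet one side derives its keystream from index 2 and the other from index 65538, so every packet fails the SRTP authentication check until the contexts are realigned by a new key negotiation.</p>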
</div>
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title20" id="reference_nvm_vqg_ms">
<h1 class="title topictitle1" id="ariaid-title20">Annexes</h1>
<div class="body refbody">
<section class="section"><h2 class="title sectiontitle">Mediatrix Support Portal</h2><a class="xref" href="http://www.media5corp.com/support-portal" target="_blank">http://www.media5corp.com/support-portal</a></section>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic reference nested0" aria-labelledby="ariaid-title21" id="reference_j4g_nbv_gfb">
<h1 class="title topictitle1" id="ariaid-title21">Online Help</h1>
<p class="shortdesc"><span class="ph">If you are not familiar with the meaning of the fields and
buttons, click <span class="keyword wintitle">Show Help</span>, located at the upper right corner of
the Web page. When activated, the fields and buttons that offer online help
change to green, and if you hover over them, the description is displayed.</span></p>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title22" id="concept_v4k_q3h_1r">
<h1 class="title topictitle1" id="ariaid-title22">DGW Documentation</h1>
<div class="body conbody"><p class="shortdesc">Mediatrix devices are supplied with an exhaustive set of documentation. </p>
<p class="p">Mediatrix user documentation is available on the <a class="xref" href="http://documentation.media5corp.com" target="_blank">Media5 Documentation
Portal</a>.</p>
<div class="p">Several types of documents were created to clearly present the information you are looking for.
Our documentation includes:<ul class="ul" id="concept_v4k_q3h_1r__ul_bqy_cjh_1r">
<li class="li"><strong class="ph b">Release notes</strong>: Generated at each GA release, this document includes the known and
solved issues of the software. It also outlines the changes and the new features the release
includes.</li>
<li class="li"><strong class="ph b">Configuration notes</strong>: These documents are created to facilitate the configuration of a
specific use case. They address a configuration aspect that we consider most users will need to
perform; in some cases, a configuration note is created after receiving a question
from a customer. They provide standard step-by-step procedures detailing the values of the
parameters to use, a means of validation, and some conceptual information.
The configuration notes are specifically created to guide the user through an aspect of the
configuration. </li>
<li class="li"><strong class="ph b">Technical bulletins</strong>: These documents are created to facilitate the configuration of a
specific technical action, such as performing a firmware upgrade.</li>
<li class="li"><strong class="ph b">Hardware installation guide</strong>: This document provides the detailed procedure on how to safely and
adequately install the unit. It covers card installation, cable connections,
and how to access the Management interface for the first time.</li>
<li class="li"><strong class="ph b">User guide</strong>: The user guide explains how to customise the configuration
of the unit to your needs. Although this document is task oriented, it provides conceptual information to
help the user understand the purpose and impact of each task. The User Guide provides
information such as where and how TR-069 can be configured in the Management Interface, how to
set firewalls, or how to use the CLI to configure parameters that are not available in the
Management Interface.</li>
<li class="li"><strong class="ph b">Reference guide</strong>: This exhaustive document has been created for advanced users. It
includes a description of all the parameters used by all the services of the Mediatrix units.
You will find, for example, scripts to configure a specific parameter, notification messages
sent by a service, or an action description used to create Rulesets. This document includes
reference information such as a dictionary, and it does not include any step-by-step
procedures. </li>
</ul></div>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title23" id="concept_fqm_rv4_k4">
<h1 class="title topictitle1" id="ariaid-title23">Copyright Notice</h1>
<div class="body conbody"><p class="shortdesc">Copyright © 2023 Media5 Corporation.</p>
<p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.</p>
<p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or
changes.</p>
</div>
</article></article></main></body></html>