What prompts this article is the recent feature enhancement from VOIP.MS namely the opportunity to provide encryption on the signaling and voice traffic for VOIP calls through VOIP.MS (VOIP.MS wiki article). To do this, you configure both ends of a SIP trunk for encryption. At the server end, this requires just one mouse click. But at the client end, you have to figure out how to configure the client device accordingly so that both the signaling traffic and the voice traffic will get encrypted in cooperation with the VOIP.MS server. The steps to do this would, of course, be different depending upon the particular client device being used.
This article focuses on the Cisco SPA122 Analog Telephone Adapter. (The instructions provided here would apply mutatis mutandis to the single-line SPA112 ATA.)
The SPA122 is a widely used and extremely reliable two-line VOIP telephone adapter. Until now you might have been using an SAP122 to provide one or two analog telephone lines from VOIP.MS service. Such a connection would have used UDP (not TCP and not TLS) for the SIP signaling, and thus would have been at risk of eavesdropping. Likewise such a connection would not have used SRTP for the voice traffic, and thus would have been at risk of eavesdropping for that traffic as well.
Now comes the opportunity to encrypt both the signaling traffic and the voice traffic with your VOIP.MS service. This article assumes several things:
- You are familiar with the VOIP.MS wiki article about the new encrypted SIP traffic feature (in beta test).
- You already know how to configure the SIP trunk at the server end for TLS/SRTP (click on advanced options, select “yes” for “encrypted SIP traffic”).
- You already know that if the POP you were using did not contain a numerical digit, you are going to have to insert a numerical digit or switch to a POP in that city that has a numerical digit.
- You already know how to log into the administrative interface of your Cisco SPA122 ATA.
- You have already configured one or both lines of the ATA to connect via SIP trunks to VOIP.MS POPs
- You have already tested the connections through the SIP trunks for incoming and/or outgoing calls as appropriate and you already know that they work just fine.
- Each telephone line in the ATA that is connected to a VOIP.MS trunk shows a status of “registered” in the ATA.
- Each SIP trunk shows a status of registered in the registration status screens of VOIP.MS.
With all of these assumptions in place, it will be appreciated that all that you really need to accomplish is turning on TLS for the SIP connection, and turning on SRTP. It is easy enough, in the administrative interface of the Cisco ATA, to figure out how to change the SIP signaling from UDP to TLS. Having figured this out, you might think that it would be an easy matter to click around in the administrative interface of the Cisco ATA to figure out how to turn on SRTP. If so, you would be wrong. The four-letter string “SRTP” appears nowhere in any of the configuration screens of the Cisco ATA.
This article explains how to do this with the Cisco SPA122.
I will describe how to update the Line-1 connection in the ATA, and corresponding steps can be used to update the Line-2 connection in the ATA. (Likewise similar steps can be used in the one-line ATA called the SPA112.)
In the ATA, log in at the administrative interface, and go to voice/line1/SIP-settings:
- Change the SIP Transport from UDP to TLS
- Change the SIP port to 5061 (I am not actually sure if this is needed)
- Change the EXT SIP port to 5061
Go to voice/line1/proxy-and-registration and look at “proxy”. If it contains a numerical digit, no action required. If it does not, change it to a POP that contains a numerical digit (see the VOIP.MS wiki article). If you make a change, you may need to make a corresponding change at VOIP.MS in the relevant DID function such as a DID or ring group.
Go to voice/line1/Supplementary-Service-Subscription. Check that “secure call serv” is set to “yes” (this is the default).
Click “submit”. You will have to wait a minute or two for the ATA to reboot.
Now go into voice/user1. Go to “secure call setting” where the default value is “no”. Change it to “yes”. (This is Cisco’s way of saying SRTP is required.)
Click “submit”. This will not require a reboot so it will not take as long. You may only have to wait thirty seconds or so for the ATA to return to an administrative screen.
Now at the VOIP.MS account or subaccount, configure for “encrypted SIP traffic”. This only requires one mouse click!
Now check the registration status at VOIP.MS which should be green with a padlock icon indicating a secure connection. And check the registration status in the ATA which should say “registered”.
Place incoming and outgoing test calls at the ATA as appropriate.