18.3.3.2. SPE for IP Trunking 
IMPORTANT:
Depending on the gateway and the trunk type, various
payload encryptions are possible for IP trunking (see Table
1, “Signaling and payload encryption (IP environment)”).
IMPORTANT:
Activation / Deactivation of SPE for IP trunking
requires a restart of the board.
The following steps have to be performed:
- Configuring the trunk
-
The AMO TDCSU is used for basic trunk configuration:CHANGE-TDCSU:PEN=<port equipment number>,SECLEVEL=<security_level>;Security level (SECLEVEL) can feature the following values:TRADITIO:Nonsecure trunkDefault value for TDM trunksSTANDARDSRTP (payload encryption) is not supported, only signaling encryption (TLS-secured)SECUREFull encryption (SRTP + TLS-secured)Default value for IP trunksEXTSECUR :This trunk is encrypted by a mechanism (such as VPN) that is different from this feature. This trunk is therefore treated by call processing as "fully encrypted" but not encrypted by OpenScape 4000. The other side of the trunk must also be an OpenScape 4000 configured as EXTSECUR.
IMPORTANT:
The same security level will be set for all trunks associated with a board. -
Configuring the gateway
CHANGE-GKREG:GWNO:=<gateway_number>,SECLEVEL=<SECURITY_level>;Configuring the internal (local) gateway (INTGW)The security level of the internal gateway is set via AMO TDCSU (with the command
CHANGE-TDCSU). With AMO GKREG you can only display the actual security level but can't modify it. To modify the security level use AMO TDCSU.If the security level configured with the AMO TDCSU is not displayed for the internal gateway in AMO GKREG, this could be because:- SPE is not active (check with AMO ZANDE) or
- certificates are not available, faulty or expired (for more information, refer to the WBM/DLS and AMO HISTA, AMO BCSU, AMO SDSU).
AMO BCSUDetailed information can be found in AMO BCSU with the commandDISPLAY-BCSU:TYPE=TBL,LTG=<ltg>,LTU=<ltu>,SLOT=<slot>;in the SECURITY STATUS section.AMO SDSUDetailed information can be found in AMO SDSU with the commandDISP-SDSU;. Refer to SECURITY LEVEL in the output.<DISPLAY-SDSU:STATUS=ALL,TYPE=PEN,LEVEL=PER3,LTG=1,LTU=1,SLOT=14; DISPLAY-SDSU:STATUS=ALL,TYPE=PEN,LEVEL=PER3,LTG=1,LTU=1,SLOT=14; H500: AMO SDSU STARTED LTG1 (PERIPHERY) ------ MOUNTING LOCATION MODULE NAME BDL BD(#=ACT) STATUS ------------------- LTG 1 --------------------- READY -AP370013-----SG 1 LTU 1 --------------------- READY ** .LTG 1.LTU 1.014 STMI4 A Q2324-X510 READY LAN CONN. . . . . . . . . . . READY LINK SIGNAL ETHERNET . . . . PRESENT LAN SPEED . . . . . . . . . 100 MBIT/S LAN INTERFACE . . . . . . . . FDX (FULL DUPLEX) CCT FUNCTION BLOCK 0 HG3570_2 1 - 2 HG3550_2 3 - 12 HG3530_2 13 - 22 HG3540_2 CCT LINE STNO SI BUS TYPE 001 2401 PP NW READY MULTLINE 10 . . . . . . . . . . . . . .READY 000 NO CONN 001 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 002 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 003 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 004 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 005 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 006 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 007 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 008 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 009 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 010 NETWORK SUBUNIT . TMD CONN ISDN READY (ALT_ROUT: N) (HG3550IP) LINE: 2401 STNO: SI: 001 . . . . . . . . TMD CONN ISDN READY 011 NO CONN 012 NO CONN 013 NO CONN 014 NO CONN 015 NO CONN 016 NO CONN 017 NO CONN 018 NO CONN 019 NO CONN 020 NO CONN 021 NO CONN 022 NO CONN 023 NO CONN 024 NO CONN 025 NO CONN 026 NO CONN 027 NO CONN 028 NO CONN 029 NO CONN 030 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "SECURE" CCT LINE STNO SI BUS TYPE 002 2402 NOGEN 003 2403 OPTI ONLY READY MULTLINE 8. . . . . . . . . . . . . . .READY 000 NO CONN 001 SUBUNIT . . . . . DIGITE MAIN READY (ALT_ROUT: N) (OPTIIP ) LINE: 2470 STNO: 24054 SI:VCE 001 . . . . . . . . DIGITE SUB A READY 002 . . . . . . . . DIGITE SUB A READY 003 . . . . . . . . DIGITE SUB C READY 002 NO CONN 003 NO CONN 004 NO CONN 005 NO CONN 006 NO CONN 007 NO CONN 008 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "TRADITIO" CCT LINE STNO SI BUS TYPE 004 2404 OPTI ONLY READY MULTLINE 8. . . . . . . . . . . . . . .READY 000 NO CONN 001 SUBUNIT . . . . . DIGITE MAIN READY (ALT_ROUT: N) (OPTIIP ) LINE: 2471 STNO: 24055 SI:VCE 001 . . . . . . . . DIGITE SUB A READY 002 . . . . . . . . DIGITE SUB A READY 003 . . . . . . . . DIGITE SUB C READY 002 NO CONN 003 NO CONN 004 NO CONN 005 NO CONN 006 NO CONN 007 NO CONN 008 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "CIPHER" (ACT.) "CIPHER" CCT LINE STNO SI BUS TYPE 005 2405 OPTI ONLY READY MULTLINE 8. . . . . . . . . . . . . . .READY 000 NO CONN 001 SUBUNIT . . . . . DIGITE MAIN READY (ALT_ROUT: N) (OPTIIP ) LINE: 2472 STNO: 24056 SI:VCE 001 . . . . . . . . DIGITE SUB A READY 002 . . . . . . . . DIGITE SUB A READY 003 . . . . . . . . DIGITE SUB C READY 002 NO CONN 003 NO CONN 004 NO CONN 005 NO CONN 006 NO CONN 007 NO CONN 008 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "SECURE" CCT LINE STNO SI BUS TYPE 006 2406 OPTI ONLY READY MULTLINE 8. . . . . . . . . . . . . . .READY 000 NO CONN 001 SUBUNIT . . . . . DIGITE MAIN TRS (ALT_ROUT: N) (OPTIIP ) LINE: 2193 STNO: 24057 SI:VCE 001 . . . . . . . . DIGITE SUB A UNACH 002 . . . . . . . . DIGITE SUB A UNACH 003 . . . . . . . . DIGITE SUB C UNACH 002 NO CONN 003 NO CONN 004 NO CONN 005 NO CONN 006 NO CONN 007 NO CONN 008 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "UNKNOWN" CCT LINE STNO SI BUS TYPE 007 2407 OPTI ONLY READY MULTLINE 8. . . . . . . . . . . . . . .READY 000 NO CONN 001 SUBUNIT . . . . . DIGITE MAIN TRS (ALT_ROUT: N) (OPTIIP ) LINE: 2436 STNO: 24058 SI:VCE 001 . . . . . . . . DIGITE SUB A UNACH 002 . . . . . . . . DIGITE SUB A UNACH 003 . . . . . . . . DIGITE SUB C UNACH 002 NO CONN 003 NO CONN 004 NO CONN 005 NO CONN 006 NO CONN 007 NO CONN 008 NO CONN SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "UNKNOWN" CCT LINE STNO SI BUS TYPE 008 2408 NOGEN 009 2409 NOGEN 010 2410 NOGEN 011 2411 NOGEN 012 2412 NOGEN 013 2413 PP S0 READY ELEM DEV. . . . . . SB FCT TERM READY (ALT_ROUT: N) (S0PP ) LINE: 2413 STNO: 24060 SI:VCE SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "TRADITIO" CCT LINE STNO SI BUS TYPE 014 2414 PP S0 READY ELEM DEV. . . . . . SB FCT TERM READY (ALT_ROUT: N) (S0PP ) LINE: 2414 STNO: 24061 SI:VCE SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "UNKNOWN" CCT LINE STNO SI BUS TYPE 015 2415 NOGEN 016 2416 NOGEN 017 2417 NOGEN 018 2418 NOGEN 019 2419 NOGEN 020 2420 PP S0 READY ELEM DEV. . . . . . SB FCT TERM READY (ALT_ROUT: N) (S0PP ) LINE: 2420 STNO: 24067 SI:VCE SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "UNKNOWN" CCT LINE STNO SI BUS TYPE 021 2421 PP S0 READY ELEM DEV. . . . . . SB FCT TERM READY (ALT_ROUT: N) (S0PP ) LINE: 2421 STNO: 24068 SI:VCE SECURITY LEVEL . . . . . . . (CONF.) "SECURE" (ACT.) "UNKNOWN" CCT LINE STNO SI BUS TYPE 022 2422 NOGEN
- SPE is not active (check with AMO ZANDE) or
- Security parameters of SIP trunk profile
A SIP trunk profile can be activated for SIP-Q trunks and must be activated
for native SIP trunks (see “SIP Connectivity > Section 3.3,
“SIP Trunk Profiles””).
- SIP-Q trunk profile
-
If a SIP-Q trunk profile is used, RTP security mode can be configured in vHG 3500.WBM > Configuration > Voice Gateway > SIP Trunk Profiles > Select Profile > EditThe default value is secure Payload (MIKEY) with fallback to insecure.
SIP trunk profile, SIP-Q, security parameters - Native SIP trunk profile
-
For native SIP trunks only SDES as payload encryption mode is supported, if payload encryption is released for the trunk partner. The payload encryption mode cannot be configured. Because SDES is not supported on STMI boards, no payload encryption is possible.