SRTP and TLS
After the endpoints (IP Phones) are secure, CUCM can establish TLS with the endpoints, and the endpoints can negotiate SRTP among themselves. Cisco voice gateways also support encryption as follows:
- MGCP gateway with SRTP package and IPsec tunnel to CUCM (or default gateway device for CUCM). IPsec protects the signaling, which MGCP sends in clear text by default.
- H.323 gateway with certificates exchanged with CUCM for SRTP and IPsec for protecting signaling.
- SIP gateway with secure SIP trunk leveraging TLS to protect signaling.
Figure 5-6 shows the TLS signaling and SRTP media flows among CUCM, endpoints, and gateways.
Figure 5-6 TLS and SRTP Call Flow Between CUCM, Endpoints, and Gateways
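The SIP gateway case above pairs SRTP media with TLS-protected signaling. The following added example (not from the original text or from Cisco) audits a SIP INVITE for that pairing. It assumes SDP security descriptions (the `a=crypto` attribute of RFC 4568) carry the SRTP key, and the sample messages, addresses, finding names and the `audit_invite` helper are constructed for illustration.

```python
import re

def _invite(transport, profile, crypto):
    """Build a constructed SIP INVITE (sample data, not captured traffic)."""
    lines = [
        "INVITE sip:2001@198.51.100.10 SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.20;branch=z9hG4bK-constructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        f"m=audio 16384 {profile} 0",
    ]
    if crypto:  # placeholder key material, not a real SRTP master key
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:CONSTRUCTED-PLACEHOLDER-KEY")
    return "\r\n".join(lines) + "\r\n"

SECURE = _invite("TLS", "RTP/SAVP", True)        # TLS signaling + SRTP media
KEY_IN_CLEAR = _invite("UDP", "RTP/SAVP", True)  # SRTP offered, key sent unprotected
NO_SRTP = _invite("TLS", "RTP/AVP", False)       # TLS signaling, plain RTP media

SRTP_PROFILES = ("RTP/SAVP", "RTP/SAVPF")

def audit_invite(message):
    """Return findings for one SIP message with an SDP body (empty list = OK)."""
    head, _, sdp = message.partition("\r\n\r\n")
    # The topmost Via header names the transport used on the most recent hop.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    profiles = re.findall(r"^m=audio \d+ (\S+)", sdp, re.M)
    has_crypto = bool(re.search(r"^a=crypto:", sdp, re.M))

    findings = []
    if any(p not in SRTP_PROFILES for p in profiles):
        findings.append("media-not-srtp")
    if any(p in SRTP_PROFILES for p in profiles) and not has_crypto:
        findings.append("srtp-without-key")
    # An a=crypto line carries the SRTP master key, so anyone who can read
    # the signaling can decrypt the media unless the hop is protected.
    if has_crypto and transport != "TLS":
        findings.append("srtp-key-in-cleartext-signaling")
    return findings

if __name__ == "__main__":
    for name, msg in (("secure", SECURE), ("key-in-clear", KEY_IN_CLEAR),
                      ("no-srtp", NO_SRTP)):
        print(name, audit_invite(msg) or "ok")
```

The check applies to the SIP leg only; on MGCP and H.323 gateways the signaling is protected by IPsec, which is not visible in the message itself.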