- Mediant 2000 & TP-1610 & TP-260/UNI SIP User’s Manual Version 5.0

Mediant 2000 & TP-1610 & TP-260
SIP User's Manual 282 Document #: LTRT-68805
13.1.1 IKE
IKE is used to obtain the Security Associations (SA) between peers (the gateway and the
application it’s trying to contact). The SA contains the encryption keys and the profile
that IPSec uses to encrypt the IP stream. The IKE table lists the IKE peers with which the
gateway performs the IKE negotiation (up to 20 peers are available).
The IKE negotiation is separated into two phases: main mode and quick mode. The main
mode employs the Diffie-Hellman (DH) protocol to obtain an encryption key (without any
prior keys), and uses a pre-shared key to authenticate the peers. The created channel
secures the messages of the following phase (quick mode) in which the IPSec SA
properties are negotiated.
The IKE negotiation is as follows:
• Main mode (the main mode creates a secured channel for the quick mode)
  • SA negotiation – The peers negotiate their capabilities using four proposals. Each proposal includes three parameters: Encryption method, Authentication protocol and the length of the key created by the DH protocol. The key’s lifetime is also negotiated in this stage. For detailed information on configuring the main mode proposals, refer to Section 13.1.3.1 on page 283.
  • Key exchange (DH) – The DH protocol is used to create a phase-1 key.
  • Authentication – The two peers authenticate one another using the pre-shared key (configured by the parameter ‘IKEPolicySharedKey’).
• Quick mode (quick mode negotiation is secured by the phase-1 SA)
  • SA negotiation – The peers negotiate their capabilities using four proposals. Each proposal includes two parameters: Encryption method and Authentication protocol. The lifetime is also negotiated in this stage. For detailed information on configuring the quick mode proposals, refer to the SPD table under Section 13.1.3.2 on page 286.
  • Key exchange – A symmetrical key is created using the negotiated SA.
IKE Specifications:
• Authentication mode - pre-shared key only
• Main mode is supported for IKE Phase 1
• Supported IKE SA encryption algorithms - Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES)
• Hash types for IKE SA - SHA1 and MD5
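The following Python sketch is an added example, not part of the manual or of the gateway's software. It audits a main-mode proposal list for the weakest algorithms the specification above allows (DES, MD5) and shows what a permissive list negotiates with a peer that accepts only those. The DH key lengths, the proposal lists and the selection rule (first offered proposal the peer also accepts) are assumptions made for illustration.

```python
from typing import NamedTuple, Optional, Sequence

class Proposal(NamedTuple):
    encryption: str   # DES, 3DES or AES (the algorithms the manual lists)
    auth: str         # SHA1 or MD5
    dh_bits: int      # length of the key created by DH (values are constructed)

# Weakest options among those the manual lists as supported.
WEAK = {"DES": "56-bit key", "MD5": "deprecated hash"}

def audit(offered: Sequence[Proposal]) -> list:
    """Return (slot, algorithm, reason) for every weak choice in the list."""
    if len(offered) > 4:
        raise ValueError("main mode uses four proposals")
    findings = []
    for slot, p in enumerate(offered, start=1):
        for alg in (p.encryption, p.auth):
            if alg in WEAK:
                findings.append((slot, alg, WEAK[alg]))
    return findings

def negotiate(offered, peer_accepts) -> Optional[Proposal]:
    """Assumed selection rule: first offered proposal the peer also accepts."""
    return next((p for p in offered if p in peer_accepts), None)

# Constructed lists: a permissive one with a DES/MD5 fallback in slot 4,
# and the same list with every flagged proposal removed.
PERMISSIVE = [Proposal("AES", "SHA1", 1024), Proposal("3DES", "SHA1", 1024),
              Proposal("3DES", "MD5", 1024), Proposal("DES", "MD5", 768)]
HARDENED = [p for p in PERMISSIVE if not audit([p])]

# Constructed peer that accepts only the weakest combination.
LEGACY_PEER = {Proposal("DES", "MD5", 768)}

if __name__ == "__main__":
    print(audit(PERMISSIVE))
    print(negotiate(PERMISSIVE, LEGACY_PEER))  # falls back to DES/MD5
    print(negotiate(HARDENED, LEGACY_PEER))    # no SA rather than a weak one
```

With the hardened list the negotiation fails outright instead of settling on DES/MD5, which is the behaviour to aim for when every configured peer supports AES or 3DES with SHA1.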
13.1.2 IPSec
IPSec is responsible for encrypting and decrypting the IP streams.
The IPSec Security Policy Database (SPD) table defines up to 20 IP peers to which
IPSec security is applied. IPSec can be applied to all packets destined for a specific IP
address, or only to packets for a specific IP address, port (source or destination) and protocol type.
Each outgoing packet is analyzed and compared to the SPD table. The packet's
destination IP address (and optionally, destination port, source port and protocol type) are
compared to each entry in the table. If a match is found, the gateway checks if an SA
already exists for this entry. If it doesn’t, the IKE protocol is invoked (refer to Section
13.1.1 above) and an IPSec SA is established. The packet is encrypted and transmitted. If a
match isn’t found, the packet is transmitted un-encrypted.
Note: An incoming packet whose parameters match one of the entries of the SPD
table but which is received un-encrypted is dropped.
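The packet handling described in this section can be modelled in a few lines. The Python below is an added example, not the gateway's code: the class and field names are hypothetical, the IKE negotiation is reduced to a counter, and inbound packets are assumed to be matched on their source address. It shows a consequence of narrow SPD entries that is easy to miss: traffic to the same peer that falls outside the entry's port and protocol is sent in the clear.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:                      # one row of the SPD table (field names assumed)
    peer_ip: str
    dst_port: Optional[int] = None   # None = not configured, matches any value
    src_port: Optional[int] = None
    protocol: Optional[str] = None

@dataclass(frozen=True)
class Packet:
    remote_ip: str                   # destination if outgoing, source if incoming
    src_port: int
    dst_port: int
    protocol: str
    encrypted: bool = False

class Gateway:
    def __init__(self, spd):
        if len(spd) > 20:            # the SPD table defines up to 20 peers
            raise ValueError("SPD table holds at most 20 entries")
        self.spd = list(spd)
        self.sas = set()             # entries that already have an IPSec SA
        self.ike_runs = 0            # how many times IKE had to be invoked

    def match(self, pkt):
        for e in self.spd:           # first matching entry wins
            if (e.peer_ip == pkt.remote_ip
                    and e.dst_port in (None, pkt.dst_port)
                    and e.src_port in (None, pkt.src_port)
                    and e.protocol in (None, pkt.protocol)):
                return e
        return None

    def outgoing(self, pkt):
        entry = self.match(pkt)
        if entry is None:
            return "sent-clear"      # no policy: transmitted un-encrypted
        if entry not in self.sas:
            self.ike_runs += 1       # placeholder for the IKE negotiation
            self.sas.add(entry)
        return "sent-encrypted"

    def incoming(self, pkt):
        if self.match(pkt) is not None and not pkt.encrypted:
            return "dropped"         # policy exists but packet arrived in clear
        return "accepted"

# Constructed policy: protect only UDP port 5060 to one peer.
GW = Gateway([SpdEntry("10.0.0.5", dst_port=5060, protocol="udp")])
```

With this constructed policy, `GW.outgoing(Packet("10.0.0.5", 6000, 6002, "udp"))` returns `"sent-clear"`: media to the protected peer is not covered unless the entry is widened to the whole IP address or a second entry is added.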