How to configure TLS and SRTP on VOIPnow and Grandstream Phones

Secure SIP protects SIP messages by encrypting them over a TLS (Transport Layer Security) channel using a security certificate. Secure RTP (Real-time Transport Protocol) provides encryption, message a

Important Notes / Requirements

  • Access to VOIPnow

  • Access to Grandstream Phones

Your phone should support the crypto standard; otherwise, calls will not work. Fax is not supported on encrypted connections.

What is TLS/SRTP?

TLS is a cryptographic protocol that encrypts SIP messages sent by a softphone, IP phone, or PBX.

This protocol offers a series of advantages as follows:

  • with TLS enabled, SIP messages cannot be intercepted, read, or altered by intruding parties;

  • being a recognized secure standard, TLS makes it possible to unlock VoIP on many mobile networks around the world where it is blocked by default (especially in more strictly regulated jurisdictions, for example in Gulf states);

  • adopting TLS can also help bypass Network Address Translation issues that often arise on 3G/LTE networks.

SRTP is another cryptographic protocol that encrypts the audio stream (RTP media) between the regional gateway and the Unified Communication platform or the IP-PBX. The result is that no party can intercept, read, and alter the audio stream during the call.

Why do we need to enable the TLS/SRTP protocol?

In this age of privacy concerns and alleged snooping, you wouldn’t access your bank over plain old HTTP or send credit card details in an email, for obvious reasons. That's why, in VoIPNow, we strongly recommend that you enable TLS/SRTP between VoIPNow and your equipment, so that all packets (SIP messages and media packets) are secured.

How do I enable SRTP in VoIPNow?

You can enable SRTP encryption on any Phone Terminal Extension within VoIPNow fairly easily. Keep in mind that you need to ensure the phone actually supports that cryptographic standard; otherwise, your calls may fail to route.

Follow the steps below to enable SRTP in VoIPNow.

Configuration Steps

  1. Log in to your VOIPnow

  2. Navigate to the User/Extension for which you want to enable TLS/SRTP encryption, then go to “SIP preferences”

  3. Change the Media encryption to “SDES/DTLS-SRTP”

The configuration in VOIPnow is now completed.

Next, we will configure the IP phone. In this example, we will be using a Grandstream GXP2170.

Note: This TLS/SRTP encryption was also tested on GRP phones (models GRP2615 and GRP2613).

If you are using GRP phones, there is no need to follow Steps 5 and 6, since the setting is Unlimited by default.

Configuring TLS/SRTP on a Grandstream GXP2170

For this example, we will be using a Grandstream GXP2170, but the general concept is the same for the majority of SIP-based IP phones. This assumes they support the cryptographic standard selected in VoIPNow.

Follow the steps below to configure the GXP2170 with TLS/SRTP.

Configuration Steps

  1. Log in to the Grandstream phone where the extension was registered

  2. Navigate to Accounts > Account 1 > SIP Settings > Basic settings

  3. Change the SIP Transport parameter from “UDP” to “TLS/TCP” to activate the TLS protocol, then apply changes

  4. Navigate to Audio Settings and change the SRTP Mode from “No” to “Enabled and Forced” to activate the SRTP protocol, then apply changes

  5. Navigate to Maintenance > Security Settings > Security

  6. Change the “Minimum TLS Version” from TLS 1.1 to TLS 1.0, then apply changes

Congratulations! You have successfully configured both VOIPnow and the Grandstream phone to use the TLS/SRTP protocols for encryption.

Make sure to do an inbound/outbound test call from the phone as well to confirm everything is working smoothly. Some phones may require slightly different configuration settings.
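A test call that connects does not by itself show that encryption was negotiated. The following is an added example, not part of the original article or of VOIPnow or Grandstream software: it reads one SIP message (assumed to come from a signalling trace or debug log you have access to) and reports whether the Via transport is TLS and whether each media stream in the SDP is keyed for SDES-SRTP or DTLS-SRTP. The sample message, host name, addresses and key are constructed.

```python
import re

# Constructed sample, not a real capture: an INVITE sent over TLS offering
# SDES-SRTP, trimmed to the lines the check reads. Host, IP and key are made up.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:1002@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKconstructed",
    "",
    "v=0",
    "c=IN IP4 192.0.2.10",
    "m=audio 5004 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER",
    "a=rtpmap:0 PCMU/8000",
])

def audit_sip_message(raw):
    """Return (signalling transport, [(media kind, profile, keying), ...])."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    session_attrs, media = [], []  # session-level a= lines apply to every stream
    for line in sdp.splitlines():
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            media.append((kind, profile, list(session_attrs)))
        elif line.startswith("a="):
            (media[-1][2] if media else session_attrs).append(line[2:])
    results = []
    for kind, profile, attrs in media:
        secure = "SAVP" in profile  # RTP/SAVP, RTP/SAVPF, UDP/TLS/RTP/SAVP(F)
        has_fp = any(a.startswith("fingerprint:") for a in attrs)
        has_crypto = any(a.startswith("crypto:") for a in attrs)
        if secure and has_fp:
            keying = "DTLS-SRTP"
        elif secure and has_crypto:
            keying = "SDES-SRTP"
        elif secure:
            keying = "SRTP profile without keying"
        elif has_crypto or has_fp:
            keying = "optional SRTP (plain RTP fallback possible)"
        else:
            keying = "none (plain RTP)"
        results.append((kind, profile, keying))
    return transport, results

def call_is_encrypted(raw):
    transport, media = audit_sip_message(raw)
    return transport == "TLS" and bool(media) and all(
        k in ("DTLS-SRTP", "SDES-SRTP") for _, _, k in media)
```

Run it on both the INVITE and the 200 OK of the test call: the answer shows what the other side actually accepted, and an `RTP/AVP` profile in either one means the audio can travel unencrypted.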