Introduction
This document describes how to establish IPsec connectivity between the Cisco Unified Communications Manager (CUCM) nodes within a cluster.
Note: By default, the IPsec connection between the CUCM nodes is disabled.
Prerequisites
Requirements
Cisco recommends that you have knowledge of CUCM.
Components Used
The information in this document is based on the CUCM Version 10.5(1).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
Use the information that is described in this section in order to configure the CUCM and establish IPsec connectivity between the nodes in a cluster.
Configuration Overview
Here are the steps that are involved in this procedure, each of which is detailed in the sections that follow:
- Verify the IPsec connectivity between the nodes.
- Check the IPsec certificates.
- Download the IPsec root certificate from the Subscriber node.
- Upload the IPsec root certificate from the Subscriber node to the Publisher node.
- Configure the IPsec policy.
Verify IPsec Connectivity
Complete these steps in order to verify the IPsec connectivity between the nodes:
- Log into the Operating System (OS) Administration page of the CUCM server.
- Navigate to Services > Ping.
- Specify the remote node IP address.
- Check the Validate IPsec check box and click Ping.
If there is no IPsec connectivity, then you see results similar to this:
Check IPsec Certificates
Complete these steps in order to check the IPsec certificates:
- Log into the OS Administration page.
- Navigate to Security > Certificate Management.
- Search for the IPsec certificates (log into the Publisher and Subscriber nodes separately).
Note: The Subscriber node IPsec certificate is not usually viewable from the Publisher node; however, you can see the Publisher node IPsec certificates on all of the Subscriber nodes as an IPsec-Trust certificate.
In order to enable IPsec connectivity, you must have an IPsec certificate from one node set as an ipsec-trust certificate on the other node:
Download IPsec Root Certificate from Subscriber
Complete these steps in order to download the IPsec root certificate from the Subscriber node:
- Log into the OS Administration page of the Subscriber node.
- Navigate to Security > Certificate Management.
- Open the IPsec root certificate (the Subscriber node's own certificate of type ipsec, not an ipsec-trust entry) and download it in .pem format:
Upload IPsec Root Certificate from Subscriber to Publisher
Complete these steps in order to upload the IPsec root certificate from the Subscriber node to the Publisher node:
- Log into the OS Administration page of the Publisher node.
- Navigate to Security > Certificate Management.
- Click Upload Certificate/Certificate chain, and upload the Subscriber node IPsec root certificate as an ipsec-trust certificate:
- After you upload the certificate, verify that the Subscriber node IPsec root certificate appears as shown:
Note: If you are required to enable IPsec connectivity between multiple nodes in a cluster, then you must download the IPsec root certificates for those nodes as well, and upload them to the Publisher node via the same procedure.
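The certificate exchange above fails silently if the wrong file ends up in the ipsec-trust store (for example, a node's own certificate uploaded under the peer's filename). The script below is an added example, not Cisco's code or part of the original document: it assumes you have downloaded, from Security > Certificate Management on each node, that node's own ipsec certificate and the entries of its ipsec-trust store as .pem files, and it reports any node whose ipsec-trust store does not contain the peer's certificate byte-for-byte (same SHA-256 fingerprint). The certificate bodies embedded in it are constructed placeholders so that it runs offline; the node and file names are the ones from this document.

```python
"""Offline cross-check of the IPsec trust relationship between two CUCM nodes.

Added example, not Cisco's code. The "certificates" below are constructed
DER-shaped placeholders, not real X.509 data; replace them with the .pem files
exported from OS Administration > Security > Certificate Management.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to DER, rejecting input that is not PEM.

    OS Administration exports certificates as PEM; a file saved as raw DER,
    or that is not a certificate at all, is rejected here.
    """
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found: not a PEM file")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    # Every X.509 certificate is an outer DER SEQUENCE (tag 0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded body does not start with a DER SEQUENCE")
    return der


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, colon-separated as certificate viewers show it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def check_trust(own_certs: dict, trust_stores: dict) -> list:
    """Return a list of problems; an empty list means the trust is consistent.

    own_certs:    {node_name: PEM of that node's own ipsec certificate}
    trust_stores: {node_name: {filename: PEM}} ipsec-trust entries on that node

    For IPsec between two nodes, each side must hold the other's ipsec
    certificate in its ipsec-trust store (same bytes, hence same fingerprint).
    """
    problems = []
    nodes = list(own_certs)
    for node in nodes:
        have = {}
        for name, pem in trust_stores.get(node, {}).items():
            try:
                have[name] = fingerprint(pem)
            except ValueError as exc:
                problems.append(f"{node}: ipsec-trust entry {name} is unreadable ({exc})")
        for peer in nodes:
            if peer == node:
                continue
            want = fingerprint(own_certs[peer])
            if want not in have.values():
                problems.append(
                    f"{node}: ipsec-trust store lacks the ipsec certificate of {peer} "
                    f"(expected SHA-256 fingerprint {want[:23]}...)"
                )
    return problems


def _fake_cert(label: bytes) -> str:
    """Constructed placeholder: a DER SEQUENCE wrapping an OCTET STRING.

    Only certificate-shaped enough for the checks above to run offline.
    """
    inner = b"\x04" + bytes([len(label)]) + label
    der = b"\x30" + bytes([len(inner)]) + inner
    body = base64.encodebytes(der).decode()  # 76-column wrapping like PEM
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


PUB_IPSEC = _fake_cert(b"cucm912pub ipsec")  # Publisher's own ipsec certificate
SUB_IPSEC = _fake_cert(b"cucm10sub ipsec")   # Subscriber's own ipsec certificate
OWN = {"cucm912pub": PUB_IPSEC, "cucm10sub": SUB_IPSEC}

# Expected state after the procedure: each node trusts the other's certificate.
TRUST_OK = {
    "cucm912pub": {"cucm10sub.pem": SUB_IPSEC},
    "cucm10sub": {"cucm912pub.pem": PUB_IPSEC},
}
# Mistake: the Publisher's own certificate was uploaded to the Publisher under the
# Subscriber's filename, so the name looks right but the bytes do not match.
TRUST_WRONG_FILE = {
    "cucm912pub": {"cucm10sub.pem": PUB_IPSEC},
    "cucm10sub": {"cucm912pub.pem": PUB_IPSEC},
}

if __name__ == "__main__":
    print("consistent:   ", check_trust(OWN, TRUST_OK))
    print("misconfigured:", check_trust(OWN, TRUST_WRONG_FILE))
```

Replace the placeholders with the real exported files (one PEM string per entry) and run it before you enable the policy; a non-empty result tells you which node still lacks the peer's certificate, which is the usual cause of the IPsec validation ping failing after the policy is configured.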
Configure IPsec Policy
Complete these steps in order to configure the IPsec policy:
- Log into the OS Administration page of the Publisher and the Subscriber nodes separately.
- Navigate to Security > IPSEC Configuration.
- Configure the IP and certificate details of the policy on each node. The two policies must mirror each other: the node address that is the source on the Publisher is the destination on the Subscriber, and vice versa. Complete the configuration on both nodes before you verify, because a policy that is enabled on only one side cannot be negotiated with a peer that has no matching policy. These are the values used in the lab for this document:
*****
PUBLISHER : 10.106.122.155 & cucm912pub.pem
SUBSCRIBER: 10.106.122.15 & cucm10sub.pem
*****
Verify
Complete these steps in order to verify that your configuration works and that the IPsec connectivity between the nodes is established:
- Log into the OS Administration page of the CUCM server.
- Navigate to Services > Ping.
- Specify the remote node IP address.
- Check the Validate IPsec check box and click Ping.
If the IPsec connectivity has been established, then you see a message similar to this:
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information