Session Initiation Protocol Triggered VPN

Session Initiation Protocol Triggered VPN (SIP-Triggered VPN or VPN-SIP) is a service offered by service providers where a VPN is set up using Session Initiation Protocol (SIP) for on-demand media or application sharing between peers. The VPN-SIP feature defines the process in which two SIP user agents resolve each other’s IP addresses, exchange the fingerprints of their self-signed certificates, third-party certificates, or pre-shared key securely, and agree to establish an IPsec-based VPN.

Service providers offer the VPN-SIP service to their customers that have SIP-based services such as bank ATMs or branches. This VPN-SIP service replaces an ISDN connection for backup network functionality. If the primary broadband service link goes down, these bank ATMs or branches connect to their central headend or data centres through the VPN-SIP service.

The SIP server of the service provider, which coordinates the VPN-SIP service, is also used for billing of the service based on the time the service is used.

Information about VPN-SIP

Components for VPN-SIP Solution

VPN-SIP uses IPSec Static Virtual Tunnel Interface (SVTI). IPSec SVTI stays in active (UP) state even when there is no IPSec security association (SA) established between the tunnel interface and the SVTI peer.

The following are three components for the VPN-SIP Solution:

  • SIP

  • VPN-SIP

  • Crypto (IP Security (IPsec), Internet Key Exchange (IKE), Tunnel Protection (TP), Public Key Infrastructure (PKI) modules within crypto)

Sesssion Initiation Protocol

SIP is used as a name resolution mechanism to initiate an IKE session. VPN-SIP uses SIP service to establish a VPN connection to a home or a small business router that does not have a fixed IP address. This connection is achieved using self-signed certificates or pre-shared keys. SIP negotiates the use of IKE for media sessions in the Session Description Protocol (SDP) offer-and-answer model.

SIP is statically configured. One tunnel interface must be configured for each remote SIP number.

SIP also provides billing capabilities for service providers to charge customers based on the SIP number, for using the VPN-SIP service. Billing based on SIP numbers happens in the service provider network and is independent of the end devices like Cisco VPN-SIP routers.

VPN-SIP Solution

VPN-SIP is the central block that coordinates between SIP and Crypto modules, and provides an abstraction between them.

When traffic destined to a remote network behind a SIP number is routed to the tunnel interface, the IPSec control plane gets a trigger from packet switching path as there is no IPSEC SA configured to that peer. IPsec control plane passes the trigger to VPN-SIP as the tunnel is configured for VPN-SIP.


Note
Static routes for remote networks for that SIP number must be configured to point to that tunnel interface.

When the VPN-SIP service is triggered, SIP sets up the call with a SIP phone number pair. SIP also passes incoming call details to the VPN-SIP and negotiates IKE media sessions using local address and fingerprint information of the local self-signed certificate or pre-shared key. SIP also passes remote address and fingerprint information to VPN-SIP.

The VPN-SIP service listens to tunnel status updates and invokes SIP to tear down the SIP session. The VPN-SIP service also provides a means to display current and active sessions.

Feature at a glance

The following steps summarize how the VPN-SIP feature works:

  • IP SLA monitors the primary link using route tracking. When the primary link fails IP SLA detects this failure.

  • Once the primary path fails, IP SLA switches the default route to the higher metric route that is configured on the router.

  • When relevant traffic tries to flow using the secondary link, SIP sends an invite message to the SIP server to obtain the VPN peer information.

  • The router receives the VPN peer information (IP address, local and remote SIP numbers, IKE port, and finger print) and it establishes VPN-SIP tunnel.

  • When the primary path comes back up, IP SLA detects the primary path and the route falls back to the original path. When the idle timer expires, IPSec is torn down and a SIP call is disconnected.

Following is the topology for the VPN-SIP solution:

Figure 1. VPN-SIP Topology

SIP Call Flow

The SIP call flow is divided into initiation at the local peer and call receipt at the remote peer.

At SIP Call Intitiation

When packets are routed to an SVTI interface in data plane, the SIP call must be placed to the peer SIP number to resolve its address, so that VPN tunnel can be brought up.

  • When local auth-type is PSK, IKEv2 finds the matching key for a peer SIP number. The IKEv2 keyring must be configured with id_key_id type (string) as SIP number for each SIP peer. IKEv2 computes the fingerprint of the looked-up key and passes it to VPN-SIP.

  • When local auth-type is a self-signed certificate or an third-party certificate, IKEv2 computes the fingerprint of the local certificate configured under the IKEv2 profile and passes it to the VPN-SIP

The VPN-SIP module interacts with SIP to setup SIP call to the peer. When the call is successful, VPN-SIP sets the tunnel destination of SVTI to the resolved IP address, requesting SVTI to initiate the VPN tunnel.


Note
When a wildcard key is required, use the authentication local pre-share key command and the authentication remote pre-share key command in IKEv2 profile.

When SIP call is received at the remote peer

When a SIP call is received from a peer, following interactions occur between various crypto modules:

  • The Tunnel Protection helps VPN-SIP module to set tunnel destination address.

  • IKEv2 returns local auth-type (PSK or PKI) and local fingerprint to the VPN-SIP module. When local auth-type is PSK, IKEv2 finds a matching key for a corresponding SIP number.


Note

IKEv2 only knows peer by its SIP number.

During the SIP call negotiation between peers, each peer must select a unique local IKEv2 port number to be exchanged over the SDP. To support different port numbers for each session, the VPN-SIP module programmatically configures IP Port Address Translation (PAT) to translate between IKEv2 port (4500) and the port number exchanged over SDP. For the translation to work IP NAT must be configured on secondary link and the loopback interface configured as the VPN-SIP tunnel source. The lifetime of the translation is limited to the lifetime of the VPN-SIP session.

SDP Offer and Answer

Following is the sample for SDP offer and answer that is negotiated in the SIP call as defined in RFC 6193:

offer SDP
      ...
      m=application 50001 udp ike-esp-udpencap
      c=IN IP4 10.6.6.49
      a=ike-setup:active
      a=fingerprint:SHA-1 \
      b=AS:512
      4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
      ...

   answer SDP
      ...
      m=application 50002 udp ike-esp-udpencap
      c=IN IP4 10.6.6.50
      a=ike-setup:passive
      a=fingerprint:SHA-1 \
      b=AS:512
      D2:9F:6F:1E:CD:D3:09:E8:70:65:1A:51:7C:9D:30:4F:21:E4:4A:8E

As part of the SDP negotiation, both peers negotiate the maximum bandwidth rate for the VPN-SIP session using the b=AS :number SDP attribute. if the peers mention different bandwidth numbers in their SDP, both of them should honor the minimum value as the maximum bandwidth. If b=AS :number SDP attribute is missing in the offer or answer, the SIP call is not successfully set up.

The negotiated maximum bandwidth is applied on the SVTI tunnel interface through the programmatically configured QoS policy in the output direction. The programmatically configured QoS policy is not applied and session fails, if there is a pre-existing statically configured policy.

Once SIP call is complete and address of the peer is resolved, VPN-SIP sets tunnel destination of SVTI and sends a request to initiate tunnel.

IKEv2 Negotiation

Following is the process for IKEv2 Security Session (SA) negotiation:

  • Before starting the session, IKEv2 checks with VPN-SIP if the session is a VPN-SIP session.

  • If it’s a VPN-SIP session and local auth-type is PSK, IKEv2 looks up the PSK key pair using SIP number of the peer instead of IP address of the peer.

  • For validating self-signed certificate, IKEv2 checks if the certificate is self-signed and validates the certificate.

    • In addition to existing AUTH payload validation as part of IKEv2 protocol, IKEv2 calculates hash of the received certificate or looked-up PSK and compares with the fingerprint from SIP negotiation that IKEv2 queries from VPN-SIP module. Only if the fingerprint matches, IKEv2 considers authentication of peer is valid. If not, IKEv2 declares that peer has failed to authenticate and fails the VPN session.

VPN-SIP solution depends on IPSEC idle timer to detect that traffic is no longer routed over the backup VPN. The idle-time configuration under the IPSec Profile is mandatory for session to be disconnected when there is no traffic. 120 seconds is the recommended time.

VPN-SIP and SIP coordinate to tear down SIP call.

When IPsec idle time expires the VPN-SIP module informs the IKEv2 to bring down the IPsec tunnel. VPN-SIP requests the SIP module to disconnect the SIP call, without waiting for confirmation from the IKEv2.

When SIP call disconnect is received from the peer, VPN-SIP module informs the IKEv2 to bring down the IPsec tunnel, and acknowledges to SIP to tear down the SIP call.

Supported Platforms

The VPN-SIP feature is supported on the following platforms:

Prerequisites for VPN-SIP

  • Security K9 license must be enabled on the router.

  • The routers must have a minimum memory of 1 GB.

  • For the SIP register request of the SIP User Agent to succeed, the SIP registrar must be available to the VPN-SIP routers.

  • The DHCP server must support option 120 and 125 to obtain the SIP server address, which is needed for registration and establishing the SIP session.

  • Proper routing configurations must be completed to ensure backup WAN path is used when primary path is down.

  • Maximum Transmission Unit (MTU) of the tunnel interface must be less than the MTU of the secondary WAN interface.

  • When self-signed or third-party certificates are used for IKEv2 authentication, configure IKEv2 fragmentation on the VPN-SIP router to avoid fragmentation at the IP layer.

  • NAT SIP ALG must be disabled.

  • Caller ID notification service must be configured in the network.

Restrictions for VPN-SIP

  • VPN-SIP and CUBE/SIP gateway cannot be configured on the same device. When CUBE license is active on the device, only CUBE will be functional.

  • Only IPv4 is supported for transport and media (IPv4 transport for SIP registration, SIP signaling, and IPv4 packets encrypted over IPv4 transport).

  • SIP signalling with peer devices behind NAT is not supported (ICE and STUN are not supported.

  • SIP negotiation is supported only in global VRF.

  • Remote-access VPN features like private address assignment, configuration mode exchange (CP payloads), routes exchange, are not supported.

  • Routing protocols over the VPN-SIP session are not supported.

  • Only Rivest-Shamir-Addleman (RSA) server self-signed certificates are supported.

  • Pre-shared key lookup functionality using authentication, authorization, and accounting (AAA) is not supported.

  • The IPSec idle timer is configured per IPSec profile using the ipsec-profile command. The idle time is the same for all VPN-SIP sessions that use a specific IPSec profile.

  • Track objects that are used for IPSLA monitoring, have a maximum limit of 1000 objects in Cisco IOS software. When one track object is used to track one peer router, maximum number of VPN-SIP sessions that one IOS device can have is limited by the maximum number of track objects.

  • Only one local SIP number is supported on Cisco IOS software.

  • If there is a pre-existing statically configured policy, the programmatically configured QoS policy is not applied and session fails. Remove any statically configured QoS policy on the SVTI interface.

  • On all Cisco ISR 1100 series routers, the supported scale of VPN-SIP feature is 300 sessions.

  • Cisco does not support the interoperability with VPN-SIP implementation of other vendors.

  • For the class policies included in the policy-map attached to the VPN-SIP tunnel, only Priority Queueing and Class-Based Weighted Fair Queueing (CBWFQ) are supported.

  • For CBWFQ configurations, only the bandwidth percent percent command is supported. The bandwidth bandwidth command is not supported as the bandwidth of the VPN-SIP session varies depending on the negotiation with the peer router.

How to Configure VPN-SIP

Configuring VPN-SIP

The following steps describe the process of configuring VPN-SIP:

  1. Configure the tunnel authentication using third party certificates, self-signed certificates, or pre-shared keys.

    1. Tunnel Authentication using Certificates

      Configure a trustpoint to obtain a certificate from a certification authority (CA) server that is located in the customer's network. This is required for tunnel authentication. Use the following configuration: 

      peer1(config)# crypto pki trustpoint CA
 enrollment url http://10.45.18.132/
 serial-number none
 subject-name CN=peer2
 revocation-check crl
 rsakeypair peer2

peer2(config)# crypto pki authenticate CA
Certificate has the following attributes:
       Fingerprint MD5: F38A9B4C 2D80490C F8E7581B BABE7CBD
      Fingerprint SHA1: 4907CC36 B1957258 5DFE23B2 649E7DDA 99BDB7C3
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

peer2(config)#crypto pki enroll CA
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=peer2
% The subject name in the certificate will include: peer2
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose CA' command will show the fingerprint.
Certificate map for Trustpoint
crypto pki certificate map data 1
issuer-name co cn = orange

    2. Tunnel authentication using self-signed certificate

      Configure a PKI trust point to generate a self-signed certificate on the device, when authenticating using a self-signed certificate. Use the following configuration: 

      peer4(config)#crypto pki trustpoint Self
    enrollment selfsigned
    revocation-check none
    rsakeypair myRSA
    exit
crypto pki enroll Self
 
Do you want to continue generating a new Self Signed Certificate? [yes/no]: yes
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
 
Router Self Signed Certificate successfully created

    3. Configure tunnel authentication using a pre-shared key

      crypto ikev2 keyring keys
peer peer1
identity key-id 1234
pre-shared-key key123

    • Configure IKEv2 Profile for Certificate

      crypto ikev2 profile IPROF
match certificate data
identity local key-id 5678
authentication remote rsa-sig
authentication local rsa-sig
keyring local keys
pki trustpoint self
nat force-encap

    • Configure an IKEv2 Profile for pre-shared keys

      crypto ikev2 profile IPROF
match identity remote any
identity local key-id 5678
authentication remote pre-share
authentication local pre-share
keyring local keys
nat force-encap

    Note
    To complete the IKEv2 SA configuration, the nat force-encap command must be configured on both peers. Since, UDP encapsulation is negotiated in SDP, IKEv2 must start and continue on port 4500.

  3. Configure an IPsec profile

    crypto ipsec profile IPROF
set security-association idle-time 2000

  4. Configure a LAN side interface

    interface Vlan101
         ip address 192.0.2.3 255.255.255.0
         no shutdown 
! 
     interface GigabitEthernet2
         switchport access vlan 101
         no ip address

  5. Configure a loopback interface

    The loopback interface is used as the source interface for the secondary VPN tunnel.

    interface loopback 1
    ip address 192.0.2.1 255.0.0.0
    ip nat inside

  6. Configure a secondary interface.


    Note
    Make sure the secondary interface is configured to receive the IP address, SIP server address, and vendor specific information via DHCP. 
    interface GigabitEthernet8
     ip dhcp client request sip-server-address
     ip dhcp client request vendor-identifying-specific
     ip address dhcp
    ip nat outside

  7. Configure the tunnel interface

    interface Tunnel1
     ip address 192.0.2.1 255.255.255.255
     load-interval 30
     tunnel source Loopback1
     tunnel mode ipsec ipv4
     tunnel destination dynamic
     tunnel protection ipsec profile IPROF ikev2-profile IPROF
     vpn-sip local-number 5678 remote-number 1234 bandwidth 1000

    Use the vpn-sip local-number local-number remote-number remote-number bandwidth bw-number command to configure the sVTI interface for VPN-SIP. Bandwidth is the maximum data transmission rate that must be negotiated with this peer and the negotiated value is set on the tunnel interface. Allowed values are 64, 128, 256, 512, and 1000 kbps.

    Once an SVTI is configured for VPN-SIP, changes cannot be made to tunnel mode, tunnel destination, tunnel source, and tunnel protection. To change the mode, source, destination, or tunnel protection you must remove the VPN-SIP configuration from the SVTI interface.

  8. Add static routes to destination networks

    Add a secondary route with a higher metric.

    ip route 192.0.2.168 255.255.255.0 Tunnel0 track 1
ip route 192.0.2.168 255.255.255.0 Tunnel1 254

  9. Configure IP SLA

    ip sla 1
         icmp-echo 192.0.2.11
         threshold 500
         timeout 500
         frequency 2
        ip sla schedule 1 life forever start-time now

  10. Configure route tracking

    track 1 ip sla 1 reachability

  11. Enable VPN-SIP

    vpn-sip enable
vpn-sip local-number 5678 address ipv4 GigabitEthernet8
vpn-sip tunnel source Loopback1
vpn-sip logging

    To configure VPN-SIP, you must configure local SIP number and local address. The vpn-sip local-number SIP-number address ipv4 WAN-interface-name command configures the local SIP number that is used for SIP call and the associated IPv4 address.


    Note
    Only IPv4 addresses can be configured. Crypto module does not support dual stack.

    • Backup WAN interface address may change based on DHCP assignment.

    When the primary WAN interface is functional, the destination of the VPN-SIP tunnel is set to the backup WAN interface, so that the tunnel interface is active. Destination is set to IP address of the peer that is learnt from SDP of SIP negotiation when traffic is routed to the tunnel interface. When primary WAN interface fails and the back routes are activated, packets are routed to the sVTI through backup.


    Note
    We recommend that you use an unused non-routable address as the address of the loopback interface and do not configure this loopback interface for any other purpose. Once a loopback interface is configured, VPN-SIP listens to any updates to the interface and blocks them. The vpn-sip logging command enables the system logging of VPN-SIP module for events, such as session up, down, or failure.

Verifying VPN-SIP on a Local Router

Verifying Registration Status

Peer1# show vpn-sip registration-status
 SIP registration of local number 0388881001 : registered 10.6.6.50

Verifying SIP Registrar

Peer1#show vpn-sip sip registrar

Line          destination      expires(sec)  contact   transport     call-id
====================================================================================================
0388881001    example.com         2359        10.6.6.50  UDP           3176F988-9EAA11E7-8002AFA0-8EF41435

Verifying VPN-SIP Status

Peer1#show vpn-sip session detail
VPN-SIP session current status
 
Interface: Tunnel1
   Session status: SESSION_UP (I)
   Uptime        : 00:00:42
   Remote number : 0388881001 =====> This is the Remote Router's SIP number
   Local number  : 0388882001 =====> Local router's SIP number
   Remote address:port: 10.6.6.49:50002 
   Local address:port : 10.6.6.50:50001 
   Crypto conn handle: 0x8000017D
   SIP Handle        : 0x800000C7
   SIP callID        : 1554
   Configured/Negotiated bandwidth: 64/64 kbps

Verifying Crypto Session

Peer1# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP Vpn-sip
 
Interface: Tunnel1
Profile: IPROF
Uptime: 00:03:53
Session status: UP-ACTIVE
Peer: 10.6.6.49 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.6.6.49
      Desc: (none)
  Session ID: 43
  IKEv2 SA: local 10.11.1.1/4500 remote 10.6.6.49/50002 Active
          Capabilities:S connid:1 lifetime:23:56:07 ====> Capabilities:S indicates this is a  SIP VPN_SIP Session
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 6 drop 0 life (KB/Sec) 4222536/3366
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 4222537/3366

Verifying IP NAT Translations

Peer1#sh ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
udp 2.2.2.2:4500       10.6.6.50:50001    10.6.6.49:50002    10.6.6.49:50002

Verifying DHCP SIP Configuration

Peer9#show vpn-sip sip dhcp 
SIP DHCP Info
 
SIP-DHCP interface:  GigabitEthernet8
 
SIP server address:  
Domain name:         dns:example.com

Verifying VPN-SIP on a Remote Router

Verifying VPN-SIP Registration Status on a Remote Router

Peer2# show vpn-sip registration-status
 SIP registration of local number 0388882001 : registered 10.6.6.49

Verifying VPN-SIP Registrar on a Remote Router

Peer2# show vpn-sip sip registrar
Line          destination      expires(sec)  contact    transport    call-id
============================================================================================
0388882001    example.com    2478         10.6.6.49   UDP         E6F23809-9EAB11E7-80029279-40B97F59

Verifying VPN-SIP Session Details on a Remote Router

Peer2# show vpn-sip session detail
VPN-SIP session current status
Interface: Tunnel1
   Session status: SESSION_UP (R)
   Uptime        : 00:00:21
   Remote number : 0388882001 =====> This is the Peer1 Router's SIP number
   Local number  : 0388881001 =====> Local router's SIP number
   Remote address:port: 10.6.6.50:50001
   Local address:port : 10.6.6.49:50002
   Crypto conn handle: 0x8000017E
   SIP Handle        : 0x800000BE
   SIP callID        : 1556
   Configured/Negotiated bandwidth: 1000/64 kbps

Verifying Crypto Session Details on a Remote Router

Peer2 #show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN-SIP
 
Interface: Tunnel1
Profile: IPROF
Uptime: 00:02:32
Session status: UP-ACTIVE
Peer: 10.6.6.50 port 50001 fvrf: (none) ivrf: (none)
      Phase1_id: 10.6.6.50
      Desc: (none)
  Session ID: 147
  IKEv2 SA: local 10.17.1.1/4500 remote 10.6.6.50/50001 Active
          Capabilities:S connid:1 lifetime:23:57:28 ====> Capabilities:S indicates this is a  SIP VPN-SIP Session
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4293728/3448
        Outbound: #pkts enc'ed 6 drop 0 life (KB/Sec) 4293728/3448

Verifying IP NAT Translations on a Remote Router

Peer2#show ip nat translations 
Pro Inside global      Inside local       Outside local      Outside global
udp 3.3.3.3:4500       10.6.6.49:50002    10.6.6.50:50001    10.6.6.50:50001

Configuring QoS for VPN-SIP

Optionally, you can apply a quality of service (QoS) policy to the VPN-SIP. A QoS policy provides secure, predictable, measurable, and sometimes guaranteed services to certain types of traffic.

  1. Configure the appropriate policy map. 

    Device(config)#class-map match-all UDP
 match protocol ip
!
policy-map CBWFQ
 class UDP
  bandwidth percent 60 
  queue-limit 12 packets

  2. Attach the policy-map to the VPN-SIP:

    Device(config)#interface Tunnel1
.
.
.
vpn-sip local-number 5678 remote-number 1234 bandwidth 1000 service-policy CBWFQ

    Note

    When the VPN-SIP session is successfully negotiated and comes up, an implicit service policy is automatically attached to the tunnel interface. If you run the show running-config command for this interface, the implicit service policy is not displayed. Any policy-map that you create on the device becomes a child policy of this implicit service policy.

Verifying QoS for VPN-SIP

Verifying the Application of the Policy Map

Peer1#sh policy-map int tun1
 Tunnel1 

  Service-policy output: VPN-SIP-Tunnel1-Bandwidth

    Class-map: class-default (match-any)  
      0 packets, 0 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0
      QoS Set
        dscp cs4
          Packets marked 0
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

      Service-policy : CBWFQ

        Class-map: UDP (match-all)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: protocol ip
          Queueing
          queue limit 12 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0
          bandwidth 60% (600 kbps)
          

        Class-map: class-default (match-any)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any 
          
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Peer1#sh vpn-sip session detail 
VPN-SIP session current status

Interface: Tunnel1
   Session status: SESSION_UP (R) 
   Uptime        : 00:00:15
   Remote number : 5678
   Local number  : 1234
   Remote address:port: 6.6.6.40:51878
   Local address:port : 6.6.6.89:50010
   Crypto conn handle: 0x40000017
   SIP Handle        : 0x4000000B
   SIP callID        : 2288
   Configured/Negotiated bandwidth: 1000/1000 kbps
   Applied service policy: CBWFQ

Verifying the Flow of Traffic

After sending UDP traffic in the direction of the policy, verify the flow of traffic as follows:

Peer1#sh policy-map int tun1
 Tunnel1 

  Service-policy output: VPN-SIP-Tunnel1-Bandwidth

    Class-map: class-default (match-any)  
      105782 packets, 4865972 bytes
      5 minute offered rate 130000 bps, drop rate 0000 bps
      Match: any 
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/98707/0
      (pkts output/bytes output) 7068/890568
      QoS Set
        dscp cs4
          Packets marked 105782
      shape (average) cir 1000000, bc 4000, be 4000
      target shape rate 1000000

      Service-policy : CBWFQ

        Class-map: UDP (match-all)  
          105775 packets, 4865650 bytes
          5 minute offered rate 130000 bps, drop rate 331000 bps
          Match: protocol ip
          Queueing
          queue limit 12 packets
          (queue depth/total drops/no-buffer drops) 11/98707/0
          (pkts output/bytes output) 7068/890568
          bandwidth 60% (600 kbps)
          

        Class-map: class-default (match-any)  
          0 packets, 0 bytes
          5 minute offered rate 0000 bps, drop rate 0000 bps
          Match: any 
          
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 0/0

Configuration Examples for VPN-SIP

Using self-signed certificates for authentication

The following is sample configuration to configure VPN-SIP using self-signed certificates for authentication. There is no distinction between initiator and responder role in VPN-SIP. The configuration on a peer node will be identical with local SIP numbers changed. 

// Self-signed certificate
crypto pki trustpoint selfCert
  rsakeypair myRSA
  enrollment selfsigned
  revocation-check none
!
crypto ikev2 profile vpn-sip-profile
 match identity remote any
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint selfCert // Use same self-signed trustpoint for sign and verify
 nat force-encap
!
crypto ipsec profile vpn-sip-ipsec
 set security-association idle-time 120
!
vpn-sip enable
vpn-sip local-number 0388883001 address ipv4 GigabitEthernet1
vpn-sip tunnel source Loopback11
vpn-sip logging
!
// one tunnel per peer – configuration is for peer with a SIP-number of 0388884001
int tunnel0
 ip unnumbered loopback 0
 tunnel source loopback11
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile vpn-sip-ipsec ikev2-profile vpn-sip-profile 
 vpn-sip local-number 0388883001 remote-number 0388884001 bandwidth 1000
!
// ip unnumbered of tunnel interfaces
int loopback 0
  ip address 10.21.1.1 255.255.255.255
!
int loopback11
ip address 10.9.9.9 255.255.255.255
ip nat inside
!
// one tunnel per peer – this is for peer with SIP-number 0388885001
int tunnel1
 ip unnumbered loopback 0
 tunnel source loopback11
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile vpn-sip-ipsec ikev2-profile iprof 
 vpn-sip sip-local 0388883001 sip-remote 0388885001 bandwidth 1000
!
interface GigabitEthernet8
 ip dhcp client request sip-server-address
 ip dhcp client request vendor-identifying-specific
 ip address dhcp
ip nat outside


// backup routes configured with higher AD so that these routes will be activated only when primary path goes down. AD need to be chosen to be greater than that of primary route.
ip route 10.0.0.0 255.0.0.0 tunnel 0 250
ip route 10.1.0.0 255.0.0.0 tunnel 0 250
ip route 10.2.0.0 255.0.0.0 tunnel 0 250
ip route 10.3.0.0 255.0.0.0 tunnel 0 250

Troubleshooting for VPN-SIP

Viewing Tunnel Interface in Show Output

Symptom

Show VPN-SIP session doesn’t show any information about the tunnel interface. In the following example, information about the tunnel interface, tunnel1 is not shown: 

Peer5-F#show vpn-sip session 
VPN-SIP session current status

Interface: Tunnel2
   Session status: READY_TO_CONNECT  
   Remote number : 0334563333
   Local number  : 0623458888
   Remote address:port: 10.10.0.0:0
   Local address:port : 192.0.2.22:0

Interface: Tunnel3
   Session status: READY_TO_CONNECT  
   Remote number : 0323452222
   Local number  : 0623458888
   Remote address:port: 10.10.0.0:0
   Local address:port : 192.0.2.22:0

Interface: Tunnel4
   Session status: READY_TO_CONNECT  
   Remote number : 0612349999
   Local number  : 0623458888
   Remote address:port: 10.10.0.0:0
   Local address:port : 192.0.2.22:0

Interface: Tunnel6
   Session status: READY_TO_CONNECT  
   Remote number : 0634567777
   Local number  : 0623458888
   Remote address:port: 10.10.0.0:0
   Local address:port : 172.30.18.22:0
Possible Cause

VPN-SIP is not configured on the tunnel interface

Peer5-F#sh run int tun1
Building configuration...

Current configuration : 201 bytes
!
interface Tunnel1
 ip address 10.5.5.5 255.255.255.0
 tunnel source Loopback11
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile test-prof ikev2-profile test
end
Recommended Action

Configure VPN-SIP on the tunnel interface.

:

Peer5-F#show running interface tunnel 1
Building configuration...

Current configuration : 278 bytes
!
interface Tunnel1
 ip address 10.5.5.5 255.255.255.255
 tunnel source Loopback11
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile test-prof ikev2-profile test
 vpn-sip local-number 0623458888 remote-number 0312341111 bandwidth 1000
end

Following is the running output for the above scenario:


Peer5-F#show vpn-sip session detail 
VPN-SIP session current status

Interface: Tunnel1
   Session status: READY_TO_CONNECT  
   Remote number : 0312341111
   Local number  : 0623458888
   Remote address:port: 10.0.0.0:0
   Local address:port : 172.30.18.22:0

   Crypto conn handle: 0x8000002C
   SIP Handle        : 0x0
   SIP callID        : --
   Configured/Negotiated bandwidth: 1000/0 kbps

Interface: Tunnel2
   Session status: READY_TO_CONNECT  
   Remote number : 0334563333
   Local number  : 0623458888
   Remote address:port: 10.0.0.0:0
   Local address:port : 172.30.18.22:0
   Crypto conn handle: 0x80000012
   SIP Handle        : 0x0
   SIP callID        : --
   Configured/Negotiated bandwidth: 512/0 kbps

Interface: Tunnel3
   Session status: READY_TO_CONNECT  
   Remote number : 0323452222
   Local number  : 0623458888
   Remote address:port: 10.0.0.0:0
   Local address:port : 172.30.18.22:0
   Crypto conn handle: 0x80000031
   SIP Handle        : 0x0
   SIP callID        : --
   Configured/Negotiated bandwidth: 512/0 kbps

Interface: Tunnel4
   Session status: READY_TO_CONNECT  
   Remote number : 0612349999
   Local number  : 0623458888
   Remote address:port: 10.0.0.0:0
   Local address:port : 172.30.18.22:0
   Crypto conn handle: 0x8000002F
   SIP Handle        : 0x0
   SIP callID        : --
   Configured/Negotiated bandwidth: 1000/0 kbps

Interface: Tunnel6
   Session status: READY_TO_CONNECT  
   Remote number : 0634567777
   Local number  : 0623458888
   Remote address:port: 10.0.0.0:0
   Local address:port : 172.30.18.22:0
   Crypto conn handle: 0x80000026
   SIP Handle        : 0x0
   SIP callID        : --
   Configured/Negotiated bandwidth: 1000/0 kbps

Troubleshooting SIP Registration Status

Symptom

SIP registration status is Not Registered

Peer5#show vpn-sip sip registrar 
Line          destination      expires(sec)  contact
transport     call-id
============================================================

Peer5-F#show vpn-sip registration-status 

 SIP registration of local number 0623458888 : not registered
Possible Cause

IP address is not configured on the WAN interface.


Peer5#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  down                  down    
GigabitEthernet0/1         unassigned      YES unset  up                    up      
GigabitEthernet0/2         unassigned      YES unset  down                  down    
GigabitEthernet0/3         unassigned      YES unset  down                  down    
GigabitEthernet0/4         unassigned      YES unset  up                    up      
GigabitEthernet0/5         10.5.5.5        YES manual up                    up      
Vlan1                      10.45.1.5       YES NVRAM  up                    up      
NVI0                       10.1.1.1        YES unset  up                    up      
Loopback1                  10.1.1.1        YES NVRAM  up                    up      
Loopback5                  10.5.5.5        YES NVRAM  administratively down down    
Loopback11                 10.11.11.11     YES NVRAM  up                    up      
Tunnel1                    10.5.5.5        YES NVRAM  up                    down    
Tunnel2                    10.2.2.2        YES NVRAM  up                    down    
Tunnel3                    10.3.3.3        YES NVRAM  up                    down    
Tunnel4                    10.4.4.4        YES NVRAM  up                    down    
Tunnel6                    10.8.8.8        YES NVRAM  up                    down    

Peer5-F#show run interface gigabitEthernet 0/4
Building configuration...

Current configuration : 213 bytes
!
interface GigabitEthernet0/4
 ip dhcp client request sip-server-address
 ip dhcp client request vendor-identifying-specific
 no ip address           ====> no IP address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end
Recommended Action

Use the ip address dhcp command to configure the interface IP address. 

Peer5-F#show running-config interface gigabitEthernet 0/4
Building configuration...

Current configuration : 215 bytes
!
interface GigabitEthernet0/4
 ip dhcp client request sip-server-address
 ip dhcp client request vendor-identifying-specific
 ip address dhcp         ====> configure IP address DHCP
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
end


Peer5-F#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  down                  down    
GigabitEthernet0/1         unassigned      YES unset  up                    up      
GigabitEthernet0/2         unassigned      YES unset  down                  down    
GigabitEthernet0/3         unassigned      YES unset  down                  down    
GigabitEthernet0/4         172.30.18.22    YES DHCP   up                    up      
GigabitEthernet0/5         10.5.5.5        YES manual up                    up      
Vlan1                      10.45.1.5       YES NVRAM  up                    up      
NVI0                       10.1.1.1        YES unset  up                    up      
Loopback1                  10.1.1.1        YES NVRAM  up                    up      
Loopback5                  10.5.5.5        YES NVRAM  administratively down down    
Loopback11                 10.11.11.11     YES NVRAM  up                    up      
Tunnel1                    10.6.5.5        YES NVRAM  up                    down    
Tunnel2                    10.2.2.2        YES NVRAM  up                    down    
Tunnel3                    10.3.3.3        YES NVRAM  up                    down    
Tunnel4                    10.4.4.4        YES NVRAM  up                    down    
Tunnel6                    10.8.8.8        YES NVRAM  up                    down    

Peer5-F#show vpn-sip sip registrar 
Line          destination      expires(sec)  contact
transport     call-id
============================================================
0623458888    example.com   2863          172.30.18.22
UDP           1E83ECF0-AF0611E7-802B8FCF-594EB9E7@10.50.18.22    

Peer5-F#show vpn-sip registration-status 

 SIP registration of local number 0623458888 : registered 172.30.18.22

Session stuck in Negotiating IKE state

Symptom

VPN-SIP session stuck in Negotiating IKE state.


Peer5#show vpn-sip session remote-number 0612349999 detail 
VPN-SIP session current status

Interface: Tunnel4
   Session status: NEGOTIATING_IKE (R) 
   Uptime        : 00:00:58
   Remote number : 0612349999
   Local number  : 0623458888
   Remote address:port: 72.30.168.3:24825
   Local address:port : 72.30.168.22:50012
   Crypto conn handle: 0x8000002E
   SIP Handle        : 0x8000000C
   SIP callID        : 16
   Configured/Negotiated bandwidth: 1000/1000 kbps
Possible Cause

Bad configuration related to IKEv2.

In the following example the Key ID that is configured in the keyring does not match the SIP numberof the remote peer.

Peer5-F#show running-config interface tunnel 4
Building configuration...

Current configuration : 276 bytes
!
interface Tunnel4
 ip address 10.4.4.4 255.255.255.0
 tunnel source Loopback11
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile test-prof ikev2-profile test
 VPN-SIP local-number 0623458888 remote-number 0612349999 bandwidth 1000  ====> Remote number mentioned here doesn’t match the remote number in the keyring
end

IKEv2 Keyring configs:
!
crypto ikev2 keyring keys
 peer peer1
  identity key-id 0312341111
  pre-shared-key psk1
 !
 peer abc
  identity key-id 0345674444
  pre-shared-key psk1
 !
 peer peer2
  identity key-id 0334563333
  pre-shared-key psk10337101690
 !
 peer peer6
  identity key-id 0634567777
  pre-shared-key cisco123
 !
 peer peer3
  identity key-id 0323452222
  pre-shared-key cisco123
 !
 peer peer4
  identity key-id 0645676666
  pre-shared-key psk1
 !
 peer NONID
  identity fqdn example.com
  pre-shared-key psk1
 !
!
!
crypto ikev2 profile test
 match identity remote any
 identity local key-id 0623458888
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
 dpd 10 6 periodic
 nat force-encap
Recommended Action

Correct the keyring configurations.

rypto ikev2 keyring keys
 peer peer1
  identity key-id 0312341111
  pre-shared-key psk1
 !
 peer abc
  identity key-id 0345674444
  pre-shared-key psk1
 !
 peer peer2
  identity key-id 0334563333
  pre-shared-key psk1
 !
 peer peer6
  identity key-id 0634567777
  pre-shared-key psk1
 !
 peer peer3
  identity key-id 0323452222
  pre-shared-key psk1
 !
 peer peer4
  identity key-id 0612349999
  pre-shared-key psk1
 !
 peer NONID
  identity fqdn example.com
  pre-shared-key psk1
 !
!
!
crypto ikev2 profile test
 match identity remote any
 identity local key-id 0623458888
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
 dpd 10 6 periodic
 nat force-encap
!

Peer5-F#show vpn-sip session remote-number  0612349999 detail 
VPN-SIP session current status

Interface: Tunnel4
   Session status: SESSION_UP (R) 
   Uptime        : 00:02:04
   Remote number : 0612349999
   Local number  : 0623458888
   Remote address:port: 198.51.100.3:24845
   Local address:port : 198.51.100.22:50020
   Crypto conn handle: 0x8000004E
   SIP Handle        : 0x80000014
   SIP callID        : 24
   Configured/Negotiated bandwidth: 1000/1000 kbps

Troubleshooting Session Initiation

Symptom

Session does not initiate and gets stuck in Negotiating IKE state

Possible Cause

Fagmentation of IKE packets when a large PKI certificate is included in the IKE authentication message.

Recommended Action

Configure IKEv2 fragmentation on the routers.

Debug Commands

The folllwing debug commands are available to debug VPN-SIP configuration:

Table 1. debug commands

Command Name

Description

debug vpn-sip event

Prints debug messages for SVTI registration with VPN-SIP, SIP registration, call setup, and so on.

debug vpn-sip errors

Prints error messages only when an error occurs during initialization, registration, call setup, and so on.

debug vpn-sip sip all

Enables all SIP debugging traces.

debug vpn-sip sip calls

Enables SIP SPI calls debugging trace.

debug vpn-sip sip dhcp

Enables SIP-DHCP debugging trace

debug vpn-sip sip error

Enables SIP error debugging trace

debug vpn-sip sip events

Enables SIP events debugging trace.

debug vpn-sip sip feature

Enables feature level debugging.

debug vpn-sip sip function

Enables SIP function debugging trace.

debug vpn-sip sip info

Enables SIP information debugging trace.

debug vpn-sip sip level

Enables information level debugging.

debug vpn-sip sip media

Enables SIP media debugging trace.

debug vpn-sip sip messages

Enables SIP SPI messages debugging trace

debug vpn-sip sip non-call

Enables Non-Call-Context trace (OPTIONS, SUBSCRIBE, and so on)

debug vpn-sip sip preauth

Enable SIP preauth debugging trace.

debug vpn-sip sip states

Enable SIP SPI states debugging trace.

debug vpn-sip sip translate

Enables SIP translation debugging trace.

debug vpn-sip sip transport

Enables SIP transport debugging traces.

debug vpn-sip sip verbose

Enables verbose mode.

Additional References for VPN-SIP

Standards and RFCs

Standard/RFC Title
RFC 6193 (with Restrictions)

Media Description for the Internet Key Exchange Protocol (IKE) in the Session Description Protocol (SDP)

Feature Information for VPN-SIP

Table 2. Feature Information for VPN-SIP

Feature Name

Releases

Feature Information

Session Initiation Protocol Triggered VPN

VPN-SIP is a service offered by service providers where a VPN is setup for on-demand media or application sharing between peers, using Session Initiation Protocol (SIP).

The following commands were introduced: nat force-encap, show vpn-sip session, show vpn-sip sip, show vpn-sip registration-status, vpn-sip local-number, vpn-sip logging, vpn-sip tunnel source .