Inspecting SIP over SSL/TLS (secure SIP)
Some SIP phones and SIP servers can communicate using SSL or TLS to encrypt the SIP signaling traffic. To allow SIP over SSL/TLS calls to pass through the FortiGate, the encrypted signaling traffic has to be decrypted and inspected. To do this, the FortiGate SIP ALG intercepts, decrypts and inspects the SIP packets. The packets are then re-encrypted and forwarded to their destination.
Normally SIP over SSL/TLS uses port 5061. You can use the following command to change the port that the FortiGate listens on for SIP over SSL/TLS sessions to port 5066:
```
config system settings
    set sip-ssl-port 5066
end
```
The SIP ALG supports full mode SSL/TLS only. Traffic between SIP phones and the FortiGate and between the FortiGate and the SIP server is always encrypted.
You enable SSL/TLS SIP communication by enabling SSL mode in a VoIP profile. You also need to install the SIP server and client certificates on your FortiGate and add them to the SSL configuration in the VoIP profile.
SIP over SSL/TLS between a SIP phone and a SIP server
Other than enabling SSL mode and making sure the security policies accept the encrypted traffic, the FortiGate configuration for SSL/TLS SIP is the same as any SIP configuration. SIP over SSL/TLS is supported for all of the SIP configurations the FortiGate supports.
Adding the SIP server and client certificates
A VoIP profile that supports SSL/TLS SIP requires one certificate for the SIP server and one certificate that is used by all of the clients. Use the following steps to add these certificates to the FortiGate. Before you start, make sure the client and server certificate files and their key files are accessible from the management computer.
- Go to System > Certificates and select
- Set Type to Certificate.
- Browse to the Certificate file and the Key file and select OK.
- Enter a password for the certificate and select OK.
The certificate and key are uploaded to the FortiGate and added to the Local Certificates List.
- Repeat to upload the other certificate.
The certificates are added to the list of Local Certificates under the file names you uploaded. You can add comments to make it clear where each certificate is from and how it is intended to be used.
Adding SIP over SSL/TLS support to a VoIP profile
Use the following commands to add SIP over SSL/TLS support to the default VoIP profile. The commands enable SSL mode and add the client and server certificates and passwords, the same ones you entered when you imported the certificates:
```
config voip profile
    edit default
        config sip
            set ssl-mode full
            set ssl-client-certificate "Client_cert"
            set ssl-server-certificate "Server_cert"
            set ssl-auth-client "check-server"
            set ssl-auth-server "check-server-group"
        end
    end
end
```
Other SSL mode options are also available:

| Option | Description |
| --- | --- |
| ssl-send-empty-frags {disable \| enable} | Enable to send empty fragments to avoid CBC IV attacks. Compatible with SSL 3.0 and TLS 1.0 only. Default is enable. |
| ssl-client-renegotiation {allow \| deny \| secure} | Control how the ALG responds when a client attempts to renegotiate the SSL session. You can allow renegotiation or block sessions when the client attempts to renegotiate. You can also select secure to reject an SSL connection that does not support RFC 5746 secure renegotiation indication. Default is allow. |
| ssl-algorithm {high \| medium \| low} | Select the relative strength of the algorithms that can be negotiated. high (the default) allows only AES or 3DES; medium allows AES, 3DES, or RC4; low allows AES, 3DES, RC4, or DES. |
| ssl-pfs {allow \| deny \| require} | Select whether to allow, deny, or require perfect forward secrecy (PFS). Default is allow. |
| ssl-min-version {ssl-3.0 \| tls-1.0 \| tls-1.1} | Select the minimum level of SSL support to allow. The default is ssl-3.0. |
| ssl-max-version {ssl-3.0 \| tls-1.0 \| tls-1.1} | Select the maximum level of SSL support to allow. The default is tls-1.1. |
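Several of the defaults in the table above (ssl-3.0 as the minimum version, PFS merely allowed, client renegotiation allowed) are the weaker choice, and because plain `show` output omits settings left at their default, a profile can look clean while still accepting them. The following Python audit is an added example, not Fortinet code: it parses `show voip profile` output, applies the table's defaults, and reports the weak values for every profile that has ssl-mode full. The sample configuration and the parser's assumption that the input is only the `config voip profile` table are constructed for this example.

```python
import shlex
# Sample 'show voip profile' output, constructed for this example: "default" keeps the
# page's default values but picks a weak cipher set; "hardened" tightens each option.
SAMPLE_CONFIG = """config voip profile
    edit "default"
        config sip
            set ssl-mode full
            set ssl-algorithm low
        end
    next
    edit "hardened"
        config sip
            set ssl-mode full
            set ssl-min-version tls-1.1
            set ssl-pfs require
            set ssl-client-renegotiation secure
        end
    next
end
"""
DEFAULTS = {"ssl-min-version": "ssl-3.0", "ssl-algorithm": "high",  # page's defaults;
            "ssl-pfs": "allow", "ssl-client-renegotiation": "allow"}  # 'show' omits them
WEAK = {  # (option, value) pairs the option table describes as the weaker choice
    ("ssl-min-version", "ssl-3.0"): "accepts SSL 3.0",
    ("ssl-algorithm", "low"): "allows DES and RC4",
    ("ssl-pfs", "allow"): "PFS optional",
    ("ssl-client-renegotiation", "allow"): "renegotiation without RFC 5746"}

def parse_sip_settings(text):
    """Return {profile: {option: value}} from each profile's 'config sip' block."""
    profiles, name, in_sip = {}, None, False
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "edit":                 # start of a VoIP profile entry
            profiles[(name := tok[1])] = {}
        elif tok[:2] == ["config", "sip"]:
            in_sip = True
        elif tok[0] == "set" and in_sip:
            profiles[name][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "end":                # closes 'config sip' (or the table)
            in_sip = False
    return profiles

def audit(text):  # {profile: [finding, ...]} for ssl-mode full profiles, defaults applied
    findings = {}
    for name, settings in parse_sip_settings(text).items():
        effective = {**DEFAULTS, **settings}  # values the ALG actually enforces
        if effective.get("ssl-mode") != "full":
            continue  # SSL/TLS inspection is off; the options below do not apply
        for (opt, bad), why in WEAK.items():
            if effective.get(opt) == bad:
                findings.setdefault(name, []).append(f"{opt}={bad}: {why}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports four findings for "default" (three of them inherited defaults) and none for "hardened".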