Topic: Talking about encryption support with Grandstream (long)


  • Guest
Talking about encryption support with Grandstream (long)
« on: June 20, 2009, 04:47:26 AM »
Within the next 2 years, we will replace our old PBX step by step. It was decided to go for VoIP with complete CTI and Outlook integration, doubled fail over VoIP server. Now the question is what manufacturer and what products we should use. Something from the big ones? Avaya, Alcatel-Lucent, Cisco, Nortel, Aastra, Siemens, Innovaphone? Or should we go for an open-source based solution? Asterisk, FreeSwitch, VoIP PBX? Something else?
Well, for now it is open what we will choose. For now, it's time to ask some questions to the manufacturers; better, the customers of those manufacturers within support forums. Here I am.
From the specification sheets, the GXP-2020 looks nice, also the appearance is acceptable.
Old analog phones and faxes could be connected to central GXW-4100 series gateways. Additional devices can be used with e.g. HT-502. The GXE-5000 series could be used for local backup, when the SIP trunk to the SIP provider would fail.
Talking about the size and amount of devices: ~1500 IP phones, ~200 analog phones and faxes, ~40 buildings that are interconnected with a local WAN. Bandwidth is not a problem.
One big issue is encryption. We want it everywhere; as long as data crosses the IP WAN/LAN, encryption is needed.
And this seems to be the problem with many solutions. Everybody pretends to do it. Almost everybody is talking about SRTP, TLS/SIPS. But no one says anything about details: key exchange mechanism, encryption algorithms, i.e. DTLS, MIKEY, ZRTP, AES, SDES, IPsec, ...
So after asking some questions, it is clear: "No, you can't"
It seems there are many different scenarios to consider. Calls can go and come from different places:
 1. Incoming calls should be reached via landline:
[e.g. telephone network --ISDN/E1--> media gateway --IP--> VoIP PBX --IP--> GXP-2020 users]
So, what about encryption between the media gateway, the VoIP PBX and GXP-2020? Is it possible to encrypt the whole path? Could it be done with Grandstream products?
 2. Outgoing calls should go to a SIP provider which supports SIP trunking and DDI, well SIPconnect. Our planned provider does support SRTP for now. TLS will be introduced within 2009.
[e.g. SIP Provider <--SIP trunk-- VoIP PBX <--IP-- GXP-2020 users]
Same question here:
 Is it possible to encrypt the whole path with Grandstream products, hop by hop with TLS, end to end with SRTP? Well this will depend on the soft PBX, but has anyone actually done this with Grandstream?
 3. Outgoing calls should be forwarded locally, if the SIP trunk between the SIP provider and the VoIP PBX server fails.
[e.g. telephone network <--E1-- media gateway <--IP-- VoIP PBX <--IP-- GXP-2020 users]
Same question here:
What about encryption between the media gateway, the VoIP PBX and the GXP-2020? Is it possible to encrypt the whole IP path? Has anyone done this, yet? Which gateway do you use?
 4. As I mentioned before there will be one big local entry for incoming calls. In fact this will be 3x E1. Many buildings will also have a small gateway for going directly to the telephone network via some BR1/ISDN lines, in case the WAN fails. So, at least outgoing calls would work. Would the GXE-5000 work in such a case? What are your experiences?
[e.g. telephone network <--ISDN/BR1-- GXE-5000/other gateway <--IP-- GXP-2020 users]
 5. The next thing is the encryption of voice and signaling data in general. The VoIP PBX seems to have to support this as well. I think it's an end to end encryption between the users? As the VoIP PBX seems to play a proxy part, I guess yes?
[e.g. VoIP PBX <--IP/SIPS--> GXP-2020 users <--SRTP --> GXP-2020 users]
This should be easy with Grandstream?
 6. ENUM support
Well, I want to call someone with direct IP call, via SIP-URI/SIPS-URI, ENUM. And of course I want to be reached in such a way. It seems I need a kind of Session border controller for handling allowed incoming connections to avoid SPIT. Here the problem is that my partner who calls me has to support encryption. What to do if he doesn't support it?
[caller/called person <--IP--> SBC with ENUM gateway <--IP--> VoIP PBX <--IP--> GXP-2020]
Has anyone done this, yet? Which products do you use?
So, many questions. Hopefully, someone of you has some time to tell me about his/her experience.
Have a nice weekend.
Sincerely yours,


  • Guest
« Reply #1 on: June 20, 2009, 04:48:54 AM »

Hm, sorry for the bad layout. Seems the forum software mixed it up. And I can't change it afterwards?


  • Guest
« Reply #2 on: June 22, 2009, 02:46:54 AM »

#1, #3: the GXE supports TLS, CBCOM encryption. The whole path can be encrypted if the media gateway supports CBCOM, and it can be done with all Grandstream products. #2: Now, Grandstream does not support SRTP. #4: the answer is yes.