User avatar
By WelshPaul
#4986
In this guide, I'm going to show you how to enable call encryption using TLS and SRTP on the Cisco SPA range of phones. Before we start, you need to be aware of the following:
  1. Hosted PBX Users - Your VoIP provider must support TLS and SRTP for this to work.
  2. Onsite PBX Users - Your PBX also needs to be correctly configured and have the required certificate(s) installed for this to work.
  3. This guide isn't about how to configure your PBX, I'm only going to describe the steps required to configure your Cisco SPA phone!
The instructions described below were performed on a Windows 10 PC, an Onsite PBX (FreePBX) with the assigned IP address 192.168.1.182, a Cisco SPA525G2 running the latest firmware 7.6(2)SR3 which was registered to Extension 1000.

Step 1
Open your web browser of choice and enter your Cisco SPA telephones IP address in the URL. You should see the phones web GUI on screen:
spa525_gui.png
SPA525G2 GUI
spa525_gui.png (78.12 KiB) Viewed 51 times
Click on "Admin Login", followed by "advanced" located in the top right hand side of the page.
spa525_gui_admin_advanced.png
SPA525G2 Admin Login
spa525_gui_admin_advanced.png (14.14 KiB) Viewed 51 times
You should now have access to all advanced administration features, like so:
spa525_admin_advanced_gui.png
SPA525G2 Advanced Administration GUI
spa525_admin_advanced_gui.png (78.47 KiB) Viewed 51 times
Step 2
Click on the tab named SIP (as shown in the above image) and under the SIP Parameters section, look for the parameter named SRTP Method.

Default setting is:
  • SRTP Method: x-sipura
Change it to:
  • SRTP Method: s-descriptor
spa525g2_sip.png
SPA525G2 SIP GUI
spa525g2_sip.png (78.73 KiB) Viewed 51 times
Scroll down and click on the "Submit All Changes" button.

Step 3
Click on the tab named Ext1. Under the SIP Settings section, look for the parameter named SIP Transport.

Default setting is:
  • SIP Transport: UDP
Change it to:
  • SIP Transport: TLS
spa525g2_ext1_tls.png
SPA525G2 EXT1 GUI TLS
spa525g2_ext1_tls.png (75.83 KiB) Viewed 51 times
Scroll down to the Proxy and Registration section, look for the parameter named Proxy.

Default Proxy setting is:
  • Proxy:
Enter the domain or IP address of your PBX:
  • Proxy: 192.168.1.182
Again, under the same section look for the parameter named Register Expires.

Default Register Expires setting is:
  • Register Expires: 3600
Change it to:
  • Register Expires: 60
spa525g2_ext1_proxy.png
SPA525G2 EXT1 GUI Proxy and Registration
spa525g2_ext1_proxy.png (33.1 KiB) Viewed 51 times
Continue Scrolling down until you reach the Subscriber Information section, look for the parameter named User ID.

Default setting is:
  • User ID:
Enter the username your extension or VoIP account:
  • User ID: 1000
Again, under the same section look for the parameter named Password.

Default setting is:
  • Password:
Enter the password of your extension or VoIP account:
  • Password: password1234
spa525g2_subscriber_info.png
SPA525G2 EXT1 GUI Subscriber Information
spa525g2_subscriber_info.png (15.15 KiB) Viewed 51 times
Scroll down and click on the "Submit All Changes" button.

Step 4
Finally, click on the tab named User and under the Supplementary Services section, look for the parameter named Secure Call Setting.

Default setting is:
  • Secure Call Setting: no
Change it to:
  • Secure Call Setting: yes
spa525g2_user.png
SPA525G2 User GUI
spa525g2_user.png (79.86 KiB) Viewed 51 times
Scroll down and click on the "Submit All Changes" button.

That's it! Calls between your Cisco SPA phone and your PBX are now encrypted!
spa525g2_secure_call.png
SPA525G2 Call Log
spa525g2_secure_call.png (13.83 KiB) Viewed 50 times
The Cisco SPA525G beeps three times at the beginning of a call to indicate that the media stream is secure.

Attached below is my latest OBIHAI UK configuratio…

System advice?

As you wanted 9 for an outside line, pretty sure t…

Getting IP address from SIP

Yes and yes (unless they change it). Try pinging …

OK, another update... This time I have overhauled…