HELLO & WELCOME

[WelshPaul]

In this guide, I'm going to show you how to enable call encryption using TLS and SRTP on the Cisco SPA range of phones. Before we start, you need to be aware of the following:

1. Hosted PBX Users - Your VoIP provider must support TLS and SRTP for this to work.
2. Onsite PBX Users - Your PBX also needs to be correctly configured and have the required certificate(s) installed for this to work.
3. This guide isn't about how to configure your PBX, I'm only going to describe the steps required to configure your Cisco SPA phone!

The instructions described below were performed on a Windows 10 PC, an Onsite PBX (FreePBX) with the assigned IP address 192.168.1.182, a Cisco SPA525G2 running the latest firmware 7.6(2)SR3 which was registered to Extension 1000.

Step 1
Open your web browser of choice and enter your Cisco SPA telephones IP address in the URL. You should see the phones web GUI on screen:

SPA525G2 GUI
spa525_gui.png (78.12 KiB) Viewed 357 times

Click on "Admin Login", followed by "advanced" located in the top right hand side of the page.

SPA525G2 Admin Login
spa525_gui_admin_advanced.png (14.14 KiB) Viewed 357 times

You should now have access to all advanced administration features, like so:

SPA525G2 Advanced Administration GUI
spa525_admin_advanced_gui.png (78.47 KiB) Viewed 357 times

Step 2
Click on the tab named SIP (as shown in the above image) and under the SIP Parameters section, look for the parameter named SRTP Method.

Default setting is:

• SRTP Method: x-sipura

Change it to:

• SRTP Method: s-descriptor

SPA525G2 SIP GUI
spa525g2_sip.png (78.73 KiB) Viewed 357 times

Scroll down and click on the "Submit All Changes" button.

Step 3
Click on the tab named Ext1. Under the SIP Settings section, look for the parameter named SIP Transport.

Default setting is:

• SIP Transport: UDP

Change it to:

• SIP Transport: TLS

SPA525G2 EXT1 GUI TLS
spa525g2_ext1_tls.png (75.83 KiB) Viewed 357 times

Scroll down to the Proxy and Registration section, look for the parameter named Proxy.

Default Proxy setting is:

• Proxy:

Enter the domain or IP address of your PBX:

• Proxy: 192.168.1.182

Again, under the same section look for the parameter named Register Expires.

Default Register Expires setting is:

• Register Expires: 3600

Change it to:

• Register Expires: 60

SPA525G2 EXT1 GUI Proxy and Registration
spa525g2_ext1_proxy.png (33.1 KiB) Viewed 357 times

Continue Scrolling down until you reach the Subscriber Information section, look for the parameter named User ID.

Default setting is:

• User ID:

Enter the username your extension or VoIP account:

• User ID: 1000

Again, under the same section look for the parameter named Password.

Default setting is:

• Password:

Enter the password of your extension or VoIP account:

• Password: password1234

SPA525G2 EXT1 GUI Subscriber Information
spa525g2_subscriber_info.png (15.15 KiB) Viewed 357 times

Scroll down and click on the "Submit All Changes" button.

Step 4
Finally, click on the tab named User and under the Supplementary Services section, look for the parameter named Secure Call Setting.

Default setting is:

• Secure Call Setting: no

Change it to:

• Secure Call Setting: yes

SPA525G2 User GUI
spa525g2_user.png (79.86 KiB) Viewed 357 times

Scroll down and click on the "Submit All Changes" button.

That's it! Calls between your Cisco SPA phone and your PBX are now encrypted!

SPA525G2 Call Log
spa525g2_secure_call.png (13.83 KiB) Viewed 356 times

The Cisco SPA525G beeps three times at the beginning of a call to indicate that the media stream is secure.