VoIP: SIP-over-TLS and sRTP: LANCOM Systems

You can configure a LANCOM router with a Windows tool (LANconfig), the web interface (WEBconfig), the command-line interface (CLI), or SNMP. In the CLI, sysinfo shows the OpenSSL version in use. Below, I used WEBconfig, where I found (at least) three paths/views for configuration: (A) Wizard, (B) Hierarchy, and (C) Menu Tree.

Last tested firmware

10.30.0075 = 10.30 Rel (Reference Manual: General, All-IP, Content Filter, Public Spot, WLAN Management)
10.20.0455 = 10.20 RU6 (Reference Manual: General, All-IP)
10.12.0659 = 10.12 RU12 (Reference Manual: General, All-IP)
retested in May 2020 with 10.12.0787-SU15 and 10.20.0637-SU10

Configuration

Password: has to be changed on first use
HTTPS: enabled by default
Update: File management → Perform a Firmware Upload, or
Extras → Check for Firmware Update, or
Configuration → Management → Software update (→ General) → Check & Update
Trust Anchors: File management → Upload Certificate → File type: SIP - Trusted Certificate Chain Slot 1: PKCS#12
one file may contain several trust anchors and no private key is required; note that openssl only honours the last -in option, so pass the further PEM files via -certfile: openssl pkcs12 -export -in 76.pem -certfile 8395.pem -nokeys -out common.p12
SIP-URI User: A) Setup Wizard → Setup Voice-over-IP → (Lines) SIP provider and (Users) ISDN users → User defined → … or
B) Configuration → Voice Call Manager → Lines → SIP lines → Add → SIP-ID, or
C) LCOS Menu Tree → Setup → Voice-Call-Manager → Lines → SIP-Provider → Line → Add → User-Id
SIP-URI Host: A) … SIP domain → other…
B) … SIP domain
C) … Domain
Port: 0 (enables DNS-SRV)
SIP-over-TLS: A) … finish wizard and edit via B or C
B) … Signaling encryption: TLS 1.0 and Verify server cert. acc. to: SIP cert. slot 1
C) … Transport: TLSv1 and Verify-Server-Certificate: SIP-Trusted-CA-Slot-1
this selects exactly one TLS version, not a minimum; therefore you have to know which version(s) your SIP provider supports and pick the highest one
SDES-sRTP: A) … finish wizard and edit via B or C
B) Speech encryption: Prefer
C) SRTP: Prefer
i.e. the router first offers RTP/SAVP, and if the provider rejects it with 488 (Not Acceptable Here), it re-offers plain RTP/AVP
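The offer/answer sequence behind the Prefer setting, as an added Python example (stdlib only). This is not LANCOM code: the two provider functions, the IP addresses, the RTP port and the keys are constructed for the example, and the SDES key line follows RFC 4568.

```python
"""SDES-sRTP offer/answer with RTP/AVP fallback after 488 (added example, not LANCOM code).

Models "Speech encryption: Prefer" as the page describes it: offer RTP/SAVP with an
a=crypto line (SDES, RFC 4568); if the provider answers 488 Not Acceptable Here,
re-offer plain RTP/AVP. Providers, addresses and keys below are constructed.
"""
import base64
import os
import re
from typing import Callable, Optional, Tuple

SDES_SUITE = "AES_CM_128_HMAC_SHA1_80"  # RFC 4568: 16-byte master key + 14-byte salt
KEY_SALT_LEN = 30


def sdes_crypto_line(tag: int = 1, key_salt: Optional[bytes] = None) -> str:
    """Build an RFC 4568 'a=crypto' attribute; master key/salt is random unless given."""
    if key_salt is None:
        key_salt = os.urandom(KEY_SALT_LEN)
    if len(key_salt) != KEY_SALT_LEN:
        raise ValueError(f"{SDES_SUITE} needs {KEY_SALT_LEN} bytes of key+salt")
    return f"a=crypto:{tag} {SDES_SUITE} inline:{base64.b64encode(key_salt).decode()}"


def build_sdp_offer(local_ip: str, rtp_port: int, secure: bool) -> str:
    """Audio-only SDP: RTP/SAVP plus a=crypto when secure, plain RTP/AVP otherwise."""
    profile = "RTP/SAVP" if secure else "RTP/AVP"
    lines = [
        "v=0",
        f"o=- 1 1 IN IP4 {local_ip}",
        "s=-",
        f"c=IN IP4 {local_ip}",
        "t=0 0",
        f"m=audio {rtp_port} {profile} 8 0 101",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:101 telephone-event/8000",
    ]
    if secure:
        lines.append(sdes_crypto_line())
    return "\r\n".join(lines) + "\r\n"


def audio_profile(sdp: str) -> str:
    """Transport profile (RTP/AVP or RTP/SAVP) of the first audio m= line."""
    m = re.search(r"^m=audio \d+ (RTP/S?AVP)\b", sdp, re.M)
    if not m:
        raise ValueError("no audio m= line")
    return m.group(1)


Provider = Callable[[str], Tuple[int, str]]  # offer SDP -> (SIP status, answer SDP)


def provider_without_srtp(offer: str) -> Tuple[int, str]:
    """Constructed provider that cannot do sRTP: 488 on RTP/SAVP, 200 on RTP/AVP."""
    if audio_profile(offer) == "RTP/SAVP":
        return 488, ""
    return 200, offer.replace("o=- 1 1", "o=provider 1 1")


def provider_with_srtp(offer: str) -> Tuple[int, str]:
    """Constructed provider that accepts either profile and answers with its own key."""
    answer = re.sub(r"^a=crypto:[^\r\n]*", sdes_crypto_line(), offer, flags=re.M)
    return 200, answer.replace("o=- 1 1", "o=provider 1 1")


def negotiate(provider: Provider, prefer_srtp: bool,
              local_ip: str = "192.0.2.10", rtp_port: int = 7078) -> Tuple[str, int]:
    """Offer/answer loop for 'Prefer': RTP/SAVP, 488, RTP/AVP.

    Returns (negotiated profile, number of offers sent). With prefer_srtp=False
    only a plain RTP/AVP offer is made.
    """
    attempts = 0
    for secure in ([True, False] if prefer_srtp else [False]):
        attempts += 1
        status, answer = provider(build_sdp_offer(local_ip, rtp_port, secure))
        if status == 200:
            return audio_profile(answer), attempts
        if status != 488:
            raise RuntimeError(f"unexpected SIP status {status}")
    raise RuntimeError("provider rejected every offer")


if __name__ == "__main__":
    print(negotiate(provider_without_srtp, prefer_srtp=True))  # falls back after 488
    print(negotiate(provider_with_srtp, prefer_srtp=True))     # stays on RTP/SAVP
```

Against a provider without sRTP the fallback costs one extra round trip per call; note that the SDES key travels in clear inside the SDP, which is why SIP-over-TLS is a prerequisite for it.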

To use the new line as destination, change the existing default call route, for example:
B) Configuration → Voice Call Manager → Call Router → Call routing → Default → Destination line
C) LCOS Menu Tree → Setup → Voice-Call-Manager → Call-Router → Call-Routing → default → Dest-Line-1

Bad Defaults

SDES-sRTP: [SNMP 2.33.3.1.1.23] Configuration → Voice Call Manager → Users → SIP Users → (Security) Speech encryption: Prefer
This controls SDES-sRTP for users of the internal SIP B2BUA. The default is Ignore, yet the remaining sRTP options are not disabled/greyed out in that case.
Signaling DiffServ: [SNMP 2.33.2.15] Configuration → Voice Call Manager → Extended → (Quality of Service) SIP DiffServ codepoint (DSCP): CS5
The default is CS6; the help text is wrong, because it states CS1 as the default and CS3 as the recommendation (CS5 is what RFC 4594 recommends for signaling).
IPv6: [SNMP 2.70.10] Configuration → IPv6 → General → IPv6 enabled
The default is Disabled; the remaining defaults look good.

Software Bugs

SHA-2 Digest: ignores the algorithm and picks the last one
DNS-NAPTR: missing (only DNS-SRV is used)
Voice Call Manager (VCM): every TLS client has an option called Crypto-Algorithms except the TLS client of the VCM; therefore RC4-MD5 could not be disabled even manually (fixed with 10.40.0286)
since 10.40, everything allows TLS 1.3, except the VCM
Signaling DiffServ: when using the SIP B2BUA, the DSCP is not applied internally for TCP (and TLS), only for UDP

Security

Bugs: cipher suites include RC4 (even RC4-MD5), fixed with 10.40.0286
SIP-over-TLS without server authentication (no hostname validation), fixed with 10.12.0488
Responsible Disclosure: via ticket system
Agents close your case once the issue has been handed over to Engineering. Re-opening the ticket does not help, because it gets closed automatically after two months of inactivity. Consequently, you have to monitor the release notes to see whether your issue was fixed.
Firmware Update: Automatic Update: possible since LCOS 10.20, see… (even beta is possible)
Update Newsletter: LANCOM LCOS Newsflash
Update Newsletter for Release Candidates: LANCOM RC Newsflash
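The two client-side checks the page lists as bugs (no hostname validation before 10.12.0488, RC4 suites until 10.40.0286) and the "fixed version, not a minimum" caveat from the SIP-over-TLS setting, shown as an added Python example with the standard library's ssl module. This is not LANCOM code: the cipher list is my own choice, and the SIP domain, port 5061, the local address in the Via header and the OPTIONS probe are assumptions for the example.

```python
"""Hardened SIP-over-TLS client settings (added example, not LANCOM code).

Shows the three things a SIP TLS client must get right: validate the server
certificate against the SIP domain, refuse RC4/MD5 suites, and treat the TLS
version as a floor rather than a single pinned version. The OPTIONS probe is
an assumption for the example; the provider domain/port are placeholders.
"""
import socket
import ssl
import uuid
from typing import Optional, Tuple

# Forward-secret AEAD suites only; RC4, MD5 and NULL suites explicitly excluded.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!RC4:!MD5:!aNULL:!eNULL"


def sip_tls_context(ca_bundle: Optional[str] = None,
                    minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context: hostname validation, required chain, RC4-free, TLS minimum."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True            # certificate must match the SIP domain
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end in a configured trust anchor
    ctx.minimum_version = minimum        # a floor: TLS 1.3 stays negotiable
    ctx.set_ciphers(CIPHERS)
    return ctx


def weak_cipher_names(ctx: ssl.SSLContext) -> list:
    """RC4- or MD5-based suites the context would still offer (expected: none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if "RC4" in c["name"] or "MD5" in c["name"]]


def sip_options_request(domain: str, local_ip: str = "192.0.2.10",
                        local_port: int = 5061) -> str:
    """Minimal RFC 3261 OPTIONS request addressed to the provider's SIP domain."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    return (
        f"OPTIONS sip:{domain} SIP/2.0\r\n"
        f"Via: SIP/2.0/TLS {local_ip}:{local_port};branch={branch}\r\n"
        "Max-Forwards: 70\r\n"
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}\r\n"
        f"To: <sip:{domain}>\r\n"
        f"Call-ID: {uuid.uuid4().hex}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def probe_sip_provider(domain: str, port: int = 5061, ca_bundle: Optional[str] = None,
                       timeout: float = 5.0) -> Tuple[str, str, str]:
    """Connect with SIP-over-TLS, verify chain and hostname, send OPTIONS.

    Returns (TLS version, cipher suite, first line of the SIP reply). A raised
    ssl.SSLCertVerificationError is exactly the failure that a client without
    hostname validation would silently accept.
    """
    ctx = sip_tls_context(ca_bundle)
    with socket.create_connection((domain, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            tls.sendall(sip_options_request(domain).encode())
            reply = tls.recv(4096).decode(errors="replace")
            return tls.version(), tls.cipher()[0], reply.split("\r\n", 1)[0]


if __name__ == "__main__":
    import sys
    # usage: python sip_tls_probe.py sip.example.com [trust-anchors.pem]
    print(probe_sip_provider(sys.argv[1], ca_bundle=sys.argv[2] if len(sys.argv) > 2 else None))
```

Pass the same PEM trust anchors you upload to the router's SIP certificate slot as ca_bundle; the probe then answers the question the router's own setting cannot, namely which TLS version and suite the provider actually negotiates when offered a minimum instead of a fixed version.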

Miscellaneous

Model Range

Some models require an intermediate update followed by a conversion. Do not give up on getting the latest version; double-check the (Telekom) download page. Some models within a series are already End-of-Sale and/or End-of-Life; double-check the lifecycle of your model. Anything below 10.20 is not recommended, because it lacks the automatic firmware update.

Power Supply

12 V 1.5 A, Coaxial: 5.5 mm × 2.1 mm
