Most H.323 vendors did not implement encryption of the signaling connection with TLS; they only encrypt the media (RTP). You can, however, use two GNU Gatekeepers to encrypt your call signaling even when your endpoints don't support this natively.
Suppose you have 2 locations and want to connect them securely over the public internet.
GnuGk can encrypt the call signaling between those locations using TLS and encrypt the media (RTP) using H.235.6 (AES encryption).
Configuration for GNU Gatekeeper 1 (prefix 01)
[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 02
1.2.3.4:1300=remote-gw;02

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1
Configuration for GNU Gatekeeper 2 (prefix 02)
[Gatekeeper::Main]

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1720
AcceptUnregisteredCalls=1
; make sure H.245 gets tunneled for TLS
H245TunnelingTranslation=1
; add AES media encryption if the endpoint doesn't encrypt itself
EnableH235HalfCallMedia=1
; only allow encrypted calls
RequireH235HalfCallMedia=1
; change the media key after 2^31 operations
EnableH235HalfCallMediaKeyUpdates=1

[Proxy]
Enable=1

[ModeSelection]
0.0.0.0/0=PROXY
; only use routed mode for local calls
192.168.0.0/18=H245ROUTED

[TLS]
EnableTLS=1
PrivateKey=/path/to/server.pem
Certificates=/path/to/server.pem
CAFile=/path/to/rootcert.pem
Passphrase=MySecret
CheckCertificateIP=1

[Gatekeeper::Auth]
FileIPAuth=required;Setup

[FileIPAuth]
; allow all calls from local network
192.168.1.0/24=allow
; only allow TLS encrypted and authenticated calls from elsewhere
any=onlyTLS

[RasSrv::PermanentEndpoints]
; the GnuGk in the other location, serving prefix 01
1.2.3.5:1300=remote-gw;01

[EP::remote-gw]
; use TLS to call remote GnuGk
UseTLS=1
Other options
You could also configure the remote GNU Gatekeeper as a neighbor, but beware that the RAS traffic between neighbors will expose metadata (who is calling whom) in clear text!
See the GnuGk manual section on TLS for more details and examples of how to generate the OpenSSL certificates.
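As an added example (not from the GnuGk project or the manual), the following POSIX shell script uses openssl to produce the files the [TLS] sections above point at: a private root CA shared by both gatekeepers (CAFile) and, for each gatekeeper, a passphrase-protected private key and certificate in a single file (PrivateKey and Certificates), with the passphrase being the value for Passphrase=. The file names, CN values and the extendedKeyUsage choice are assumptions, as is placing the gatekeeper's IP in a subjectAltName for a peer running CheckCertificateIP=1 to match against; how GnuGk locates the IP in the certificate is described in the manual.

```shell
#!/bin/sh
# Constructed example: build the PEM files referenced by the [TLS] section.
#   rootcert.pem     -> CAFile (distribute to both gatekeepers)
#   server-<ip>.pem  -> PrivateKey and Certificates (encrypted key + cert)
set -eu

# Create a private root CA in $1: rootkey.pem (keep it offline) and rootcert.pem.
make_root_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -new -newkey rsa:3072 -sha256 -days 3650 -nodes \
        -subj "/CN=GnuGk private root CA" \
        -keyout "$dir/rootkey.pem" -out "$dir/rootcert.pem" 2>/dev/null
    chmod 600 "$dir/rootkey.pem"
}

# Issue a certificate for the gatekeeper at IP $2, signed by the CA in $1, with
# the private key encrypted under passphrase $3 (the Passphrase= value).
# The IP subjectAltName is what a peer with CheckCertificateIP=1 is assumed to
# compare against the connecting address; both sides call and accept calls, so
# the certificate is marked for server and client authentication.
make_gk_cert() {
    dir=$1; ip=$2; pass=$3
    bundle="$dir/server-$ip.pem"
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$ip" \
        > "$dir/ext-$ip.cnf"
    openssl req -new -newkey rsa:3072 -sha256 -subj "/CN=gnugk-$ip" \
        -passout "pass:$pass" -keyout "$bundle" -out "$dir/req-$ip.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 730 -in "$dir/req-$ip.csr" \
        -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" -CAcreateserial \
        -extfile "$dir/ext-$ip.cnf" -out "$dir/cert-$ip.pem" 2>/dev/null
    # GnuGk reads key and certificate from the same file, so append the cert
    cat "$dir/cert-$ip.pem" >> "$bundle"
    rm -f "$dir/req-$ip.csr" "$dir/ext-$ip.cnf"
    chmod 600 "$bundle"
}

# Return 0 if the certificate for IP $2 chains to the CA in $1 and carries that IP SAN.
verify_gk_cert() {
    dir=$1; ip=$2
    openssl verify -CAfile "$dir/rootcert.pem" "$dir/cert-$ip.pem" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/cert-$ip.pem" -noout -text 2>/dev/null |
        grep -q "IP Address:$ip"
}
```

Run make_root_ca once, then make_gk_cert once per gatekeeper with its own public IP (1.2.3.4 and 1.2.3.5 in the configurations above), and copy only rootcert.pem and that gatekeeper's server-<ip>.pem to each site.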