Google SIP Link Configuration Guide

Google SIP Link lets you use Google Voice features, such as voicemail transcription, ring groups, and call forwarding. SIP Link connects to your SBC over a TLS connection. Media sent over the SIP trunk is encrypted using DTLS. This connection takes place through the internet or direct peering.

This guide covers the necessary steps to configure VSXi to support Google SIP Link.

System Requirements

• Recent version of VSXi. This article was created using VSXi-10.7.1.x or later.
• DTLS capable media server (MST3 / MBT).

Certificate and Service Port Configuration

SIP Link accepts TLS certificates from the following Certificate Authorities (CAs):

• DigiCert
• Entrust DataCard
• GlobalSign
• GoDaddy
• Sectigo

TLS certificate requirements

TLS certificates must contain the fully qualified domain name (FQDN) of the SBC as the common name (CN), be 2,048 bits in size, and use RSA or ECDSA encryption. The domain of the CN in the certificate must match the Workspace domain.

Note: Wildcard certificates are not supported.

The TLS certificate and the trust chain from any one of the public CAs must be added to the TLS profile of the SBC along with the Google Root certificate. 

To get the Google Root certificate:

1. Download Google’s trusted root CAs.
2. Extract GTS Root R1 (GTSR1).
3. If required, extract the GlobalSign Root CA certificate.
4. Upload the root certificates to your VSXi.
5. Assign root certificate to the SIP Link Service Port with mutual authentication.

Service Port Configuration

The Google SIP Link Service Port needs to be TLS as illustrated below.

Google Voice supports TLS version 1.2 or later. The following configuration will meet Google's Requirements:

/sg/tls/spid_cfg2:

SPID=X Version=v1.2only ECDHE=X25519:P-256 CipherList=HIGH

Where X is the Service Port ID.

Resource Configuration

A Google SIP Link Resource will need the following:

1. A Google SIP Link enabled Service Port as described above.
2. DTLS enabled as illustrated below. 
3. An SMC with the SIP Trunk authentication token.

{
  "ProfileID": CHANGEID,
  "ProfileName": "Google SIP Link",
  "Rules": [
    {
      "MsgType": "REQUEST",
      "ReqMethod": "INVITE",
      "Action": "REPLACE_MSG",
      "ReplaceDefs": [
        {
          "ReplaceType": "ADD_LINE",
          "Header": "From:",
          "HeaderAttr": "HEADER_SECTION_ONLY",
          "Output": "X-Google-Pbx-Trunk-Secret-Key: REPLACETOKEN"
        },
        {
          "ReplaceType": "FINDSUB_LINES",
          "Header": "TOPLINE",
          "HeaderAttr": "HEADER_SECTION_ONLY",
          "Macro": "GETURI_HOST",
          "Output": "trunk.sip.voice.google.com"
        }
      ]
    }
  ]
}

Digit Format

DNIS must be send in E164 format.

Troubloshooting

You can refer to the following documentation under section "Troubleshoot common signal connection issues".

https://support.google.com/a/answer/11975747?sjid=15808604127131121139-NA#zippy=