Cisco StarOS IP Security (IPSec) Reference
IPSec Network Applications
IPSec for Femto-UMTS Networks
For additional information refer to the Dead Peer Detection (DPD) Configuration section of the Redundant IPSec Tunnel Fail-over chapter of this guide.
IPSec Tunnel Termination
IPSec tunnel termination occurs during the following scenarios:
Idle Tunnel Termination. When a session manager for a service detects that all subscriber sessions using a given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
Service Termination. When a service running on a network node is brought down for any reason, all corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a service being stopped manually, or a task handling an IPSec tunnel restarting.
Unreachable Peer. If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the system CLI during crypto template configuration.
Network Handover Handling. Any IPSec tunnel that becomes unusable due to a network handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session.
x.509 Certificate Configuration
Use the following example to configure the x.509 certificates on the system that provide certificate-based authentication between the FAP and the SeGW in a Femto-UMTS network.
configure
  certificate name <x.509_cert_name> pem { data <pem_data_string> | url <pem_data_url> } private-key pem { [encrypted] data <PKI_pem_data_string> | url <PKI_pem_data_url> }
  ca-certificate name <ca_root_cert_name> pem { data <pem_data_string> | url <pem_data_url> }
  exit
  crypto template <segw_crypto_template> ikev2-dynamic
    authentication local certificate
    authentication remote certificate
    keepalive interval <dur> timeout <dur_timeout>
    certificate <x.509_cert_name>
    ca-certificate list ca-cert-name <ca_root_cert_name>
    payload <crypto_payload_name> match childsa [match {ipv4 | ipv6}]
      ip-address-alloc dynamic
      ipsec transform-setlist <ipsec_trans_set>
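A pre-flight check for the PEM material that the "certificate name ... pem { data | url }" and "private-key pem { [encrypted] data | url }" commands above load, added here as an example and not Cisco's or this guide's own code. It validates the PEM block and its outer DER length (catching a truncated paste), decides whether the "encrypted" keyword applies from the PKCS#8 label or the legacy Proc-Type header, and keeps the page's <PKI_pem_data_string> placeholder because the exact inline quoting is not shown on the page; the sample blobs are constructed, not real credentials.

```python
import base64
import re
# One PEM block: its label and a body that may begin with RFC 1421 headers (Proc-Type, DEK-Info).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: the base64 is a 5-byte DER SEQUENCE { INTEGER 1 }, not a real certificate or key.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PLAIN = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
SAMPLE_KEY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "MAMCAQE=\n-----END RSA PRIVATE KEY-----\n")

def check_der_sequence(der):
    # Reject a payload whose outer SEQUENCE length disagrees with the data length (a truncated paste).
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    n = 0 if der[1] < 0x80 else der[1] & 0x7F  # long-form length uses n extra bytes
    length = der[1] if n == 0 else int.from_bytes(der[2:2 + n], "big")
    if 2 + n + length != len(der):
        raise ValueError("DER length %d does not match payload length %d" % (2 + n + length, len(der)))

def parse_pem(text):
    # Return (label, headers, payload): strict base64, DER-checked unless the body is ciphertext.
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, lines, headers = m.group(1), m.group(2).splitlines(), {}
    while lines and ":" in lines[0]:  # header lines precede the base64 body
        key, value = lines.pop(0).split(":", 1)
        headers[key.strip()] = value.strip()
    payload = base64.b64decode("".join(s.strip() for s in lines), validate=True)
    if not headers.get("Proc-Type", "").endswith("ENCRYPTED"):  # legacy-encrypted body is ciphertext, not DER
        check_der_sequence(payload)
    return label, headers, payload

def pem_rejected(text):
    try:
        parse_pem(text)
    except ValueError:
        return True
    return False

def private_key_clause(key_pem):
    # Pick the 'private-key pem { [encrypted] data ... }' form; <PKI_pem_data_string> is kept as the page's placeholder.
    label, headers, _ = parse_pem(key_pem)
    if not label.endswith("PRIVATE KEY"):
        raise ValueError("not a private key block: " + label)
    if label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        return "private-key pem encrypted data <PKI_pem_data_string>"  # PKCS#8 label or legacy header
    return "private-key pem data <PKI_pem_data_string>"  # key material lands in cleartext in the config
```

Run the checks against the real certificate and key files before pasting their contents into the configuration; a key that yields the unencrypted form is stored in cleartext in the saved configuration unless the url form or the encrypted keyword is used instead.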