Cisco Cisco Packet Data Gateway (PDG) Fehlerbehebungsanleitung
IP Security
▀ Implementing IPSec for Mobile IP Applications
▄ Cisco ASR 5000 Series Enhanced Feature Configuration Guide
OL-22982-01
Step
Description
11.
The HA determines the appropriate crypto map to use for IPSec protection based on the FA‘s address. It does this by
comparing the address received to those configured using the
comparing the address received to those configured using the
command. From the crypto map, the
system determines the following:
The map type, in this case dynamic
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be used
IPSec SA lifetime parameters
The name of one or more configured transform set defining the IPSec SA
12.
The HA creates a response to the D-H exchange using the ―S‖ secret and the Key ID sent by the FA.
13.
The HA sends IKE SA negotiation D-H exchange response to the FA.
14.
The FA and the HA negotiate an ISAKMP (IKE) policy to use to protect further communications.
15.
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the security gateway using the transform
method specified in the transform sets.
method specified in the transform sets.
16.
Once the IPSec SA has been negotiated, the system protects the data according to the IPSec SAs established during step 15
and sends it over the IPSec tunnel.
and sends it over the IPSec tunnel.
Important:
Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new
Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is
supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected.
Configuring IPSec Support for Mobile IP
This section provides a list of the steps required to configure IPSec functionality on the system in support of Mobile IP.
Each step listed refers to a different section containing the specific instructions for completing the required procedure.
Each step listed refers to a different section containing the specific instructions for completing the required procedure.
Important:
These instructions assume that the systems were previously configured to support subscriber data
sessions either as an FA or an HA.
Step 1
Configure one or more transform sets for the FA system according to the instructions located in the
The transform set(s) must be configured in the same context as the FA service.
Step 2
Configure one or more ISAKMP policies or the FA system according to the instructions located in the
The ISAKMP policy(ies) must be configured in the same context as the FA service.
Step 3
Configure an ipsec-isakmp crypto map or the FA system according to the instructions located in the
The crypto map(s) must be configured in the same context as the FA service.