Cisco Packet Data Gateway (PDG)
IPSec Network Applications
IPSec for Femto-UMTS Networks
IPSec Reference, StarOS Release 17
Child SA Rekey Support
Rekeying of an IKEv2 Child Security Association (SA) occurs for an already established Child SA whose lifetime
(either time-based or data-based) is about to exceed a maximum limit. The IPSec subsystem initiates rekeying to replace
the existing Child SA. During rekeying, two Child SAs exist momentarily (500ms or less) to ensure that transient
packets from the original Child SA are processed by the IPSec node and not dropped.
Child SA rekeying is disabled by default, and incoming rekey requests are ignored while it is disabled. The feature is enabled in the Crypto
Configuration Payload Mode of the system's CLI.
For additional information refer to the IPSec Certificates chapter of this guide.
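As an added illustration (not StarOS code), the following Python model captures the rekey behaviour described above: each Child SA carries a time-based and a data-based lifetime, a rekey is triggered when either is about to be exceeded, and the original SA is kept for the 500 ms overlap window so in-flight packets on its SPI are still accepted rather than dropped. The 90% trigger margin, the SPI values and the "rekeying off" tear-down path are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional
OVERLAP_MS = 500  # both Child SAs coexist for at most this long during a rekey

@dataclass
class ChildSA:
    spi: int
    created_ms: float
    life_seconds: float     # time-based lifetime
    life_bytes: int         # data-based lifetime
    bytes_seen: int = 0
    retire_at_ms: Optional[float] = None  # set once a replacement SA is installed

    def near_expiry(self, now_ms: float, margin: float = 0.9) -> bool:
        """True when either lifetime is about to hit its maximum (90% margin is an assumption)."""
        age_s = (now_ms - self.created_ms) / 1000.0
        return age_s >= margin * self.life_seconds or self.bytes_seen >= margin * self.life_bytes

class ChildSATable:
    """One tunnel's Child SAs on an IPSec node; now_ms is passed in so runs are deterministic."""
    def __init__(self, life_seconds: float, life_bytes: int, rekey_enabled: bool = False):
        self.life_seconds, self.life_bytes = life_seconds, life_bytes
        self.rekey_enabled = rekey_enabled        # disabled by default, as the text states
        self.next_spi = 0x1000                    # constructed SPI values
        self.active: Optional[ChildSA] = None
        self.retiring: Optional[ChildSA] = None   # old SA kept for in-flight packets
        self.rekeys = 0

    def install(self, now_ms: float) -> ChildSA:
        sa = ChildSA(self.next_spi, now_ms, self.life_seconds, self.life_bytes)
        self.next_spi += 1
        if self.active is not None:               # replacing: keep the old SA briefly
            self.active.retire_at_ms = now_ms + OVERLAP_MS
            self.retiring = self.active
            self.rekeys += 1
        self.active = sa
        return sa

    def inbound(self, spi: int, nbytes: int, now_ms: float) -> str:
        """Classify a packet on spi as 'accepted' or 'dropped', rekeying when a limit nears."""
        if self.retiring and now_ms >= self.retiring.retire_at_ms:
            self.retiring = None                  # overlap window over: old SA removed
        sa = next((s for s in (self.active, self.retiring) if s and s.spi == spi), None)
        if sa is None:
            return "dropped"                      # unknown or already-retired SPI
        sa.bytes_seen += nbytes
        if sa is self.active and sa.near_expiry(now_ms):
            if self.rekey_enabled:
                self.install(now_ms)              # replace before the limit is exceeded
            elif sa.bytes_seen >= sa.life_bytes or (now_ms - sa.created_ms) / 1000 >= sa.life_seconds:
                self.active = None                # hard expiry with rekeying off: SA torn down
        return "accepted"
```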
IKEv2 Keep-Alive Messages (Dead Peer Detection)
IPSec for LTE/SAE supports IKEv2 keep-alive messages, also known as Dead Peer Detection (DPD), originating from
both ends of an IPSec tunnel. Per RFC 3706, DPD is used to simplify the messaging required to verify communication
between peers and tunnel availability. You configure DPD on each IPSec node. You can also disable DPD, and the node
will not initiate DPD exchanges with other nodes. However, the node always responds to DPD availability checks
initiated by another node regardless of its DPD configuration.
For additional information refer to the Dead Peer Detection (DPD) Configuration section of the Redundant IPSec
Tunnel Fail-over chapter of this guide.
IPSec Tunnel Termination
IPSec tunnel termination occurs during the following scenarios:
Idle Tunnel Termination. When a session manager for a service detects that all subscriber sessions using a
given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
Service Termination. When a service running on a network node is brought down for any reason, all
corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a
service being stopped manually, or a task handling an IPSec tunnel restarting.
Unreachable Peer. If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec
tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the
system CLI during crypto template configuration.
Network Handover Handling. Any IPSec tunnel that becomes unusable due to a network handover gets
terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session