Cisco Packet Data Gateway (PDG)
Security Gateway Overview
Product Overview
SecGW Administration Guide, StarOS Release 17
SecGW Application
The StarOS-based Security Gateway (SecGW) application is a solution for Remote-Access (RAS) and Site-to-Site
(S2S) mobile network environments. It is implemented via StarOS as a WSG (Wireless Security Gateway) service that
leverages the IPSec features supported by StarOS.
SecGW delivers the S2S IP Encryption capabilities required in UMTS/HSPA and LTE 3GPP LTE/SAE network
architectures.
For complete descriptions of supported IPSec features, see the IPSec Reference.
Important:
The SecGW is a licensed StarOS feature. A separate license is required for each VPC-VSM instance
and SecGW. Contact your Cisco account representative for detailed information on specific licensing requirements.
Key Features
The following are key features of the SecGW product:
• Functions in a virtualized environment on one or more VSM blades in an ASR9000
• Supports IKEv2.
• Supports DES, 3DES, AES and NULL Encryption algorithms, and MD5, SHA1/2 and AES-XCBC Hash algorithms.
• Provides mechanisms for High Availability both within and outside of the ASR 9000 chassis.
• IPv6 support encompasses Inner-Outer pairs – v6-v6, v6-v4, v4-v6, v4-v4
• Allows dynamic provisioning of IPSec configuration when a new SecGW is instantiated on the router.
Each of the four SecGWs on a VSM must be configured separately.
Load balancing has not been implemented for the SecGWs; incoming calls will not be automatically distributed across
the four SecGWs on a VSM. A workaround is to use VLANs for load balancing. The public side interface of each
SecGW can be configured for a separate VLAN. Calls from multiple peers are routed to the same IP address via a
different VLAN to distribute the traffic load.
IPSec Capabilities
The following IPSec features are supported by StarOS for implementation in an SecGW application:
• Anti Replay
• Multiple Child SA (MCSA)
• Certificate Management Protocol (CMPv2)
• Session Recovery/Interchassis Session Recovery for both RAS and S2S
• Support for IKE ID Type
• PSK support with up to 255 octets
• Online Certificate Status Protocol (OCSP)
• Reverse DNS Lookup for Peer IP in show Commands