Cisco Cisco Packet Data Gateway (PDG)
IKE_SA_INIT packets are just after the Ni and Nr payloads (before the optional CERTREQ
payload)," the ePDG does not force strict ordering of this and still can process these NOTIFY
payloads.
payload)," the ePDG does not force strict ordering of this and still can process these NOTIFY
payloads.
• ePDG egress processing will ensure that payloads are in order.
• As described above, when the ePDG receives IKEv2 messages, the ePDG does not enforce the payloads
to be in order. However, when the ePDG sends the response or generates any IKEv2 messages, the ePDG
will ensure that payloads are ordered according to RFC 4306.
will ensure that payloads are ordered according to RFC 4306.
• Traffic selector payloads from the UE support only traffic selectors by IP address range. In other words,
the IP protocol ID must be 0. The start port must be 0 and the end port must be 65535. IP address range
specification in the TSr payload is not supported.
specification in the TSr payload is not supported.
• Only IKE and ESP protocol IDs are supported. AH is not supported.
• The IKE Protocol ID specification may not use the NONE algorithm for authentication or the
ENCR_NULL algorithm for encryption as specified in Section 5 (Security Considerations) of RFC 4306.
• In ESP, ENCR_NULL encryption and NONE authentication cannot be simultaneously used.
• No more than 16 transform types may be present in a single IKE_SA_INIT or IKE_AUTH Request
message. If a deviation from this format is used in the proposal format, the ePDG returns an error of
INVALID_SYNTAX.
INVALID_SYNTAX.
X.509 Certificate (CERT) Restrictions
The following are known restrictions for the creation and use of X.509 CERT:
• The maximum size of a CERT configuration is 4096 bytes.
• The ePDG includes the CERT payload only in the first IKE_AUTH Response for the first authentication.
• If the ePDG receives the CERT-REQ payload when it is not configured to use certificate authentication
and if the CRITICAL bit is set in the IKE_AUTH request, the ePDG will reject the exchange. If the
ePDG receives the CERT-REQ payload when it is not configured to use certificate authentication and
if the CRITICAL bit is not set, the ePDG ignores the payload and proceeds with the exchange to be
authenticated using EAP.
ePDG receives the CERT-REQ payload when it is not configured to use certificate authentication and
if the CRITICAL bit is not set, the ePDG ignores the payload and proceeds with the exchange to be
authenticated using EAP.
• Only a single CERT payload is supported. While RFC 4306 mandates the support of up to four certificates,
the ePDG service will support only one X.509 certificate per context. This is due to the size of an X.509
certificate. Inclusion of multiple certificates in a single IKE_AUTH may result in the IKE_AUTH
message not being properly transmitted.
certificate. Inclusion of multiple certificates in a single IKE_AUTH may result in the IKE_AUTH
message not being properly transmitted.
GTPv2 Restrictions
The following are known restrictions for the creation and use of GTPv2:
• The ePDG should not send the Modify Bearer Command towards PGW for the modification of QoS or
APN AMBR for the default bearer when triggered by HSS to ePDG and then to PGW.
• The ePDG should not send Delete PDN connection set request message per 23.007 for the FQ-CSID
failure.
ePDG Administration Guide, StarOS Release 19
116
Evolved Packet Data Gateway Engineering Rules
X.509 Certificate (CERT) Restrictions