Cisco Cisco Packet Data Gateway (PDG)
ePDG also supports hash and URL based encoding of certificate payloads in IKE exchanges.
The ePDG generates an SNMP notification when the certificate is within 30 days of expiration and
approximately once a day until a new certificate is provided. Operators need to generate a new certificate and
then configure the new certificate using the system's CLI. The certificate is then used for all new sessions.
approximately once a day until a new certificate is provided. Operators need to generate a new certificate and
then configure the new certificate using the system's CLI. The certificate is then used for all new sessions.
Timers
The ePDG includes the following timers for IPSec tunnels:
• IKE Session Setup Timer: This timer ensures that an IKE session set up is completed within a configured
period. The ePDG tears down the call if it is still in progress when the timer expires. The default value
is 120 seconds, and the range is between 1 and 3600 seconds.
is 120 seconds, and the range is between 1 and 3600 seconds.
• IKEv2 and IPSec SA Lifetime Timers: The ePDG maintains separate SA lifetime timers for both
IKEv2 SAs and IPSec SAs. All timers are started when an SA is successfully set up. If there is traffic
through the SA, the ePDG may initiate rekeying. If there is no traffic and rekey keepalive is not required,
the ePDG deletes the SA without rekeying. If there is no traffic and rekey keepalive is required, the
ePDG attempts to rekey. The default value of the IKEv2 SA lifetime timer is 86400 seconds and the
range is between 60 and 86400 seconds. The default value of the IPSec SA lifetime timer is 86400
seconds and the range is between 60 and 86400 seconds.
through the SA, the ePDG may initiate rekeying. If there is no traffic and rekey keepalive is not required,
the ePDG deletes the SA without rekeying. If there is no traffic and rekey keepalive is required, the
ePDG attempts to rekey. The default value of the IKEv2 SA lifetime timer is 86400 seconds and the
range is between 60 and 86400 seconds. The default value of the IPSec SA lifetime timer is 86400
seconds and the range is between 60 and 86400 seconds.
• DPD Timers: By default, DPD (Dead Peer Detection) is disabled. When enabled, the ePDG may initiate
DPD via IKEv2 keepalive messages to check the liveliness of the WLAN UEs. When enabled, the ePDG
always respond to DPD checks from the UEs. The default value of the DPD timers is 3600 seconds and
the range is between 10 and 3600 seconds. The default DPD retry interval is 10 seconds, and the range
is between 10 and 3600 seconds. The default number of DPD retries is 2, and the range is between 1
and 100.
always respond to DPD checks from the UEs. The default value of the DPD timers is 3600 seconds and
the range is between 10 and 3600 seconds. The default DPD retry interval is 10 seconds, and the range
is between 10 and 3600 seconds. The default number of DPD retries is 2, and the range is between 1
and 100.
Dead Peer Detection
The ePDG supports DPD (Dead Peer Detection) protocol messages originating from the ePDG and the WLAN
UEs. DPD is performed when no IKE/IPSec packets reach the ePDG within the configured DPD interval.
DPD is configured in the crypto template in the ePDG service. The administrator can also disable DPD.
However, the ePDG always responds to DPD availability checks initiated by the UE, regardless of the ePDG
idle timer configuration.
UEs. DPD is performed when no IKE/IPSec packets reach the ePDG within the configured DPD interval.
DPD is configured in the crypto template in the ePDG service. The administrator can also disable DPD.
However, the ePDG always responds to DPD availability checks initiated by the UE, regardless of the ePDG
idle timer configuration.
Child SA Rekeying
Rekeying of an IKEv2 Child SA (Security Association) occurs for an already established Child SA whose
lifetime is about to exceed a maximum limit. The ePDG initiates rekeying to replace the existing Child SA.
The ePDG-initiated rekeying is disabled by default. This is the recommended setting, although rekeying can
be enabled using the Crypto Configuration Payload Mode commands.
lifetime is about to exceed a maximum limit. The ePDG initiates rekeying to replace the existing Child SA.
The ePDG-initiated rekeying is disabled by default. This is the recommended setting, although rekeying can
be enabled using the Crypto Configuration Payload Mode commands.
Support for MAC Address of WiFi Access Points
The ePDG can propagate the MAC (Media Access Control) address of each WiFi access point to the P-GW.
The ePDG sends this information using the PMIP Location AVP (Attribute-Value Pair) in the
User-Location-Info Vendor Specific Option of PBU (Proxy-MIP Binding Update) messages over the S2b
The ePDG sends this information using the PMIP Location AVP (Attribute-Value Pair) in the
User-Location-Info Vendor Specific Option of PBU (Proxy-MIP Binding Update) messages over the S2b
ePDG Administration Guide, StarOS Release 19
10
Evolved Packet Data Gateway Overview
Dead Peer Detection