Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality ▀
ePDG Administration Guide, StarOS Release 17 ▄
19
Table 3. Supported Algorithms
Protocol
Type
Supported Options
Internet Key
Exchange version 2
Exchange version 2
IKEv2 Encryption
DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256
IKEv2 Pseudo Random Function
PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128
IKEv2 Integrity
HMAC-SHA1-96, HMAC-SHA2-256, HMAC-SHA2-384. HMAC-
SHA2-512, HMAC-MD5-96, AES-XCBC-96
SHA2-512, HMAC-MD5-96, AES-XCBC-96
IKEv2 Diffie-Hellman Group
Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group
14 (2048-bit)
14 (2048-bit)
IP Security
IPSec Encapsulating Security
Payload Encryption
Payload Encryption
NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256
Extended Sequence Number
Value of 0 or off is supported (ESN itself is not supported)
IPSec Integrity
NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96
x.509 Digital Certificate Handling
A digital certificate is an electronic credit card that establishes a subscriber’s credentials when doing business or other
transactions on the Internet. The digital certificates used by the ePDG conform to ITU-T standard X.509 for a PKI
(Public Key Infrastructure) and PMI (Privilege Management Infrastructure). X.509 specifies standard formats for public
key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
transactions on the Internet. The digital certificates used by the ePDG conform to ITU-T standard X.509 for a PKI
(Public Key Infrastructure) and PMI (Privilege Management Infrastructure). X.509 specifies standard formats for public
key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
The ePDG is capable of authenticating itself to the UE using certificates and does so in the response to the first
IKE_AUTH Request message from the UE.
IKE_AUTH Request message from the UE.
ePDG also supports hash and URL based encoding of certificate payloads in IKE exchanges.
The ePDG generates an SNMP notification when the certificate is within 30 days of expiration and approximately once
a day until a new certificate is provided. Operators need to generate a new certificate and then configure the new
certificate using the system’s CLI. The certificate is then used for all new sessions.
a day until a new certificate is provided. Operators need to generate a new certificate and then configure the new
certificate using the system’s CLI. The certificate is then used for all new sessions.
Timers
The ePDG includes the following timers for IPSec tunnels:
IKE Session Setup Timer: This timer ensures that an IKE session set up is completed within a configured
period. The ePDG tears down the call if it is still in progress when the timer expires. The default value is 120
seconds, and the range is between 1 and 3600 seconds.
seconds, and the range is between 1 and 3600 seconds.
IKEv2 and IPSec SA Lifetime Timers: The ePDG maintains separate SA lifetime timers for both IKEv2 SAs
and IPSec SAs. All timers are started when an SA is successfully set up. If there is traffic through the SA, the
ePDG may initiate rekeying. If there is no traffic and rekey keepalive is not required, the ePDG deletes the SA
without rekeying. If there is no traffic and rekey keepalive is required, the ePDG attempts to rekey. The default
value of the IKEv2 SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds. The
default value of the IPSec SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds.
ePDG may initiate rekeying. If there is no traffic and rekey keepalive is not required, the ePDG deletes the SA
without rekeying. If there is no traffic and rekey keepalive is required, the ePDG attempts to rekey. The default
value of the IKEv2 SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds. The
default value of the IPSec SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds.
DPD Timers: By default, DPD (Dead Peer Detection) is disabled. When enabled, the ePDG may initiate DPD
via IKEv2 keepalive messages to check the liveliness of the WLAN UEs. When enabled, the ePDG always
respond to DPD checks from the UEs. The default value of the DPD timers is 3600 seconds and the range is
respond to DPD checks from the UEs. The default value of the DPD timers is 3600 seconds and the range is