Cisco Cisco Packet Data Gateway (PDG)
Introduction to IP Security (IPSec)
▀ IPSec Terminology
▄ IPSec Reference, StarOS Release 16
18
Crypto Map
Crypto Maps define the tunnel policies that determine how IPSec is implemented for subscriber data packets.
There are several types of crypto maps supported by StarOS. They are:
Manual crypto maps
IKEv2 crypto maps
Dynamic crypto maps
Manual Crypto Maps (IKEv1)
These are static tunnels that use pre-configured information (including security keys) for establishment. Because they
rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is
deleted.
rely on statically configured information, once created, the tunnels never expire; they exist until their configuration is
deleted.
Manual crypto maps define the peer security gateway to establish a tunnel with, the security keys to use to establish the
tunnel, and the IPSec SA to be used to protect data sent/received over the tunnel. Additionally, manual crypto maps are
applied to specific system interfaces.
tunnel, and the IPSec SA to be used to protect data sent/received over the tunnel. Additionally, manual crypto maps are
applied to specific system interfaces.
Important:
Because manual crypto map configurations require the use of static security keys (associations), they
are not as secure as crypto maps that rely on dynamically configured keys. Therefore, it is recommended that they only
be configured and used for testing purposes.
be configured and used for testing purposes.
IKEv2 Crypto Maps
These tunnels are similar to manual crypto maps in that they require some statically configured information such as the
IP address (IPv4 or IPv6) of a peer security gateway and that they are applied to specific system interfaces.
IP address (IPv4 or IPv6) of a peer security gateway and that they are applied to specific system interfaces.
However, IKEv2 crypto maps offer greater security because they rely on dynamically generated security associations
through the use of the Internet Key Exchange (IKE) protocol.
through the use of the Internet Key Exchange (IKE) protocol.
When IKEv2 crypto maps are used, the system uses the pre-shared key configured for the map as part of the Diffie-
Hellman (D-H) exchange with the peer security gateway to initiate Phase 1 of the establishment process. Once the
exchange is complete, the system and the security gateway dynamically negotiate IKE SAs to complete Phase 1. In
Phase 2, the two peers dynamically negotiate the IPSec SAs used to determine how data traversing the tunnel will be
protected.
Hellman (D-H) exchange with the peer security gateway to initiate Phase 1 of the establishment process. Once the
exchange is complete, the system and the security gateway dynamically negotiate IKE SAs to complete Phase 1. In
Phase 2, the two peers dynamically negotiate the IPSec SAs used to determine how data traversing the tunnel will be
protected.
Dynamic Crypto Maps (IKEv1)
These tunnels are used for protecting L2TP-encapsulated data between the system and an LNS/security gateway or
Mobile IP data between an FA service configured on one system and an HA service configured on another.
Mobile IP data between an FA service configured on one system and an HA service configured on another.
The system determines when to implement IPSec for L2TP-encapsulated data either through attributes returned upon
successful authentication for attribute based tunneling, or through the configuration of the L2TP Access Concentrator
(LAC) service used for compulsory tunneling.
successful authentication for attribute based tunneling, or through the configuration of the L2TP Access Concentrator
(LAC) service used for compulsory tunneling.
The system determines when to implement IPSec for Mobile IP based on RADIUS attribute values as well as the
configurations of the FA and HA service(s).
configurations of the FA and HA service(s).
For additional information, refer to the Crypto Maps chapter of this guide