Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
▀ IPSec for LTE/SAE Networks
▄ IPSec Reference, StarOS Release 18
48
CA certificate authentication is used to validate the certificate that the local node receives from a remote node during an
IKE_AUTH exchange.
IKE_AUTH exchange.
A maximum of sixteen certificates and sixteen CA certificates are supported per system. One certificate is supported per
service, and a maximum of four CA certificates can be bound to one crypto template.
service, and a maximum of four CA certificates can be bound to one crypto template.
For configuration instructions for X.509 certificate-based peer authentication, see the configuration chapter in the
administration guides for the MME, S-GW, and P-GW.
administration guides for the MME, S-GW, and P-GW.
The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the
figure describes each step in the message flow.
figure describes each step in the message flow.
For additional information refer to the IPSec Certificates chapter of this guide.
Figure 7.
X.509 Certificate-based Peer Authentication
Table 8. X.509 Certificate-based Peer Authentication
Step
Description
1
The peer node initiates an IKEv2 exchange with the local node, known as the IKE_SA_INIT exchange, by issuing an
IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman
exchange with the local node.
IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman
exchange with the local node.