Cisco Packet Data Interworking Function (PDIF)
IPSec Network Applications
Implementing IPSec for L2TP Applications
IPSec Reference, StarOS Release 17
Table 7. GGSN PDP Context Processing with IPSec-Encrypted L2TP

Step 1: A subscriber session/PDP Context Request arrives at the system.

Step 2: The configuration of the APN accessed by the subscriber indicates that session data is to be tunneled using L2TP. In addition, attributes specifying a crypto map name and an ISAKMP secret are supplied, indicating that IP security is also required.

Step 3: The system determines that the crypto map name supplied matches a configured crypto map.

Step 4: From the crypto map, the system determines the following:
- The map type, in this case dynamic
- Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and, if so, which Diffie-Hellman group should be used
- IPSec SA lifetime parameters
- The name of one or more configured transform sets defining the IPSec SA

Step 5: To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange, using the ISAKMP secret specified in the profile attribute, with the specified peer LNS or security gateway.

Step 6: The system and the LNS or security gateway negotiate an ISAKMP (IKE) policy to use to protect further communications.

Step 7: Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS or security gateway using the transform method specified in the transform sets.

Step 8: Once the IPSec SA has been negotiated, the system protects the L2TP-encapsulated data according to the IPSec SAs established during step 7 and sends it over the IPSec tunnel.
Configuring GGSN Support for L2TP Tunneling with IPSec

This section lists the steps required to configure the GGSN to encrypt L2TP tunnels using IPSec. Each step refers to a different section containing the specific instructions for completing the required procedure.
Important: These instructions assume that the system was previously configured as a GGSN to support subscriber PDP contexts and L2TP tunneling. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1: Configure one or more transform sets according to the instructions located in the Transform Set Configuration chapter of this guide.

Step 2: Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration chapter of this guide.

Step 3: Configure an ipsec-isakmp crypto map according to the instructions located in the Dynamic Crypto Map Configuration section of the Crypto Maps chapter of this guide.