Cisco Cisco Packet Data Interworking Function (PDIF)
Service Configurations
▀ FA Services Configuration to Support IPSec
▄ IPSec Reference, StarOS Release 17
86
FA Services Configuration to Support IPSec
This section provides instructions for configuring FA (Foreign Agent) services to support IPSec. It assumes that the FA
service was previously configured and system is ready to serve as an FA.
service was previously configured and system is ready to serve as an FA.
Important:
This section provides the minimum instruction set for configuring an FA service to support IPSec on
the system. For more information on commands that configure additional parameters and options, see the Command
Line Interface Reference.
Line Interface Reference.
To configure the FA service to support IPSec:
Step 1
Step 2
Step 3
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.
Modifying FA Service to Support IPSec
Use the following example to modify FA service to support IPSec on your system:
configure
context ctxt_name
fa-service fa_svc_name
isakmp peer-ha ha_address crypto-map map_name [ secret preshared_secret ]
isakmp default crypto-map map_name [ secret preshared_secret ]
end
Notes:
ctxt_name is the system context in which the FA service is configured to support IPSec.
fa_svc_name is name of the FA service for which you are configuring IPSec.
ha_address is IP address of the HA service to which FA service will communicate on IPSec.
map_name is name of the preconfigured ISAKMP or a manual crypto map.
A default crypto map for the FA service to be used in the event that the AAA server returns an HA address that
is not configured as an ISAKMP peer HA.
For maximum security, the default crypto map should be configured in addition to peer-ha crypto maps instead
of being used to provide IPSec SAs to all HAs. Note that once an IPSec tunnel is established between the FA
and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the
tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing
Mobile IP sessions is unaffected.
and HA for a particular subscriber, all new Mobile IP sessions using the same FA and HA are passed over the
tunnel regardless of whether or not IPSec is supported for the new subscriber sessions. Data for existing
Mobile IP sessions is unaffected.