Cisco Packet Data Interworking Function (PDIF)
Evolved Packet Data Gateway Overview
▀ Features and Functionality
▄ ePDG Administration Guide, StarOS Release 17
ePDG Service
The ePDG service enables the WLAN UEs in the untrusted non-3GPP IP access network to connect to the E-UTRAN/EPC network via a secure IPSec interface.
During configuration, you create the ePDG service in an ePDG context, which is a routing domain in the system.
Context and service configuration for the ePDG includes the following main steps:
Configure the IPv4/IPv6 address for the service: This is the IP address of the ePDG to which the WLAN UEs
attempt to connect, sending IKEv2 messages to this address to establish IPSec tunnels.
Configure the name of the crypto template for IKEv2/IPSec: A crypto template is used to define an
IKEv2/IPSec policy. It includes IKEv2 and IPSec parameters for keepalive, lifetime, NAT-T, and
cryptographic and authentication algorithms. There must be one crypto template per ePDG service.
Configure the name of the EAP profile: The EAP profile defines the EAP authentication method and associated
parameters used to authenticate the UE during the IKEv2 exchange.
Configure the IKEv2 and IPSec transform sets: Transform sets define the algorithms the ePDG is willing to
negotiate for IKE SAs (Security Associations) and Child SAs; a UE whose proposals offer none of them cannot
establish a call to the ePDG.
The setup timeout value: This parameter specifies the session setup timeout timer value. The ePDG terminates
a UE connection attempt if the UE does not establish a successful connection within the specified timeout
period. The default value is 60 seconds.
Max-sessions: This parameter sets the maximum number of subscriber sessions allowed by the ePDG service.
The default value is 1,000,000 and is subject to license limitations.
DNS client: DNS client configuration is needed for P-GW selection.
IKEv2 and IPSec Encryption
The ePDG supports IKEv2 (Internet Key Exchange version 2) and IPSec (IP Security) ESP (Encapsulating Security
Payload) encryption as per RFCs 4303 and 5996. IKEv2 and IPSec encryption enables network domain security for all
IP packet-switched networks in order to provide confidentiality, integrity, authentication, and anti-replay protection.
These capabilities are ensured through use of cryptographic techniques.
The data path from the ePDG supports mixed inner IPv4 and IPv6 addresses in the same Child SA for ESP
(Encapsulating Security Payload) encapsulation and decapsulation when the Any option is configured in the payload,
regardless of the IP version of the outer protocol.
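The transform-set negotiation described above, where the initiator's IKEv2 SA proposals are matched against the responder's configured IKE and ESP transform sets (RFC 5996, section 3.3), as an added Python example. This is illustrative code written for this page, not StarOS or Cisco code; the `TransformSet` policy structure, the transform labels and the sample UE proposals are constructed assumptions. It shows the responder choosing one transform per type in its own preference order, and returning no proposal (the IKEv2 NO_PROPOSAL_CHOSEN outcome) when only algorithms outside its transform set are offered.

```python
"""IKEv2 SA proposal selection against configured transform sets (RFC 5996 §3.3).

Added illustrative example for this page; not StarOS or Cisco code. A responder
such as the ePDG walks the initiator's proposals in proposal-number order and
accepts the first one that offers, for every required transform type, at least
one algorithm its own transform set allows; it picks exactly one transform per
type, preferring its own configured order over the initiator's. Transform
names below are illustrative labels, not IANA identifiers.
"""
from dataclasses import dataclass

# Transform types (RFC 5996 section 3.3.2)
ENCR, PRF, INTEG, DH, ESN = "ENCR", "PRF", "INTEG", "DH", "ESN"

# Transform types a complete proposal must carry, per protocol
# (ESN is mandatory for ESP; DH for a child SA only with PFS, omitted here).
REQUIRED_TYPES = {
    "IKE": (ENCR, PRF, INTEG, DH),
    "ESP": (ENCR, INTEG, ESN),
}


@dataclass
class TransformSet:
    """Responder policy: protocol plus acceptable names per type, preferred first."""
    protocol: str
    allowed: dict


def select_proposal(transform_set, proposals):
    """Return (proposal_number, {type: chosen_name}) or None (NO_PROPOSAL_CHOSEN).

    proposals: list of (number, protocol, {type: [offered names]}) modelling the
    initiator's SA payload. Proposals for another protocol are skipped.
    """
    for number, protocol, offered in proposals:
        if protocol != transform_set.protocol:
            continue
        chosen = {}
        for ttype in REQUIRED_TYPES[protocol]:
            candidates = offered.get(ttype, [])
            # Responder preference decides the pick, not initiator ordering.
            pick = next((a for a in transform_set.allowed.get(ttype, [])
                         if a in candidates), None)
            if pick is None:
                break  # this proposal cannot be completed; try the next one
            chosen[ttype] = pick
        else:
            return number, chosen
    return None


# Constructed responder policy (hypothetical ePDG crypto-template contents).
EPDG_IKE_TS = TransformSet("IKE", {
    ENCR: ["AES-CBC-256", "AES-CBC-128"],
    PRF: ["PRF-HMAC-SHA2-256", "PRF-HMAC-SHA1"],
    INTEG: ["AUTH-HMAC-SHA2-256-128", "AUTH-HMAC-SHA1-96"],
    DH: ["MODP-2048", "MODP-1536"],
})
EPDG_ESP_TS = TransformSet("ESP", {
    ENCR: ["AES-CBC-128"],
    INTEG: ["AUTH-HMAC-SHA1-96"],
    ESN: ["NO-ESN"],
})

# Constructed initiator SA payloads. Proposal 1 offers only algorithms the
# responder policy excludes; proposal 2 is acceptable.
UE_IKE_PROPOSALS = [
    (1, "IKE", {ENCR: ["3DES"], PRF: ["PRF-HMAC-MD5"],
                INTEG: ["AUTH-HMAC-MD5-96"], DH: ["MODP-1024"]}),
    (2, "IKE", {ENCR: ["AES-CBC-128", "AES-CBC-256"], PRF: ["PRF-HMAC-SHA1"],
                INTEG: ["AUTH-HMAC-SHA1-96"], DH: ["MODP-1536", "MODP-2048"]}),
]
UE_ESP_PROPOSALS = [
    (1, "ESP", {ENCR: ["AES-CBC-128"], INTEG: ["AUTH-HMAC-SHA1-96"], ESN: ["NO-ESN"]}),
]


def negotiate_ike():
    return select_proposal(EPDG_IKE_TS, UE_IKE_PROPOSALS)


def negotiate_child():
    return select_proposal(EPDG_ESP_TS, UE_ESP_PROPOSALS)


if __name__ == "__main__":
    print("IKE SA:", negotiate_ike())
    print("Child SA:", negotiate_child())
    print("weak-only:", select_proposal(EPDG_IKE_TS, UE_IKE_PROPOSALS[:1]))
```

Note that proposal 2 lists AES-CBC-128 before AES-CBC-256, yet AES-CBC-256 is selected: the responder's transform-set order, not the UE's, decides the pick. This is why the order of algorithms in the configured transform set matters operationally, and why a transform set should list only algorithms the operator is willing to accept, since anything it contains can be negotiated by any UE that offers it.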
Supported Algorithms
The ePDG supports the algorithms listed in the table below, as specified in RFC 5996.