Cisco Packet Data Interworking Function (PDIF)
IPSec Network Applications
IPSec for Femto-UMTS Networks
IPSec Reference, StarOS Release 18
         ip-address-alloc dynamic
         ipsec transform-set list ipsec_trans_set
         exit
      ikev2-ikesa keepalive-user-activity
      end
configure
   context vpn_ctxt_name
      hnbgw-service hnbgw_svc_name
         security-gateway bind address segw_ip_address crypto-template crypto_template context segw_ctxt_name
         end
Notes:
   vpn_ctxt_name is the name of the source context in which the HNB-GW service is configured.
   segw_ctxt_name is the name of the context in which the Se-GW service is configured. By default, this is the context in which the HNB-GW service is configured.
   hnbgw_svc_name is the name of the HNB-GW service to be used for the Iuh reference point between the HNB-GW and the HNB.
X.509 Certificate-based Peer Authentication
X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. X.509 certificates are configured on each IPSec node so that it can send the certificate as part of its IKE_AUTH_REQ for the remote node to authenticate it. These certificates can be in PEM (Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) format, and can be fetched from a repository via HTTP or FTP.
CA certificate authentication is used to validate the certificate that the local node receives from a remote node during an IKE_AUTH exchange.
A maximum of sixteen certificates and sixteen CA certificates are supported per system. One certificate is supported per service, and a maximum of four CA certificates can be bound to one crypto template.
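As an added example (not code from the Cisco document or from StarOS), the Python below accepts a peer certificate in either of the two formats the text names, PEM or DER, normalizes it to DER and reads its validity window, one of the checks a node performs on the certificate it receives in IKE_AUTH before accepting it. It uses only the standard library, so it does not verify the signature chain against the CA certificate (that needs a cryptographic library); the certificate skeleton it parses is constructed inline and is not a real certificate.

```python
import base64, re
from datetime import datetime

def to_der(cert: bytes) -> bytes:
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM armor -> decode base64 body
        body = re.sub(rb"-----(BEGIN|END)[^-]*-----", b"", cert)
        return base64.b64decode(b"".join(body.split()))
    return cert                                   # anything else is taken as DER

def _tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # one DER tag-length-value
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq: bytes):
    pos = 0                                       # yield (tag, value) of a SEQUENCE body
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _time(tag: int, val: bytes) -> datetime:
    text = val.decode("ascii")                    # UTCTime (0x17) or GeneralizedTime (0x18)
    if tag == 0x17:                               # YYMMDD...: 50-99 -> 19xx, else 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def validity_window(cert: bytes):
    _, body, _ = _tlv(to_der(cert), 0)            # Certificate ::= SEQUENCE
    fields = list(_children(next(_children(body))[1]))   # tbsCertificate elements
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    nb, na = _children(fields[3][1])              # serial, sigAlg, issuer, validity
    return _time(*nb), _time(*na)

def is_time_valid(cert: bytes, now: datetime) -> bool:
    nb, na = validity_window(cert)
    return nb <= now <= na

def _enc(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body         # short-form lengths suffice here

# Constructed sample (not from the page): only the fields read above are populated.
_VALIDITY = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"260101000000Z"))
_TBS = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01")
            + _enc(0x30, b"") + _enc(0x30, b"") + _VALIDITY + _enc(0x30, b""))
SAMPLE_DER = _enc(0x30, _TBS + _enc(0x30, b"") + _enc(0x03, b"\x00"))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```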
The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the figure describes each step in the message flow.