Cisco Cisco Packet Data Gateway (PDG) Guida Alla Risoluzione Dei Problemi
IP Security
Implementing IPSec for PDN Access Applications ▀
Cisco ASR 5000 Series Enhanced Feature Configuration Guide ▄
OL-22983-01
Table 14. IPSec PDN Access Processing
Step
Description
1.
A subscriber session or PDP context Request, in GGSN service, arrives at the system.
2.
The system processes the subscriber session or request as it would typically.
3.
Prior to routing the session packets, the system compares them against configured Access Control Lists (ACLs).
4.
The system determines that the packet matches the criteria of an ACL that is associated with a configured crypto map.
5.
From the crypto map, the system determines the following:
The map type, in this case ISAKMP
The pre-shared key used to initiate the Internet Key Exchange (IKE) and the IKE negotiation mode
The IP address of the security gateway
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be used
IPSec SA lifetime parameters
The name of a configured transform set defining the IPSec SA
6.
To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the pre-shared key specified in the
crypto map with the specified peer security gateway.
crypto map with the specified peer security gateway.
7.
The system and the security gateway negotiate an ISAKMP policy (IKE SA) to use to protect further communications.
8.
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the security gateway using the transform
method specified in the transform sets.
method specified in the transform sets.
9.
Once the IPSec SA has been negotiated, the system protects the data according to the IPSec SAs established during step 8
and sends it over the IPSec tunnel.
and sends it over the IPSec tunnel.
Configuring IPSec Support for PDN Access
This section provides a list of the steps required to configure IPSec functionality on the system in support of PDN
access. Each step listed refers to a different section containing the specific instructions for completing the required
procedure.
access. Each step listed refers to a different section containing the specific instructions for completing the required
procedure.
Important:
These instructions assume that the system was previously configured to support subscriber data
sessions either as a core service or an HA. In addition, parameters configured using this procedure must be configured in
the same destination context on the system.
the same destination context on the system.
Step 1
Configure one or more IP access control lists (ACLs) according to the information and instructions located in IP Access
Control Lists chapter of this guide.
Control Lists chapter of this guide.
Step 2
Configure one or more transform sets according to the instructions located in the
of this chapter.