Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
▀ IPSec for Femto-UMTS Networks
▄ IPSec Reference, StarOS Release 18
56
IKEv2 Keep-Alive Messages (Dead Peer Detection)
IPSec for LTE/SAE supports IKEv2 keep-alive messages, also known as Dead Peer Detection (DPD), originating from
both ends of an IPSec tunnel. Per RFC 3706, DPD is used to simplify the messaging required to verify communication
between peers and tunnel availability. You configure DPD on each IPSec node. You can also disable DPD, and the node
will not initiate DPD exchanges with other nodes. However, the node always responds to DPD availability checks
initiated by another node regardless of its DPD configuration.
both ends of an IPSec tunnel. Per RFC 3706, DPD is used to simplify the messaging required to verify communication
between peers and tunnel availability. You configure DPD on each IPSec node. You can also disable DPD, and the node
will not initiate DPD exchanges with other nodes. However, the node always responds to DPD availability checks
initiated by another node regardless of its DPD configuration.
For additional information refer to the Dead Peer Detection (DPD) Configuration section of the Redundant IPSec
Tunnel Fail-over chapter of this guide.
Tunnel Fail-over chapter of this guide.
IPSec Tunnel Termination
IPSec tunnel termination occurs during the following scenarios:
Idle Tunnel Termination. When a session manager for a service detects that all subscriber sessions using a
given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
Service Termination. When a service running on a network node is brought down for any reason, all
corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a
service being stopped manually, or a task handling an IPSec tunnel restarting.
service being stopped manually, or a task handling an IPSec tunnel restarting.
Unreachable Peer. If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec
tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the
system CLI during crypto template configuration.
system CLI during crypto template configuration.
Network Handover Handling. Any IPSec tunnel that becomes unusable due to a network handover gets
terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session
x.509 Certificate Configuration
Use the following example to configure the x.509 certificates on the system to provide security certification between
FAP and SeGW in Femto-UMTS network.
FAP and SeGW in Femto-UMTS network.
configure
certificate name x.509_cert_name pem { data pem_data_string |
url pem_data_url} private-key pem { [encrypted] data PKI_pem_data_string |
url PKI_pem_data_url }
url pem_data_url} private-key pem { [encrypted] data PKI_pem_data_string |
url PKI_pem_data_url }
ca-certificate name ca_root_cert_name pem { data pem_data_string |
url pem_data_url }
url pem_data_url }
exit
crypto template segw_crypto_template ikev2-dynamic
authentication local certificate
authentication remote certificate
keepalive interval dur timeout dur_timeout