Cisco Packet Data Gateway (PDG)
Refer to ASR 9000 documentation for additional information on HA active-standby configuration.
Network Interfaces
You will need to know the addressing information for all external interfaces to StarOS. The list of addresses
includes, but is not limited to:
• WSG service (endpoints, access groups)
• VLANs
• SNMP
• DHCP
SecGW Configuration Sequence
The configuration sequence for enabling an SecGW is as follows:
• Create a crypto template with the desired IPSec functions. See Crypto Templates, on page 16.
• Create Access Control Lists. See Access Control Lists, on page 18.
• Enable and configure one or more WSG services. See WSG Service Configuration, on page 19.
• Configure required IPSec features. See IPSec Configuration, on page 26.
For additional information, see the sample configurations provided in this guide.
Important: SecGW (WSG service) must be separately enabled and configured on each VPC-VSM instance. There
are four CPUs on the VSM; each CPU runs a separate instance of VPC-VSM.
Crypto Templates
The StarOS CLI Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes
most of the IPSec parameters and IKEv2 dynamic parameters for cryptographic and authentication algorithms.
A security gateway service will not function without a configured crypto template. Only one crypto template
can be configured per service.
A crypto template requires the configuration of the following parameters:
• allow-cert-enc cert-hash-url – Enables support for a certificate enclosure type other than the default.
• allow-custom-fqdn-idr – Allows non-standard FQDN (Fully Qualified Domain Name) strings in the
IDr (Identification - Responder) payload of IKE_AUTH messages received from the UE with the payload
type as FQDN.
• authentication – Configures the gateway and subscriber authentication methods to be used by this
crypto template.
• blacklist – Enables use of a blacklist file
SecGW Administration Guide, StarOS Release 19