Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality
ePDG Administration Guide, StarOS Release 17
between 1 and 65535 seconds. The default DPD retry interval is 10 seconds, and the range is between 1 and
65535 seconds. The default number of DPD retries is 2, and the range is between 0 and 65535.
Dead Peer Detection
The ePDG supports DPD (Dead Peer Detection) protocol messages originating from the ePDG and the WLAN UEs.
DPD is performed when no IKE/IPSec packets reach the ePDG within the configured DPD interval. DPD is configured
in the crypto template in the ePDG service. The administrator can also disable DPD. However, the ePDG always
responds to DPD availability checks initiated by the UE, regardless of the ePDG idle timer configuration.
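The timer behaviour described above (probe after a silent interval, re-probe at the retry interval, give up after the configured number of retries, and always answer UE-initiated checks) can be replayed against a packet timeline. The following is an added example written for this guide, not Cisco code or StarOS CLI; the defaults and ranges for the retry interval and retry count are the ones stated in the text, while the value and range of the initial DPD interval, the packet timeline and the function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdConfig:
    """ePDG-side DPD settings for one crypto template.

    retry_interval and num_retries carry the defaults and ranges given in the text
    (10 s, 1..65535 s; 2 retries, 0..65535). The default and range of `interval`
    are assumptions for this example.
    """
    enabled: bool = True
    interval: int = 10          # seconds of silence before the first probe (assumed)
    retry_interval: int = 10    # seconds to wait for a reply before re-probing
    num_retries: int = 2        # re-probes after the first one; then the peer is dead

    def validate(self) -> None:
        if not 1 <= self.interval <= 65535:
            raise ValueError("DPD interval out of range (assumed 1..65535 s)")
        if not 1 <= self.retry_interval <= 65535:
            raise ValueError("DPD retry interval must be 1..65535 seconds")
        if not 0 <= self.num_retries <= 65535:
            raise ValueError("DPD retries must be 0..65535")


@dataclass
class DpdResult:
    probes: List[int] = field(default_factory=list)  # times the ePDG sent a DPD request
    dead_at: Optional[int] = None                     # time the UE was declared dead, if ever


def responds_to_peer_dpd(cfg: DpdConfig) -> bool:
    """The ePDG answers UE-initiated DPD checks even when its own DPD is disabled."""
    return True


def simulate_dpd(cfg: DpdConfig, peer_packets: List[int], horizon: int) -> DpdResult:
    """Replay a timeline of IKE/IPsec packets received from one UE (seconds since
    SA establishment) and return when the ePDG would probe and when it would give
    up. Any packet from the peer, including a DPD reply, counts as liveness and
    restarts the cycle."""
    cfg.validate()
    result = DpdResult()
    if not cfg.enabled:
        return result
    pkts = sorted(t for t in peer_packets if t >= 0)
    idx = 0
    last_rx = 0           # last time any packet arrived from the UE
    last_probe = None     # time of the most recent unanswered probe
    sent_in_round = 0     # probes sent since the last packet from the UE
    while True:
        if last_probe is None:
            deadline = last_rx + cfg.interval
        else:
            deadline = last_probe + cfg.retry_interval
        if deadline > horizon:
            return result
        if idx < len(pkts) and pkts[idx] <= deadline:
            # peer traffic arrived in time: no probe, cycle restarts
            last_rx = pkts[idx]
            idx += 1
            last_probe = None
            sent_in_round = 0
            continue
        if last_probe is not None and sent_in_round > cfg.num_retries:
            # initial probe plus num_retries retries all went unanswered
            result.dead_at = deadline
            return result
        result.probes.append(deadline)
        last_probe = deadline
        sent_in_round += 1


if __name__ == "__main__":
    # Constructed timeline: UE packets at t=2, 5 and 30, then silence.
    print(simulate_dpd(DpdConfig(), [2, 5, 30], horizon=100))
```

With the defaults, the constructed timeline yields probes at 15 and 25 (the packet at 30 answers the second probe in time), then a fresh round at 40, 50 and 60, after which the UE is declared dead at 70. Lowering `num_retries` to 0 makes a single unanswered probe fatal, which is worth checking against real UE sleep behaviour before tightening it.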
Child SA Rekeying
Rekeying of an IKEv2 Child SA (Security Association) occurs for an already established Child SA whose lifetime is
about to exceed a maximum limit. The ePDG initiates rekeying to replace the existing Child SA. The ePDG-initiated
rekeying is disabled by default. This is the recommended setting, although rekeying can be enabled using the Crypto
Configuration Payload Mode commands.
Support for MAC Address of WiFi Access Points
The ePDG can propagate the MAC (Media Access Control) address of each WiFi access point to the P-GW. The ePDG
sends this information using the PMIP Location AVP (Attribute-Value Pair) in the User-Location-Info Vendor Specific
Option of PBU (Proxy-MIP Binding Update) messages over the S2b interface. If the protocol used on S2b is
GTPv2, this information is instead carried in the Private Extension IE of the Create Session Request message.
The WLAN UEs send the MAC address of each WiFi access point to the ePDG embedded in the NAI (Network Access
Identifier). When the ePDG receives an NAI that includes a MAC address, the ePDG checks the MAC address and if
the validation is successful, the ePDG removes the MAC address from the NAI before sending it to the AAA server in
the User-Name AVP of DER (Diameter EAP Request) messages.
Note that the ePDG can be configured to allow IPSec connection establishment without the MAC address present. If the
MAC address is not present and the ePDG is configured to check for the MAC address, the ePDG fails the IKE
negotiation and returns Notify payload 24 (AUTHENTICATION_FAILED).
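The NAI handling in the two paragraphs above (extract and validate the AP MAC, strip it before the User-Name AVP, fail IKE with Notify 24 when the MAC is required but absent) can be written as a small decision function. This is an added example for this guide, not Cisco's implementation: the page does not give the on-the-wire NAI layout or the ePDG's validation rule, so the `MAC#user@realm` layout, the syntactic MAC checks and the function names below are assumptions for illustration only. The Notify type value 24 for AUTHENTICATION_FAILED is the IKEv2 value from RFC 7296.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IKEv2 Notify message type AUTHENTICATION_FAILED (RFC 7296, section 3.10.1)
NOTIFY_AUTHENTICATION_FAILED = 24

# Hypothetical NAI layout used only for this example: the UE prefixes the access
# point MAC (12 hex digits) plus a '#' separator to the username part.
# This is NOT Cisco's or 3GPP's real encoding.
_NAI_RE = re.compile(
    r"^(?:(?P<mac>[0-9A-Fa-f]{12})#)?(?P<user>[^@#]+)@(?P<realm>[^@]+)$"
)


class IkeAuthFailure(Exception):
    """Raised when the ePDG would abort the IKE negotiation with Notify 24."""

    def __init__(self, reason: str) -> None:
        super().__init__(reason)
        self.notify_type = NOTIFY_AUTHENTICATION_FAILED


def mac_is_valid(mac_hex: str) -> bool:
    """Assumed syntactic validation: reject all-zero and group/multicast
    addresses, since an AP BSSID is a unicast address. The page does not state
    what the ePDG actually checks."""
    raw = bytes.fromhex(mac_hex)
    if raw == b"\x00" * 6:
        return False
    if raw[0] & 0x01:          # I/G bit set: not a unicast BSSID
        return False
    return True


@dataclass
class ProcessedNai:
    user_name_avp: str       # value the ePDG sends to the AAA server in the DER User-Name AVP
    ap_mac: Optional[str]    # MAC forwarded toward the P-GW over S2b, or None if absent


def process_nai(nai: str, require_mac: bool) -> ProcessedNai:
    """Apply the MAC-in-NAI handling described in the text.

    require_mac mirrors the ePDG setting that decides whether an IPSec
    connection may be established without the MAC address present."""
    match = _NAI_RE.match(nai)
    if match is None:
        raise IkeAuthFailure("malformed NAI")
    mac = match.group("mac")
    if mac is None:
        if require_mac:
            # MAC missing while the check is configured: IKE fails with Notify 24
            raise IkeAuthFailure("AP MAC address missing from NAI")
        return ProcessedNai(user_name_avp=nai, ap_mac=None)
    if not mac_is_valid(mac):
        raise IkeAuthFailure("AP MAC address failed validation")
    # Validation succeeded: strip the MAC before the NAI reaches the AAA server
    stripped = f"{match.group('user')}@{match.group('realm')}"
    return ProcessedNai(user_name_avp=stripped, ap_mac=mac.lower())


if __name__ == "__main__":
    # Constructed sample NAI; the IMSI-like username and realm are placeholders.
    print(process_nai("0A1B2C3D4E5F#0123456789012345@wlan.example.invalid", require_mac=True))
```

The two `require_mac` branches are the operationally interesting part: with the check enabled, a UE population that does not embed the MAC will fail IKE authentication wholesale, so the setting should match what the deployed UEs actually send.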
AAA Server Groups
AAA server groups are a value-added feature that enables VPN service provisioning for enterprise or MVNO customers.
Each corporate customer can maintain its own AAA servers with its own unique configurable parameters and custom
dictionaries. This feature provides support for up to 800 AAA server groups and 800 NAS IP addresses that can be
provisioned within a single context or across the entire chassis. A total of 128 servers can be assigned to an individual
server group. Up to 1,600 accounting, authentication, and/or mediation servers are supported per chassis.
EAP Authentication
Enables secure user- and device-level authentication with a 3GPP AAA server, or via a 3GPP2 AAA proxy, with the
authenticator in the ePDG.
The ePDG uses the Diameter-based SWm interface to authenticate subscriber traffic with the 3GPP AAA server.
Following completion of the security procedures (IKEv2) between the UE and ePDG, the ePDG selects EAP-AKA as