Cisco Packet Data Gateway (PDG)
IPSec Network Applications
Implementing IPSec for Mobile IP Applications
IPSec Reference, StarOS Release 16
Table 3. IPSec-based Mobile IP Session Processing

Step 1. The FA service receives a Mobile IP registration request from the mobile node.

Step 2. The FA sends an Access-Request to the FAAA server with the 3GPP2-IKE-Secret-Request attribute set to yes.

Step 3. The FAAA proxies the request to the HAAA.

Step 4. The HAAA returns an Access-Accept message that includes the following attributes:
  - 3GPP2-Security-Level, set to 3 (IPSec protection for both tunnels and registration messages)
  - 3GPP2-MIP-HA-Address, the IP address of the HA with which the FA is to communicate
  - 3GPP2-KeyId, an identification number for the IKE secret (alternatively, the keys may be statically configured on the FA and/or HA)
  - 3GPP2-IKE-Secret, the pre-shared secret to use when negotiating the IKE SA

Step 5. The FAAA passes the Access-Accept, with all of its attributes, to the FA.

Step 6. The FA checks whether an IPSec SA already exists for the HA address supplied. If so, that SA is used; if not, a new IPSec SA is negotiated.

Step 7. The FA determines the crypto map to use for IPSec protection from the HA address attribute by comparing the received address with the peer addresses configured with the isakmp peer-ha command. From the crypto map, the system determines:
  - the map type (dynamic, in this case)
  - whether perfect forward secrecy (PFS) is enabled for the IPSec SA and, if so, which Diffie-Hellman group is used
  - the IPSec SA lifetime parameters
  - the name of one or more configured transform sets defining the IPSec SA

Step 8. To initiate the IKE SA negotiation, the FA performs a Diffie-Hellman (D-H) exchange with the peer HA identified by the HA address attribute, authenticating the exchange with the ISAKMP pre-shared secret carried in the IKE secret attribute. The Key ID received from the HAAA is included in the exchange.

Step 9. On receiving the exchange, the HA sends an Access-Request to the HAAA with the following attributes:
  - 3GPP2-S-Request (not used if the IPSec keys are statically configured)
  - 3GPP2-User-name (the username carries the IP addresses of the FA and the HA)
  The password used in this Access-Request is the RADIUS shared secret.

Step 10. The HAAA returns an Access-Accept message to the HA with the following attributes:
  - 3GPP2-S, the "S" secret the HA uses to generate its response to the D-H exchange
  - 3GPP2-S-Lifetime, the length of time for which the "S" secret is valid
  - 3GPP2-Security-Level set to 3 (IPSec protection for tunnels and registration messages); optional
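The RADIUS side of steps 4 through 10, worked as an added Python example. This is constructed for this page; it is not StarOS code and not part of the Cisco reference. It builds the HAAA's Access-Accept to the FA, applies the FA's SA-reuse and crypto map selection from steps 6 and 7, builds the HA's Access-Request for the "S" secret with the User-Password hidden as RFC 2865 requires, and decodes the HAAA's reply to the HA. Assumptions: the 3GPP2 vendor ID (5535) and the vendor-type numbers are taken from the public 3GPP2 X.S0011 VSA dictionary as I recall them and must be checked against the dictionary on your AAA server; the space-separated User-Name layout, the addresses, secrets and crypto map names are made up for the example.

```python
import hashlib
import ipaddress
import struct

# 3GPP2 vendor ID and vendor-type numbers: assumed from the public 3GPP2 X.S0011 RADIUS VSA
# dictionary; verify against the dictionary loaded on your AAA server before relying on them.
VENDOR_3GPP2 = 5535
SECURITY_LEVEL = 2       # 3GPP2-Security-Level (3 = IPSec for tunnels and registration messages)
IKE_SECRET = 3           # 3GPP2-IKE-Secret (pre-shared secret for the FA-HA IKE SA)
MIP_HA_ADDRESS = 7       # 3GPP2-MIP-HA-Address
KEY_ID = 8               # 3GPP2-KeyId
S_KEY = 54               # 3GPP2-S
S_REQUEST = 55           # 3GPP2-S-Request
S_LIFETIME = 56          # 3GPP2-S-Lifetime
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VSA = 1, 2, 26   # RFC 2865 attribute types


def attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute TLV: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute (type 26) carrying one 3GPP2 sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_3GPP2) + sub)


def parse_attrs(data: bytes) -> dict:
    """Decode an attribute list into {(vendor, type): value}; vendor 0 marks standard attributes.
    Every length field is bounds-checked so a malformed TLV raises instead of over-reading."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + length]
        if t == ATTR_VSA:
            if len(value) < 4:
                raise ValueError("VSA shorter than Vendor-Id")
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("bad vendor attribute length")
                out[(vendor, value[j])] = value[j + 2:j + value[j + 1]]
                j += value[j + 1]
        else:
            out[(0, t)] = value
        i += length
    return out


def hide_password(password: bytes, shared_secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): each 16-byte block is XORed with
    MD5(shared_secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for k in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[k:k + 16], mask))
        out += prev
    return out


def haaa_accept_for_fa(ha_ip: str, key_id: bytes, ike_secret: bytes) -> bytes:
    """Step 4: attribute list the HAAA returns (via the FAAA) to the FA."""
    return (vsa(SECURITY_LEVEL, struct.pack("!I", 3))
            + vsa(MIP_HA_ADDRESS, ipaddress.IPv4Address(ha_ip).packed)
            + vsa(KEY_ID, key_id) + vsa(IKE_SECRET, ike_secret))


class ForeignAgent:
    """Steps 6-7: reuse an SA already established to the HA, otherwise select the crypto map
    whose 'isakmp peer-ha' address matches the HA address from the Access-Accept."""

    def __init__(self, peer_ha_maps: dict):
        self.peer_ha_maps = peer_ha_maps   # HA address -> crypto map name (hypothetical config)
        self.sa_table = {}                 # HA address -> established IPSec SA handle

    def process_accept(self, attrs: bytes) -> dict:
        a = parse_attrs(attrs)
        level = struct.unpack("!I", a[(VENDOR_3GPP2, SECURITY_LEVEL)])[0]
        if level != 3:
            return {"action": "no-ipsec", "security_level": level}
        ha_ip = str(ipaddress.IPv4Address(a[(VENDOR_3GPP2, MIP_HA_ADDRESS)]))
        if ha_ip in self.sa_table:
            return {"action": "reuse-sa", "ha": ha_ip, "sa": self.sa_table[ha_ip]}
        crypto_map = self.peer_ha_maps.get(ha_ip)
        if crypto_map is None:
            raise LookupError(f"no isakmp peer-ha entry matches HA {ha_ip}")
        # KeyId / IKE-Secret are absent when the keys are statically configured on FA and HA.
        return {"action": "negotiate", "ha": ha_ip, "crypto_map": crypto_map,
                "key_id": a.get((VENDOR_3GPP2, KEY_ID)),
                "ike_secret": a.get((VENDOR_3GPP2, IKE_SECRET))}


def ha_access_request(fa_ip: str, ha_ip: str, radius_secret: bytes, request_auth: bytes) -> bytes:
    """Step 9: the HA asks the HAAA for the 'S' secret. User-Name carries the FA and HA addresses
    (space-separated layout is an assumption); the User-Password value is the RADIUS shared
    secret itself, hidden with that same secret as RFC 2865 requires."""
    return (vsa(S_REQUEST, struct.pack("!I", 1))
            + attr(ATTR_USER_NAME, f"{fa_ip} {ha_ip}".encode())
            + attr(ATTR_USER_PASSWORD, hide_password(radius_secret, radius_secret, request_auth)))


def haaa_accept_for_ha(s_key: bytes, lifetime_s: int) -> bytes:
    """Step 10: the 'S' secret, its lifetime and the optional security level sent to the HA."""
    return (vsa(S_KEY, s_key) + vsa(S_LIFETIME, struct.pack("!I", lifetime_s))
            + vsa(SECURITY_LEVEL, struct.pack("!I", 3)))
```

Two points worth noticing when running this. The parser bounds-checks every attribute and vendor-attribute length before slicing, which is the check a real AAA client needs against a malformed Access-Accept. And the step 9 password handling shows where the trust actually sits: the "password" is the RADIUS shared secret hidden with the RADIUS shared secret, so anyone holding that secret can both forge the HA's request and unmask the User-Password field of captured packets. Protect the FA/HA to HAAA RADIUS path accordingly.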