Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
PDG/TTG Overview
Features and Functionality ▀
Cisco ASR 5000 Series Product Overview ▄
OL-22938-01
Configure the name of the crypto template for IKEv2/IPSec: A crypto template is used to define an
IKEv2/IPSec policy. It includes IKEv2 and IPSec parameters for keepalive, lifetime, NAT-T, and
cryptographic and authentication algorithms. There must be one crypto template per PDG service.
cryptographic and authentication algorithms. There must be one crypto template per PDG service.
The crypto template includes the following:
The name of the EAP profile: The EAP profile defines the EAP methods and associated parameters.
Multiple authentication support: Multiple authentication is specified as a part of crypto template
configuration.
IKEv2 and IPSec transform sets: Transform set defines the negotiable algorithms for IKE SAs and Child SAs.
The setup timeout value: This parameter specifies the session setup timeout timer value. The TTG terminates a
UE connection attempt if the UE does not establish a successful connection within the specified timeout period.
Max-sessions: This parameter sets the maximum number of subscriber sessions allowed by this PDG service.
SGTP context and service: You create an SGTP context and service to enable GPRS Tunneling Protocol (GTP)
on the TTG to use for sending packet data between the TTG and the GGSN.
TTG Mode
TTG mode uses IKEv2/IPsec tunnels to deliver packet data services over untrusted WiFi access networks with
connectivity to the Internet or managed networks.
connectivity to the Internet or managed networks.
In TTG mode, the system terminates an IPSec tunnel for each WLAN UE subscriber session established over the Wu
reference point. The TTG also establishes a corresponding GTP (GPRS Tunneling Protocol) tunnel over the Gn'
reference point to the GGSN. The TTG and a subset of GGSN functions work together to provide PDG functionality to
the WLAN UEs.
reference point. The TTG also establishes a corresponding GTP (GPRS Tunneling Protocol) tunnel over the Gn'
reference point to the GGSN. The TTG and a subset of GGSN functions work together to provide PDG functionality to
the WLAN UEs.
IP Security (IPSec) Encryption
The PDG/TTG supports IKEv2 and IPSec encryption using IPv4 addressing. IKEv2 and IPSec encryption enables
network domain security for all IP packet-switched networks in order to provide confidentiality, integrity,
authentication, and anti-replay protection. These capabilities are insured through use of cryptographic techniques.
network domain security for all IP packet-switched networks in order to provide confidentiality, integrity,
authentication, and anti-replay protection. These capabilities are insured through use of cryptographic techniques.
IKEv2 and IP Security (IPSec) encryption, including support for:
IKEv2 encryption protocols: AES-CBC with 128 bits, AES-CBC with 256 bits, 3DES-CBC, and DES-CBC
IKEv2 pseudo-random functions: PRF-HMAC-SHA1, PRF-HMAC-MD5
IKEv2 integrity: HMAC-SHA1-96, HMAC-MD5
IKEv2 Diffie-Hellman groups: 1, 2, 5, and 14
IPSec ESP (Encapsulating Security Payload) encryption: AES-CBC with 128 bits, AES-CBC with 256 bits,
3DES-CBC, and DES-CBC
IPSec integrity: HMAC-SHA1-96, HMAC-MD5
IKEv2 and IPSec rekeying