Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
▀ Implementing IPSec for Mobile IP Applications
▄ IPSec Reference, StarOS Release 18
36
Step
Description
11
The HA determines the appropriate crypto map to use for IPSec protection based on the FA’s address. It does this by
comparing the address received to those configured using the isakmp peer-fa command. From the crypto map, the
system determines the following:
comparing the address received to those configured using the isakmp peer-fa command. From the crypto map, the
system determines the following:
The map type, in this case dynamic
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be
used
used
IPSec SA lifetime parameters
The name of one or more configured transform set defining the IPSec SA
12
The HA creates a response to the D-H exchange using the “S” secret and the Key ID sent by the FA.
13
The HA sends IKE SA negotiation D-H exchange response to the FA.
14
The FA and the HA negotiate an ISAKMP (IKE) policy to use to protect further communications.
15
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the security gateway using the transform
method specified in the transform sets.
method specified in the transform sets.
16
Once the IPSec SA has been negotiated, the system protects the data according to the IPSec SAs established during step
15 and sends it over the IPSec tunnel.
15 and sends it over the IPSec tunnel.
Important:
Once an IPSec tunnel is established between an FA and HA for a particular subscriber, all new
Mobile IP sessions using the same FA and HA are passed over the tunnel regardless of whether or not IPSec is
supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected Configuring IPSec
supported for the new subscriber sessions. Data for existing Mobile IP sessions is unaffected Configuring IPSec
Configuring IPSec Support for Mobile IP
This section provides a list of the steps required to configure IPSec functionality on the system in support of Mobile IP.
Each step listed refers to a different section containing the specific instructions for completing the required procedure.
Each step listed refers to a different section containing the specific instructions for completing the required procedure.
Important:
These instructions assume that the systems were previously configured to support subscriber data
sessions either as an FA or an HA.
Step 1
Configure one or more transform sets for the FA system according to the instructions located in the Transform Set
Configuration chapter of this guide.
Configuration chapter of this guide.
The transform set(s) must be configured in the same context as the FA service.
Step 2
Configure one or more ISAKMP policies or the FA system according to the instructions located in the ISAKMP Policy
Configuration chapter of this guide.
Configuration chapter of this guide.
The ISAKMP policy(ies) must be configured in the same context as the FA service.
Step 3
Configure an ipsec-isakmp crypto map or the FA system according to the instructions located in the Dynamic Crypto
Map Configuration section of the Crypto Maps chapter of this guide.
Map Configuration section of the Crypto Maps chapter of this guide.
The crypto map(s) must be configured in the same context as the FA service.