Cisco Packet Data Gateway (PDG)
IPSec Network Applications
IPSec for LTE/SAE Networks
IPSec Reference, StarOS Release 17
X.509 Certificate-based Peer Authentication
X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. An X.509 certificate is configured on each IPSec node so that the node can send it, in the CERT payload of its IKE_AUTH request, for the remote node to authenticate it: the remote node validates the certificate against a configured CA certificate and then uses the public key it contains to check the signature in the AUTH payload. Certificates can be in PEM (Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) format, and can be fetched from a repository via HTTP or FTP. Because a certificate is public and is itself signed by its CA, fetching it over plain HTTP or FTP is acceptable; the CA certificate that anchors trust, however, must be installed from a trusted source or have its fingerprint checked out of band, since any certificate that CA signs will be accepted.
A CA certificate is used to validate the certificate that the local node receives from a remote node during an IKE_AUTH exchange.
A maximum of sixteen certificates and sixteen CA certificates are supported per system. One certificate is supported per service, and a maximum of four CA certificates can be bound to one crypto template.
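The check described above, reproduced with the openssl command-line tool as an added example (this is not the StarOS CLI and not Cisco's code): a peer certificate is accepted in either PEM or DER form and validated against the set of CA certificates bound to the crypto template, and a certificate issued by a CA that is not bound is rejected. All CA names, host names and file names are constructed for the example; the script requires only the openssl binary.

```shell
#!/bin/sh
# Added example (not StarOS CLI, not Cisco's code): reproduce with the openssl
# command-line tool what the local node does with a peer's X.509 certificate
# during IKE_AUTH: accept it in PEM or DER form and validate it against the
# CA certificates bound to the crypto template. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# Only [v3_ca] matters for validation: a CA certificate must carry CA:TRUE.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# new_ca NAME OUTFILE: self-signed CA certificate with a P-256 key (assumed names).
new_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -days 365 -keyout "$WORK/$1.key" -out "$2" >/dev/null 2>&1
}

# new_peer_cert CN CAFILE CAKEY OUTFILE: end-entity certificate signed by CAFILE.
new_peer_cert() {
  openssl req -new -config "$WORK/openssl.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 90 -out "$4" >/dev/null 2>&1
}

# verify_peer CABUNDLE CERTFILE FORMAT: FORMAT is "pem" or "der".
# Returns 0 when CERTFILE chains to a CA in CABUNDLE, non-zero otherwise.
# -no-CApath/-no-CAfile keep the system trust store out of the decision, so
# only the CAs in CABUNDLE (the "bound" CAs) count, as on the IPSec node.
verify_peer() {
  cert="$2"
  if [ "$3" = der ]; then
    # openssl verify reads PEM only; convert the DER certificate first
    openssl x509 -inform DER -in "$2" -out "$WORK/verify_tmp.pem" 2>/dev/null || return 1
    cert="$WORK/verify_tmp.pem"
  fi
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$cert" >/dev/null 2>&1
}

# Two CAs bound to the crypto template (the product allows up to four) and a
# third CA that is not bound. Only one of the bound CAs issued the peer cert.
new_ca ca-lte-1   "$WORK/ca-lte-1.pem"
new_ca ca-lte-2   "$WORK/ca-lte-2.pem"
new_ca ca-unbound "$WORK/ca-unbound.pem"
BOUND_CAS="$WORK/bound-cas.pem"
cat "$WORK/ca-lte-1.pem" "$WORK/ca-lte-2.pem" > "$BOUND_CAS"

# Peer certificate issued by the second bound CA, kept in both PEM and DER form
PEER_PEM="$WORK/sgw1.pem"
PEER_DER="$WORK/sgw1.der"
new_peer_cert sgw1.example.test "$WORK/ca-lte-2.pem" "$WORK/ca-lte-2.key" "$PEER_PEM"
openssl x509 -in "$PEER_PEM" -outform DER -out "$PEER_DER"

# A certificate from the unbound CA, as a rogue peer would present
ROGUE_PEM="$WORK/rogue.pem"
new_peer_cert rogue.example.test "$WORK/ca-unbound.pem" "$WORK/ca-unbound.key" "$ROGUE_PEM"

# report LABEL CERTFILE FORMAT: print the decision the node would take
report() {
  if verify_peer "$BOUND_CAS" "$2" "$3"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}
report "sgw1 (PEM)"  "$PEER_PEM"  pem
report "sgw1 (DER)"  "$PEER_DER"  der
report "rogue (PEM)" "$ROGUE_PEM" pem
```

The bundle passed to `-CAfile` plays the role of the CA certificates bound to the crypto template; a certificate issued by any CA in the bundle is accepted, one issued by a CA outside it is rejected, and the DER copy is converted to PEM before the same path validation is run, which is all the format difference amounts to.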
For configuration instructions for X.509 certificate-based peer authentication, see the configuration chapter in the administration guides for the MME, S-GW, and P-GW.
The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the figure describes each step in the message flow.
For additional information refer to the IPSec Certificates chapter of this guide.
Figure 7. X.509 Certificate-based Peer Authentication