Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
▀ IPSec for LTE/SAE Networks
▄ IPSec Reference, StarOS Release 17
52
Table 9. E-UTRAN/EPC Logical Network Interfaces Supporting IPSec Tunnels
Interface
Description
S1-MME Interface This interface is the reference point for the control plane protocol between the eNodeB and the MME.
The S1-MME interface uses S1-AP (S1- Application Protocol) over SCTP (Stream Control Transmission
Protocol) as the transport layer protocol for guaranteed delivery of signaling messages between the MME
and the eNodeB (S1).
When configured, the S1-AP over SCTP signaling traffic gets carried over an IPSec tunnel.
When a subscriber UE initiates a connection with the eNodeB, the eNodeB initiates an IPSec tunnel with
the MME, and SCTP signaling for all subsequent subscriber UEs served by this MME gets carried over
the same IPSec tunnel.
The MME can also initiate an IPSec tunnel with the eNodeB when the following conditions exist:
Protocol) as the transport layer protocol for guaranteed delivery of signaling messages between the MME
and the eNodeB (S1).
When configured, the S1-AP over SCTP signaling traffic gets carried over an IPSec tunnel.
When a subscriber UE initiates a connection with the eNodeB, the eNodeB initiates an IPSec tunnel with
the MME, and SCTP signaling for all subsequent subscriber UEs served by this MME gets carried over
the same IPSec tunnel.
The MME can also initiate an IPSec tunnel with the eNodeB when the following conditions exist:
The first tunnel setup is always triggered by the eNodeB. This is the tunnel over which initial
SCTP exchanges occur.
SCTP exchanges occur.
The MME initiates additional tunnels to the eNodeB after an SCTP connection is set up if the
MME is multi-homed: a tunnel is initiated from MME's second address to the eNodeB.
MME is multi-homed: a tunnel is initiated from MME's second address to the eNodeB.
The eNodeB is multi-homed: tunnels are initiated from the MME's primary address to each
secondary address of the eNodeB.
secondary address of the eNodeB.
Both of the prior two conditions: a tunnel is initiated from each of MME's addresses to each
address of the eNodeB.
address of the eNodeB.
S1-U Interface
This interface is the reference point for bearer channel tunneling between the eNodeB and the S-GW.
Typically, the eNodeB initiates an IPSec tunnel with the S-GW over this interface for subscriber data
traffic. But the S-GW may also initiate an IPSec tunnel with the eNodeB, if required.
Typically, the eNodeB initiates an IPSec tunnel with the S-GW over this interface for subscriber data
traffic. But the S-GW may also initiate an IPSec tunnel with the eNodeB, if required.
S5 Interface
This interface is the reference point for tunneling between the S-GW and the P-GW.
Based on the requested APN from a subscriber UE, the MME selects both the S-GW and the P-GW that
the S-GW connects to. GTP-U data traffic is carried over the IPSec tunnel between the S-GW and P-GW
for the current and all subsequent subscriber UEs.
Based on the requested APN from a subscriber UE, the MME selects both the S-GW and the P-GW that
the S-GW connects to. GTP-U data traffic is carried over the IPSec tunnel between the S-GW and P-GW
for the current and all subsequent subscriber UEs.
IPSec Tunnel Termination
IPSec tunnel termination occurs during the following scenarios:
Idle Tunnel Termination. When a session manager for a service detects that all subscriber sessions using a
given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
Service Termination. When a service running on a network node is brought down for any reason, all
corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a
service being stopped manually, or a task handling an IPSec tunnel restarting.
service being stopped manually, or a task handling an IPSec tunnel restarting.
Unreachable Peer. If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec
tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the
system CLI during crypto template configuration.
system CLI during crypto template configuration.
E-UTRAN Handover Handling. Any IPSec tunnel that becomes unusable due to an E-UTRAN network
handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel
for the session.
for the session.