Cisco Cisco Packet Data Gateway (PDG)
Service Configurations
WSG Service Configuration to Support IPSec ▀
IPSec Reference, StarOS Release 17 ▄
97
WSG Service Configuration to Support IPSec
This section provides an overview of the process for enabling a WSG service with a crypto template supporting IPSec
features. WSG service must be enabled to support a Security Gateway (SecGW) running on an ASR 9000 router
equipped with a Virtualized Services Module (VSM).
features. WSG service must be enabled to support a Security Gateway (SecGW) running on an ASR 9000 router
equipped with a Virtualized Services Module (VSM).
For additional information refer to the Security Gateway Administration Guide.
Creating a Crypto Template to Support a SecGW
The StarOS CLI Crypto Template Configuration Mode is used to configure an IKEv2 IPSec policy. It includes most of
the IPSec parameters and IKEv2 dynamic parameters for cryptographic and authentication algorithms. A security
gateway service will not function without a configured crypto template. Only one crypto template can be configured per
service.
the IPSec parameters and IKEv2 dynamic parameters for cryptographic and authentication algorithms. A security
gateway service will not function without a configured crypto template. Only one crypto template can be configured per
service.
A crypto template for a SecGW may require the configuration of the following parameters:
allow-cert-enc cert-hash-url – Enables support for certificate enclosure type other than default.
allow-custom-fqdn-idr – Allows non-standard FQDN (Fully Qualified Domain Name) strings in the IDr
(Identification - Responder) payload of IKE_AUTH messages received from the UE with the payload type as
FQDN.
FQDN.
authentication – Configures the gateway and subscriber authentication methods to be used by this crypto
template.
blacklist – Enables use of a blacklist file
ca-certificate list – Binds an X.509 Certificate Authority (CA) root certificate to a crypto template.
ca-crl list – Binds one or more Certificate Authority-Certificate Revocation Lists (CA-CRLs) to this crypto
template.
certificate – Binds a single X.509 trusted certificate to a crypto template.
control-dont-fragment – Controls the Don't Fragment (DF) bit in the outer IP header of the IPSec tunnel data
packet.
dns-handling – Adds a custom option to define the ways a DNS address is returned based on proscribed
circumstances described below.
dos cookie-challenge notify-payload – Configures the cookie challenge parameters for IKEv2 INFO Exchange
notify payloads for the given crypto template.
identity local – Configures the identity of the local IPSec Client (IKE ID).
ikev2-ikesa – Configures parameters for the IKEv2 IKE Security Associations within this crypto template.
keepalive – Configures keepalive or dead peer detection for security associations used within this crypto
template.
max-childsa – Defines a soft limit for the number of child Security Associations (SAs) per IKEv2 policy.
nai – Configures the Network Access Identifier (NAI) parameters to be used for the crypto template IDr
(recipient's identity).
natt – Configures Network Address Translation - Traversal (NAT-T) for all security associations associated with
this crypto template. This feature is disabled by default.