Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality ▀
ePDG Administration Guide, StarOS Release 18 ▄
19
The data path from the ePDG supports mixed inner IPv4 and IPv6 addresses in the same Child SA for ESP
(Encapsulating Security Payload) encapsulation and decapsulation when the Any option is configured in the payload,
regardless of the IP version of the outer protocol.
(Encapsulating Security Payload) encapsulation and decapsulation when the Any option is configured in the payload,
regardless of the IP version of the outer protocol.
Supported Algorithms
The ePDG supports the protocols in the table below, which are specified in RFC 5996.
Table 3. Supported Algorithms
Protocol
Type
Supported Options
Internet Key
Exchange version 2
Exchange version 2
IKEv2 Encryption
DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256
IKEv2 Pseudo Random Function
PRF-HMAC-SHA1, PRF-HMAC-MD5, AES-XCBC-PRF-128
IKEv2 Integrity
HMAC-SHA1-96, HMAC-SHA2-256, HMAC-SHA2-384. HMAC-
SHA2-512, HMAC-MD5-96, AES-XCBC-96
SHA2-512, HMAC-MD5-96, AES-XCBC-96
IKEv2 Diffie-Hellman Group
Group 1 (768-bit), Group 2 (1024-bit), Group 5 (1536-bit), Group
14 (2048-bit)
14 (2048-bit)
IP Security
IPSec Encapsulating Security
Payload Encryption
Payload Encryption
NULL, DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-256
Extended Sequence Number
Value of 0 or off is supported (ESN itself is not supported)
IPSec Integrity
NULL, HMAC-SHA1-96, HMAC-MD5-96, AES-XCBC-96
x.509 Digital Certificate Handling
A digital certificate is an electronic credit card that establishes a subscriber’s credentials when doing business or other
transactions on the Internet. The digital certificates used by the ePDG conform to ITU-T standard X.509 for a PKI
(Public Key Infrastructure) and PMI (Privilege Management Infrastructure). X.509 specifies standard formats for public
key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
transactions on the Internet. The digital certificates used by the ePDG conform to ITU-T standard X.509 for a PKI
(Public Key Infrastructure) and PMI (Privilege Management Infrastructure). X.509 specifies standard formats for public
key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
The ePDG is capable of authenticating itself to the UE using certificates and does so in the response to the first
IKE_AUTH Request message from the UE.
IKE_AUTH Request message from the UE.
ePDG also supports hash and URL based encoding of certificate payloads in IKE exchanges.
The ePDG generates an SNMP notification when the certificate is within 30 days of expiration and approximately once
a day until a new certificate is provided. Operators need to generate a new certificate and then configure the new
certificate using the system’s CLI. The certificate is then used for all new sessions.
a day until a new certificate is provided. Operators need to generate a new certificate and then configure the new
certificate using the system’s CLI. The certificate is then used for all new sessions.
Timers
The ePDG includes the following timers for IPSec tunnels:
IKE Session Setup Timer: This timer ensures that an IKE session set up is completed within a configured
period. The ePDG tears down the call if it is still in progress when the timer expires. The default value is 120
seconds, and the range is between 1 and 3600 seconds.
seconds, and the range is between 1 and 3600 seconds.