Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
Implementing IPSec for PDN Access Applications ▀
IPSec Reference, StarOS Release 16 ▄
33
Step
Description
5
From the crypto map, the system determines the following:
The map type, in this case ISAKMP
The pre-shared key used to initiate the Internet Key Exchange (IKE) and the IKE negotiation mode
The IP address of the security gateway
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be
used
used
IPSec SA lifetime parameters
The name of a configured transform set defining the IPSec SA
6
To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the pre-shared key specified in
the crypto map with the specified peer security gateway.
the crypto map with the specified peer security gateway.
7
The system and the security gateway negotiate an ISAKMP policy (IKE SA) to use to protect further communications.
8
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the security gateway using the transform
method specified in the transform sets.
method specified in the transform sets.
9
Once the IPSec SA has been negotiated, the system protects the data according to the IPSec SAs established during step
8 and sends it over the IPSec tunnel.
8 and sends it over the IPSec tunnel.
Configuring IPSec Support for PDN Access
This section provides a list of the steps required to configure IPSec functionality on the system in support of PDN
access. Each step listed refers to a different section containing the specific instructions for completing the required
procedure.
access. Each step listed refers to a different section containing the specific instructions for completing the required
procedure.
Important:
These instructions assume that the system was previously configured to support subscriber data
sessions either as a core service or an HA. In addition, parameters configured using this procedure must be configured in
the same destination context on the system.
the same destination context on the system.
Step 1
Configure one or more IP access control lists (ACLs) according to the information and instructions located in the IP
Access Control Lists chapter of the product Administration Guide.
Access Control Lists chapter of the product Administration Guide.
Step 2
Configure one or more transform sets according to the instructions located in the Transform Set Configuration chapter
of this guide.
of this guide.
Step 3
Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration
chapter of this guide.
chapter of this guide.
Step 4
Configure an ipsec-isakmp crypto map according to the instructions located in the ISAKMP Crypto Map Configuration
section of the Crypto Maps chapter in this guide.
section of the Crypto Maps chapter in this guide.
Step 5
Apply the crypto map to an interface on the system according to the instructions located in the Crypto Map and
Interface Association section of the Crypto Maps chapter in this guide.
Interface Association section of the Crypto Maps chapter in this guide.
Step 6
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.