for Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality
ePDG Administration Guide, StarOS Release 18
IKEv2 and IPSec SA Lifetime Timers: The ePDG maintains separate SA lifetime timers for both IKEv2 SAs
and IPSec SAs. All timers are started when an SA is successfully set up. If there is traffic through the SA, the
ePDG may initiate rekeying. If there is no traffic and rekey keepalive is not required, the ePDG deletes the SA
without rekeying. If there is no traffic and rekey keepalive is required, the ePDG attempts to rekey. The default
value of the IKEv2 SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds. The
default value of the IPSec SA lifetime timer is 86400 seconds and the range is between 60 and 86400 seconds.
DPD Timers: By default, DPD (Dead Peer Detection) is disabled. When enabled, the ePDG may initiate DPD
via IKEv2 keepalive messages to check the liveness of the WLAN UEs. When enabled, the ePDG always
responds to DPD checks from the UEs. The default value of the DPD timers is 3600 seconds and the range is
between 1 and 65535 seconds. The default DPD retry interval is 10 seconds, and the range is between 1 and
65535 seconds. The default number of DPD retries is 2, and the range is between 0 and 65535.
Dead Peer Detection
The ePDG supports DPD (Dead Peer Detection) protocol messages originating from the ePDG and the WLAN UEs.
DPD is performed when no IKE/IPSec packets reach the ePDG within the configured DPD interval. DPD is configured
in the crypto template in the ePDG service. The administrator can also disable DPD. However, the ePDG always
responds to DPD availability checks initiated by the UE, regardless of the ePDG idle timer configuration.
Child SA Rekeying
Rekeying of an IKEv2 Child SA (Security Association) occurs for an already established Child SA whose lifetime is
about to exceed a maximum limit. The ePDG initiates rekeying to replace the existing Child SA. The ePDG-initiated
rekeying is disabled by default. This is the recommended setting, although rekeying can be enabled using the Crypto
Configuration Payload Mode commands.
Support for MAC Address of WiFi Access Points
The ePDG can propagate the MAC (Media Access Control) address of each WiFi access point to the P-GW. The ePDG
sends this information using the PMIP Location AVP (Attribute-Value Pair) in the User-Location-Info Vendor Specific
Option of PBU (Proxy-MIP Binding Update) messages over the S2b interface. If the protocol used on S2b is
GTPv2, this information is instead carried in the Private Extension IE of the Create Session Request message.
The WLAN UEs send the MAC address of each WiFi access point to the ePDG embedded in the NAI (Network Access
Identifier). When the ePDG receives an NAI that includes a MAC address, the ePDG validates the MAC address and, if
the validation is successful, removes the MAC address from the NAI before sending it to the AAA server in
the User-Name AVP of DER (Diameter EAP Request) messages.
Note that the ePDG can be configured to allow IPSec connection establishment without the MAC address present. If the
MAC address is not present and the ePDG is configured to check for the MAC address, the ePDG fails the IKE
negotiation and returns Notify payload 24 (AUTHENTICATION_FAILED).
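
The NAI handling described above, sketched as an added example (not code from the guide or from StarOS). The NAI layout `<user>@<AP-MAC>:<realm>`, the hyphen-separated MAC form, the rejection of a malformed MAC, and the names `process_nai`, `require_mac` and `IkeAuthFailure` are assumptions made for illustration.

```python
import re

AUTHENTICATION_FAILED = 24  # IKEv2 Notify type the page says is returned

# Assumed NAI layout (not given on the page): <user>@<AP-MAC>:<realm>,
# with the MAC written as six hyphen-separated hex octets.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}")


class IkeAuthFailure(Exception):
    """IKE negotiation is failed with Notify 24."""

    def __init__(self, reason):
        super().__init__(reason)
        self.notify_type = AUTHENTICATION_FAILED


def process_nai(nai, require_mac=True):
    """Return (User-Name for the AAA server, AP MAC or None)."""
    user, at, rest = nai.partition("@")
    if not (user and at and rest) or "@" in rest:
        raise IkeAuthFailure("malformed NAI")
    mac, colon, realm = rest.partition(":")
    if not colon:
        # No MAC component present in the NAI.
        if require_mac:
            raise IkeAuthFailure("AP MAC address missing from NAI")
        return nai, None
    # Assumption: a MAC that fails validation is rejected; the page only
    # describes the successful case.
    if not realm or not MAC_RE.fullmatch(mac):
        raise IkeAuthFailure("AP MAC address failed validation")
    # Strip the MAC so the AAA server sees a plain user@realm identity.
    return f"{user}@{realm}", mac.lower()


if __name__ == "__main__":
    # Constructed sample identities (test PLMN 001/01), not from the page.
    realm = "nai.epc.mnc001.mcc001.3gppnetwork.org"
    for nai in (f"0001010123456789@AA-BB-CC-00-11-22:{realm}",
                f"0001010123456789@{realm}",
                f"0001010123456789@AA-BB-CC-00-11:{realm}"):
        try:
            print(process_nai(nai))
        except IkeAuthFailure as exc:
            print("Notify", exc.notify_type, "-", exc)
```
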
AAA Server Groups
A value-added feature to enable VPN service provisioning for enterprise or MVNO customers. Enables each corporate
customer to maintain its own AAA servers with its own unique configurable parameters and custom dictionaries. This
feature provides support for up to 800 AAA server groups and 800 NAS IP addresses that can be provisioned within a