Cisco Packet Data Gateway (PDG)
IPSec Network Applications
IPSec for Femto-UMTS Networks
IPSec Reference, StarOS Release 16
54
ip-address-alloc dynamic
ipsec transform-setlist <ipsec_trans_set>
exit
ikev2-ikesa keepalive-user-activity
end
configure
context <vpn_ctxt_name>
hnbgw-service <hnbgw_svc_name>
security-gateway bind address <segw_ip_address> crypto-template <crypto_template> context <segw_ctxt_name>
end
Notes:
<vpn_ctxt_name> is the name of the source context in which the HNB-GW service is configured.
<segw_ctxt_name> is the name of the context in which the Se-GW service is configured. By default it is the context in which the HNB-GW service is configured.
<hnbgw_svc_name> is the name of the HNB-GW service to be configured for the Iuh reference point between the HNB-GW and the HNB.
X.509 Certificate-based Peer Authentication
X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm. X.509 certificates are configured on each IPSec node so that it can send the
certificate as part of its IKE_AUTH_REQ for the remote node to authenticate it. These certificates can be in PEM
(Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) format, and can be fetched from a repository via
HTTP or FTP.
CA certificate authentication is used to validate the certificate that the local node receives from a remote node during an
IKE_AUTH exchange.
A maximum of sixteen certificates and sixteen CA certificates are supported per system. One certificate is supported per
service, and a maximum of four CA certificates can be bound to one crypto template.
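The validation the two paragraphs above describe, as an added example that is not part of the Cisco reference: a Go program that accepts the peer certificate in either PEM or DER form, builds its trust store from the CA certificates bound to a crypto template (refusing more than four), and verifies the chain as the local node would during IKE_AUTH. The function names ParsePeerCert, VerifyPeer and MakeCert are assumptions, and MakeCert generates constructed test certificates locally in place of ones fetched over HTTP or FTP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// ParsePeerCert accepts the certificate carried in IKE_AUTH in PEM or DER form.
func ParsePeerCert(raw []byte) (*x509.Certificate, error) {
	if b, _ := pem.Decode(raw); b != nil && b.Type == "CERTIFICATE" {
		raw = b.Bytes // PEM: strip the armour and fall through to the DER parser
	}
	return x509.ParseCertificate(raw)
}
// VerifyPeer validates the peer certificate against the CA certificates bound to the crypto template (at most four).
func VerifyPeer(peer []byte, cas []*x509.Certificate, now time.Time) error {
	if len(cas) == 0 || len(cas) > 4 {
		return errors.New("a crypto template binds between one and four CA certificates")
	}
	cert, err := ParsePeerCert(peer)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	for _, ca := range cas {
		roots.AddCert(ca)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err // nil only if a chain to one of the bound CAs exists and is valid at 'now'
}
// MakeCert issues a constructed test certificate (self-signed CA when parent is nil); hypothetical helper, test data only.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	return der, key
}
```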
The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the
figure describes each step in the message flow.