25-84
Cisco Prime Network 4.0 User Guide
OL-29343-01
Chapter 25 Monitoring Mobile Technologies
LTE Networks
IP Security (IPSec)
Internet Protocol Security (IPSec) is a suite of protocols that interact with one another to provide secure
private communications across IP networks. These protocols allow the system to establish and maintain
secure tunnels with peer security gateways. In accordance with the following standards, IPSec provides
a mechanism for establishing secure channels from mobile subscribers to pre-defined end points (such
as enterprise or home networks):
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header (AH)
RFC 2406, IP Encapsulating Security Payload (ESP)
RFC 2409, The Internet Key Exchange (IKE)
RFC 3193, Securing L2TP using IPSEC, November 2001
IPSec can be implemented for the following applications:
PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure
gateway on the packet data network (PDN) as determined by access control list (ACL) criteria.
Mobile IP: Mobile IP control signals and subscriber data are encapsulated in IPSec tunnels that are
established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.
IKEv2 and IPSec Encryption
ePDG supports Internet Key Exchange Version 2 (IKEv2) and IP Security Encapsulating Security
Payload (IPSec ESP) encryption over IPv4 transport. IKEv2 and IPSec encryption take care of
network domain security for all IP packet-switched networks, using cryptographic techniques to ensure
confidentiality, integrity, authentication, and anti-replay protection.
ePDG Security
In Prime Network, the following security services are available for ePDG:
Crypto template—Used to define the IKEv2 and IPSec policies. In other words, it includes IKEv2
and IPSec parameters for keepalive, lifetime, NAT-T and cryptographic and authentication
algorithms.
EAP Profile—Defines the EAP authentication method and associated parameters.
Transform Set—Defines the negotiable algorithms for IKE SAs (Security Associations) and Child
SAs to enable calls to connect to the ePDG.
Viewing the Crypto Template Service Details
To view the Crypto template details:
Step 1 Right-click the required device in Prime Network Vision and choose Inventory.
Step 2 In the logical inventory window, choose Logical Inventory > Context > Security Association >
Crypto Template. The list of crypto templates is displayed in the content pane.
Step 3 In the Crypto Template node, choose the crypto template. The template details are displayed in the
content pane. Figure 25-13 displays the crypto template details.