Cisco Systems 4 IP Security (IPSec), ePDG Security

25-84

Cisco Prime Network 4.0 User Guide

OL-29343-01

Chapter 25 Monitoring Mobile Technologies

LTE Networks

IP Security (IPSec)

Internet Protocol Security or IPSec is a protocol suite that in ter acts w ith one ano th er to pr ovide se cure

private communications across IP networks. These protocols allow the system to establish and maintain

secure tunnels with peer security gateways. In accordance with the following sta ndards, IPSec provides

a mechanism for establishing secure channels from mobile su bsc ribers t o pre -defined e nd p oint s (s uch

as enterprise or home networks):

• RFC 2401, Security Architecture for the Internet Protocol

• RFC 2402, IP Authentication Header (AH)

• RFC 2406, IP Encapsulating Security Payload (ESP)

• RFC 2409, The Internet Key Exchange (IKE)

• RFC-3193, Securing L2TP using IPSEC, November 2001

IPSec can be implemented for the following applications:

• PDN Access: Subscriber IP traffic is routed over an IPSec tunnel from the system to a secure

gateway on the packet data network (PDN) as determined by access control list (ACL) criteria.

• Mobile IP: Mobile IP control signals and subscriber data is encaps ula ted in IPSe c tu nnel s th at ar e

established between foreign agents (FAs) and home agents (HAs) over the Pi interfaces.

IKEv2 and IPSec Encryption

ePDG supports Internet Key Exchange Version 2 (IKEv2) and IP Security Encapsulating Security

Payload (IPSec ESP) encryption over IPv4 transport. The IKEv2 and IPSec encryption takes care of

network domain security for all IP packet switched networks. It uses cryptographic techniq ues to ensure

ensures confidentiality, integrity, authentication, and anti-replay protection.

ePDG Security

In Prime Network, the following security services are available for ePDG:

• Crypto template—Used to define the IKEv2 and IPSec policies. In other words, it includes IKEv2

and IPSec parameters for keepalive, lifetime, NAT-T and cryptographic and authentication

algorithms.

• EAP Profile—Defines the EAP authentication method and associated parameters.

• Transform Set—Define the negotiable algorithms for IKE SAs (Security Associations) and Child

SAs to enable calls to connect to the ePDG.

Viewing the Crypto Template Service Details

To view the Crypto template details:

Step 1 Right-click the required device in Prime Network Vision and choose Inventory.

Step 2 In the logical inventory window, choose Logical

Inventory > Context > Security Association > Crypto Template. The list of crypto templates are

displayed in the content pane.

Step 3 In the Crypto Template node, choose the crypto template. The template details are displayed in the

content pane. Figure 25-13 displays the crytpo template details.