IPSec for LTE/SAE

Features and Functionality

This section describes IPSec for LTE/SAE networks.

Configuring Optional Features on the MME

The configuration examples in this section are optional and provided to cover the most common uses of the MME in a live network. The intent of these examples is to provide a base configuration for testing.

The following optional configurations are provided in this section:

Configuring Dynamic Node-to-Node IP Security on the S1-MME Interface

The configuration example in this section creates an IKEv2/IPSec dynamic node-to-node tunnel endpoint on the S1-MME interface.

IMPORTANT:

IP Security is a licensed feature and requires the purchase of the IP Security feature license to enable it.

The following configuration examples are included in this section:

Creating and Configuring an IPSec Transform Set

The following example configures an IPSec transform set which is used to define the security association that determines the protocols used to protect the data on the interface:

configure
   context <mme_context_name>
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
  • The group none command specifies that no Diffie-Hellman group is negotiated for the IPSec security association, so Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
  • The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.

Creating and Configuring an IKEv2 Transform Set

The following example configures an IKEv2 transform set:

configure
   context <mme_context_name>
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
  • The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
  • The lifetime command configures the time the security key is allowed to exist, in seconds.
  • The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
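The two transform sets above fix the cryptographic parameters that every tunnel on the interface will negotiate, so a review of a running configuration should start there. The following Python script is an added example, not part of this document or of the StarOS software: it parses transform-set blocks written in the indented CLI layout shown in this section and reports the settings a reviewer would question, applying the defaults stated in the notes above (group none for IPSec, group 2 for IKEv2) when a setting is omitted. The sample configuration inside it is constructed; its names are placeholders, and the stronger keywords it uses for comparison (aes-cbc-256, group 14, sha2-256-128) are assumed to exist on the platform.

```python
"""Audit StarOS-style IPSec / IKEv2 transform sets for weak settings.

Added example, not from the original document. Names and values in
SAMPLE_CONFIG are constructed placeholders, not a real deployment.
"""
import re
from typing import Dict, List

# Constructed sample in the layout used by this section (placeholder names).
SAMPLE_CONFIG = """\
configure
   context mme_ctx
      ipsec transform-set ipsec_ts1
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         exit
      ipsec transform-set ipsec_ts2
         encryption aes-cbc-256
         group 14
         hmac sha2-256-128
         mode tunnel
         exit
      ikev2-ikesa transform-set ike_ts1
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime 86400
         prf sha1
         exit
      end
"""

# MODP Diffie-Hellman group sizes as defined for IKE (RFC 2409 / RFC 3526).
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048, "15": 3072, "16": 4096}

HEADER = re.compile(r"(ipsec|ikev2-ikesa) transform-set (\S+)$")


def parse_transform_sets(config: str) -> Dict[str, Dict[str, str]]:
    """Return {name: {'kind': 'ipsec'|'ikev2', 'encryption': ..., ...}}.

    A transform set starts on a line 'ipsec transform-set NAME' or
    'ikev2-ikesa transform-set NAME'; the lines indented deeper than that
    header are its settings, each written as 'keyword value'.
    """
    sets: Dict[str, Dict[str, str]] = {}
    current = None
    current_indent = -1
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = HEADER.match(line)
        if m:
            kind = "ipsec" if m.group(1) == "ipsec" else "ikev2"
            current = sets.setdefault(m.group(2), {"kind": kind})
            current_indent = indent
            continue
        if current is not None and indent > current_indent:
            parts = line.split(None, 1)
            if len(parts) == 2:          # 'exit' alone carries no setting
                current[parts[0]] = parts[1]
        else:
            current = None               # left the block (end or sibling command)
    return sets


def audit_transform_sets(config: str) -> List[str]:
    """Return one finding per weak or missing setting, sorted by set name."""
    findings: List[str] = []
    for name, ts in sorted(parse_transform_sets(config).items()):
        kind = ts["kind"]
        # Defaults as stated in this section: group none (IPSec), group 2 (IKEv2).
        group = ts.get("group", "none" if kind == "ipsec" else "2")
        if group == "none":
            if kind == "ipsec":
                findings.append(f"{name}: ipsec group none -> Perfect Forward Secrecy disabled")
        elif group not in DH_GROUP_BITS:
            findings.append(f"{name}: {kind} DH group {group} not in audit table, review manually")
        elif DH_GROUP_BITS[group] < 2048:
            findings.append(f"{name}: {kind} DH group {group} ({DH_GROUP_BITS[group]}-bit MODP) "
                            "is weaker than 2048-bit")
        for key in ("hmac", "prf"):
            if ts.get(key, "").startswith("sha1"):
                findings.append(f"{name}: {kind} {key} {ts[key]} is SHA-1 based")
        if kind == "ikev2" and "lifetime" not in ts:
            findings.append(f"{name}: ikev2 lifetime not set; the system default applies")
    return findings


if __name__ == "__main__":
    for finding in audit_transform_sets(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script flags ipsec_ts1 (no PFS, SHA-1 integrity) and ike_ts1 (1024-bit group 2, SHA-1 integrity and PRF) and stays silent on ipsec_ts2; the same function can be pointed at a saved show-configuration dump.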

Creating and Configuring a Crypto Template

The following example configures an IKEv2 crypto template:

configure
   context <mme_context_name>
      crypto template <crypto_template_name> ikev2-dynamic
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         ikev2-ikesa transform-set list <name1> . . . <name6>
         ikev2-ikesa rekey
         payload <name> match childsa match ipv4
            ipsec transform-set list <name1> . . . <name4>
            rekey
            end

Notes:

  • The ikev2-ikesa transform-set list command specifies up to six IKEv2 transform sets.
  • The ipsec transform-set list command specifies up to four IPSec transform sets.

Binding the S1-MME IP Address to the Crypto Template

The following example configures the binding of the S1-MME interface to the crypto template:

configure
   context <mme_context_name>
      mme-service <mme_svc_name>
         bind s1-mme ipv4-address <address> ipv4-address <address> crypto-template <enodeb_crypto_template>
         end

Notes:

  • The bind command in the MME service configuration can also be specified as an IPv6 address using the ipv6-address command.
  • This example shows the bind command using multi-homed addresses. The multi-homing feature also supports the use of IPv6 addresses.
  • The bind command also allows the interface(s) to be associated with a crypto map supporting IP Security. This support applies to both IPv4 and IPv6 addresses.

Configuring ACL-based Node-to-Node IP Security on the S1-MME Interface

The configuration example in this section creates an IKEv2/IPSec ACL-based node-to-node tunnel endpoint on the S1-MME interface.

IMPORTANT:

IP Security is a licensed feature and requires the purchase of the IP Security feature license to enable it.

The following configuration examples are included in this section:

Creating and Configuring a Crypto Access Control List

The following example configures a crypto ACL (Access Control List), which defines the matching criteria used for routing subscriber data packets over an IPSec tunnel:

configure
   context <mme_context_name>
      ip access-list <acl_name>
         permit tcp host <source_host_address> host <dest_host_address>
         end

Notes:

  • The permit command in this example matches IPv4 TCP traffic exchanged between this MME, identified by the specified source host IPv4 address, and the peer server, identified by the specified destination host IPv4 address, so that this traffic is routed over the IPSec tunnel.

Creating and Configuring an IPSec Transform Set

The following example configures an IPSec transform set which is used to define the security association that determines the protocols used to protect the data on the interface:

configure
   context <mme_context_name>
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
  • The group none command specifies that no Diffie-Hellman group is negotiated for the IPSec security association, so Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
  • The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.

Creating and Configuring an IKEv2 Transform Set

The following example configures an IKEv2 transform set:

configure
   context <mme_context_name>
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
  • The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
  • The lifetime command configures the time the security key is allowed to exist, in seconds.
  • The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.

Creating and Configuring a Crypto Map

The following example configures an IKEv2 crypto map:

configure
   context <mme_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         payload <name> match ipv4
            lifetime <seconds>
            ipsec transform-set list <name1> . . . <name4>
            exit
         exit
      interface <s1-mme_intf_name>
         ip address <ipv4_address>
         crypto map <crypto_map_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s1-mme_intf_name> <mme_context_name>
      end

Notes:

  • The type of crypto map used in this example is IKEv2/IPv4 for IPv4 addressing. An IKEv2/IPv6 crypto map can also be used for IPv6 addressing.
  • The ipsec transform-set list command specifies up to four IPSec transform sets.
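An ACL-based crypto map protects only the traffic its crypto ACL permits; under the usual crypto-ACL semantics, anything else leaving the interface is forwarded outside the tunnel, so the ACL entries and the map-to-ACL references deserve a check of their own. The following Python script is an added example, not part of this document or of the StarOS software. It parses the ip access-list and crypto map blocks from the two sections above (written in the layout shown there), links each map to its ACL through match address, reports maps whose ACL is not defined, and classifies sample outbound packets as protected or not using first-match evaluation. The deny and any forms and the first-match rule are assumed from common ACL syntax (this section only shows permit tcp host A host B), and every name and address in the sample is constructed.

```python
"""Resolve which traffic a StarOS-style ACL-based crypto map protects.

Added example, not from the original document. Names and addresses in
SAMPLE_CONFIG are constructed (RFC 5737 documentation ranges).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
configure
   context mme_ctx
      ip access-list s1mme_acl
         deny tcp host 192.0.2.10 host 198.51.100.21
         permit tcp host 192.0.2.10 any
         permit udp host 192.0.2.10 host 198.51.100.20
         exit
      crypto map s1mme_map ikev2-ipv4
         match address s1mme_acl
         peer 198.51.100.20
         exit
      crypto map orphan_map ikev2-ipv4
         match address missing_acl
         peer 203.0.113.5
         exit
      end
"""

# 'permit|deny PROTO (host A|any) (host B|any)'; 'deny' and 'any' are assumed forms.
ACL_ENTRY = re.compile(r"(permit|deny) (\S+) (host (\S+)|any) (host (\S+)|any)$")


@dataclass
class AclEntry:
    action: str  # 'permit' selects traffic for the tunnel, 'deny' excludes it
    proto: str   # 'tcp', 'udp', or 'ip' for any protocol
    src: str     # host address or 'any'
    dst: str


def parse_config(config: str) -> Tuple[Dict[str, List[AclEntry]], Dict[str, Dict[str, str]]]:
    """Collect ACL entries and crypto-map settings from the indented CLI text."""
    acls: Dict[str, List[AclEntry]] = {}
    maps: Dict[str, Dict[str, str]] = {}
    current = None  # ('acl' | 'map', name) while inside a block
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("exit", "end"):
            current = None
            continue
        m = re.match(r"ip access-list (\S+)$", line)
        if m:
            current = ("acl", m.group(1))
            acls[m.group(1)] = []
            continue
        m = re.match(r"crypto map (\S+) ikev2-ipv4$", line)
        if m:
            current = ("map", m.group(1))
            maps[m.group(1)] = {}
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "acl":
            m = ACL_ENTRY.match(line)
            if m:
                acls[name].append(AclEntry(m.group(1), m.group(2),
                                           m.group(4) or "any", m.group(6) or "any"))
        else:
            parts = line.split()
            if parts[:2] == ["match", "address"]:
                maps[name]["acl"] = parts[2]
            elif parts[0] == "peer":
                maps[name]["peer"] = parts[1]
    return acls, maps


def classify_packet(acl: List[AclEntry], proto: str, src: str, dst: str) -> str:
    """First-match evaluation of an outbound packet: 'protect' or 'clear'."""
    for entry in acl:
        if entry.proto not in (proto, "ip"):
            continue
        if entry.src not in (src, "any") or entry.dst not in (dst, "any"):
            continue
        return "protect" if entry.action == "permit" else "clear"
    return "clear"  # no entry matched: the packet is not selected for the tunnel


def check_map_references(acls: Dict[str, List[AclEntry]],
                         maps: Dict[str, Dict[str, str]]) -> List[str]:
    """Report crypto maps whose 'match address' names an ACL that is not defined."""
    return [f"{name}: match address {cfg['acl']} references an undefined ACL"
            for name, cfg in sorted(maps.items()) if cfg.get("acl") not in acls]


if __name__ == "__main__":
    acls, maps = parse_config(SAMPLE_CONFIG)
    for problem in check_map_references(acls, maps):
        print(problem)
    for pkt in [("tcp", "192.0.2.10", "198.51.100.21"), ("tcp", "192.0.2.10", "198.51.100.22"),
                ("udp", "192.0.2.10", "198.51.100.22")]:
        print(pkt, "->", classify_packet(acls["s1mme_acl"], *pkt))
```

The deny entry placed before the broader permit shows why entry order matters: the host at 198.51.100.21 is excluded from the tunnel even though the following line would otherwise permit it, and UDP to any destination other than 198.51.100.20 is never selected at all.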

Configuring Optional Features on the eGTP S-GW

The configuration examples in this section are optional and are provided to cover the most common uses of the eGTP S-GW in a live network. The intent of these examples is to provide a base configuration for testing.

The following optional configurations are provided in this section:

Configuring ACL-based Node-to-Node IP Security on the S1-U and S5 Interfaces

The configuration example in this section creates an IKEv2/IPSec ACL-based node-to-node tunnel endpoint on the S1-U and S5 interfaces.

IMPORTANT:

IP Security is a licensed feature and requires the purchase of the IP Security feature license to enable it.

The following configuration examples are included in this section:

Creating and Configuring a Crypto Access Control List

The following example configures a crypto ACL (Access Control List), which defines the matching criteria used for routing subscriber data packets over an IPSec tunnel:

configure
   context <sgw_context_name>
      ip access-list <acl_name>
         permit tcp host <source_host_address> host <dest_host_address>
         end

Notes:

  • The permit command in this example matches IPv4 TCP traffic exchanged between this S-GW, identified by the specified source host IPv4 address, and the peer server, identified by the specified destination host IPv4 address, so that this traffic is routed over the IPSec tunnel.

Creating and Configuring an IPSec Transform Set

The following example configures an IPSec transform set which is used to define the security association that determines the protocols used to protect the data on the interface:

configure
   context <sgw_context_name>
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
  • The group none command specifies that no Diffie-Hellman group is negotiated for the IPSec security association, so Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
  • The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.

Creating and Configuring an IKEv2 Transform Set

The following example configures an IKEv2 transform set:

configure
   context <sgw_context_name>
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
  • The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
  • The lifetime command configures the time the security key is allowed to exist, in seconds.
  • The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.

Creating and Configuring a Crypto Map

The following example configures an IKEv2 crypto map and applies it to the S1-U interface:

configure
   context <sgw_ingress_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         payload <name> match ipv4
            lifetime <seconds>
            ipsec transform-set list <name1> . . . <name4>
            exit
         exit
      interface <s1-u_intf_name>
         ip address <ipv4_address>
         crypto map <crypto_map_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s1-u_intf_name> <sgw_ingress_context_name>
      end

Notes:

  • The type of crypto map used in this example is IKEv2/IPv4 for IPv4 addressing. An IKEv2/IPv6 crypto map can also be used for IPv6 addressing.
  • The ipsec transform-set list command specifies up to four IPSec transform sets.

The following example configures an IKEv2 crypto map and applies it to the S5 interface:

configure
   context <sgw_egress_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         payload <name> match ipv4
            lifetime <seconds>
            ipsec transform-set list <name1> . . . <name4>
            exit
         exit
      interface <s5_intf_name>
         ip address <ipv4_address>
         crypto map <crypto_map_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s5_intf_name> <sgw_egress_context_name>
      end

Notes:

  • The type of crypto map used in this example is IKEv2/IPv4 for IPv4 addressing. An IKEv2/IPv6 crypto map can also be used for IPv6 addressing.
  • The ipsec transform-set list command specifies up to four IPSec transform sets.

Configuring Optional Features on the P-GW

The configuration examples in this section are optional and provided to cover the most common uses of the P-GW in a live network. The intent of these examples is to provide a base configuration for testing.

The following optional configurations are provided in this section:

Configuring ACL-based Node-to-Node IP Security on the S5 Interface

The configuration example in this section creates an IKEv2/IPSec ACL-based node-to-node tunnel endpoint on the S5 interface.

IMPORTANT:

IP Security is a licensed feature and requires the purchase of the IP Security feature license to enable it.

The following configuration examples are included in this section:

Creating and Configuring a Crypto Access Control List

The following example configures a crypto ACL (Access Control List), which defines the matching criteria used for routing subscriber data packets over an IPSec tunnel:

configure
   context <pgw_context_name>
      ip access-list <acl_name>
         permit tcp host <source_host_address> host <dest_host_address>
         end

Notes:

  • The permit command in this example matches IPv4 TCP traffic exchanged between this P-GW, identified by the specified source host IPv4 address, and the peer server, identified by the specified destination host IPv4 address, so that this traffic is routed over the IPSec tunnel.

Creating and Configuring an IPSec Transform Set

The following example configures an IPSec transform set which is used to define the security association that determines the protocols used to protect the data on the interface:

configure
   context <pgw_context_name>
      ipsec transform-set <ipsec_transform-set_name>
         encryption aes-cbc-128
         group none
         hmac sha1-96
         mode tunnel
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IPSec transform sets configured on the system.
  • The group none command specifies that no Diffie-Hellman group is negotiated for the IPSec security association, so Perfect Forward Secrecy is disabled. This is the default setting for IPSec transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IPSec transform sets configured on the system.
  • The mode tunnel command specifies that the entire packet is to be encapsulated by the IPSec header including the IP header. This is the default setting for IPSec transform sets configured on the system.

Creating and Configuring an IKEv2 Transform Set

The following example configures an IKEv2 transform set:

configure
   context <pgw_context_name>
      ikev2-ikesa transform-set <ikev2_transform-set_name>
         encryption aes-cbc-128
         group 2
         hmac sha1-96
         lifetime <sec>
         prf sha1
         end

Notes:

  • The encryption algorithm, aes-cbc-128, or Advanced Encryption Standard Cipher Block Chaining, is the default algorithm for IKEv2 transform sets configured on the system.
  • The group 2 command specifies the Diffie-Hellman algorithm as Group 2, indicating medium security. The Diffie-Hellman algorithm controls the strength of the crypto exponentials. This is the default setting for IKEv2 transform sets configured on the system.
  • The hmac command configures the Encapsulating Security Payload (ESP) integrity algorithm. The sha1-96 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.
  • The lifetime command configures the time the security key is allowed to exist, in seconds.
  • The prf command configures the IKE Pseudo-random Function which produces a string of bits that cannot be distinguished from a random bit string without knowledge of the secret key. The sha1 keyword uses a 160-bit secret key to produce a 160-bit authenticator value. This is the default setting for IKEv2 transform sets configured on the system.

Creating and Configuring a Crypto Map

The following example configures an IKEv2 crypto map:

configure
   context <pgw_context_name>
      crypto map <crypto_map_name> ikev2-ipv4
         match address <acl_name>
         peer <ipv4_address>
         authentication local pre-shared-key key <text>
         authentication remote pre-shared-key key <text>
         payload <name> match ipv4
            lifetime <seconds>
            ipsec transform-set list <name1> . . . <name4>
            exit
         exit
      interface <s5_intf_name>
         ip address <ipv4_address>
         crypto map <crypto_map_name>
         exit
      exit
   port ethernet <slot_number/port_number>
      no shutdown
      bind interface <s5_intf_name> <pgw_context_name>
      end

Notes:

  • The type of crypto map used in this example is IKEv2/IPv4 for IPv4 addressing. An IKEv2/IPv6 crypto map can also be used for IPv6 addressing.
  • The ipsec transform-set list command specifies up to four IPSec transform sets.