Sample Configurations
In the following sample configuration, the N4/Sx and IPSec interface IP addresses are defined as:
SMF N4/Sx - 192.0.2.1
UPF N4/Sx - 192.0.2.7
SMF IPSec - 198.51.100.1
UPF IPSec - 198.51.100.2
Control Plane
IPSec Configuration
config
context EPC-CP
ip access-list foo0
permit ip host 192.0.2.1 host 192.0.2.7
#exit
ipsec transform-set A-foo
#exit
ikev2-ikesa transform-set ikesa-foo
#exit
crypto map foo0 ikev2-ipv4
match address foo0
authentication local pre-shared-key key secret
authentication remote pre-shared-key key secret
ikev2-ikesa max-retransmission 3
ikev2-ikesa retransmission-timeout 15000
ikev2-ikesa notify-msg-error no-apn-subscription backoff-timer 0
ikev2-ikesa notify-msg-error network-failure backoff-timer 0
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa configuration-attribute p-cscf-v6 private length 0
ikev2-ikesa configuration-attribute p-cscf-v6 iana length 0
keepalive interval 50
payload foo-sa0 match ipv4
ipsec transform-set list A-foo
lifetime 300
rekey keepalive
#exit
peer 198.51.100.2
ikev2-ikesa policy error-notification
notify-payload error-message-type ue base 0
notify-payload error-message-type network-transient-minor base 0
notify-payload error-message-type network-transient-major base 0
notify-payload error-message-type network-permanent base 0
#exit
interface CP_IPSEC loopback
ip address 198.51.100.1 255.255.255.0
crypto-map foo0
#exit
end
N4/Sx Configuration
sx-service SX-1
instance-type controlplane
bind ipv4-address 192.0.2.1
sx-protocol heartbeat retransmission-timeout 20
sx-protocol heartbeat max-retransmissions 5
exit
User Plane
IPSec Configuration
config
context EPC-UP
ip access-list foo0
permit ip host 192.0.2.7 host 192.0.2.1
#exit
ipsec transform-set A-foo
#exit
ikev2-ikesa transform-set ikesa-foo
#exit
crypto map foo0 ikev2-ipv4
match address foo0
authentication local pre-shared-key key secret
authentication remote pre-shared-key key secret
ikev2-ikesa max-retransmission 3
ikev2-ikesa retransmission-timeout 15000
ikev2-ikesa notify-msg-error no-apn-subscription backoff-timer 0
ikev2-ikesa notify-msg-error network-failure backoff-timer 0
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa configuration-attribute p-cscf-v6 private length 0
ikev2-ikesa configuration-attribute p-cscf-v6 iana length 0
keepalive interval 50
payload foo-sa0 match ipv4
ipsec transform-set list A-foo
#exit
peer 198.51.100.1
ikev2-ikesa policy error-notification
notify-payload error-message-type ue base 0
notify-payload error-message-type network-transient-minor base 0
notify-payload error-message-type network-transient-major base 0
notify-payload error-message-type network-permanent base 0
#exit
interface UP_IPSEC loopback
ip address 198.51.100.2 255.255.255.0
crypto-map foo0
#exit
end
N4/Sx Configuration
sx-service SX-1
instance-type userplane
bind ipv4-address 192.0.2.7 ipv6-address dddd:51:31:1:209::
sxa max-retransmissions 12
sxb max-retransmissions 12
sxab max-retransmissions 12
sx-protocol heartbeat interval 30
sx-protocol heartbeat retransmission-timeout 20
sx-protocol heartbeat max-retransmissions 3
exit
To validate the IPSec tunnel CLI on the SMF protocol pod and validate the ipsec.yaml file on SMF, see the Interfaces Support > N4 Interface chapter for sample SMI strongSwan configuration.
For the latest strongSwan configurations, see the Ultra Cloud Core Subscriber Microservices Infrastructure Operations Guide.
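The control-plane and user-plane samples above are mirror images of each other: the crypto ACL hosts are swapped, each `peer` is the other side's IPSec loopback address, the pre-shared keys match, and each Sx bind address is the source host of its own crypto ACL. The following Python check for those relationships is an added example, not part of the original page or of any Cisco tooling; `parse` and `check_pair` are hypothetical helper names, and the two excerpts are constructed from the configurations above.

```python
# Constructed excerpts of the sample configurations: only lines that must agree.
CP = """\
permit ip host 192.0.2.1 host 192.0.2.7
authentication local pre-shared-key key secret
authentication remote pre-shared-key key secret
peer 198.51.100.2
ip address 198.51.100.1 255.255.255.0
bind ipv4-address 192.0.2.1
"""
UP = """\
permit ip host 192.0.2.7 host 192.0.2.1
authentication local pre-shared-key key secret
authentication remote pre-shared-key key secret
peer 198.51.100.1
ip address 198.51.100.2 255.255.255.0
bind ipv4-address 192.0.2.7 ipv6-address dddd:51:31:1:209::
"""

def parse(cfg):
    """Collect ACL host pairs, PSKs, IKE peer, tunnel IP and Sx bind address."""
    out = {"acl": [], "psk": {}, "peer": None, "tunnel_ip": None, "sx": None}
    for t in (line.split() for line in cfg.splitlines()):
        if len(t) == 6 and t[:3] == ["permit", "ip", "host"] and t[4] == "host":
            out["acl"].append((t[3], t[5]))          # (source, destination)
        elif len(t) == 5 and t[0] == "authentication" and t[2] == "pre-shared-key":
            out["psk"][t[1]] = t[4]                  # keyed by local / remote
        elif len(t) == 2 and t[0] == "peer":
            out["peer"] = t[1]
        elif len(t) == 4 and t[:2] == ["ip", "address"]:
            out["tunnel_ip"] = t[2]                  # IPSec loopback address
        elif len(t) >= 3 and t[:2] == ["bind", "ipv4-address"]:
            out["sx"] = t[2]                         # N4/Sx service address
    return out

def check_pair(cp_cfg, up_cfg):
    """Return mismatches between the endpoints; an empty list means consistent."""
    cp, up = parse(cp_cfg), parse(up_cfg)
    mirrored = sorted(cp["acl"]) == sorted((dst, src) for src, dst in up["acl"])
    problems = [] if mirrored else ["crypto ACLs are not mirror images"]
    for name, me, other in (("CP", cp, up), ("UP", up, cp)):
        if me["peer"] != other["tunnel_ip"]:
            problems.append(f"{name} peer is not the remote tunnel interface address")
        if me["psk"].get("local") != other["psk"].get("remote"):
            problems.append(f"{name} local PSK differs from the remote PSK on the peer")
        if all(src != me["sx"] for src, _ in me["acl"]):
            problems.append(f"{name} Sx bind address is not a source in its crypto ACL")
    return problems

if __name__ == "__main__":
    print(check_pair(CP, UP) or "endpoints consistent")
```

The parser matches on whitespace-split tokens, so it also accepts the full indented configuration text, provided each context contains a single `ip address` line as in the samples.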