IPSec Tunnel Termination - Cisco ASR 5000 Series 3G Home NodeB Administration Manual

IPSec for LTE/SAE Networks

Interface: S1-MME Interface
Description:
This interface is the reference point for the control plane protocol between the eNodeB and the MME. The S1-MME interface uses S1-AP (S1-Application Protocol) over SCTP (Stream Control Transmission Protocol) as the transport layer protocol for guaranteed delivery of signaling messages between the MME and the eNodeB (S1).
When configured, the S1-AP over SCTP signaling traffic gets carried over an IPSec tunnel.
When a subscriber UE initiates a connection with the eNodeB, the eNodeB initiates an IPSec tunnel with the MME, and SCTP signaling for all subsequent subscriber UEs served by this MME gets carried over the same IPSec tunnel.
The MME can also initiate an IPSec tunnel with the eNodeB when the following conditions exist:
• The first tunnel setup is always triggered by the eNodeB. This is the tunnel over which initial SCTP exchanges occur.
• The MME initiates additional tunnels to the eNodeB after an SCTP connection is set up if the MME is multi-homed: a tunnel is initiated from MME's second address to the eNodeB.
• The eNodeB is multi-homed: tunnels are initiated from the MME's primary address to each secondary address of the eNodeB.
• Both of the prior two conditions: a tunnel is initiated from each of MME's addresses to each address of the eNodeB.

Interface: S1-U Interface
Description:
This interface is the reference point for bearer channel tunneling between the eNodeB and the S-GW.
Typically, the eNodeB initiates an IPSec tunnel with the S-GW over this interface for subscriber data traffic. But the S-GW may also initiate an IPSec tunnel with the eNodeB, if required.

Interface: S5 Interface
Description:
This interface is the reference point for tunneling between the S-GW and the P-GW.
Based on the requested APN from a subscriber UE, the MME selects both the S-GW and the P-GW that the S-GW connects to. GTP-U data traffic is carried over the IPSec tunnel between the S-GW and P-GW for the current and all subsequent subscriber UEs.
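
The tunnel set implied by the S1-MME multi-homing rules above, turned into an audit check. This is an added example, not code from the Cisco manual or from StarOS. It assumes the first address in each list is the node's primary address and treats every other address as a secondary one; the addresses and the observed-tunnel record format (MME address, eNodeB address, initiator) are constructed for illustration.

```python
from itertools import product

def expected_s1_mme_tunnels(mme_addrs, enb_addrs):
    """Map each (mme_addr, enb_addr) tunnel to the node expected to initiate it.

    Assumption: index 0 of each list is that node's primary address.
    """
    if not mme_addrs or not enb_addrs:
        raise ValueError("each node needs at least a primary address")
    first = (mme_addrs[0], enb_addrs[0])
    # The first tunnel (primary to primary) is always triggered by the eNodeB;
    # every additional address pair is initiated by the MME.
    return {pair: ("eNodeB" if pair == first else "MME")
            for pair in product(mme_addrs, enb_addrs)}

def audit_tunnels(expected, observed):
    """Diff observed (mme_addr, enb_addr, initiator) records against the expected set."""
    seen = {(mme, enb): initiator for mme, enb, initiator in observed}
    return {
        "missing": sorted(expected.keys() - seen.keys()),
        "unexpected": sorted(seen.keys() - expected.keys()),
        "wrong_initiator": sorted(pair for pair in expected.keys() & seen.keys()
                                  if expected[pair] != seen[pair]),
    }

# Constructed sample data (documentation address ranges, not real nodes).
MME_ADDRS = ["192.0.2.10", "192.0.2.11"]        # primary, secondary
ENB_ADDRS = ["198.51.100.20", "198.51.100.21"]  # primary, secondary
OBSERVED = [
    ("192.0.2.10", "198.51.100.20", "eNodeB"),  # first tunnel, as expected
    ("192.0.2.11", "198.51.100.20", "MME"),     # MME secondary to eNodeB primary
    ("192.0.2.10", "198.51.100.21", "eNodeB"),  # additional tunnel, wrong initiator
    ("203.0.113.99", "198.51.100.20", "MME"),   # source is not an MME address
]

if __name__ == "__main__":
    report = audit_tunnels(expected_s1_mme_tunnels(MME_ADDRS, ENB_ADDRS), OBSERVED)
    for finding, pairs in report.items():
        print(finding, pairs)
```

A tunnel reported as unexpected or with the wrong initiator is worth checking against the crypto template and peer configuration before it is trusted to carry S1-AP signaling.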

IPSec Tunnel Termination

IPSec tunnel termination occurs during the following scenarios:
• Idle Tunnel Termination: When a session manager for a service detects that all subscriber sessions using a given IPSec tunnel have terminated, the IPSec tunnel also gets terminated after a timeout period.
• Service Termination: When a service running on a network node is brought down for any reason, all corresponding IPSec tunnels get terminated. This may be caused by the interface for a service going down, a service being stopped manually, or a task handling an IPSec tunnel restarting.
• Unreachable Peer: If a network node detects an unreachable peer via Dead Peer Detection (DPD), the IPSec tunnel between the nodes gets terminated. DPD can be enabled per P-GW, S-GW, and MME service via the system CLI during crypto template configuration.
• E-UTRAN Handover Handling: Any IPSec tunnel that becomes unusable due to an E-UTRAN network handover gets terminated, while the network node to which the session is handed initiates a new IPSec tunnel for the session.
▄ Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide
190
IP Security
OL-25069-03
