IKEv2 and IP Security (IPSec) Encryption; X.509 Certificate-Based Peer Authentication - Cisco ASR 5000 Series Administration Manual


Femto Network Gateway Overview
• The name of the EAP profile: This profile defines the EAP authentication method and associated parameters. If the PSK (Pre-Shared Key) authentication method is used, this configuration is not needed.
• IKEv2 and IPSec transform sets: Transform sets define the negotiable algorithms for IKE SAs and Child SAs to enable calls to connect to the FNG.
• The setup timeout value: This parameter specifies the session setup timeout timer value. The FNG terminates a connection attempt if the FAP does not establish a successful connection within the specified timeout period.
• Max-sessions: This parameter sets the maximum number of subscriber sessions allowed by this FNG service.
• FNG supports a domain template for storing domain-related configuration: The domain name is taken from the received Network Address Identifier (NAI) and searched in the domain template database.
• Duplicate session detection parameters: The FNG supports the FAP ID in the form of an NAI for duplicate session detection. This setting enables duplicate session detection for the FNG service.
When the FNG service is configured in the system with the IP address, crypto template, and so on, the FNG is ready to accept IKEv2 control packets for establishing IKEv2 sessions.
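The admission checks listed above (realm lookup from the NAI, duplicate session detection keyed on the FAP ID, max-sessions, and the setup timeout) can be modelled as a small state machine. The following is an added example, not Cisco StarOS code and not taken from this guide: the class and method names (FngService, ike_sa_init, ike_auth_complete, expire_pending) are assumptions for illustration, the domain template database is constructed sample data, and because the guide does not say what the FNG does when a duplicate NAI is detected, the model assumes the stale session is torn down.

```python
"""Model of the FNG service admission checks described in the overview.

Added example, not Cisco StarOS code: class and function names are
assumptions for illustration, and the domain template database is
constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed domain template database: realm -> settings for that domain.
DOMAIN_TEMPLATES = {
    "femto.example.net": {"auth": "eap-aka", "eap_profile": "eap-aka-profile"},
    "psk.example.net": {"auth": "psk", "eap_profile": None},  # PSK: no EAP profile needed
}


def domain_from_nai(nai: str) -> str:
    """Return the realm of an NAI of the form user@realm; the FNG looks this
    realm up in its domain template database."""
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError("NAI user and realm must both be non-empty")
    return realm.lower()


@dataclass
class FngService:
    max_sessions: int
    setup_timeout: float                                  # seconds
    domain_db: dict
    pending: dict = field(default_factory=dict)           # nai -> setup start time
    sessions: dict = field(default_factory=dict)          # nai -> established time
    log: list = field(default_factory=list)

    def ike_sa_init(self, nai: str, now: float) -> str:
        """Admission decision when a FAP starts IKEv2 setup. Returns a verdict."""
        try:
            realm = domain_from_nai(nai)
        except ValueError as exc:
            return f"reject: {exc}"
        template = self.domain_db.get(realm)
        if template is None:
            return f"reject: no domain template for realm {realm}"
        # Duplicate session detection keyed on the FAP ID (the NAI). The guide
        # does not state what the FNG does on a match; this model assumes the
        # stale session is torn down so the new attempt can proceed.
        if nai in self.sessions:
            del self.sessions[nai]
            self.log.append(f"duplicate session for {nai} torn down")
        if len(self.sessions) + len(self.pending) >= self.max_sessions:
            return "reject: max-sessions reached"
        self.pending[nai] = now
        return f"accept: realm {realm}, auth {template['auth']}"

    def ike_auth_complete(self, nai: str, now: float) -> str:
        """Called when IKE_AUTH succeeds; enforces the session setup timeout."""
        started = self.pending.pop(nai, None)
        if started is None:
            return "reject: no pending setup"
        if now - started > self.setup_timeout:
            self.log.append(f"setup timeout for {nai}")
            return "terminate: setup timeout exceeded"
        self.sessions[nai] = now
        return "established"

    def expire_pending(self, now: float) -> list:
        """Terminate connection attempts that have not completed within the timeout."""
        expired = [n for n, t in self.pending.items() if now - t > self.setup_timeout]
        for n in expired:
            del self.pending[n]
            self.log.append(f"setup timeout for {n}")
        return expired


if __name__ == "__main__":
    fng = FngService(max_sessions=2, setup_timeout=30.0, domain_db=DOMAIN_TEMPLATES)
    print(fng.ike_sa_init("fap-001@femto.example.net", now=0.0))
    print(fng.ike_auth_complete("fap-001@femto.example.net", now=5.0))
    print(fng.ike_sa_init("fap-002@unknown.example", now=6.0))
    print(fng.ike_sa_init("fap-003@psk.example.net", now=7.0))
    print(fng.expire_pending(now=60.0))
```

Pending setups are counted against max-sessions together with established ones, so an attacker-style flood of half-open IKE_SA_INIT exchanges cannot exceed the configured limit; the setup timeout is what reclaims those slots.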

IKEv2 and IP Security (IPSec) Encryption

The FNG supports IKEv2 and IPSec encryption using IPv4 addressing. IKEv2 and IPSec encryption enables network domain security for all IP packet-switched networks in order to provide confidentiality, integrity, authentication, and anti-replay protection.
At the beginning of IKEv2 session setup, the FNG and the FAP exchange capabilities for authentication. IKEv2 and IPSec transform sets configured in the crypto template define the negotiable algorithms for IKE SA and Child SA setup to connect calls to the FNG by creating a single IPSec tunnel, called the Tunnel Inner Address (TIA), which is intended for user traffic coming from the FAP. There can be multiple UEs connecting to a single FAP at the same time, and the traffic from all of the connected UEs passes through the same IPSec tunnel. The FAP to which a UE is connected can request one of the following authentication methods:
• EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) authentication
• PSK (Pre-Shared Key) authentication
• X.509 certificate-based peer (client) authentication
The FNG partially supports the EAP MD5 (Extensible Authentication Protocol Message-Digest 5) authentication method.
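The transform sets in the crypto template are what the FNG, as IKEv2 responder, matches against the proposals the FAP sends. The following is an added example, not Cisco StarOS code and not from this guide: the transform-set names and algorithm labels are constructed, the FAP proposals are sample input, and the selection rule (walk the initiator's proposals in its order and pick the first configured set whose every transform the proposal offers) follows the responder behaviour of RFC 7296, section 2.7.

```python
"""Model of transform-set negotiation between a FAP and the FNG.

Added example, not Cisco StarOS code: the transform-set names and algorithm
labels below are constructed, and the FAP proposals are sample input.
"""
from typing import Optional

# IKEv2 Notify type the responder returns when nothing matches (RFC 7296).
NO_PROPOSAL_CHOSEN = 14

# Constructed FNG crypto template, listed in the FNG's preference order.
FNG_IKESA_SETS = [
    {"name": "ikesa-aes256", "encr": "AES-CBC-256", "integ": "HMAC-SHA2-256-128",
     "prf": "PRF-HMAC-SHA2-256", "dh": 14},
    {"name": "ikesa-aes128", "encr": "AES-CBC-128", "integ": "HMAC-SHA1-96",
     "prf": "PRF-HMAC-SHA1", "dh": 14},
]
FNG_IPSEC_SETS = [
    {"name": "esp-aes256", "encr": "AES-CBC-256", "integ": "HMAC-SHA2-256-128"},
    {"name": "esp-aes128", "encr": "AES-CBC-128", "integ": "HMAC-SHA1-96"},
]

IKESA_TYPES = ("encr", "integ", "prf", "dh")   # IKE SA transform types
IPSEC_TYPES = ("encr", "integ")                # Child SA (ESP) transform types


def negotiate(proposals: list, configured: list, types: tuple) -> Optional[dict]:
    """Return the first configured transform set fully covered by a proposal.

    Each proposal maps a transform type to the *set* of algorithms the FAP
    offers for it, mirroring how one IKEv2 proposal can carry several
    transforms of the same type. Returns None when no set matches, which
    the responder would report with NO_PROPOSAL_CHOSEN.
    """
    for proposal in proposals:            # initiator's preference order
        for ts in configured:             # responder's preference order
            if all(ts[t] in proposal.get(t, set()) for t in types):
                return ts
    return None


def ike_sa_init_response(fap_proposals: list) -> dict:
    """Outcome of the IKE_SA_INIT exchange for the given FAP proposals."""
    chosen = negotiate(fap_proposals, FNG_IKESA_SETS, IKESA_TYPES)
    if chosen is None:
        return {"notify": NO_PROPOSAL_CHOSEN, "sa": None}
    return {"notify": None, "sa": chosen["name"]}


if __name__ == "__main__":
    # Constructed FAP offer: one proposal listing two ciphers and two DH groups.
    fap_offer = [{"encr": {"AES-CBC-128", "AES-CBC-256"}, "integ": {"HMAC-SHA1-96"},
                  "prf": {"PRF-HMAC-SHA1"}, "dh": {2, 14}}]
    print(ike_sa_init_response(fap_offer))
    print(negotiate([{"encr": {"3DES"}, "integ": {"HMAC-MD5-96"}}],
                    FNG_IPSEC_SETS, IPSEC_TYPES))
```

Because the match requires every component of a configured set, a weak algorithm the FAP offers is never selected unless the FNG's template also lists it; the defensive lever is therefore the contents and order of the configured transform sets, not the FAP's offer.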

X.509 Certificate-based Peer Authentication

In addition to the EAP-AKA (Extensible Authentication Protocol - Authentication and Key Agreement) and PSK (Pre-Shared Key) peer authentication methods, the FNG supports X.509 certificate-based peer authentication.
The FNG checks the network policy on whether a FAP is authorized to provide service. If the network policy states that all FAPs that pass device authentication are authorized to provide service, no further authorization check may be required. If the network policy requires that each FAP be individually authorized for service (in the case where the FEID is associated with a valid subscription), the FNG sends a RADIUS Access-Request message to the AAA server. If the AAA server sends a RADIUS Access-Accept message, the FNG proceeds with device authentication. Otherwise, the FNG terminates the IPSec tunnel setup by sending an IKEv2 Notification message indicating authentication failure.
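The decision flow above (network policy, optional RADIUS authorization by FEID, then device authentication, with an IKEv2 Notification on failure) is shown below as an added example. It is not Cisco StarOS code and not from this guide: the policy names, the AaaServer stub, the FapCertificate record and the minimal device_authentication check are assumptions for illustration, and the subscription data is constructed. The Notify type value AUTHENTICATION_FAILED (24) is the one defined in RFC 7296; the guide itself only says the notification indicates authentication failure.

```python
"""Model of the FAP authorization and device-authentication decision.

Added example, not Cisco StarOS code. The policy names, the AAA stub and the
certificate records are assumptions/constructed data for illustration.
"""
from dataclasses import dataclass
from enum import Enum

# IKEv2 Notify message type for authentication failure (RFC 7296, section 3.10.1).
AUTHENTICATION_FAILED = 24


class NetworkPolicy(Enum):
    ALL_AUTHENTICATED = "all FAPs that pass device authentication may serve"
    PER_FAP = "each FAP must be individually authorized"


@dataclass(frozen=True)
class FapCertificate:
    """Constructed stand-in for the X.509 fields this model inspects."""
    feid: str          # femto equipment id carried in the certificate
    issuer: str
    not_after: float   # epoch seconds


class AaaServer:
    """Stub AAA server: answers a RADIUS Access-Request by subscription lookup."""

    def __init__(self, subscriptions: dict):
        self.subscriptions = subscriptions   # feid -> True if valid subscription
        self.requests = []                   # record of Access-Requests received

    def access_request(self, feid: str) -> str:
        self.requests.append(feid)
        return "Access-Accept" if self.subscriptions.get(feid) else "Access-Reject"


def device_authentication(cert: FapCertificate, trusted_issuers: set, now: float) -> bool:
    """Minimal stand-in for certificate validation: trusted issuer and not expired."""
    return cert.issuer in trusted_issuers and cert.not_after > now


def fng_authorize(cert: FapCertificate, policy: NetworkPolicy, aaa: AaaServer,
                  trusted_issuers: set, now: float) -> dict:
    """Outcome the FNG reaches for one FAP's IKE_AUTH exchange."""
    if policy is NetworkPolicy.PER_FAP:
        # Per-FAP authorization: ask the AAA server whether this FEID is subscribed.
        reply = aaa.access_request(cert.feid)
        if reply != "Access-Accept":
            return {"result": "terminate", "notify": AUTHENTICATION_FAILED,
                    "stage": "authorization"}
    if not device_authentication(cert, trusted_issuers, now):
        return {"result": "terminate", "notify": AUTHENTICATION_FAILED,
                "stage": "device-authentication"}
    return {"result": "proceed", "notify": None, "stage": "authorized"}


if __name__ == "__main__":
    trusted = {"Femto Vendor CA"}                       # constructed trust anchor name
    aaa = AaaServer({"FEID-0001": True, "FEID-0003": False})
    good = FapCertificate("FEID-0001", "Femto Vendor CA", 2_000_000_000.0)
    unsubscribed = FapCertificate("FEID-0003", "Femto Vendor CA", 2_000_000_000.0)
    print(fng_authorize(good, NetworkPolicy.PER_FAP, aaa, trusted, now=1_700_000_000.0))
    print(fng_authorize(unsubscribed, NetworkPolicy.PER_FAP, aaa, trusted, now=1_700_000_000.0))
    print(aaa.requests)
```

Note that under ALL_AUTHENTICATED no Access-Request is sent at all, so the AAA server sees no record of FAPs that are rejected at the certificate step; if per-device audit trails are needed, the PER_FAP policy is the one that produces them.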
OL-24872-01 Cisco ASR 5000 Series Femto Network Gateway Administration Guide, Features and Functionality, page 19
