How the FNG Works; IPSec Tunnel Establishment - Cisco ASR 5000 Series Administration Manual


Femto Network Gateway Overview

How the FNG Works

This section describes the FNG functioning as a security gateway during IPSec tunnel establishment.

IPSec Tunnel Establishment

The figure below shows the message flow during IPSec tunnel establishment. The table that follows the figure describes
each step in the message flow.
Figure 2. IPSec Tunnel Establishment (message flow between FAP, FNG, and AAA)

1. FAP: preconfigured FAP device cert and trusted server CA certs (for FNG auth). FNG: preconfigured FNG server cert and trusted FAP device CA certs (for FAP auth).
2. FAP to FNG: IKE_SA_INIT Request (HDR, SA, KE, Ni)
3. FNG to FAP: IKE_SA_INIT Response (HDR, SA, KE, Nr, CERTREQ)
4. FAP to FNG: IKE_AUTH Request (HDR, SK {IDi(FEID), CERT(FEID), CERTREQ, AUTH, SA, TSi, TSr})
5. FNG: verify FAP cert and AUTH signature; verify IDi matches cert identity
6. FNG to AAA: AAA Request (FEID)
7. AAA to FNG: AAA Response (Authorization info)
8. FNG to FAP: IKE_AUTH Response (HDR, SK {IDr(FQDNofFNG), CERT(FNG), AUTH})
9. FAP: verify FNG cert and AUTH signature; verify discovered GW ID (FQDN) matches the identity in the server cert

IKE_SA and first CHILD_SA established.

Cisco ASR 5000 Series Femto Network Gateway Administration Guide, OL-24872-01
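The identity checks in steps 5 and 9 and the AAA authorization in steps 6-7, modelled as an added example (not code from the Cisco guide or the FNG). Assumptions: certificates are already chain-validated and the AUTH signature already verified, the identity is read from subjectAltName DNS names with the subject CN as fallback, comparisons are case-insensitive, IDr is also compared with the discovered name, and the FEID and hostnames are constructed placeholders.

```python
# Added example: certificates are modelled as already chain-validated records.
from dataclasses import dataclass, field

@dataclass
class PeerCert:
    subject_cn: str                               # assumed identity field
    san_dns: list = field(default_factory=list)   # assumed, preferred when present

def norm(name: str) -> str:
    # Compare case-insensitively and ignore a trailing root dot on FQDNs.
    return name.strip().lower().rstrip(".")

def fng_check_idi(idi_feid: str, fap_cert: PeerCert) -> bool:
    """Step 5: IDi (FEID) must equal the identity in the FAP device cert."""
    return bool(idi_feid.strip()) and norm(idi_feid) == norm(fap_cert.subject_cn)

def fap_check_idr(discovered_gw: str, idr_fqdn: str, fng_cert: PeerCert) -> bool:
    """Step 9: discovered GW FQDN must match the server cert identity (and IDr)."""
    want = norm(discovered_gw)
    names = {norm(n) for n in fng_cert.san_dns} or {norm(fng_cert.subject_cn)}
    # Exact match only: wildcard names in the cert are not honoured here.
    return bool(want) and norm(idr_fqdn) == want and want in names

def run_auth(idi, fap_cert, aaa_authorized, discovered_gw, idr, fng_cert) -> str:
    """Walk steps 5-9 and report where the exchange stops."""
    if not fng_check_idi(idi, fap_cert):
        return "rejected at step 5"
    if norm(idi) not in aaa_authorized:           # steps 6-7: AAA lookup by FEID
        return "rejected at step 7"
    if not fap_check_idr(discovered_gw, idr, fng_cert):
        return "rejected at step 9"
    return "established"

# Constructed sample data (placeholder FEID and hostnames).
FAP_CERT = PeerCert("feid-0001-example")
FNG_CERT = PeerCert("fng.example.net", ["fng.example.net"])
AAA = {"feid-0001-example"}

if __name__ == "__main__":
    print(run_auth("FEID-0001-example", FAP_CERT, AAA,
                   "fng.example.net.", "FNG.example.net", FNG_CERT))
    print(run_auth("feid-0001-example", FAP_CERT, AAA,
                   "rogue.example.net", "rogue.example.net", FNG_CERT))
```

The second call stops at step 9 because the name the FAP discovered is not an identity in the certificate the gateway presented, even though IDr agrees with it.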
