Cisco ASR 5000 Series Administration Manual page 32

Femto network gateway
How the FNG Works

Step / Description

2. Upon FAP power-up, using the FNG discovery procedures such as DNS discovery, the FAP determines the FQDN/IP address of the appropriate FNG.

3. The FAP initiates an IKEv2 exchange with the FNG, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange with the FNG. In addition, using the NAT Traversal procedures, the FAP includes NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads to negotiate support for UDP encapsulation.

4. The FNG responds with an IKE_SA_INIT Response by choosing a cryptographic suite from the initiator's offered choices, completing the Diffie-Hellman and nonce exchanges with the FAP. In addition, the FNG includes the list of FAP CA certificates that it will accept in its CERTREQ payload. For successful FAP authentication, the CERTREQ payload must contain at least one CA certificate that is in the trust chain of the FAP device certificate. At this point in the negotiation, the IKE_SA_INIT exchange is complete and all but the headers of all the messages that follow are encrypted and integrity-protected.

5. The FAP initiates an IKE_AUTH exchange with the FNG by setting the IDi payload to the FEID in FQDN format (from the subjectAltName extension of the FAP certificate), setting the CERT payload to the FAP device certificate corresponding to the FEID, and including the AUTH payload containing the signature of the previous IKE_SA_INIT Request message (in step 3) generated using the private key of the FAP device certificate. The authentication algorithm used to generate the AUTH payload is also included in the AUTH payload. The FAP also includes the CERTREQ payload containing the list of SHA-1 hash algorithms for server authentication. For successful server authentication, the CERTREQ payload must contain at least one CA certificate that is in the trust chain of the FNG server certificate.

6. Using the CA certificate corresponding to the FAP device certificate, the FNG first verifies that the FAP device certificate in the CERT payload has not been modified and that the identity included in the IDi corresponds to the identity in the FAP device certificate. If the verification is successful, using the public key of the FAP device certificate, the FNG generates the expected AUTH payload and compares it with the received AUTH payload. If they match, the authentication of the FAP is successful. Otherwise, the FNG sends an IKEv2 Notification message indicating authentication failure.

7. If the network policy requires femtocell subscription authorization, the FNG contacts the AAA server to verify that the FAP identified by the FEID is authorized to provide service.

8. The AAA server responds with the authorization result. If the authorization is not successful, the FNG sends an IKEv2 Notification message indicating authorization failure. Otherwise, the FNG proceeds with server authentication.

9. The FNG responds with the IKE_AUTH Response by setting the IDr payload to the FQDN (or IP address) of the FNG, setting the CERT payload to the FNG server certificate corresponding to the FQDN (or IP address), and including the AUTH payload containing the signature of the IKE_SA_INIT Response message (in step 4) generated using the private key of the FNG server certificate. The authentication algorithm used to generate the AUTH payload is also included in the AUTH payload.

10. Using the CA certificate corresponding to the FNG server certificate, the FAP first verifies that the FNG server certificate in the CERT payload has not been modified and that the identity included in the IDi corresponds to the identity in the server certificate and contains the expected FNG value as discovered during the FNG discovery procedures. If the verification is successful, using the public key of the FNG server certificate, the FAP generates the expected AUTH payload and compares it with the received AUTH payload. If they match, FNG server authentication is successful. This completes the IKE_AUTH exchange.

11. An IPSec SA is established between the FAP and the FNG. If more IPSec SAs are needed, either the FAP or the FNG can initiate the creation of additional Child SAs using a CREATE_CHILD_SA exchange.
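The following is an added Python model of three checks from the exchange above; it is not Cisco's code and does not parse real IKEv2 or X.509. It shows the NAT_DETECTION_*_IP computation from step 3 as specified in RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, IP address and port) and how the receiver uses it to detect a NAT; the CERTREQ trust-chain requirement from steps 4 and 5 (CERTREQ carries SHA-1 hashes of accepted CA public keys, and at least one must lie in the peer certificate's chain); and the identity binding from steps 6 and 10 (the ID payload must match the certificate's subjectAltName, and the FAP additionally requires the FNG identity it discovered). All SPIs, addresses, names and the `Cert` stand-in are constructed for the example.

```python
"""Model of NAT detection, CERTREQ matching and ID-to-certificate binding
from the FAP <-> FNG IKEv2 exchange. Constructed data; no real X.509."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


# --- NAT traversal payloads (RFC 7296 section 2.23) --------------------------

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | UDP port), the value carried in
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, received_hash: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """The receiver recomputes the hash from the outer IP/UDP header it actually
    saw; a mismatch means a translator sits between the peers, so ESP must be
    UDP-encapsulated."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != received_hash


# --- Certificates, CERTREQ and identity binding ------------------------------

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes                    # SubjectPublicKeyInfo bytes (constructed placeholder)
    san_fqdn: Optional[str] = None  # subjectAltName dNSName; carries the FEID on a FAP cert


def certreq_payload(accepted_cas: List[Cert]) -> List[bytes]:
    """CERTREQ lists the SHA-1 hash of each accepted CA's SubjectPublicKeyInfo."""
    return [hashlib.sha1(ca.spki).digest() for ca in accepted_cas]


def trust_chain(leaf: Cert, ca_store: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the leaf up to a self-signed root (root included)."""
    chain, cur = [], leaf
    while cur.issuer != cur.subject:
        ca = ca_store.get(cur.issuer)
        if ca is None:
            break  # chain is incomplete; caller will find no matching CA
        chain.append(ca)
        cur = ca
    return chain


def certreq_covers_chain(certreq: List[bytes], chain: List[Cert]) -> bool:
    """Steps 4/5: at least one CA named in CERTREQ must be in the peer's chain."""
    wanted = set(certreq)
    return any(hashlib.sha1(ca.spki).digest() in wanted for ca in chain)


def identity_bound(id_payload: str, cert: Cert, expected: Optional[str] = None) -> bool:
    """Steps 6/10: the ID payload must equal the certificate's SAN FQDN, and when
    the verifier already knows the peer name (FAP checking the discovered FNG)
    the ID must also equal that expected value."""
    if cert.san_fqdn != id_payload:
        return False
    return expected is None or id_payload == expected


# Constructed sample PKI: one root, a FAP CA and an FNG CA under it.
ROOT = Cert("CN=Example Root", "CN=Example Root", b"root-spki")
FAP_CA = Cert("CN=Example FAP CA", "CN=Example Root", b"fap-ca-spki")
FNG_CA = Cert("CN=Example FNG CA", "CN=Example Root", b"fng-ca-spki")
FAP_CERT = Cert("CN=fap-0001", "CN=Example FAP CA", b"fap-spki",
                san_fqdn="fap-0001.femto.example.net")
FNG_CERT = Cert("CN=fng1", "CN=Example FNG CA", b"fng-spki",
                san_fqdn="fng1.example.net")
CA_STORE = {c.subject: c for c in (ROOT, FAP_CA, FNG_CA)}


def run_demo() -> dict:
    """Walk the checks with constructed values and return each outcome."""
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)  # SPIr is zero in the request
    # FAP computes the payload from its private address; the FNG sees the
    # post-NAT address and port on the wire.
    src_hash = nat_detection_hash(spi_i, spi_r, "10.0.0.5", 500)
    fap_chain = trust_chain(FAP_CERT, CA_STORE)
    return {
        "nat_detected": peer_behind_nat(spi_i, spi_r, src_hash, "203.0.113.7", 4500),
        "no_nat": peer_behind_nat(spi_i, spi_r, src_hash, "10.0.0.5", 500),
        "fap_ca_accepted": certreq_covers_chain(certreq_payload([FAP_CA]), fap_chain),
        "wrong_ca_offered": certreq_covers_chain(certreq_payload([FNG_CA]), fap_chain),
        "idi_matches_feid": identity_bound("fap-0001.femto.example.net", FAP_CERT),
        "idr_matches_discovered": identity_bound("fng1.example.net", FNG_CERT,
                                                 expected="fng1.example.net"),
        "idr_wrong_fng": identity_bound("fng1.example.net", FNG_CERT,
                                        expected="fng2.example.net"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The `wrong_ca_offered` case is the failure mode the text warns about in steps 4 and 5: if the FNG's CERTREQ names only CAs outside the FAP certificate's chain, no usable certificate can be selected and authentication cannot succeed. The `idr_wrong_fng` case shows why step 10 checks the discovered FNG name and not only the certificate: a valid certificate for a different gateway must still be rejected.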
Cisco ASR 5000 Series Femto Network Gateway Administration Guide, Femto Network Gateway Overview, page 32, OL-24872-01