Manual
 Security Gateway Overview 
Product Overview
SecGW Administration Guide, StarOS Release 17
SecGW Application 
The StarOS-based Security Gateway (SecGW) application is a solution for Remote-Access (RAS) and Site-to-Site 
(S2S) mobile network environments. It is implemented via StarOS as a WSG (Wireless Security Gateway) service that 
leverages the IPSec features supported by StarOS. 
SecGW delivers the S2S IP Encryption capabilities required in UMTS/HSPA and 3GPP LTE/SAE network
architectures.
For complete descriptions of supported IPSec features, see the IPSec Reference. 
Important:  The SecGW is a licensed StarOS feature. A separate license is required for each VPC-VSM instance 
and SecGW. Contact your Cisco account representative for detailed information on specific licensing requirements. 
Key Features 
The following are key features of the SecGW product: 
  Functions in a virtualized environment on one or more VSM blades in an ASR 9000.
  Supports IKEv2.
  Supports DES, 3DES, AES and NULL Encryption algorithms, and MD5, SHA1/2 and AES-XCBC Hash
  algorithms.
  Provides mechanisms for High Availability both within and outside of the ASR 9000 chassis.
  IPv6 support encompasses Inner-Outer pairs – v6-v6, v6-v4, v4-v6, v4-v4.
  Allows dynamic provisioning of IPSec configuration when a new SecGW is instantiated on the router.
Each of the four SecGWs on a VSM must be configured separately. 
Load balancing has not been implemented for the SecGWs; incoming calls will not be automatically distributed across 
the four SecGWs on a VSM. A workaround is to use VLANs for load balancing. The public side interface of each 
SecGW can be configured for a separate VLAN. Calls from multiple peers are routed to the same IP address via a 
different VLAN to distribute the traffic load. 
IPSec Capabilities 
The following IPSec features are supported by StarOS for implementation in an SecGW application: 
  Anti Replay 
  Multiple Child SA (MCSA) 
  Certificate Management Protocol (CMPv2) 
  Session Recovery/Interchassis Session Recovery for both RAS and S2S 
  Support for IKE ID Type 
  PSK support with up to 255 octets 
  Online Certificate Status Protocol (OCSP) 
  Reverse DNS Lookup for Peer IP in show Commands 










