Manual

Cisco Packet Data Serving Node (PDSN) Release 2.0
Resource Management
12.3(11)T
The HA determines which type of security association (if any) is required with a PDSN. The HA uses
the same security policy that is specified in the Home RADIUS server and returned to the PDSN in the
3GPP2 security level attribute. All MNs receive the same security level when accessing the same
PDSN.
Configuring IPSec in Cisco IOS
To employ IS835-B IPSec on the PDSN, configure the following commands:
• [no] ip mobile cdma ipsec—Enables or disables the CDMA IPSec feature. This command is only
  present in crypto images for the Cisco 7200 Series Internet Router, and in non-crypto images for the
  Cisco MWAM.
• [no] ip mobile cdma ipsec profile profile-tag—This command is only present in crypto images for
  the Cisco 7200 Series Internet Router.
• show ip mobile cdma ipsec—Shows whether the feature is enabled.
• show ip mobile cdma ipsec profile—Shows the configured crypto profile.
• [no] debug ip mobile cdma ipsec—Turns debugging for this feature on or off.
Here is a sample configuration:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# authentication pre-share
Router(config)# crypto isakmp key cisco address 7.0.0.2
Router(config)# crypto ipsec transform-set mobile-set1 esp-3des
Router(config)# crypto ipsec profile testprof
Router(ipsec-profile)# set transform-set mobile-set1
Router(config)# crypto identity pdsntest
Router(config)# ip mobile cdma ipsec
Router(config)# ip mobile cdma ipsec profile testprof
Router(config)# ip mobile foreign-agent reg-wait 30
Additionally, to employ Cisco IOS IPSec on the PDSN you must configure a transform set and a
crypto map, and apply the crypto map to the interface.
The transform set represents a certain combination of security protocols and algorithms. During the
IPSec security association negotiation, the peers agree to use a particular transform set to protect
a particular data flow. Use the crypto ipsec transform-set mobile-set1 esp-3des command to configure
the transform set.
The crypto map entries created for IPSec pull together the various parts used to set up IPSec security
associations, including the following:
• Which traffic should be protected by IPSec (per a crypto access list).
• The granularity of the flow to be protected by a set of security associations.
• Where IPSec-protected traffic should be sent (the remote IPSec peer).
• The local address used for IPSec traffic (set by applying the crypto map to an interface).
• The type of IPSec security that should be applied to this traffic (selected from a list of one or more
  transform sets).
• Whether security associations are manually established, or established with IKE.
• The parameters that might be necessary to define an IPSec security association.
Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped
into a crypto map set. A crypto map set is applied to an interface; all traffic passing through that
interface is then evaluated against the applied crypto map set.
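
The crypto map elements listed above, assembled into one configuration as an added example (it is not
part of the original manual). The peer 7.0.0.2 and transform set mobile-set1 come from the sample
configuration; the map name mobile-map, access lists 101 and 102, local address 7.0.0.1, second peer
7.0.0.3, transform set mobile-set2, the lifetime value and interface FastEthernet0/0 are assumptions
made for illustration.

```cisco
! Added example. IKE policy and pre-shared keys for each peer are assumed
! to be configured as in the sample configuration (crypto isakmp ...).
!
! Crypto access lists: which traffic is protected, and at what granularity.
! Host-to-host entries give one set of SAs per peer pair.
access-list 101 permit ip host 7.0.0.1 host 7.0.0.2
access-list 102 permit ip host 7.0.0.1 host 7.0.0.3
!
! Transform sets. mobile-set1 (from the sample configuration) is ESP
! encryption only. mobile-set2 (assumed name) adds ESP authentication with
! HMAC-SHA, so protected packets are also integrity-checked.
crypto ipsec transform-set mobile-set1 esp-3des
crypto ipsec transform-set mobile-set2 esp-3des esp-sha-hmac
!
! Entry 10: ipsec-isakmp means the SAs are established with IKE rather
! than manually.
crypto map mobile-map 10 ipsec-isakmp
 ! Remote IPSec peer that protected traffic is sent to
 set peer 7.0.0.2
 ! One or more transform sets, offered in order of preference
 set transform-set mobile-set2 mobile-set1
 ! Additional SA parameter: rekey after one hour (assumed value)
 set security-association lifetime seconds 3600
 ! Binds the crypto access list to this entry
 match address 101
!
! Entry 20: same map name, different sequence number, so entries 10 and 20
! form one crypto map set. Lower sequence numbers are evaluated first.
crypto map mobile-map 20 ipsec-isakmp
 set peer 7.0.0.3
 set transform-set mobile-set2
 match address 102
!
! Applying the set to the interface fixes the local address used for IPSec
! traffic. All traffic through the interface is checked against the set.
interface FastEthernet0/0
 ip address 7.0.0.1 255.0.0.0
 crypto map mobile-map
```

After applying the map, show crypto map lists the entries in the set and the interfaces using it, and
show crypto ipsec sa shows which transform set each peer actually negotiated.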