Manual
Cisco Packet Data Serving Node (PDSN) Release 2.0
Resource Management
12.3(11)T
Hardware IPSec Acceleration Using IPSec Acceleration Module—Static IPSec
Note: The Cisco PDSN Release on the Cisco 6500 and 7600 platforms requires the support of the Cisco IPSec
Services Module (VPNSM), a blade that runs on the Catalyst 6500 switch and the Cisco 7600 Internet
Router. The VPNSM does not have any physical WAN or LAN interfaces, and uses VLAN selectors for
its VPN policy. For more information on Catalyst 6500 Security Modules, visit
http://wwwin.cisco.com/issg/isbu/products/6000/6500security.shtml. For more information on the Cisco
7600 Internet Router, visit http://wwwin.cisco.com/rtg/routers/products/7600/techtools/index.shtml.
IPSec-based security may be applied on tunnels between the PDSN and the HA, depending on parameters
received from the Home AAA server. A single tunnel may be established between each PDSN-HA pair. A
single tunnel between a PDSN-HA pair can carry three types of traffic streams: Control
Messages, Data with IP-in-IP encapsulation, and Data with GRE-in-IP encapsulation. All traffic carried
in the tunnel has the same level of protection provided by IPSec.
IS-835-B defines Mobile IP service as described in RFC 2002; the Cisco PDSN provides Mobile IP
service and Proxy Mobile IP service.
In Proxy Mobile IP service, the Mobile Node (MN) is connected to the PDSN/FA through Simple IP, and the
PDSN/FA acts as the Mobile IP proxy for the MN to the HA.
Once Security Associations (SAs, or tunnels) are established, they remain active until there is traffic on
the tunnel, or the lifetime of the SAs expires.
Figure 7 illustrates the IS-835-B IPSec network topology.
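
The following static crypto map sketch is an added example, not configuration from the Cisco manual. It shows how one peer-to-peer selector places the three traffic streams under a single SA pair with one protection level, and where the SA lifetime is set. It assumes generic IOS crypto map syntax on an interface-based platform (the VPNSM uses VLAN-based policy instead), the documentation addresses 192.0.2.1 (PDSN/FA) and 192.0.2.2 (HA), and hypothetical names, numbers, and a placeholder key.

```cisco
! Added example: static IPSec between one PDSN/FA and one HA.
! Assumed addresses: 192.0.2.1 = PDSN/FA, 192.0.2.2 = HA.
! Map name, ACL number, and interface are hypothetical.
!
! IKE phase 1 policy (algorithm choice is an assumption; use the
! strongest set that both peers and the accelerator support).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.2
!
! One transform set, so every stream in the tunnel gets the same protection.
crypto ipsec transform-set PDSN-HA-TS esp-3des esp-sha-hmac
!
! A single "permit ip host host" entry covers all three streams between
! the pair: Mobile IP control messages, IP-in-IP data, and GRE-in-IP data.
! Separate permit lines per protocol would negotiate separate SA pairs,
! one per ACL entry, instead of one tunnel.
access-list 110 permit ip host 192.0.2.1 host 192.0.2.2
!
crypto map PDSN-HA-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set PDSN-HA-TS
 ! SA lifetime in seconds; the SAs are renegotiated or removed on expiry.
 set security-association lifetime seconds 3600
 match address 110
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map PDSN-HA-MAP
```

After traffic has flowed, `show crypto ipsec sa` should list a single inbound/outbound SA pair for the 192.0.2.1 to 192.0.2.2 selector, along with the remaining key lifetime.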