Manual
x.509 Certificate Configuration
Use the following example to configure the x.509 certificates on the system to provide security certification
between the FAP and the SeGW on the HNB-GW.
configure
certificate name <x.509_cert_name> pem { data <pem_data_string> | url <pem_data_url>} private-key pem { [encrypted] data <PKI_pem_data_string> | url <PKI_pem_data_url>}
ca-certificate name <ca_root_cert_name> pem { data <pem_data_string> | url <pem_data_url>}
exit
crypto template <segw_crypto_template> ikev2-dynamic
authentication local certificate
authentication remote certificate
keepalive interval <dur> timeout <dur_timeout>
certificate <x.509_cert_name>
ca-certificate list ca-cert-name <ca_root_cert_name>
payload <crypto_payload_name> match childsa [match {ipv4 | ipv6}]
ip-address-alloc dynamic
ipsec transform-setlist <ipsec_trans_set>
end
configure
context <vpn_ctxt_name>
subscriber default
ip context-name <vpn_ctxt_name>
ip address pool name <ip_pool_name>
end
Notes:
• <vpn_ctxt_name> is the name of the source context in which the HNB-GW service is configured.
• <x.509_cert_name> is the name of the x.509 certificate where the PEM data <pem_data_string> and PKI <PKI_pem_data_string> are configured.
• <ca_root_cert_name> is the name of the CA root certificate where the PEM data <pem_data_string> is configured for CPE.
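Before the PEM data is loaded with the commands above, the three files can be checked for consistency on an administration workstation. The script below is an added example, not part of the guide or of StarOS; it assumes the OpenSSL command-line tool, an unencrypted PEM private key, and hypothetical file paths passed as arguments.

```shell
#!/bin/sh
# Added example (not from the guide): check PEM files before loading them with
# "certificate name ... pem ... private-key pem ..." and "ca-certificate name ...".
# Assumptions: OpenSSL CLI available; file paths are hypothetical; key is unencrypted.

# Returns 0 = OK, 1 = key does not match certificate,
#         2 = certificate does not verify against the CA file, 3 = unreadable input.
check_cert_bundle() {   # $1 = certificate, $2 = private key, $3 = CA root (all PEM)
    cert=$1 key=$2 ca=$3

    # Extract the public key from each side; a parse failure must not look like a match.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 3; }
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2; return 3; }
    openssl x509 -in "$ca" -noout 2>/dev/null || {
        echo "cannot parse CA certificate: $ca" >&2; return 3; }

    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to certificate" >&2; return 1
    fi

    # Signature and validity-period check against the CA root.
    # openssl prints "<file>: OK" on success.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate does not verify against $ca" >&2; return 2
    fi
    echo "certificate, private key and CA root are consistent"
}

# Run the check when the script is called with three file arguments.
if [ "$#" -eq 3 ]; then check_cert_bundle "$@"; fi
```

A non-zero result identifies which input to fix before the certificate is referenced from the crypto template.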
Security Gateway and Crypto map Template Configuration
Use the following example to configure the IPsec profile and Crypto map template enabling SeGW on
HNB-GW for IPsec tunneling.
configure
context <vpn_ctxt_name>
eap-profile <eap_prof_name>
mode authentication-pass-through
exit
ip pool ipsec <ip_address> <subnetmask>
ipsec transform-set <ipsec_trans_set>
exit
ikev2 transform-set <ikev2_trans_set>
exit
crypto template <crypto_template>
authentication eap-profile <eap_prof_name>
HNB-GW Administration Guide, StarOS Release 19
HNB-GW Service Configuration Procedures