IPSec Tunnel Definition

Whenever IPSec is used in a test, a local peer will attempt to establish a minimum of one IPSec SA (tunnel) with a remote peer. In some cases, a local peer can establish multiple SAs simultaneously:

With Data IPSec, an MN can establish up to sixteen IPSec tunnels with one or more remote peers and route traffic through a tunnel based on destination and/or data protocol. TCP traffic to one destination could be routed through one tunnel, while UDP traffic to the same destination could be routed through another, for example. You can also configure the test to request that an IPSec gateway assign a private address for each tunnel, and delay IPSec until it is triggered by a DMF.
With MIPv6 IPSec, an MN can establish sixteen different types of tunnels with its HA. Each tunnel is configured to bear a certain type of traffic: Binding messages, Prefix Discovery messages, Route Optimization messages, or Data Traffic (when Route Optimization is not used).
- Learn more about IPSec support for MIPv6

You can choose whether to encrypt traffic in transport or tunnel mode. If the SA will be negotiated using IKE Phase II, you can configure the cipher suite and proposed lifetime for the SA. You can also choose to configure different values to be used with each local peer by provisioning a tunnel with a Test Data File.

This topic describes IKE Phase II settings, the IPSec SA settings, and the settings that determine how traffic is routed when multiple tunnels are supported. The topics listed under Related Parameters describe the Advanced settings used with IKEv2, settings used during IKE Phase I, and the general IPSec options.

Number of Tunnels

Protocol Type

Protocol Type (Data, MIPv6)

Payload Source Port
Security Gateway Address
Alt Security Gateway Address
ESP Data Mode
Encryption Key Type
SA Life Duration
SA Life Duration Type
Enable PFS
Outer IP Type of Service
Use AMF SUT as Security Gateway
Use UPF N3/N9 SUT as Security Gateway
Apply Parameter Values from Test Data File

Payload Destination ID (Data, MIPv6, Other)
Payload Destination Port
Authentication Type

IKE Liveness Check Time
IKE Liveness Mode
Max Liveness Attempts
Use AEAD Type
Oakley Group Type

Source SPI

Peer SPI

Request Private Address
Private IPv4 Address
Private IPv6 Address
Request Private IPv4 DNS
Request IPv4 P-CSCF Address
Request Private IPv4 Network Mask
Request Private IPv6 DNS
Request IPv6 P-CSCF Address
Request Private IPv4 Address
Request Private IPv6 Address

IKE Max Retry Attempts
Automatically Start Tunnel
Number of Cryptographic Suites

Related Parameters

Selection by Destination

When one type of tunnel is supported, Payload Destination ID determines which outbound packets will be encrypted. The destination will typically be a SUT such as an LNS or a Diameter Server. With L2TP IPSec, you can leave the field blank and the SUT's address will be used by default.

Range: any valid IP address

Default: 0

Data Traffic Selection

The combination of protocol type, destination address, and source and destination ports determine what traffic is routed to which tunnel, allowing you to route two DMFs with the same protocols but different destinations through two different tunnels.

NOTE: If a DMF does not match any of the tunnel configurations, its traffic is transmitted without IPSec.

MIPv6 IPSEc

The combination of protocol, destination, and ESP Data Mode determines what traffic is routed through which tunnel when MIPv6 IPSec is used in a test.

Protocol Type

Use the drop-down list to select the IP protocol for the tunnel's traffic.

Options:

Any — Data Traffic
Mobility Header — HA Binding messages
ICMPv6 Header — Prefix Discovery and Route Optimization messages

Default: Any

^ Back to Top

Number of Tunnels

When multiple tunnels are supported (except for Data IPSec), a dropdown list is available to select additional tunnels. Depending on the number of tunnels you select, the parameters for those tunnels are enabled.

On AMF Nodal's and Non 3GPP Access GW Nodes NWu IPSec tab , when the IKE setting is "IKE With Pre-Shared Keys" or "IKE With RSA Signature", on the first tunnel tab is named "NAS PDU". The remaining 15 tunnels are named PDU 1 up to PDU 15. Not all parameters listed below are available for input in the PDU named Tabs.

Range: 1 - 16

NOTE: In Wifi Offload Gateway Nodal test case, the following applies for UE DNS query to learn PDG IP Address:

Tunnel Type should be NONE (tunneled GRE and CAPWAP are not supported).
On the IPSec tab, Identification Type FQDN format must be that of the IMIS (e.g., 505024101215074) so that the MN-NAI in the Mip (PMIPv6 Binding) is IMIS@APN name.
Tunnel Settings on the IPSec tab supports one tunnel (multiple-IPSec tunnel is not supported).

^ Back to Top

Protocol Type

Use the drop-down list to select the lower-most data protocol for the tunnel's traffic. Select TCP for an HTTP message flow, for example.

Options:

Any — Any Data Traffic/DMF could be routed through the tunnel.
TCP, UDP, ICMP, or RAW — Only DMFs with a matching protocol will be routed through the tunnel.

Default: Any

Tcl Parameter: DataIpSecProtoType1

ESP Data Mode

The Encapsulating Security Payload protocol encrypts the upper IP layer in Transport mode, and encrypts then entire original IP datagram in Tunnel mode. Use the drop-down list to select the mode for the tunnel.

Tcl Parameter: DataIpsecIkePrivateAddrExchType1

Options:

Transport (Select for HA Binding and Prefix Discovery messages in a MIPv6 IPSec test)
Tunnel (Select for Route Optimization messages and Data Traffic in a MIPv6 IPSec test)

Default: Transport

Tcl Parameter: DataIpSecEspDataMode1

ISAKMP Exchange Type

Available when ESP Data Mode is Tunnel and the Protocol Type is TCP.

The ISAKMP (Internet Security Association and Key Management Protocol) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks).

Payload Source Port

Payload Destination Port

With TCP or UDP traffic, you can route individual DMFs through different tunnels based on the DMF ports. If you are configuring IPSec in a nodal test case, the server is the destination and the client is the source; in the Network Host test case, the client is the destination and the server is the source. Enter 0 to accept any port.

Payload Destination Port

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIpSecPortDest1

Payload Source Port

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIpSecSrcPort1

Payload Destination ID

The destination IP address for Data Traffic, which may or may not be the tunnel endpoint. From the MN's perspective, the destination is the Network Host address. From the Network Host's perspective, the destination is the starting MN address.

IMPORTANT: In MME Nodal and Node test cases, to support alternative termination point for IPSec tunnel ensure the following settings/configuration:

Set the Payload Destination ID as 0.0.0.0 for Security GW Node.
When using a Security Gateway in between the eNodeB and the MME, set the Next Hop address in eNodeB Control Node and eNodeB User Node to be the same as the Security Gateway address. (If you are not using a Security Gateway, use Default Routing).
When not using a Security Gateway in between the eNodeB and the MME, set the Payload Destination ID and Security Gw Address to be the same as the MME or SGW.

Range: any valid IP address

Default: N/A

Tcl Parameter: DataIpSecDestination1

MIPv6 IPSec Payload Destination ID

The IP address for the final destination of outgoing traffic. This is not necessarily the IPSec peer — it is used to indicate the type of traffic that will be routed through the tunnel.

Options:

::0 — Data Traffic
HA address — HA binding and prefix discovery messages
CN address — Route Optimization messages

Default: N/A

Security Gateway Address

You can specify the IP address of the Security Gateway that terminates the tunnel (the peer).

In MME Nodal and Node test cases, specify the IP address of the Security Gateway on S1-MME IPSec, Target S1-MME IPSec, S1-U IPSec, and Target S1-U IPSec. In addition, MME Nodal L3-7 | Data IPSec also allows you to specify the IP address of the Security Gateway.
In an L2TP test case, the LAC or LNS is typically the gateway. If this field is left blank in an LNS Nodal or LNS Node test case, the SUT's IP address will be used by default.
In WiFi Offload Gateway Nodal test case, you may select the format of the Security Gateway Address as either IP or FQDN. The WLAN UE supports the standard DNS mechanism to retrieve the IP Address of the remote tunnel end-point (to learn the IP Address of a PDG, the UE performs a DNS query).

If a Security Gateway is not included in a data test, the Network Host can terminate the Data IPSec tunnel. From the Network Host's perspective, the MN is the Security Gateway.

Range: any valid IP address

Default: N/A

Tcl Parameter: DataIpSecEndPoint1

Alt Security Gateway Address

Available in MME Nodal test case under the S1-U interface.

In MME Nodal test cases, select to specify an alternate IP address of the Security Gateway on S1-U IPSec. Used in a S1-U IPSec failover scenario.

Range: any valid IP address

Default: N/A

Tcl Parameter: EnbSgwIpSecAltEndPointEn1

Tcl Parameter: EnbSgwIpSecAltEndPoint1

IKE Liveness Check Time (s)

Indicates the number of seconds to wait before checking the aliveness of IKE-SA or IKE-DPD.

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIkev2DeadPeerTimeX1

When there is outgoing traffic on an SA, the aliveness check is performed to confirm whether the SA is alive to avoid missing messages. If no messages are received on an IKE-SA for a period mentioned in the IKE Liveness Check Times(s), an aliveness check is performed. Receiving messages on an IKE-SA ensures it’s aliveness.

Select IKE Liveness Mode - Interval or Idle Time.

Max Liveness Attempts

Landslide will initiate a Dead Peer Detection (DPD) exchange by sending "Notify Payload" if it detects idleness, followed by outbound traffic if connection is available. Likewise, an entity can initiate a Dead Peer Detection (DPD) exchange if it has sent outbound IPSec traffic but has not received any inbound IPSec packets in response.

The parameter is available for IKE V1 and V2.

NOTE: If Max Liveness Attempts is set set to 2, after the first time out and re-transmission the attempts would be counted as 2 and there would not be a 3rd attempt. This parameter is related to DPD messaging. (The setting is not the number of retries after the first time out).

Range: 0 - 255

Default: 2

Tcl Parameter: DataIkeMaxAttemptsDpd1

Source SPI

The SPI used by the MN in all modes. If you define multiple tunnels, you must use a unique SPI for each tunnel. If the IPSec SA is refreshed, a new SPI will be formed by appending digits to this value.

Range: N/A

Default: 0

Tcl Parameter: DataIpSecSrcSpi1

Peer SPI

The SPI used by the peer, which is known by the MN in Pre-Provisioned mode.

Range: N/A

Default: 0

Tcl Parameter: DataIpSecPeerSpi1

Automatically Start Tunnel

When this box is checked (default), SA negotiation begins when an MN's session is established. You can clear the box and trigger SA negotiation when required by a DMF with event controls, allowing you to only protect some of the DMF messages with IPSec. You can send an event from the DMF to start the tunnel, wait for that event to be sent back to the DMF after the tunnel has been established, send an event to stop the tunnel, and also wait for a stop event before continuing.

Tcl Parameter: DataAutoStartTun1

Enable PFS

When IKEv1 is used in the test, Perfect Forward Security (PFS) is optional and can be disabled by clearing the checkbox. When PFS is enabled, a second Diffie-Hellman exchange will be performed during IKE Phase II and you can select the Oakley Group Type...that will be used for the exchange.

Tcl Parameter: DataIpSecEnablePfs1

Outer IP Type of Service

A value used in the outer IP header’s Type of Service. Click ... (TOS Calculator) to select and calculate the appropriate value.

Available in the Non 3GPP Access GW Node's NWu IPSec tab (Mode = N3IWF) on the PDU 1-15 tunnels tabs. Value range is 0-255, default 0. Tcl variable is "NWuOuterIpTos<suffix>", where suffix = 2-16. The first tunnel tab is NAS PDU that has suffix "1", which does not show Outer IP ToS. So, PDU 1 Tcl var is "NWuOuterIpTos2", PDU 2 is "NWuOuterIpTos3", etc.

Enabling requires NWu|TCP Version >= 16.4.0.

NOTE: Even though this header is added by the Access Point, it can be unique to a mobile subscriber, hence included.

Use AMF SUT as Security Gateway

Available on AMF Nodal N2 Interface IPSec/Tunnel. Select to use AMF SUT as the Security Gateway.

Tcl Parameter: GnbAmfUseSutAsSgAddrEn1

Use UPF N3/N9 SUT as Security Gateway

Available on UPF Nodal N3 Interface IPSec/Tunnel. Select to use UPF N3/N9 SUT as the Security Gateway.

Tcl Parameter: GnbUpfUseSutAsSgAddrEn1

Number of Cryptograhic Suites

For the IPSec IKEv2 you may configure a maximum of 5 cryptographic suites, where each suite contains the Authentication type, Encryption Key Type, Use AEAD Type, Oakley Group type, and Hash type.

NOTE: The multiple cryptographic suite configuration is not applicable for IKE Pre-Provisioned or IKE Version 1.

The multiple cryptographic suite configuration is also applicable to the Tunnel Settings. If the IPSec peer(s) use multiple suites in the tunnel negotiation, there must be a match of 1 suite between the peers; otherwise, the tunnel will not establish.

See for IPSec Algorithm and Keys topic for a description of these parameters:

Encryption Key Type

Use the drop-down list to select the ESP encryption algorithm used by the local peer. Enter the local peer's private key in Private Key.

Options: NULL, 3DES, AES128, AES192, or AES256

Default: NULL

Tcl Parameter: DataPrivateKeyType1

NOTE: When IKE = Pre-Provisioned, the Cryptographic suite panel is disabled but Enable ESN is available.

Enable ESN: If enabled , the ESN (Extended Sequence Number) support field in the Transform Payload changes from “No Extended Sequence Numbers (0)” to “Extended Sequence Numbers (1)”.

Tcl Parameter:

DataNumCryptoSuites1	DataAuthKeyType1_1	DataPrivateKeyType1_1
DataIpSecEnableEsn1_1	DataIpSecOakleyType1_1

IPSec SA Lifetime

The SA lifetime is requested during IKE Phase II. The test will attempt to refresh the SA with the peer prior to expiration of the lifetime. A different lifetime can be requested for the IKE SA during IKE Phase I.

SA Life Duration Type — Use the drop-down list to select the way in which the lifetime will be measured.

Options: Seconds or Kilobytes

Default: Seconds

Tcl Parameter: DataSaLifeDur1

SA Life Duration — The maximum lifetime in seconds or kilobytes.

Range: N/A

Default: 0

Tcl Parameter: DataSaLifeDurType1

Request Private Address

Private IPv4 Address

Private IPv6 Address

Request Private IPv4 DNS

Request IPv4 P-CSCF Address

Request For Private IPv4 Network Mask

Request Private IPv6 DNS

Request IPv6 P-CSCF Address

Request Private IPv4 Address

Request Private IPv6 Address

When you select ESP Data Mode as Tunnel mode, you can request that the Security Gateway assign a private address and IPv4 or IPv6 DNS to the tunnel endpoint, allowing the MN to communicate with devices in the private network. Selecting Request Private Address also enables

Private IPv4 Address, Private IPv6 Address, and Request For Private IPv4 Network Mask.

Request Private IPv6 DNS/Request IPv6 P-CSCF Address/Request For Private IPv4 Network Mask are available when IKE Version = 2.

For IPSec tabs with NWu variable prefix that show the Request Private addresses (example : N3IWF Node test case - NWu IPSec tab), the default will be set to selected / true and both Private IPv4 Address and Private IPv6 Address will be defaulted to:

On AMF Nodal's NWu IPSec tab, when the IKE setting is "IKE With Pre-Shared Keys" or "IKE With RSA Signature", on the first tunnel tab named "NAS PDU" two checkboxes labeled "Request Private IPv4 Address" and "Request Private IPv6 Address" become available. Both are optional. Per spec TS 24.502

"The UE shall include the INTERNAL_IP4_ADDRESS attribute, the INTERNAL_IP6_ADDRESS attribute, or both, indicating the type of IP address to be used for the IP tunnels, in the CFG_REQUEST configuration payload. The INTERNAL_IP4_ADDRESS attribute shall contain no value and the length field shall be set to 0. The INTERNAL_IP6_ADDRESS attribute shall contain no value and the length field shall be set to 0".

Private IPv4 Address = 1.1.1.1

Private IPv6 Address = 2001::1

NOTEs:

An address should always be requested in a PDG Micro-Mobility test unless the local IP addresses defined on the Mobile Node sub-tab are compatible with the MN's home network or the visited network.
Request IPv4/v6 P-CSCF Address" options are no longer available on the N2/N3/N4 IPSec in all 5G test cases. If a previous test case was saved with these options, users will see "Removed Extra/Unexpected Tcl Variable" messages for the two checkboxes depending on which N2/N3/N4 IPSec tab they were enabled. Reference : TS 33.210 and RFC 7296

Tcl Parameter: DataIkeReqPrivateAddrEn1

Tcl Parameter: DataReqPrivateIpV4Addr1

Tcl Parameter: DataReqPrivateIpV6Addr1

Tcl Parameter: DataRequestIpV4DNS1

Tcl Parameter: DataRequestIpV4Pcscf1

Tcl Parameter: DataRequestIpV4NetMask1

Tcl Parameter: DataRequestIpV6DNS1

Tcl Parameter: DataRequestIpV6Pcscf1

Tcl Parameter: WfoApIkeReqPrivateAddrEn1

Tcl Parameter: WfoApRequestIpV4DNS1

Tcl Parameter: WfoApPrivateIpV6Addr1

Tcl Parameter: WfoApRequestIpV4Pcscf1

Tcl Parameter: WfoApRequestIpV4NetMask1

Tcl Parameter: WfoApRequestIpV6DNS1

Tcl Parameter: WfoApRequestIpV6Pcscf1

Tcl Parameter: NWuIkeReqPrivateAddrEn1

Tcl Parameter: NWuReqPrivateIpV4Addr1

Tcl Parameter: NWuReqPrivateIpV6Addr1

Tcl Parameter: NWuIkev2ReqPrivIpV4AddrEn1

Tcl Parameter: NWuIkev2ReqPrivIpV6AddrEn1

Tcl Parameter: NWuRequestIpV4DNS1

Advanced...

See Advanced IPSec Settings if you are testing with IKEv2.

^ Back to Top

Apply Parameter Values from Test Data File

You can provision explicit values for each MN by using a Test Data File for a tunnel definition. Download a sample IPSec file by right-clicking the link below.

See Apply TDFSee Apply TDF topic

See Test Data Files for further explanation and sample files. If a sample is not found for the specific TDF, you can obtain a sample file from your Technical Support representative. You may also use the following options to select an existing TDF or create/edit TDF-CSV files (TDF-CSV Editor).

For most TDF Parameters used for Applying Parameters, each row in the file is the overridden value for a different “Session”, aka a different UE. But some TDFs are done in other dimensions, like Bearers, eNodeBs, Subscribers (2 per UE sometimes) or even Hosts, etc. Tooltips on the TDF Parameter:

Note that the “ID” is a unique ID. Please Provide the ID when reporting issues with a TDF. For TDFs that do not apply / override Parameters, but instead are just their own configuration or data or media files you won’t see TDF ID row details.

TIP: When including large files, please be aware of memory limitations, since the TDF Editor shares memory with the Client.

NOTE: The available TDF options vary. on the L3-7 | IPSec tab > IKE with RSA Settings you may only select the Certificate TDF from TAS (these are non-CSV TDFs).

In addition, where applicable, any rules for defining TDFs are included in specific Test Cases. (For example, In MME Node test case, see MME Node - Provisioning TDF.)

From the DMF Window, press Shift+Alt+A to display the Save DMF as Tcl window. Click the Save to File button to save as Tcl file. See additional details on Using the Tcl API.

Select/Create a new TDF-CSV

Allows you to create a new TDF by entering a file name that doesn’t already exist or select an existing file by entering a file name that already exists.

Click to open the Select Existing or Create window.

Navigate to the relevant library/folder,
Enter the name of the file:
If the file name already exists, the file is selected and applied in the test case.
If the file name does not exist, a message displays that says you are creating a new TDF and the embedded TDF-CSV will be launched.
- Click Yes to launch the TDF-CSV Editor and create/save the new TDF-CSV.
- Click No to select a different file

NOTE: If you do not have permission to save in the selected library, an error displays when you try to create a new file.

TIP: You may also navigate to the relevant library/folder and select file, and click OK.

Upload a New TDF to TAS

Click to import a new TDF file from your local folder and select in the test Case (instead of having to go to TDF Admin).

Navigate to the file on your local folder and select.
Then navigate to the location (library) where you want to save it on the TAS. You may rename the file, if required.

View Edit Selected TDF in TDF-CSV Editor

Available only when you have selected a TDF on TAS. Click to open the selected file in TDF-CSV Editor (in place, that is, within the Test Case).

Edit the file and save. You may also click Save As to save the edited TDF-CSV to a different library and also rename the file, if required.

NOTE: You may also select a TDF from a library to which you do not have write permissions, edit the file as required, and save (Save As) only to a different library with the same file name or a different name.

The only options available are Save As and Cancel.

Open Selected TDF in Standalone TDF-CSV Editor

Available only when you have selected a TDF on TAS. Select to retrieve the CSV file and open it in the stand alone TDF-CSV Editor.

Generate Stub TDF-CSV

TIP: Available only when a CSV specification has been defined for in the Test Case for the TDF widget ( View TDF Actions/Options Menu)

Opens an example context specific test data parametersexample context specific test data parameters, which you may save as a .CSV file or open in the TDF-CSV Editor.

Launch Standalone TDF-CSV Editor

Click to open a blank TDF-CSV Editor.

The Launch Standalone TDF-CSV editor options handles very large TDFs that may use too much Client memory if opened within the Test Case/in the embedded editor. You may set the standalone TDF-CSV Editor memory high to edit large TDFs.

Tcl Parameter:

DataCfgFileEn1

BsAsnCfgFileEn1

Mip4CfgFileEn1

Mip6CfgFileEn1

NOTES:

Each IPSec file includes IKE Phase I as well as IKE Phase II settings for the applicable tunnel.
When you configure a file for IKE With Pre-Shared Keys, enter the shared key in both the Peer Public Key and Private Key values.
Encryption Key Type for both IKE Phase I and IKE Phase II is handled by Private Key Type in the data file.

^ Back to Top