IPSec Tunnel Definition


Whenever IPSec is used in a test, a local peer will attempt to establish a minimum of one IPSec SA (tunnel) with a remote peer. In some cases, a local peer can establish multiple SAs simultaneously:

You can choose whether to encrypt traffic in transport or tunnel mode. If the SA will be negotiated using IKE Phase II, you can configure the cipher suite and proposed lifetime for the SA. You can also choose to configure different values to be used with each local peer by provisioning a tunnel with a Test Data File.

This topic describes IKE Phase II settings, the IPSec SA settings, and the settings that determine how traffic is routed when multiple tunnels are supported. The topics listed under Related Parameters describe the Advanced settings used with IKEv2, settings used during IKE Phase I, and the general IPSec options.

An outbound packet's destination IP address determines whether the packet will be protected with IPSec, and Payload Destination ID defines the minimum amount of information required to select the traffic for a tunnel. If you are testing with Data IPSec or MIPv6 IPSec, however, additional information is required to refine the traffic selection since multiple tunnels are supported.

Selection by Destination

When one type of tunnel is supported, Payload Destination ID determines which outbound packets will be encrypted. The destination will typically be a SUT such as an LNS or a Diameter Server. With L2TP IPSec, you can leave the field blank and the SUT's address will be used by default.

Range: any valid IP address

Default: 0

Data Traffic Selection

The combination of protocol type, destination address, and source and destination ports determines which traffic is routed to which tunnel, allowing you to route two DMFs with the same protocol but different destinations through two different tunnels.

NOTE: If a DMF does not match any of the tunnel configurations, its traffic is transmitted without IPSec, that is, in the clear. Check that every DMF that must be protected matches a tunnel before running the test.

MIPv6 IPSec

The combination of protocol, destination, and ESP Data Mode determines what traffic is routed through which tunnel when MIPv6 IPSec is used in a test.

Protocol Type

Use the drop-down list to select the IP protocol for the tunnel's traffic.

Options:

Default: Any



Number of Tunnels

When multiple tunnels are supported (except for Data IPSec), a dropdown list is available to select additional tunnels. Depending on the number of tunnels you select, the parameters for those tunnels are enabled.

On the NWu IPSec tab of AMF Nodal and Non 3GPP Access GW Node, when the IKE setting is "IKE With Pre-Shared Keys" or "IKE With RSA Signature", the first tunnel tab is named "NAS PDU". The remaining 15 tunnels are named PDU 1 to PDU 15. Not all parameters listed below are available for input in the PDU tabs.

Range: 1 - 16

 

NOTE: In the WiFi Offload Gateway Nodal test case, the following applies when the UE uses a DNS query to learn the PDG IP address:

  • Tunnel Type must be NONE (tunneled GRE and CAPWAP are not supported).
  • On the IPSec tab, the Identification Type FQDN must be the IMSI (e.g., 505024101215074) so that the MN-NAI in the MIP (PMIPv6) Binding is IMSI@APN name.
  • Tunnel Settings on the IPSec tab supports one tunnel (multiple IPSec tunnels are not supported).


Protocol Type

Use the drop-down list to select the lower-most data protocol for the tunnel's traffic. Select TCP for an HTTP message flow, for example.

Options:

  • Any — Any Data Traffic/DMF could be routed through the tunnel.

  • TCP, UDP, ICMP, or RAW — Only DMFs with a matching protocol will be routed through the tunnel.

Default: Any

Tcl Parameter: DataIpSecProtoType1

ESP Data Mode

The Encapsulating Security Payload protocol protects only the data above the IP header in Transport mode (the original IP header is sent unencrypted), and encapsulates and encrypts the entire original IP datagram, header included, behind a new outer IP header in Tunnel mode. Use the drop-down list to select the mode for the tunnel.

Tcl Parameter: DataIpsecIkePrivateAddrExchType1

Options:

  • Transport (Select for HA Binding and Prefix Discovery messages in a MIPv6 IPSec test)

  • Tunnel (Select for Route Optimization messages and Data Traffic in a MIPv6 IPSec test)

Default: Transport

Tcl Parameter: DataIpSecEspDataMode1

ISAKMP Exchange Type

Available when ESP Data Mode is Tunnel and the Protocol Type is TCP.

The ISAKMP (Internet Security Association and Key Management Protocol) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g.  denial of service and replay attacks).

Payload Source Port

Payload Destination Port

With TCP or UDP traffic, you can route individual DMFs through different tunnels based on the DMF ports. If you are configuring IPSec in a nodal test case, the server is the destination and the client is the source; in the Network Host test case, the client is the destination and the server is the source. Enter 0 to accept any port.

  • Payload Destination Port

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIpSecPortDest1

  • Payload Source Port

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIpSecSrcPort1

Payload Destination ID

The destination IP address for Data Traffic, which may or may not be the tunnel endpoint. From the MN's perspective, the destination is the Network Host address. From the Network Host's perspective, the destination is the starting MN address.

 

IMPORTANT: In MME Nodal and Node test cases, to support an alternative termination point for the IPSec tunnel, ensure the following settings:

  • Set the Payload Destination ID to 0.0.0.0 for the Security GW Node.
  • When using a Security Gateway between the eNodeB and the MME, set the Next Hop address in the eNodeB Control Node and eNodeB User Node to the Security Gateway address. (If you are not using a Security Gateway, use Default Routing.)
  • When not using a Security Gateway between the eNodeB and the MME, set the Payload Destination ID and Security Gateway Address to the MME or SGW address.

 

Range: any valid IP address

Default: N/A

Tcl Parameter: DataIpSecDestination1

MIPv6 IPSec Payload Destination ID

The IP address of the final destination of outgoing traffic. This is not necessarily the IPSec peer; it is used to indicate the type of traffic that will be routed through the tunnel.

Options:

  • ::0 for Data Traffic

  • HA address for HA binding and prefix discovery messages

  • CN address for Route Optimization messages

Default: N/A
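As an added worked example (not Landslide code) covering the Data Traffic Selection rules, the Protocol Type, Payload Source/Destination Port and Payload Destination ID fields, and the MIPv6 IPSec destination plus ESP Data Mode pairing, the Python below models how an outbound DMF is matched to a tunnel and lists the DMFs that would leave the test without IPSec. Evaluating tunnels in configured order and taking the first match is an assumption made here (the page does not state the precedence), and the tunnel and DMF records are constructed for illustration.

```python
"""Tunnel traffic selection modelled after this page (added example, not Landslide code).
Selectors: Protocol Type (Any/TCP/UDP/ICMP/RAW), Payload Destination ID (0, 0.0.0.0 or
::0 = any), Payload Source/Destination Port (0 = any) and, for MIPv6 IPSec, ESP Data Mode.
First-match-in-configured-order is an assumption; records below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

ANY = "Any"
WILDCARD_DEST = {"0", "0.0.0.0", "::0", "::"}


@dataclass(frozen=True)
class Tunnel:
    name: str
    proto: str = ANY             # Protocol Type
    dest: str = "0"              # Payload Destination ID
    src_port: int = 0            # Payload Source Port, 0 = any
    dst_port: int = 0            # Payload Destination Port, 0 = any
    esp_mode: str = "Transport"  # ESP Data Mode


@dataclass(frozen=True)
class Dmf:
    name: str
    proto: str
    dest: str
    src_port: int = 0
    dst_port: int = 0
    esp_mode: Optional[str] = None  # only MIPv6 IPSec selects on this


def _dest_matches(selector: str, actual: str) -> bool:
    return selector in WILDCARD_DEST or ip_address(selector) == ip_address(actual)


def _port_matches(selector: int, actual: int) -> bool:
    return selector == 0 or selector == actual


def matching_tunnels(dmf: Dmf, tunnels: list[Tunnel], mipv6: bool = False) -> list[Tunnel]:
    """All tunnels whose selectors accept this DMF, in configured order."""
    hits = []
    for t in tunnels:
        if t.proto != ANY and t.proto != dmf.proto:
            continue
        if not _dest_matches(t.dest, dmf.dest):
            continue
        # Ports exist only for TCP/UDP; ICMP and RAW match on protocol and destination alone.
        if dmf.proto in ("TCP", "UDP") and not (
            _port_matches(t.src_port, dmf.src_port) and _port_matches(t.dst_port, dmf.dst_port)
        ):
            continue
        if mipv6 and dmf.esp_mode is not None and t.esp_mode != dmf.esp_mode:
            continue
        hits.append(t)
    return hits


def audit(dmfs: list[Dmf], tunnels: list[Tunnel], mipv6: bool = False) -> dict[str, Optional[str]]:
    """Map each DMF name to the tunnel it will use; None means it is sent without IPSec."""
    result = {}
    for d in dmfs:
        hits = matching_tunnels(d, tunnels, mipv6)
        result[d.name] = hits[0].name if hits else None
    return result


def unprotected(dmfs: list[Dmf], tunnels: list[Tunnel], mipv6: bool = False) -> list[str]:
    """DMFs that match no tunnel, i.e. whose traffic would leave the test in the clear."""
    return [name for name, tun in audit(dmfs, tunnels, mipv6).items() if tun is None]


# Constructed Data IPSec configuration: two HTTP flows split by destination, one UDP tunnel.
TUNNELS = [
    Tunnel("Tunnel 1", proto="TCP", dest="10.0.0.10", dst_port=80),
    Tunnel("Tunnel 2", proto="TCP", dest="10.0.0.20", dst_port=80),
    Tunnel("Tunnel 3", proto="UDP", dest="10.0.0.10"),
]
DMFS = [
    Dmf("HTTP to A", "TCP", "10.0.0.10", dst_port=80),
    Dmf("HTTP to B", "TCP", "10.0.0.20", dst_port=80),
    Dmf("DNS to A", "UDP", "10.0.0.10", dst_port=53),
    Dmf("HTTPS to A", "TCP", "10.0.0.10", dst_port=443),
    Dmf("Ping A", "ICMP", "10.0.0.10"),
]
# Constructed MIPv6 IPSec configuration: destination plus ESP Data Mode picks the tunnel.
MIPV6_TUNNELS = [
    Tunnel("HA", dest="2001:db8::1", esp_mode="Transport"),
    Tunnel("CN", dest="2001:db8::2", esp_mode="Tunnel"),
    Tunnel("Data", dest="::0", esp_mode="Tunnel"),
]
MIPV6_DMFS = [
    Dmf("Binding Update", "RAW", "2001:db8::1", esp_mode="Transport"),
    Dmf("Route Optimization", "RAW", "2001:db8::2", esp_mode="Tunnel"),
    Dmf("Data", "UDP", "2001:db8::99", dst_port=5000, esp_mode="Tunnel"),
]

if __name__ == "__main__":
    print(audit(DMFS, TUNNELS))
    print("in the clear:", unprotected(DMFS, TUNNELS))
    print(audit(MIPV6_DMFS, MIPV6_TUNNELS, mipv6=True))
```

Running the audit before a test run shows that the HTTPS and ICMP flows in the constructed configuration match no tunnel and would be sent unprotected, which is exactly the case the NOTE under Data Traffic Selection warns about.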

Security Gateway Address

You can specify the IP address of the Security Gateway that terminates the tunnel (the peer).

  • In MME Nodal and Node test cases, specify the IP address of the Security Gateway on S1-MME IPSec, Target S1-MME IPSec, S1-U IPSec, and Target S1-U IPSec. In addition, MME Nodal L3-7 | Data IPSec also allows you to specify the IP address of the Security Gateway.
  • In an L2TP test case, the LAC or LNS is typically the gateway. If this field is left blank in an LNS Nodal or LNS Node test case, the SUT's IP address will be used by default.
  • In WiFi Offload Gateway Nodal test case, you may select the format of the Security Gateway Address as either IP or FQDN. The WLAN UE supports the standard DNS mechanism to retrieve the IP Address of the remote tunnel end-point (to learn the IP Address of a PDG, the UE performs a DNS query).

If a Security Gateway is not included in a data test, the Network Host can terminate the Data IPSec tunnel. From the Network Host's perspective, the MN is the Security Gateway.

Range: any valid IP address

Default: N/A

Tcl Parameter: DataIpSecEndPoint1

Alt Security Gateway Address

Available in MME Nodal test case under the S1-U interface.

In MME Nodal test cases, select to specify an alternate IP address of the Security Gateway on S1-U IPSec. Used in a S1-U IPSec failover scenario.

Range: any valid IP address

Default: N/A

Tcl Parameter: EnbSgwIpSecAltEndPointEn1

Tcl Parameter: EnbSgwIpSecAltEndPoint1

IKE Liveness Check Time (s)

Indicates the number of seconds to wait before checking the aliveness of IKE-SA or IKE-DPD.

Range: 0 — 65535

Default: 0

Tcl Parameter: DataIkev2DeadPeerTimeX1

When there is outgoing traffic on an SA, an aliveness check is performed to confirm that the SA is still alive, so that messages are not lost on a dead SA. If no messages are received on an IKE-SA for the period set in IKE Liveness Check Time (s), an aliveness check is performed. Receiving any message on an IKE-SA confirms its liveness.

Select IKE Liveness Mode - Interval or Idle Time.

Max Liveness Attempts

Landslide initiates a Dead Peer Detection (DPD) exchange by sending a Notify payload when it detects idleness and has outbound traffic to send. Likewise, either peer can initiate a DPD exchange if it has sent outbound IPSec traffic but has not received any inbound IPSec packets in response.

The parameter is available for IKE V1 and V2.

NOTE: Max Liveness Attempts is the total number of DPD transmissions, not the number of retries after the first timeout. If it is set to 2, the initial transmission and the one retransmission after the first timeout count as the 2 attempts, and there is no 3rd attempt.

 

Range: 0 - 255

Default: 2

Tcl Parameter: DataIkeMaxAttemptsDpd1
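The DPD behaviour described under IKE Liveness Check Time (s) and Max Liveness Attempts, as an added example in Python (not Landslide code): a small event-driven model that sends a DPD probe in Idle Time or Interval mode, retransmits, and declares the peer dead once the transmissions reach Max Liveness Attempts. The 2-second wait for a reply before retransmitting and treating a value of 0 as disabled are assumptions made here; the page does not give those details. The timelines are constructed.

```python
"""DPD scheduling model for IKE Liveness Check Time (s), IKE Liveness Mode and
Max Liveness Attempts (added example, not Landslide code). The 2 s reply wait
and "0 disables" are assumptions; the counting rule is the page's NOTE: Max
Liveness Attempts is the total number of transmissions, not the retries."""
from dataclasses import dataclass, field

IDLE_TIME, INTERVAL = "Idle Time", "Interval"


@dataclass
class DpdMonitor:
    mode: str                  # IDLE_TIME or INTERVAL
    liveness_s: float          # IKE Liveness Check Time (s)
    max_attempts: int          # Max Liveness Attempts
    retransmit_s: float = 2.0  # assumed wait for a DPD reply per transmission
    last_rx: float = 0.0       # time of the last inbound message on the IKE-SA
    last_tx: float = 0.0       # time of the last DPD transmission
    sent: int = 0              # transmissions in the current probe; 0 = no probe running
    dead: bool = False
    log: list = field(default_factory=list)
    _next_interval: float = field(init=False, default=0.0)

    def __post_init__(self):
        self._next_interval = self.liveness_s

    @property
    def enabled(self) -> bool:
        return self.liveness_s > 0 and self.max_attempts > 0 and not self.dead

    def _send_probe(self, t: float) -> None:
        self.sent += 1
        self.last_tx = t
        self.log.append((t, f"DPD notify #{self.sent}"))

    def inbound(self, t: float) -> None:
        """Any message received on the IKE-SA proves the peer is alive and ends a probe."""
        self.last_rx = t
        if self.sent:
            self.log.append((t, "peer alive"))
            self.sent = 0
        if self.mode == INTERVAL:
            self._next_interval = t + self.liveness_s

    def outbound(self, t: float) -> None:
        """Idle Time mode: probe only when there is traffic to send and the SA has been quiet."""
        if (self.enabled and self.mode == IDLE_TIME and not self.sent
                and t - self.last_rx >= self.liveness_s):
            self._send_probe(t)

    def tick(self, t: float) -> None:
        """Clock advance: fire Interval-mode probes, retransmit, and declare the peer dead."""
        if not self.enabled:
            return
        if self.mode == INTERVAL and not self.sent and t >= self._next_interval:
            self._send_probe(t)
            self._next_interval = t + self.liveness_s
        if self.sent and t - self.last_tx >= self.retransmit_s:
            if self.sent < self.max_attempts:
                self._send_probe(t)   # a retransmission counts toward Max Liveness Attempts
            else:
                self.dead = True
                self.log.append((t, "peer dead"))


def run(mon: DpdMonitor, events: list[tuple[float, str]]) -> list[tuple[float, str]]:
    """Replay (time, "rx" | "tx" | "tick") events in time order and return the monitor's log."""
    for t, kind in sorted(events):
        {"rx": mon.inbound, "tx": mon.outbound, "tick": mon.tick}[kind](t)
    return mon.log


def transmissions(log: list[tuple[float, str]]) -> int:
    return sum(1 for _, what in log if what.startswith("DPD notify"))


# Constructed timelines: Idle Time mode, liveness 10 s, Max Liveness Attempts 2.
def silent_peer_log() -> list[tuple[float, str]]:
    mon = DpdMonitor(IDLE_TIME, liveness_s=10, max_attempts=2)
    return run(mon, [(0, "rx"), (5, "tx"), (12, "tx")] + [(t, "tick") for t in range(13, 19)])


def live_peer_log() -> list[tuple[float, str]]:
    mon = DpdMonitor(IDLE_TIME, liveness_s=10, max_attempts=2)
    return run(mon, [(0, "rx"), (5, "tx"), (12, "tx"), (13, "rx"), (14, "tick"), (16, "tick")])


if __name__ == "__main__":
    print(silent_peer_log())   # two transmissions, then "peer dead"; no third attempt
    print(live_peer_log())
```

With Max Liveness Attempts set to 2 the silent-peer timeline shows exactly two DPD transmissions before the peer is declared dead, which is the counting rule the NOTE describes; a single inbound message on the IKE-SA ends the probe without any retransmission.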

Source SPI

The SPI used by the MN in all modes. If you define multiple tunnels, you must use a unique SPI for each tunnel. If the IPSec SA is refreshed, a new SPI will be formed by appending digits to this value.

Range: N/A

Default: 0

Tcl Parameter: DataIpSecSrcSpi1

Peer SPI

The SPI used by the peer, which is known by the MN in Pre-Provisioned mode.

Range: N/A

Default: 0

Tcl Parameter: DataIpSecPeerSpi1

Automatically Start Tunnel

When this box is checked (default), SA negotiation begins when an MN's session is established. You can clear the box and trigger SA negotiation when required by a DMF with event controls, allowing you to only protect some of the DMF messages with IPSec. You can send an event from the DMF to start the tunnel, wait for that event to be sent back to the DMF after the tunnel has been established, send an event to stop the tunnel, and also wait for a stop event before continuing.

Tcl Parameter: DataAutoStartTun1

Enable PFS

When IKEv1 is used in the test, Perfect Forward Secrecy (PFS) is optional and can be disabled by clearing the checkbox. When PFS is enabled, a second Diffie-Hellman exchange is performed during IKE Phase II and you can select the Oakley Group Type... that will be used for the exchange. Without PFS, the Phase II keys are derived from the Phase I keying material alone, so a compromise of that material also exposes the IPSec SA keys; leave PFS enabled unless the test specifically exercises the non-PFS case.

Tcl Parameter: DataIpSecEnablePfs1

 

Outer IP Type of Service

A value used in the outer IP header’s Type of Service. Click ... (TOS Calculator) to select and calculate the appropriate value.

Available in the Non 3GPP Access GW Node's NWu IPSec tab (Mode = N3IWF) on the PDU 1-15 tunnels tabs.  Value range is 0-255, default 0.  Tcl variable is "NWuOuterIpTos<suffix>", where suffix = 2-16.  The first tunnel tab is NAS PDU that has suffix "1", which does not show Outer IP ToS.  So, PDU 1 Tcl var is "NWuOuterIpTos2", PDU 2 is "NWuOuterIpTos3", etc.

Enabling requires NWu|TCP Version >= 16.4.0.

NOTE: Even though this header is added by the Access Point, it can be unique to a mobile subscriber, hence included.
 
Use AMF SUT as Security Gateway

Available on AMF Nodal N2 Interface IPSec/Tunnel. Select to use AMF SUT as the Security Gateway.

Tcl Parameter: GnbAmfUseSutAsSgAddrEn1

Use UPF N3/N9 SUT as Security Gateway

Available on UPF Nodal N3 Interface IPSec/Tunnel. Select to use UPF N3/N9 SUT as the Security Gateway.

Tcl Parameter: GnbUpfUseSutAsSgAddrEn1

Number of Cryptographic Suites

For the IPSec IKEv2 you may configure a maximum of 5 cryptographic suites, where each suite contains the Authentication type, Encryption Key Type, Use AEAD Type, Oakley Group type, and Hash type.

NOTE: The multiple cryptographic suite configuration is not applicable for IKE Pre-Provisioned or IKE Version 1.

The multiple cryptographic suite configuration also applies to the Tunnel Settings. If the IPSec peers are configured with multiple suites, at least one suite must be common to both peers; otherwise, the tunnel will not establish.

See the IPSec Algorithm and Keys topic for a description of these parameters:

Encryption Key Type

Use the drop-down list to select the ESP encryption algorithm used by the local peer. Enter the local peer's private key in Private Key.

Options: NULL, 3DES, AES128, AES192, or AES256

Default: NULL

NOTE: NULL is the ESP null cipher (RFC 2410): the payload is authenticated but sent in the clear. Select a real cipher whenever the test must keep the payload confidential.

Tcl Parameter: DataPrivateKeyType1

NOTE: When IKE = Pre-Provisioned, the Cryptographic suite panel is disabled but Enable ESN is available.

Enable ESN: If enabled, the ESN (Extended Sequence Number) support field in the Transform Payload changes from "No Extended Sequence Numbers (0)" to "Extended Sequence Numbers (1)". Both peers must propose the same ESN setting for a suite to match.

Tcl Parameter:

DataNumCryptoSuites1

DataAuthKeyType1_1

DataPrivateKeyType1_1

DataIpSecEnableEsn1_1

DataIpSecOakleyType1_1
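An added example (not Landslide code) of the suite matching rule above and of the checks worth making on each suite before a run. Suites are modelled at the level of the GUI fields (Authentication type, Encryption Key Type, Use AEAD Type, Oakley Group type, Hash type, Enable ESN), not the IKEv2 wire encoding; the selection rule follows RFC 7296 (the responder takes the first initiator suite it also supports, with every field including ESN agreeing), and the "no separate integrity algorithm with AEAD" rule is from RFC 7296 section 3.3.3. The sample suites are constructed.

```python
"""Cryptographic suite validation and IKEv2-style selection for the Number of
Cryptographic Suites setting (added example, not Landslide code). Suites are
modelled as the GUI fields, not the wire format; sample suites are constructed."""
from dataclasses import dataclass
from typing import Optional

MAX_SUITES = 5   # limit stated on this page for IKEv2


@dataclass(frozen=True)
class Suite:
    enc: str                   # Encryption Key Type: NULL, 3DES, AES128, AES192, AES256
    auth: str = ""             # Authentication type (integrity); empty when AEAD supplies it
    aead: bool = False         # Use AEAD Type (e.g. AES-GCM)
    group: int = 14            # Oakley Group type (Diffie-Hellman group for PFS)
    hash_type: str = "SHA256"  # Hash type (PRF)
    esn: bool = False          # Enable ESN


def validate_suite(s: Suite) -> list[str]:
    """Problems a test-bed operator should catch before the tunnel is negotiated."""
    issues = []
    if s.aead and s.auth:
        issues.append("AEAD suite must not carry a separate integrity algorithm (RFC 7296 3.3.3)")
    if not s.aead and not s.auth:
        issues.append("non-AEAD suite needs an integrity algorithm")
    if s.enc == "NULL":
        issues.append("NULL encryption: payload is authenticated but sent in the clear")
    if s.enc == "3DES":
        issues.append("3DES has a 64-bit block; keep SA Life Duration small or prefer AES")
    if s.group in (1, 2):
        issues.append("Oakley group 1/2 (768/1024-bit MODP) is too weak for PFS")
    return issues


def validate_config(suites: list[Suite]) -> list[str]:
    """Check the whole suite list: count limit, then per-suite problems, numbered as in the GUI."""
    issues = []
    if not 1 <= len(suites) <= MAX_SUITES:
        issues.append(f"IKEv2 allows 1 to {MAX_SUITES} suites, got {len(suites)}")
    for i, s in enumerate(suites, 1):
        issues.extend(f"suite {i}: {msg}" for msg in validate_suite(s))
    return issues


def negotiate(initiator: list[Suite], responder: list[Suite]) -> Optional[Suite]:
    """Responder picks the first suite in the initiator's order that it is also configured
    with; every field (ESN included) must agree. None means the tunnel will not establish."""
    offered = set(responder)
    return next((s for s in initiator if s in offered), None)


# Constructed configurations: the local peer prefers AES-GCM, the peer only has CBC suites.
LOCAL = [Suite("AES256", aead=True), Suite("AES128", auth="HMAC-SHA256")]
PEER = [Suite("AES128", auth="HMAC-SHA256"),
        Suite("3DES", auth="HMAC-SHA1", group=2, hash_type="SHA1")]
PEER_ESN_MISMATCH = [Suite("AES128", auth="HMAC-SHA256", esn=True)]

if __name__ == "__main__":
    print("agreed:", negotiate(LOCAL, PEER))
    print("ESN mismatch:", negotiate(LOCAL, PEER_ESN_MISMATCH))
    print("peer config issues:", validate_config(PEER))
```

The ESN mismatch case is the one that is easy to miss in a multi-suite setup: the peer's only suite differs from a local one solely in Enable ESN, so nothing matches and the tunnel fails to establish even though the ciphers agree.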

 

 

IPSec SA Lifetime

The SA lifetime is requested during IKE Phase II. The test will attempt to refresh the SA with the peer prior to expiration of the lifetime. A different lifetime can be requested for the IKE SA during IKE Phase I.

  • SA Life Duration Type — Use the drop-down list to select the way in which the lifetime will be measured.

Options: Seconds or Kilobytes

Default: Seconds

Tcl Parameter: DataSaLifeDur1

  • SA Life Duration — The maximum lifetime in seconds or kilobytes.

Range: N/A

Default: 0

Tcl Parameter: DataSaLifeDurType1

Request Private Address

Private IPv4 Address

Private IPv6 Address

Request Private IPv4 DNS

Request IPv4 P-CSCF Address

Request For Private IPv4 Network Mask

Request Private IPv6 DNS

Request IPv6 P-CSCF Address

Request Private IPv4 Address

Request Private IPv6 Address

When you select ESP Data Mode as Tunnel mode, you can request that the Security Gateway assign a private address and IPv4 or IPv6 DNS to the tunnel endpoint, allowing the MN to communicate with devices in the private network. Selecting Request Private Address also enables Private IPv4 Address, Private IPv6 Address, and Request For Private IPv4 Network Mask.

Request Private IPv6 DNS/Request IPv6 P-CSCF Address/Request For Private IPv4 Network Mask are available when IKE Version = 2.

For IPSec tabs with the NWu variable prefix that show the Request Private addresses (for example, the N3IWF Node test case's NWu IPSec tab), the default is selected (true) and Private IPv4 Address and Private IPv6 Address default to:

Private IPv4 Address = 1.1.1.1

Private IPv6 Address = 2001::1

On AMF Nodal's NWu IPSec tab, when the IKE setting is "IKE With Pre-Shared Keys" or "IKE With RSA Signature", two checkboxes labeled "Request Private IPv4 Address" and "Request Private IPv6 Address" are available on the first tunnel tab, named "NAS PDU". Both are optional. Per TS 24.502:

"The UE shall include the INTERNAL_IP4_ADDRESS attribute, the INTERNAL_IP6_ADDRESS attribute, or both, indicating the type of IP address to be used for the IP tunnels, in the CFG_REQUEST configuration payload. The INTERNAL_IP4_ADDRESS attribute shall contain no value and the length field shall be set to 0. The INTERNAL_IP6_ADDRESS attribute shall contain no value and the length field shall be set to 0".

NOTES:

  • An address should always be requested in a PDG Micro-Mobility test unless the local IP addresses defined on the Mobile Node sub-tab are compatible with the MN's home network or the visited network.
  • The "Request IPv4/v6 P-CSCF Address" options are no longer available on the N2/N3/N4 IPSec tabs in all 5G test cases. If a previous test case was saved with these options, you will see "Removed Extra/Unexpected Tcl Variable" messages for the two checkboxes, depending on which N2/N3/N4 IPSec tab they were enabled on. Reference: TS 33.210 and RFC 7296.

Tcl Parameter: DataIkeReqPrivateAddrEn1

Tcl Parameter: DataReqPrivateIpV4Addr1

Tcl Parameter: DataReqPrivateIpV6Addr1

Tcl Parameter: DataRequestIpV4DNS1

Tcl Parameter: DataRequestIpV4Pcscf1

Tcl Parameter: DataRequestIpV4NetMask1

Tcl Parameter: DataRequestIpV6DNS1

Tcl Parameter: DataRequestIpV6Pcscf1

Tcl Parameter: WfoApIkeReqPrivateAddrEn1

Tcl Parameter: WfoApRequestIpV4DNS1

Tcl Parameter: WfoApPrivateIpV6Addr1

Tcl Parameter: WfoApRequestIpV4Pcscf1

Tcl Parameter: WfoApRequestIpV4NetMask1

Tcl Parameter: WfoApRequestIpV6DNS1

Tcl Parameter: WfoApRequestIpV6Pcscf1

Tcl Parameter: NWuIkeReqPrivateAddrEn1

Tcl Parameter: NWuReqPrivateIpV4Addr1

Tcl Parameter: NWuReqPrivateIpV6Addr1

Tcl Parameter: NWuIkev2ReqPrivIpV4AddrEn1

Tcl Parameter: NWuIkev2ReqPrivIpV6AddrEn1

Tcl Parameter: NWuRequestIpV4DNS1
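An added example (not Landslide code) of the IKEv2 Configuration Payload that the Request Private ... checkboxes above produce, as a Python builder and parser. Attribute numbers come from RFC 7296 section 3.15.1 (the P-CSCF attributes from RFC 7651); the zero-length request form is the TS 24.502 rule quoted above. The sample addresses are constructed, and the reply side is included only to show the length difference between a request and an assignment.

```python
"""IKEv2 Configuration Payload (CP) builder/parser for the Request Private ... settings
(added example, not Landslide code). Attribute numbers: RFC 7296 3.15.1, P-CSCF from
RFC 7651; zero-length request attributes per the TS 24.502 text quoted on this page.
Sample addresses are constructed."""
import struct
from ipaddress import ip_address

CFG_REQUEST, CFG_REPLY = 1, 2
ATTR = {
    "INTERNAL_IP4_ADDRESS": 1, "INTERNAL_IP4_NETMASK": 2, "INTERNAL_IP4_DNS": 3,
    "INTERNAL_IP6_ADDRESS": 8, "INTERNAL_IP6_DNS": 10,
    "P_CSCF_IP4_ADDRESS": 20, "P_CSCF_IP6_ADDRESS": 21,
}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ADDRESS_ATTRS = {"INTERNAL_IP4_ADDRESS", "INTERNAL_IP6_ADDRESS"}


def _payload(cfg_type: int, attrs: list[tuple[int, bytes]], next_payload: int = 0) -> bytes:
    """Generic payload header (Next Payload, C/reserved, Length) + CFG Type + attributes."""
    body = bytes([cfg_type, 0, 0, 0])                       # CFG Type + 3 reserved bytes
    for type_, value in attrs:
        body += struct.pack("!HH", type_ & 0x7FFF, len(value)) + value   # R bit clear
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_cfg_request(names: list[str]) -> bytes:
    """CFG_REQUEST as the UE sends it: each requested attribute with length 0 (TS 24.502)."""
    return _payload(CFG_REQUEST, [(ATTR[n], b"") for n in names])


def build_cfg_reply(assigned: dict[str, str], v6_prefix: int = 64) -> bytes:
    """CFG_REPLY from the Security Gateway: IPv4 values are 4 bytes, IPv6 is 16 bytes + prefix."""
    attrs = []
    for name, text in assigned.items():
        value = ip_address(text).packed
        if name == "INTERNAL_IP6_ADDRESS":
            value += bytes([v6_prefix])
        attrs.append((ATTR[name], value))
    return _payload(CFG_REPLY, attrs)


def parse_cfg(payload: bytes) -> tuple[int, list[tuple[str, bytes]]]:
    """Return (CFG Type, [(attribute name, raw value), ...]); rejects truncated input."""
    if len(payload) < 8:
        raise ValueError("short payload")
    _next, _crit, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length mismatch")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        type_, alen = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute value")
        type_ &= 0x7FFF
        attrs.append((ATTR_NAME.get(type_, f"UNKNOWN_{type_}"), value))
        off += 4 + alen
    return payload[4], attrs


def request_conforms(payload: bytes) -> bool:
    """TS 24.502 check: a CFG_REQUEST carries INTERNAL_IP4/IP6_ADDRESS with no value."""
    cfg_type, attrs = parse_cfg(payload)
    return cfg_type == CFG_REQUEST and all(
        value == b"" for name, value in attrs if name in ADDRESS_ATTRS)


if __name__ == "__main__":
    req = build_cfg_request(["INTERNAL_IP4_ADDRESS", "INTERNAL_IP6_ADDRESS", "INTERNAL_IP4_DNS"])
    print(req.hex(), parse_cfg(req), request_conforms(req))
    rep = build_cfg_reply({"INTERNAL_IP4_ADDRESS": "1.1.1.1", "INTERNAL_IP6_ADDRESS": "2001::1"})
    print(rep.hex(), parse_cfg(rep))
```

The parser checks the payload length against the actual bytes and each attribute length against what remains, which is the check a capture-based verification of the CFG exchange needs; a request whose INTERNAL_IP4_ADDRESS carries a value is reported as non-conforming rather than silently accepted.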

Advanced...

See Advanced IPSec Settings if you are testing with IKEv2.



Apply Parameter Values from Test Data File

You can provision explicit values for each MN by using a Test Data File for a tunnel definition. Download a sample IPSec file by right-clicking the link below.

Tcl Parameter:

DataCfgFileEn1

BsAsnCfgFileEn1

Mip4CfgFileEn1

Mip6CfgFileEn1

NOTES:

  • Each IPSec file includes IKE Phase I as well as IKE Phase II settings for the applicable tunnel.

  • When you configure a file for IKE With Pre-Shared Keys, enter the shared key in both the Peer Public Key and Private Key values.

  • Encryption Key Type for both IKE Phase I and IKE Phase II is handled by Private Key Type in the data file.
