IPSec IMS-AKA

Compliance with the VoLTE specification (GSMA PRD IR.92) requires cluster member support for IPsec IMS-AKA (IP Multimedia Services Authentication and Key Agreement) as defined in 3GPP TS 24.299, IP Multimedia Call Control Protocol Based on Session Initiation Protocol (SIP) and Session Description Protocol (SDP): Stage 3, and TS 33.203, 3G Security: Access Security for IP-based Services.

Support for IMS-AKA requires no additional configuration elements.

Sample IMS-AKA Configuration

The following formatted extract from show running-config ACLI output shows a sample IMS-AKA profile configuration.

ims-aka-profile
name                           dut2.test
protected-client-port          4060
protected-server-port          4060
encr-alg-list                  aes-cbc des-ede3-cbc null
auth-alg-list                  hmac-sha-1-96 hmac-md5-96
last-modified-by               admin@172.30.11.18
last-modified-date             2012-01-10 17:31:59

Sample Security Policy Configuration

The following formatted extracts from show running-config ACLI output show three associated security policies.

The first policy, and the one with the highest priority, opens Port 5060 for SIP traffic.

security-policy
name                           pol1
network-interface              M10:0.6
priority                       0
local-ip-addr-match            3fff:c0ac::c0ac:ce12
remote-ip-addr-match           ::
local-port-match               5060
local-port-match-max           5060
remote-port-match              0
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ::
remote-ip-mask                 ::
action                         allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
local-port-mask                65535
remote-port-mask               65535
trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:48:59

The second policy opens Port 4444 for CCP traffic.

security-policy
name                           pol2
network-interface              M10:0.6
priority                       2
local-ip-addr-match            3fff:b623::b623:ce02
remote-ip-addr-match           3fff:b623::b623:ce01
local-port-match               4444
local-port-match-max           4444
remote-port-match              4444
remote-port-match-max          4444
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
action                         allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
local-port-mask                65535
remote-port-mask               65535
trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:49:15

The third policy, which has the lowest priority (the highest priority value) and is consequently the last policy applied, requires IPsec on all ports not already matched by a higher-priority policy.

security-policy
name                           pol3
network-interface              M10:0.6
priority                       10
local-ip-addr-match            3fff:c0ac::c0ac:ce12
remote-ip-addr-match           ::
local-port-match               0
remote-port-match              0
trans-protocol-match           ALL
direction                      both
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ::
action                         ipsec
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask                  ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask                 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
local-port-mask                65535
remote-port-mask               65535
trans-protocol-mask            0
valid                          enabled
vlan-mask                      0xFFF
last-modified-by               admin@console
last-modified-date             2012-01-10 17:50:42
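The following Python model shows how the three policies above combine: the packet is checked against policies in ascending priority value, and the first match decides whether traffic is passed in the clear or must arrive inside IPsec. This is an added illustration, not vendor code; the matching semantics it assumes (a port value of 0 matches any port, a mask of :: matches any address, an omitted -max value equals the -match value, lowest numeric priority wins) are assumptions, and the embedded extract is constructed from the page's own values with the bookkeeping lines removed.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed input: the match-relevant lines of pol1, pol2 and pol3 from this
# page. The outbound-sa-fine-grained-mask sub-block (shown for pol1) reuses the
# same key names as the match criteria, so the parser must not merge it.
SAMPLE_POLICIES = """\
security-policy
name                    pol1
priority                0
local-ip-addr-match     3fff:c0ac::c0ac:ce12
remote-ip-addr-match    ::
local-port-match        5060
local-port-match-max    5060
remote-port-match       0
trans-protocol-match    ALL
local-ip-mask           ::
remote-ip-mask          ::
action                  allow
outbound-sa-fine-grained-mask
local-ip-mask           ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask          ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
security-policy
name                    pol2
priority                2
local-ip-addr-match     3fff:b623::b623:ce02
remote-ip-addr-match    3fff:b623::b623:ce01
local-port-match        4444
local-port-match-max    4444
remote-port-match       4444
remote-port-match-max   4444
trans-protocol-match    ALL
local-ip-mask           ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask          ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
action                  allow
security-policy
name                    pol3
priority                10
local-ip-addr-match     3fff:c0ac::c0ac:ce12
remote-ip-addr-match    ::
local-port-match        0
remote-port-match       0
trans-protocol-match    ALL
local-ip-mask           ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
remote-ip-mask          ::
action                  ipsec
"""


def parse_policies(text: str) -> list:
    """Split an ACLI-style extract into one dict per security-policy block."""
    policies, current, in_sa_mask = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "security-policy":
            current, in_sa_mask = {}, False
            policies.append(current)
        elif key == "outbound-sa-fine-grained-mask":
            in_sa_mask = True  # SA selector masks, not match criteria: skip
        elif current is not None and not in_sa_mask:
            current[key] = value
    return policies


def _ip_matches(addr: str, match: str, mask: str) -> bool:
    # Assumed semantics: compare only the bits set in the mask (:: = any).
    a, m, k = (int(ipaddress.IPv6Address(x)) for x in (addr, match, mask))
    return (a & k) == (m & k)


def _port_matches(port: int, pol: dict, side: str) -> bool:
    # Assumed semantics: 0 = any port; missing -max means a single port.
    lo = int(pol.get(f"{side}-port-match", "0"))
    hi = int(pol.get(f"{side}-port-match-max", lo))
    return lo == 0 or lo <= port <= hi


def matches(pol: dict, local_ip: str, remote_ip: str,
            local_port: int, remote_port: int, proto: str) -> bool:
    proto_ok = pol.get("trans-protocol-match", "ALL") in ("ALL", proto)
    return (proto_ok
            and _ip_matches(local_ip, pol["local-ip-addr-match"], pol["local-ip-mask"])
            and _ip_matches(remote_ip, pol["remote-ip-addr-match"], pol["remote-ip-mask"])
            and _port_matches(local_port, pol, "local")
            and _port_matches(remote_port, pol, "remote"))


def select_action(policies: list, local_ip: str, remote_ip: str,
                  local_port: int, remote_port: int,
                  proto: str = "UDP") -> Optional[Tuple[str, str]]:
    """First match in ascending priority value wins; None if nothing matched."""
    for pol in sorted(policies, key=lambda p: int(p["priority"])):
        if matches(pol, local_ip, remote_ip, local_port, remote_port, proto):
            return pol["name"], pol["action"]
    return None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICIES)
    for pkt in [("3fff:c0ac::c0ac:ce12", "3fff:1::1", 5060, 5060),
                ("3fff:b623::b623:ce02", "3fff:b623::b623:ce01", 4444, 4444),
                ("3fff:c0ac::c0ac:ce12", "3fff:1::1", 4060, 4060)]:
        print(pkt, "->", select_action(pols, *pkt))
```

Under these assumed semantics, SIP on port 5060 and CCP on port 4444 are passed in the clear by pol1 and pol2, while everything else addressed to 3fff:c0ac::c0ac:ce12, including the protected IMS-AKA ports 4060 configured in the profile, falls through to pol3 and is required to arrive inside IPsec. The model also makes one property of the extract visible: pol1 carries a local-ip-mask of ::, so its clear-text exception covers any local address on the interface, whereas pol3's IPsec requirement is bound to a single local address; a packet to another local address on an unlisted port matches no policy at all, and the device's behaviour in that case is not stated on this page.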