Issue: 02
Date: 2013-07-30
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://www.huawei.com
Email: support@huawei.com
Issue 02 (2013-07-30)
SingleRAN
IPsec Feature Parameter Description
Contents
1 About This Document
1.1 Scope
1.2 Intended Audience
1.3 Change History
2 Overview
3 IPsec Working Principles
3.1 Security Association
3.2 IPsec Policies
3.3 IPsec Proposal
3.3.1 Security Protocols
3.3.2 Encapsulation Modes
3.3.3 Encryption and Verification Algorithms
3.4 IPsec Service Procedure
5 IPsec Reliability
5.1 IPsec Tunnel Backup
7 IPsec Application
7.1 Typical IPsec Networking
7.2 Application of IPsec on Macro Base Stations
7.2.1 Application of IPsec on GBTSs
7.2.2 Application of IPsec on eGBTSs, NodeBs, and eNodeBs
7.2.3 Application of IPsec on Multimode Base Stations
7.3 External IPsec on the Base Station Controller Side
7.4 Application of IPsec on Cascaded Base Stations
7.5 Network Evolution Solutions
8 Related Features
8.1 Features Related to Integrated IPsec on the Base Station
8.2 Features Related to IPsec Tunnel Backup
9 Network Impact
10 Engineering Guidelines
10.1 When to Use IPsec
10.2 Required Information
10.3 Planning
10.3.1 Network Planning
10.3.2 Hardware Planning
10.4 Requirements
10.5 Configuration Principles
10.5.1 IPsec Policies
10.5.2 ACL Rules
10.6 Deployment of IPsec on a PKI-based Secure Network
10.6.1 Deploying IPsec on an eGBTS, NodeB, or eNodeB
10.6.2 Deploying IPsec on a GBTS (GTMUb+UMPT_L)
10.6.3 Deploying IPsec on a GBTS (GTMUb+UTRPc)
10.6.4 Deploying Co-IPsec on a GL Dual-Mode Base Station (UMPT_GL/GTMUb+UMPT_L)
10.6.5 Deploying Co-IPsec on a GU Dual-Mode Base Station (UMPT_GU/GTMUb+UMPT_U)
10.6.6 Deploying Co-IPsec on a UL Dual-Mode Base Station (UMPT_UL/UMPT_U+UMPT_L)
10.6.7 Deploying Co-IPsec on a GUL Multimode Base Station (UMPT_GUL)
10.6.8 Deploying Co-IPsec on a GUL Multimode Base Station (UMPT_L+GTMUb+UCIU in the Root BBU and UMPT_U in the Leaf BBU)
10.6.9 Deploying Co-IPsec on a GUL Multimode Base Station (UMPT_U+GTMUb+UCIU in the Root BBU and UMPT_L in the Leaf BBU)
10.7 Deployment of IPsec on a PSK-based Secure Network
10.7.1 Data Preparation
10.7.2 Initial Configuration
10.7.3 Activation Observation
10.8 Secure Configuration Modification on a Reconstructed Network
10.8.1 Reconstruction from an Insecure Network to a PKI-based Secure Network
11 Parameters
12 Counters
13 Glossary
14 Reference Documents
1.1 Scope
This document describes the Internet Protocol Security (IPsec) feature, including its technical
principles, related features, network impact, and engineering guidelines.
This document covers the following features:
- LOFD-003009 IPsec
Any managed objects (MOs), parameters, alarms, or counters described herein correspond to
the software release delivered with this document. Any future updates will be described in the
product documentation delivered with future software releases.
Table 1-1 lists the definitions of all kinds of macro base stations.
Table 1-1 Definitions of all kinds of base stations
Base Station Name | Definition
GBTS |
eGBTS |
NodeB |
eNodeB |
Co-MPT Multimode Base Station |
Separate-MPT Multimode Base Station |
Feature change: Changes in features of a specific product version
Editorial change: Changes in wording or addition of information that was not described in the earlier version
02 (2013-07-30)
This issue includes the following changes.
Feature change: None
Editorial change: None
Parameter change: None
01 (2013-04-28)
This issue does not include any changes.
Draft B (2013-04-10)
This issue includes the following changes.
Feature change: None
Editorial change: None
Parameter change: None
Draft A (2012-12-30)
This document is created for SRAN8.0.
For GSM BSS/WCDMA RAN, the name of the document is changed from Transmission Security Feature
Parameter Description to IPsec Feature Parameter Description.
For eRAN, this document is derived from Transmission Security Feature Parameter Description.
Compared with Issue 02 (2012-07-20) of SRAN7.0, Draft A (2012-12-30) of SRAN8.0 includes
the following changes.
Feature change: None
Editorial change: None
Parameter change: None
2 Overview
The evolution from radio networks to IP-based networks has improved network performance
and reduced network deployment costs. However, inherent vulnerabilities on IP networks leave
them open to security threats.
Before IPsec is introduced, a base station transmits control-plane data, user-plane data, and
management-plane data in plaintext. Packets transmitted on an insecure network are vulnerable
to unauthorized access or malicious modification. To ensure secure data transmission, Huawei
base stations incorporate the IPsec function, by which IPsec tunnels are established.
As defined by the Internet Engineering Task Force (IETF), IPsec is a security mechanism
implemented at the IP layer and consists of three protocols: Authentication Header (AH),
Encapsulation Security Protocol (ESP), and Internet Key Exchange (IKE). IPsec provides
transparent end-to-end security services for IP networks, thereby protecting the networks from
cyber attacks.
With IPsec, two communicating peers (also known as IPsec peers) ensure the following security
features of IP packets transmitted on the network by encrypting the packets and authenticating
the data source:
- Confidentiality: An IPsec entity encrypts user data and transmits the data in ciphertext to
  prevent the data from being disclosed on the transmission path. The IPsec entity is the
  network element (NE) or network equipment that uses IPsec for communication.
- Integrity: The IPsec entity checks the received data to ensure that it has not been tampered
  with.
- Anti-replay protection: The IPsec entity identifies and rejects packets that are intercepted
  and repeatedly sent by malicious users.
IPsec tunnels between the base station and security gateway (SeGW) can protect data
transmission between the base station and base station controller. Figure 2-1 shows a secure
network.
- Security protocols
- Encapsulation modes
- Verification algorithms
- Encryption algorithms
There are two types of SAs in the IPsec framework: IPsec SAs and IKE SAs. IPsec SAs are
established by negotiation under the protection of IKE SAs. IKE SAs are established by
negotiation between IKE peers. An IKE SA defines the IKE SA lifetime and the encryption,
verification, authentication, and pseudo-random function (PRF) algorithms used between IKE
peers. For details, see section 4 IKE Working Principles.
IPsec SAs are unidirectional, and therefore at least two IPsec SAs are required to protect data
flows in two directions. Figure 3-1 shows an example of an IPsec SA.
NOTE
The Security Parameter Index (SPI) is used to identify IPsec SAs. Each IPsec SA has a unique SPI.
Each IPsec SA uses either AH or ESP to provide security services. If both AH and ESP are used,
each IPsec entity requires two IPsec SAs: one for AH and the other for ESP.
An IPsec SA has a limited lifetime. After the lifetime elapses, the IPsec SA becomes invalid.
Before an IPsec SA becomes invalid, IKE establishes a new IPsec SA by negotiation. For details
about the IPsec SA, see IETF RFC 4301.
IPsec proposal
An IPsec proposal defines how to protect data flows, that is, which protocol type,
encapsulation mode, and encryption and verification algorithms are used. For details, see
section 3 IPsec Working Principles.
IKE
IKE is used to specify the identity authentication method and the encryption, verification,
and key generation algorithms before an IPsec SA is established. For details, see chapter
4 IKE Working Principles.
IPsec SA lifetime
The LTCFG, LTS, and LTKB parameters specify the IPsec SA lifetime. If LTCFG is set
to GLOBAL, the IPsec SA lifetime is set to 3600 seconds. If LTCFG is set to LOCAL, the
IPsec SA lifetime is configured by LTS and LTKB. If LTKB is set to 0, traffic-based IPsec
SA validity judgment is disabled. An IPsec SA becomes invalid when its lifetime reaches
the value of LTS or LTKB.
Anti-replay window
The REPLAYWND parameter specifies the anti-replay window size.
- If this parameter is set to WND_DISABLE(0), the window size is 0 and therefore the
  anti-replay function is disabled.
- If this parameter is set to WND_32(32), WND_64(64), WND_128(128), WND_256(256),
  WND_512(512), WND_1024(1024), WND_2048(2048), or WND_4096(4096), the window size is
  32, 64, 128, 256, 512, 1024, 2048, or 4096, respectively. Base stations check for packet
  duplicates within the window. If a packet has a duplicate within the window or falls on the
  left of the window, base stations discard the packet.
It is recommended that the anti-replay function be disabled if there is a severe out-of-order
problem in IPsec packets on live networks. For example, such a problem could occur when
differentiated services code point (DSCP) values are attached to IPsec packets based on
service types due to scheduling at network nodes. If the anti-replay function is enabled in
this situation, a large number of IPsec packets may be lost, which severely affects service
performance.
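The window check described above, as an added example that is not code from the Huawei document: a receive-side anti-replay window following the REPLAYWND semantics (0 disables the check; 32 to 4096 set the width), modelled on the bitmap window of RFC 4303. The packet sequences fed to it are constructed samples, including the delayed-packet case that the recommendation above is about.

```python
# Added example, not code from the Huawei document: a receive-side anti-replay
# window with REPLAYWND semantics (0 disables the check; 32..4096 set the
# width), modelled on the RFC 4303 bitmap window. Samples below are constructed.

VALID_WINDOW_SIZES = (0, 32, 64, 128, 256, 512, 1024, 2048, 4096)


class AntiReplayWindow:
    """Replay check for one inbound IPsec SA (sequence numbers start at 1)."""

    def __init__(self, size: int) -> None:
        if size not in VALID_WINDOW_SIZES:
            raise ValueError(f"unsupported REPLAYWND value {size}")
        self.size = size      # 0 = WND_DISABLE: every packet is accepted
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence (highest - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True if the packet carrying sequence number seq may be processed."""
        if self.size == 0:
            return True       # anti-replay disabled: no duplicate check at all
        if seq > self.highest:
            # Right of the window: slide the window forward to the new packet.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                      # old history falls out of range
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # left of the window: too old, discard
        if self.bitmap & (1 << offset):
            return False      # duplicate inside the window, discard
        self.bitmap |= 1 << offset                    # late but new: accept
        return True


def replay_check(seq_numbers, window_size):
    """Feed received sequence numbers through one window; return (accepted, dropped)."""
    window = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in seq_numbers:
        (accepted if window.accept(seq) else dropped).append(seq)
    return accepted, dropped


# Constructed sample: in-order packets, one reordered pair and two replayed copies.
SAMPLE_REPLAY = [1, 2, 3, 5, 4, 5, 2]

# Constructed sample of the out-of-order problem the document warns about: one
# legitimate packet delayed behind 80 later packets (e.g. by DSCP-based scheduling).
SAMPLE_LATE = [s for s in range(1, 101) if s != 20] + [20]

if __name__ == "__main__":
    print("replay sample, WND_32:", replay_check(SAMPLE_REPLAY, 32))
    for size in (64, 128, 0):
        print(f"late packet, window {size}: dropped {replay_check(SAMPLE_LATE, size)[1]}")
```

With WND_64 the delayed packet is discarded as "left of the window" even though it was never seen; WND_128 or WND_DISABLE accepts it, which is the trade-off behind the recommendation above.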
Base stations can negotiate one or multiple IPsec SAs based on a set of parameters related to
IPsec policies. The number of negotiated IPsec SAs depends on the number of configured ACL
rules. If the ACTION parameter in an ACLRULE MO is set to PERMIT, one incoming IPsec
SA and one outgoing IPsec SA can be negotiated for the corresponding ACL rule.
Protocol | Function | Verification Scope | Application Scenario
AH | Integrity protection; anti-replay | | Non-confidential data
ESP | Integrity protection; anti-replay; encryption | | Confidential data
AH and ESP can be applied separately or jointly. When both are used, ESP takes precedence
over AH.
IPsec tunnels protect IP packets by encapsulating the packets. Both AH and ESP support two
packet encapsulation modes: transport mode and tunnel mode. The transport mode applies to
the host's packets, whereas the tunnel mode applies to packets transmitted on forwarding
equipment. For details about the packet encapsulation modes, see section 3.3.2 Encapsulation
Modes.
Data integrity protection or encryption provided by AH or ESP relies on the verification and
encryption algorithms. For details, see section 3.3.3 Encryption and Verification
Algorithms .
Protocol types, encapsulation modes, and encryption and verification algorithms are negotiated
between the base station and SeGW. In addition, the key used in data encryption is generated
based on IKE negotiation. For details about IKE, see chapter 4 IKE Working Principles.
For details about AH, see IETF RFC 4302. For details about ESP, see IETF RFC 4303.
Transport Mode
In transport mode, an AH header is inserted after the IP header of the original packet and before
any other transport layer protocol, as shown in Figure 3-2.
Figure 3-2 AH packet encapsulation format used in transport mode
In transport mode, an ESP header is inserted after the IP header of the original packet and before
any other transport layer protocol, and an ESP trailer and an ESP authenticator are attached to
the rear of the original packet, as shown in Figure 3-3.
Figure 3-3 ESP packet encapsulation format used in transport mode
In transport mode, the source IP address for packets sent by a base station is the service or
operation and maintenance (O&M) IP address of the base station, and the destination IP address
for the packets is the service or O&M IP address of peer equipment.
Generally, IP packets transmitted between hosts are encapsulated in transport mode. The sending
equipment encrypts the IP packets and the receiving equipment decrypts them. The transport
mode is used only for end-to-end IPsec protection.
Figure 3-4 shows the end-to-end protocol stack in transport mode.
Figure 3-4 End-to-end protocol stack in transport mode
Tunnel Mode
In tunnel mode, an AH header is prefixed to the IP header of the original packet, and a new IP
header is prefixed to the AH header. Figure 3-5 shows the format used for encapsulating AH
packets in tunnel mode.
Figure 3-5 AH packet encapsulation format used in tunnel mode
In tunnel mode, an ESP header is prefixed to the IP header of the original packet, and a new IP
header is prefixed to the ESP header. Figure 3-6 shows the format used for encapsulating ESP
packets in tunnel mode.
AH does not provide integrity protection for some variable fields in an IP packet, such as Type
of Service, Time to Live, and Checksum. This is because these fields may be legally modified
during transmission.
In tunnel mode, IPsec encrypts an IP header of the original packet and generates a new IP header,
which is used for route forwarding. The new IP header always uses the interface IP address of
a base station and the IP address of the peer equipment (usually, an SeGW) as the source and
destination IP addresses, respectively. The IP header of the original packet contains the service
or O&M IP address of the base station.
Figure 3-7 shows the end-to-end protocol stack in tunnel mode.
Figure 3-7 End-to-end protocol stack in tunnel mode
If the sending equipment does not itself encrypt the packets or the receiving equipment does not
itself decrypt them (that is, the IPsec peers are not the communicating hosts), the IPsec peers
usually use the tunnel mode. Figure 3-8 shows an example of using the tunnel mode between a base
station and an SeGW.
Figure 3-8 Tunnel mode example
Summary
The transport and tunnel modes differ in the following ways:
- Security: The tunnel mode provides higher security than the transport mode, because the
  entire original IP packet is encrypted and integrity protection is performed in tunnel mode.
- Performance: The transport mode provides better transmission performance than the tunnel
  mode, because a new IP header is added in tunnel mode and therefore more bandwidth is
  used.
In addition, in tunnel mode, an SeGW must be deployed on a network to separate the security
and non-security domains. The SeGW must also support functions, such as encapsulation in
tunnel mode, encryption, and integrity protection. In transport mode, both communicating peers
must support functions, such as IKE negotiation, encryption, and integrity protection. Therefore,
users must comprehensively consider security, deployment, and performance when choosing
between the two encapsulation modes. The chosen encapsulation mode must be supported by
the IPsec peer.
The ENCAPMODE parameter specifies the encapsulation mode.
- AES192
- AES256
Compared with DES and 3DES, AES is more secure and provides higher encryption speed.
3DES is more secure than DES, but 3DES takes longer to encrypt than DES. Therefore, DES is
not recommended for security reasons.
Verification Algorithm
Both AH and ESP can check the integrity of IP packets to determine whether the IP packets
were tampered with during transmission. The verification algorithm is implemented mainly
based on a hash function, which accepts messages of any length and generates outputs of a fixed
length. The outputs are called message digests. Upon receiving a packet from the IPsec local
end, the IPsec peer calculates the digests and compares them with those carried in the packet. If
the two sets of digests are the same, the packet is complete and has not been tampered with. Base
stations support the following verification algorithms:
- SHA-256
- AES-XCBC (extension-cipher-block-chaining)-MAC-96
Among the four verification algorithms, MD5 has the lowest security level and therefore is not
recommended.
For details about MD5, see IETF RFC 2403. For details about SHA, see IETF RFC 2404.
2.
3. During data communication, the IPsec local end encrypts data that complies with ACL
   rules, and the IPsec peer end decrypts the received data.
4.1 Introduction
IPsec SAs can be manually configured. However, as the amount of security equipment on the
network increases, manual configuration becomes difficult and can hardly ensure security. IKE can
be used to automatically establish SAs, which simplifies the use and management of IPsec.
Currently, IPsec SAs for base stations can be established only by using IKE, not by manual
configuration.
IKE is a security mechanism based on the Internet Security Association and Key Management
Protocol (ISAKMP) framework. It provides encryption and authentication algorithms and key
negotiation for communicating peers. It also securely distributes keys, authenticates identities,
and establishes IPsec SAs on insecure networks. The details are as follows:
- IKE SA establishment
  An ISAKMP SA (also known as IKE SA) is established based on IKE negotiation. The
  IKE SA provides an authenticated and secure channel for data exchange. Under the
  protection of the IKE SA, an IPsec SA is established by negotiation.
  IKE negotiation involves the IKE protocol version, negotiation mode, and IKE proposal.
- Identity authentication
  Communicating peers exchange identity information to authenticate each other. This
  information includes authentication methods agreed upon in IKE negotiation and keys
  generated by DH exchange.
IP addresses for the IKE local and peer ends (specified by LOCALIP and REMOTEIP,
respectively) must be specified for IKE negotiation.
For details about IKE, see IETF RFC 4301, IETF RFC 2409, and IETF RFC 4306.
In the second phase, the communicating peers negotiate and establish an IPsec SA under
the protection of the IKE SA. The IPsec SA is used for secure data transmission.
A negotiation mode is an information exchange mode used during IKE negotiation. IKEv1
allows for three negotiation modes: main mode, aggressive mode, and quick mode.
In the first phase, either main mode or aggressive mode can be used.
- If main mode is used, an IKE SA is established after three exchanges, as shown in Figure
  4-1.
  - Policy negotiation: An IKE proposal is negotiated by exchanging IKE policies.
  - DH exchange: A shared key is generated by exchanging key materials.
  - Identity authentication: Communicating peers exchange identity information and
    authenticate each other based on the negotiated IKE proposal and generated key.
Main mode is recommended in the first phase according to the following comparisons:
- Main mode is more secure than aggressive mode because identity information is encrypted
  in main mode but is not encrypted in aggressive mode.
- Multiple IKE proposals can be negotiated at a time in main mode, whereas only one IKE
  proposal can be negotiated at a time in aggressive mode.
- Main mode provides stronger negotiation capability but a more complex negotiation process
  than aggressive mode.
NOTE
If a pre-shared key (PSK) is used for IKE authentication, main mode can use only IP addresses for peer
authentication. In this case, the IDTYPE parameter must be set to IP.
The IKEVERSION parameter specifies the IKE version. The EXCHMODE parameter specifies
the negotiation mode in the first phase of IKEv1 negotiation.
In the second phase, quick mode is used. In this mode, an IPsec SA is established by exchanging
three messages.
Two keys are used for the integrity protection of subsequent messages.
One key is used for IPsec data encryption and integrity protection.
NOTE
Subsequent messages are those sent during IKE negotiation after the DH exchange.
For details about the key generation method, see section 4.3.4 DH Group and PRF
Algorithm.
MD5 and DES are not recommended because they have low security.
- PSK
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
After encrypting a message with a PSK, the sending party sends the encrypted message to
the receiving party. The receiving party decrypts the message with the same PSK. If the
message is decrypted successfully, the authentication is successful.
When PSK authentication is used, communicating peers must use the same PSK. Users can
predefine the PSK by using a Universal Serial Bus (USB) flash drive on a base station.
- Digital certificate
This method enables communicating peers to authenticate each other based on digital
certificates. Certificates are difficult to counterfeit and are managed with a complete
mechanism. For example, certificates have validity periods and can be revoked. Therefore,
certificates are more reliable than PSKs. A public key infrastructure (PKI) system manages
digital certificates for network equipment. For details, see PKI Feature Parameter
Description.
The material length determines the security level. A longer length indicates a higher security
level.
PRF is a highly-reliable unidirectional function that generates keys. After the DH exchange of
key materials, communicating peers use these materials as an input to PRF and generate a key.
Base stations support the following PRF algorithms:
- HMAC_MD5
- HMAC_SHA1
- AES128_XCBC
The DHGRP parameter specifies a DH group, and the PRFALG parameter specifies a PRF
algorithm.
For details about PRF, see IETF RFC 4306.
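The three main-mode exchanges, the PSK-based authentication and the PRF-driven key derivation described in this chapter, as one added example that is not code from the Huawei document: a simplified model of IKEv1 phase 1 in main mode. Key derivation follows the RFC 2409 formulas with HMAC-SHA1 as PRF (the document's HMAC_SHA1 PRFALG value) over DH group 2; the proposal tuples, identities and PSKs are constructed samples, and the encryption that main mode applies to the identity payloads is left out.

```python
# Added example, not code from the Huawei document: simplified IKEv1 main-mode
# phase 1 with PSK authentication. Key derivation follows RFC 2409 section 5
# with HMAC-SHA1 as PRF over DH group 2. Proposals, identities and PSKs are
# constructed samples; encryption of the identity payloads is omitted.
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" (1024-bit MODP, DH group 2); the DHGRP
# parameter selects the group on a real base station.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 used as the IKE pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode_int(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Ikev1Peer:
    """One main-mode endpoint: identity, PSK, acceptable proposals and DH secret."""

    def __init__(self, identity: bytes, psk: bytes, proposals):
        self.identity = identity
        self.psk = psk                           # looked up per peer IP on a real device
        self.proposals = proposals               # (enc, hash, auth, dh) tuples, best first
        self.cookie = secrets.token_bytes(8)     # ISAKMP cookie (CKY)
        self.nonce = secrets.token_bytes(16)     # Ni / Nr
        self.x = secrets.randbelow(GROUP2_P - 2) + 1
        self.public = pow(GROUP2_G, self.x, GROUP2_P)  # g^x, the DH key material
        self.keys = None

    def choose(self, offered):
        """Exchange 1, policy negotiation: first offered proposal we also support."""
        for proposal in offered:
            if proposal in self.proposals:
                return proposal
        raise ValueError("no acceptable IKE proposal")

    def derive(self, peer_public, n_i, n_r, cky_i, cky_r):
        """Exchange 2, DH exchange: compute g^xy and the SKEYID family."""
        shared = encode_int(pow(peer_public, self.x, GROUP2_P))
        skeyid = prf(self.psk, n_i + n_r)                 # PSK authentication
        ctx = shared + cky_i + cky_r
        skeyid_d = prf(skeyid, ctx + b"\x00")             # keying material for IPsec SAs
        skeyid_a = prf(skeyid, skeyid_d + ctx + b"\x01")  # integrity of later IKE messages
        skeyid_e = prf(skeyid, skeyid_a + ctx + b"\x02")  # encryption of later IKE messages
        self.keys = {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}
        return self.keys

    def auth_hash(self, signer_pub, other_pub, signer_cky, other_cky, sa_body, signer_id):
        """Exchange 3: HASH_I / HASH_R, proof that both sides share SKEYID (and the PSK)."""
        data = (encode_int(signer_pub) + encode_int(other_pub) + signer_cky
                + other_cky + sa_body + signer_id)
        return prf(self.keys["skeyid"], data)


def main_mode_phase1(init: Ikev1Peer, resp: Ikev1Peer):
    """Run the three exchanges; return (authenticated, chosen proposal, same SKEYID_d)."""
    chosen = resp.choose(init.proposals)            # main mode may offer several proposals
    sa_body = repr(chosen).encode()
    args = (init.nonce, resp.nonce, init.cookie, resp.cookie)
    init_keys = init.derive(resp.public, *args)
    resp_keys = resp.derive(init.public, *args)
    # Each side sends its hash; the other recomputes it with its own SKEYID.
    hash_i = init.auth_hash(init.public, resp.public, init.cookie, resp.cookie,
                            sa_body, init.identity)
    hash_r = resp.auth_hash(resp.public, init.public, resp.cookie, init.cookie,
                            sa_body, resp.identity)
    ok_i = hmac.compare_digest(hash_i, resp.auth_hash(
        init.public, resp.public, init.cookie, resp.cookie, sa_body, init.identity))
    ok_r = hmac.compare_digest(hash_r, init.auth_hash(
        resp.public, init.public, resp.cookie, init.cookie, sa_body, resp.identity))
    return ok_i and ok_r, chosen, init_keys["d"] == resp_keys["d"]


# Constructed samples: the base station offers two proposals, the SeGW accepts one.
BTS_PROPOSALS = [("AES256", "SHA256", "PSK", "DH2"), ("AES128", "SHA1", "PSK", "DH2")]
SEGW_PROPOSALS = [("AES128", "SHA1", "PSK", "DH2")]


def run_demo(bts_psk: bytes, segw_psk: bytes):
    """Negotiate between a base station and an SeGW configured with the given PSKs."""
    bts = Ikev1Peer(b"bts.example", bts_psk, BTS_PROPOSALS)
    segw = Ikev1Peer(b"segw.example", segw_psk, SEGW_PROPOSALS)
    return main_mode_phase1(bts, segw)
```

A PSK mismatch shows up only in exchange 3: both sides still agree on a proposal and a DH shared secret, but their SKEYID values differ, so neither hash verifies and no IPsec keying material is shared.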
Identity authentication: The communicating peers authenticate each other.
Identity protection: To protect identity data, it is sent in encrypted mode after a key is generated.
- The local end does not receive IPsec packets from the peer end within the period specified
  by the DPDIDLETIME parameter.
- The local end needs to send IPsec packets to the peer end.
If the local end receives an acknowledgement from the peer end after sending a DPD message,
it considers the peer end online or normal. If the local end does not receive any acknowledgement
from the peer end after sending the DPD message multiple times (specified by the
DPDRETRN parameter), it considers the peer end unresponsive. In this case, the local end
re-initiates IKE negotiation and begins to record security events. The local end retransmits DPD
messages at an interval specified by the DPDRETRI parameter.
For details about DPD, see IETF RFC 3706.
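The DPD behaviour described above, as an added example that is not code from the Huawei document: a discrete-time simulation of the local end driven by the three parameters DPDIDLETIME, DPDRETRI and DPDRETRN. The traffic pattern and the moment the peer stops answering are constructed samples.

```python
# Added example, not code from the Huawei document: simulation of the local end's
# dead peer detection driven by DPDIDLETIME, DPDRETRI and DPDRETRN. Times are
# seconds on a discrete clock; the traffic pattern and peer failure are constructed.
from dataclasses import dataclass


@dataclass
class DpdConfig:
    idle_time: int       # DPDIDLETIME: seconds without inbound IPsec traffic before probing
    retry_interval: int  # DPDRETRI: seconds between DPD retransmissions
    retry_count: int     # DPDRETRN: retransmissions after the first DPD before giving up


class DpdMonitor:
    """Local-end DPD state for one IKE peer."""

    def __init__(self, cfg: DpdConfig, peer_answers):
        self.cfg = cfg
        self.peer_answers = peer_answers  # callable(now) -> bool: does the peer acknowledge?
        self.last_rx = 0                  # time of the last IPsec packet from the peer
        self.pending = None               # (time of last DPD sent, DPDs sent so far)
        self.events = []                  # (time, event, detail) log

    def on_inbound(self, now: int) -> None:
        """Any IPsec packet from the peer proves it is alive and cancels probing."""
        self.last_rx = now
        self.pending = None

    def on_outbound(self, now: int) -> None:
        """Before sending, probe if the peer has been silent for DPDIDLETIME."""
        if self.pending is None and now - self.last_rx >= self.cfg.idle_time:
            self._send_dpd(now)

    def _send_dpd(self, now: int) -> None:
        sent = 1 if self.pending is None else self.pending[1] + 1
        if self.peer_answers(now):
            self.events.append((now, "dpd-ack", sent))
            self.on_inbound(now)          # the acknowledgement counts as inbound traffic
        else:
            self.events.append((now, "dpd-sent", sent))
            self.pending = (now, sent)

    def tick(self, now: int) -> None:
        """Called every second: retransmit, or declare the peer unresponsive."""
        if self.pending is None:
            return
        last_sent, sent = self.pending
        if now - last_sent < self.cfg.retry_interval:
            return
        if sent > self.cfg.retry_count:   # first DPD plus DPDRETRN retransmissions unanswered
            self.events.append((now, "peer-dead", "re-initiate IKE, record security event"))
            self.pending = None
        else:
            self._send_dpd(now)


def simulate(cfg, inbound_times, outbound_times, peer_up_until, end=200):
    """Replay a constructed traffic pattern; the peer stops answering at peer_up_until."""
    monitor = DpdMonitor(cfg, lambda now: now < peer_up_until)
    for now in range(end + 1):
        if now in inbound_times:
            monitor.on_inbound(now)
        if now in outbound_times:
            monitor.on_outbound(now)
        monitor.tick(now)
    return monitor.events


# Constructed sample: peer traffic at t=0 and t=20, local sends at t=55, 70 and 120,
# and the peer silently fails at t=100.
SAMPLE_CFG = DpdConfig(idle_time=30, retry_interval=5, retry_count=3)
SAMPLE_EVENTS = simulate(SAMPLE_CFG, inbound_times={0, 20}, outbound_times={55, 70, 120},
                         peer_up_until=100)
```

In the sample the probe at t=55 is acknowledged, the send at t=70 triggers nothing because the peer was heard from 15 seconds earlier, and the send at t=120 starts a DPD sequence that ends with the peer declared dead after one DPD plus DPDRETRN retransmissions.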
5 IPsec Reliability
In the uplink, the base station automatically switches services to the secondary IPsec tunnel.
In the downlink, the SeGW requires that BFD be bound to the dynamic routing protocol in
order to switch services to the secondary IPsec tunnel. If the SeGW detects that the primary
IPsec tunnel is faulty, the SeGW automatically switches services to the secondary IPsec
tunnel.
On the base station side, the source and destination IP addresses for a BFD session must be the
same as the local and peer IP addresses for the associated primary or secondary IPsec tunnel,
respectively.
For details about BFD, see IP Transport Architecture Feature Parameter Description.
The application constraints of IPsec Tunnel Backup are as follows:
- IPsec Tunnel Backup cannot be used when two SeGWs work in hot backup mode.
- When the primary IPsec tunnel is recovered, uplink data flows will not be automatically switched back to the primary IPsec tunnel, which may cause asymmetrical data flows in the uplink and downlink. This requires that the firewall on the SeGW side support unidirectional data flows and that the SeGW can trigger IKE negotiation.
- IPsec Tunnel Backup does not apply to scenarios where the base station provides one transmission port with VLAN configurations and one transmission port without VLAN configurations.
- If IPsec tunnel backup is enabled and the OM channel is IPsec-encrypted, the base station cannot be deployed in PnP mode.
Data processing at the IP and Media Access Control (MAC) layers may be delayed. To eliminate the delay and provide accurate timestamps for clock packets, IEEE 1588v2 defines that a timestamp is attached after data processing at the MAC layer and before data processing at the physical layer, as shown in Figure 6-1. After an IEEE 1588v2 clock packet is encapsulated by MAC and upper-layer protocols, an NE uses equipment to detect the User Datagram Protocol (UDP) port number carried in the packet before data processing at the physical layer. If the UDP port number is 319, the NE attaches a timestamp to the packet to record the leaving or arrival time of the packet.
Figure 6-1 Timestamp processing in IEEE 1588v2
IPsec encrypts and verifies packets at the IP layer, whereas timestamps are attached to IEEE 1588v2 clock packets between data processing at the MAC layer and data processing at the physical layer. As a result, two problems occur when IPsec is used to provide confidentiality and data integrity protection for IEEE 1588v2 clock packets. The problems are as follows:
- After IPsec encryption, the UDP port number carried in an IEEE 1588v2 clock packet cannot be identified.
- After IPsec data integrity protection by the sender, an IEEE 1588v2 clock packet fails the data integrity check performed by the receiver due to an attached timestamp.
To solve these problems, the IEEE 1588v2 over IPsec solution is introduced. This solution enables IPsec encryption for Layer 3 (L3) unicast packets in frequency synchronization. The procedure is as follows:
1. Upon receiving an encrypted packet that cannot be identified as an IEEE 1588v2 clock packet, the base station records the arrival time of the packet and sends the timestamp to the upper layer together with the encrypted packet.
2. The base station decrypts the encrypted packet and checks whether the packet is an IEEE 1588v2 clock packet based on the UDP port number.
3. If the packet is an IEEE 1588v2 clock packet, the base station checks the leaving time of the packet. The base station then uses the Adapter Clock Recover (ACR) algorithm to restore the clock frequency based on the leaving and arrival time of the packet.
NOTE
This solution applies only to L3 unicast packets in frequency synchronization. This solution does not apply to time synchronization because time synchronization has the following restrictions:
- Timestamps are required for all L3 equipment between the base station and SeGW.
- Intermediate equipment cannot identify IEEE 1588v2 clock packets within encrypted packets.
7 IPsec Application
NOTE
The connection mode between the router and SeGW is determined in the network plan.
- On an existing network, an SeGW is recommended on the router side.
- On a newly deployed network, the router should connect directly to the SeGW.
In the typical IPsec networking, the base station must obtain a device certificate from the CA
before an IPsec tunnel is established between the base station and SeGW. For details about how
to apply for a device certificate, see PKI Feature Parameter Description.
Base stations can be deployed in two modes in the typical IPsec networking:
- GTMUb+UMPT_L/LMPT
  The GTMUb and UMPT_L/LMPT communicate with each other through the BBU backplane, and the UMPT_L/LMPT provides IPsec and transfers GBTS data.
  Figure 7-2 shows an example of implementing IPsec on a GBTS configured with the GTMUb and UMPT_L.
  Figure 7-2 Example of implementing IPsec on a GBTS configured with the GTMUb and UMPT_L
  NOTE
  UMPT_L refers to a UMPT working in LTE(FDD) mode, and UMPT_T refers to a UMPT working in LTE(TDD) mode.
- GTMUb+UTRPc
  The GTMUb and UTRPc communicate with each other through the BBU backplane, and the UTRPc provides IPsec and connects to the transport network.
  Figure 7-3 shows an example of implementing IPsec on a GBTS configured with the GTMUb and UTRPc.
  Figure 7-3 Example of implementing IPsec on a GBTS configured with the GTMUb and the UTRPc
UMPT_G refers to the UMPT working in GSM mode, UMPT_U refers to the UMPT working in UMTS mode, UMPT_L refers to the UMPT working in LTE(FDD) mode, and UMPT_T refers to the UMPT working in LTE(TDD) mode.
To implement IPsec on an existing 3812 series base station or to enable the base station to support
IPsec after being upgraded to a multimode base station, an external SeGW must be deployed on
the base station side.
A co-MPT GUL multimode base station uses a UMPT_GUL, as shown in Figure 7-6.
The UMPT_GUL supports GSM, UMTS, and LTE and provides IPsec for eGBTS, NodeB,
and eNodeB data flows.
Figure 7-6 Example of implementing co-IPsec on a co-MPT GUL multimode base station
Figure 7-7 Example of networking for co-IPsec on a separate-MPT GUL multimode base station
controllers do not support integrated IPsec and therefore can only use external IPsec. Figure
7-8 shows an example of external IPsec on the base station controller side.
Figure 7-8 Example of external IPsec on the base station controller side
The throughput of an external SeGW must exceed the planned total traffic volume on GSM and
UMTS user planes.
If no SeGW is deployed on the operator's network, it is recommended that you use Huawei
Eudemon1000E-X or Eudemon8000E-X to implement external IPsec on the base station
controller side.
It is recommended that the following functions be disabled on the SeGW:
- Whitelist: Interface boards on a base station controller have firewalls and provide the whitelist function.
Base stations can be cascaded in either of the following ways:
- Each base station has a separate IPsec tunnel and the Hub base station provides route forwarding, as shown in Figure 7-9.
- The Hub base station provides one IPsec tunnel for all cascaded base stations, as shown in Figure 7-10.
Figure 7-9 Separate IPsec tunnel for each base station and route forwarding by the Hub base
station
Figure 7-10 IPsec tunnel provided by the Hub base station for all cascaded base stations
In base station cascading scenarios, it is recommended that the Hub base station be used only for route forwarding, as shown in Figure 7-9.
In the evolution from an insecure transport network to a secure network, if the SeGW and PKI
system have already been deployed, operators can directly upgrade the insecure transport
network to a PKI-based secure network. During the evolution, users need to download and
activate configuration data. This process interrupts ongoing services.
In the evolution from a PSK-based secure network to a PKI-based secure network, users need to modify configuration data online and specify a board where a certificate is to be deployed. The base station must be reset for the modifications to take effect, which interrupts ongoing services. Users can run the SET BTSCERTDEPLOY and SET CERTDEPLOY commands to set a board where a certificate is to be deployed on the GBTS and the eGBTS/NodeB/eNodeB, respectively.
8 Related Features
LOFD-003009 IPsec
If IPsec uses digital certificate authentication, this feature requires the LOFD-003010
Public Key Infrastructure(PKI) feature.
Impacted Features
None
9 Network Impact
System Capacity
No impact.
Network Performance
IPsec ensures transmission security by encapsulating and encrypting IP packets. This reduces
the transmission efficiency of service packets on the bearer network.
Take ESP encapsulation in tunnel mode as an example. Assume that the IP payload is 500 bytes, the packet length (including the IP header and Ethernet header) before IPsec encapsulation is 540 bytes, the encryption algorithm is 3DES, and the authentication algorithm is MD5. Then, the packet structure after encapsulation is as follows:
20 bytes (Ethernet header) + 20 bytes (external IP header) + 8 bytes (ESP header) + 20 bytes (internal IP header) + 8 bytes (initialization vector) + 500 bytes (payload) + 2 bytes (padding) + 2 bytes (ESP trailer) + 16 bytes (integrity check value for MD5)
The total length is 596 bytes. The transmission efficiency decreases from 92.59% to 83.89%.
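The calculation above, as an added example that is not part of the document: it reproduces the 540-to-596-byte figures with the document's header sizes (including its 20-byte Ethernet header and 16-byte MD5 ICV) and generalizes to other cipher block sizes, ICV lengths, transport mode, and smaller payloads, where the padding and fixed overhead weigh far more. The AES/SHA1 parameter set is our addition.

```python
from dataclasses import dataclass

ETH_HEADER = 20     # the document's figure for the Ethernet header
IP_HEADER = 20      # IPv4 header without options
ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspAlgs:
    name: str
    block: int     # cipher block size: payload + padding + trailer is padded to a multiple of it
    iv_len: int    # IV transmitted in front of the encrypted payload
    icv_len: int   # integrity check value appended after the trailer


# The document's example: 3DES (8-byte block and IV) with a 16-byte MD5 ICV. RFC 2403
# HMAC-MD5-96 carries a 12-byte ICV; 16 is kept here to reproduce the document's figures.
TDES_MD5_DOC = EspAlgs("3DES + MD5 (document)", block=8, iv_len=8, icv_len=16)
AES_SHA1 = EspAlgs("AES-CBC + HMAC-SHA1-96", block=16, iv_len=16, icv_len=12)  # our addition


def esp_padding(payload: int, block: int) -> int:
    """Padding bytes so that payload + padding + 2-byte trailer fills whole cipher blocks."""
    return (-(payload + ESP_TRAILER)) % block


def plain_frame_length(payload: int) -> int:
    """Frame length before IPsec: Ethernet header + IP header + payload."""
    return ETH_HEADER + IP_HEADER + payload


def esp_frame_length(payload: int, algs: EspAlgs, tunnel: bool = True) -> int:
    """Frame length after ESP encapsulation; tunnel mode adds the inner IP header."""
    inner_ip = IP_HEADER if tunnel else 0
    return (ETH_HEADER + IP_HEADER + ESP_HEADER + inner_ip + algs.iv_len
            + payload + esp_padding(payload, algs.block) + ESP_TRAILER + algs.icv_len)


def efficiency(payload: int, frame_len: int) -> float:
    """Share of the frame that is user payload, in percent, rounded to two decimals."""
    return round(100.0 * payload / frame_len, 2)


def overhead_report(payload: int, algs: EspAlgs, tunnel: bool = True) -> dict:
    before, after = plain_frame_length(payload), esp_frame_length(payload, algs, tunnel)
    return {"before": before, "after": after, "padding": esp_padding(payload, algs.block),
            "eff_before": efficiency(payload, before), "eff_after": efficiency(payload, after)}


if __name__ == "__main__":
    for algs in (TDES_MD5_DOC, AES_SHA1):
        for payload in (500, 32):  # the document's 500-byte payload and a small voice-sized one
            r = overhead_report(payload, algs)
            print(f"{algs.name:24s} payload={payload:4d}: {r['before']}->{r['after']} bytes, "
                  f"efficiency {r['eff_before']}% -> {r['eff_after']}%")
```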
The impact of IPsec on the transmission efficiency of service data varies depending on the
protocol, algorithm, and encapsulation mode. Table 9-1 and Table 9-2 describe the impact of
IPsec on the transmission efficiency when AH and the MD5, SHA, or SHA2 (256 bits) algorithm
are used for data integrity check.
Table 9-1 Impact of IPsec on the transmission efficiency in transport mode
Algorithm | FR | MCS-9 | AMR 12.2k | PS 32kbps | CS 64kbps | PS 128kbps | PS 384kbps
IPsec disabled | 32% | 65.5% | 29% | 51.6% | 69.3% | 78.6% | 83.5%
MD5 | 25% | 58.3% | 22.9% | 43.7% | 61.8% | 73.6% | 79.6%
SHA | 24.4% | 57.4% | 22.3% | 42.8% | 60.8% | 72.9% | 78.9%
SHA2 | 22.4% | 54.8% | 20.5% | 40.2% | 58.2% | 71.0% | 77.5%
Table 9-2 Impact of IPsec on the transmission efficiency in tunnel mode
Algorithm | FR | MCS-9 | AMR 12.2k | PS 32kbps | CS 64kbps | PS 128kbps | PS 384kbps
IPsec disabled | 32% | 65.5% | 29% | 51.6% | 69.3% | 78.6% | 83.5%
MD5 | 21.9% | 54% | 20.0% | 39.4% | 57.4% | 70.3% | 77.0%
SHA | 21.3% | 53.2% | 19.4% | 38.6% | 56.5% | 69.7% | 76.6%
SHA2 | 19.8% | 51% | 18.4% | 36.5% | 54.2% | 67.9% | 75.1%
Table 9-3 and Table 9-4 describe the impact of IPsec on the transmission efficiency when ESP and the DES, 3DES, or AES algorithm are used for encryption.
Table 9-3 Impact of IPsec on the transmission efficiency in transport mode
Algorithm | FR | MCS-9 | AMR 12.2k | PS 32kbps | CS 64kbps | PS 128kbps | PS 384kbps
IPsec disabled | 32% | 65.5% | 29% | 51.6% | 69.3% | 78.6% | 83.5%
DES/3DES + MD5 | 23.9% | 56.4% | 22.1% | 43.0% | 60.2% | 72.4% | 78.7%
DES/3DES + SHA | 23.2% | 55.6% | 21.5% | 42.1% | 59.3% | 71.7% | 78.2%
AES + MD5 | 23.9% | 55.6% | 20.9% | 41.2% | 58.4% | 71.1% | 78.7%
AES + SHA | 23.2% | 54.8% | 20.3% | 40.4% | 57.6% | 70.5% | 78.2%
Table 9-4 Impact of IPsec on the transmission efficiency in tunnel mode
Algorithm | FR | MCS-9 | AMR 12.2k | PS 32kbps | CS 64kbps | PS 128kbps | PS 384kbps
IPsec disabled | 32% | 65.5% | 29% | 51.6% | 69.3% | 78.6% | 83.5%
DES/3DES + MD5 | 20.4% | 52.5% | 18.7% | 38.1% | 56.7% | 69.9% | 76.7%
DES/3DES + SHA | 19.9% | 51.7% | 18.3% | 37.4% | 55.9% | 69.3% | 76.2%
AES + MD5 | 19.4% | 52.5% | 18.7% | 38.1% | 55.2% | 68.7% | 76.7%
AES + SHA | 19.4% | 51.7% | 18.3% | 37.4% | 54.4% | 68.1% | 76.2%
If IPsec is enabled on an operator's network, the time required for initial base station deployment
increases by less than 2 minutes when transmission is available. The increased time, caused by
certificate requests and IPsec tunnel setups, depends on the response speed of the public DHCP
server and the encryption protocol used by the SeGW.
10 Engineering Guidelines
Information to Be Collected
IKE information:
- IKE version: Version
- Exchange Mode
- Local ID Type
- Remote IP Address
- IKE name of the SeGW
  NOTE
  - If a PSK is used for identity authentication, obtain the local name of the SeGW.
  - If digital certificates are used for identity authentication, obtain information about the subjectaltname field in the device certificate used by the SeGW.
- Encryption Algorithm
- Authentication Algorithm
- PRF Algorithm
- IKE DH group: Diffie-Hellman Group
- DPD switch: DPD Mode
  NOTE
  If DPD is enabled on the SeGW, obtain the following information:
  - DPD Idle Time
  - DPD Retransmission Interval
  - DPD Retransmission Count
IPsec information:
- Authentication method: Authentication Method
- Encapsulation Mode
- Transform
- AH integrity protection algorithm: AH Authentication Algorithm
10.3 Planning
10.3.1 Network Planning
IPsec Networking
IPsec networking concerns three major factors:
- Authentication method
  Two authentication methods can be used between the base station and SeGW: PKI and PSK authentication. Depending on the authentication method, IPsec networks are classified into PKI- and PSK-based secure networks. They have different deployment requirements. For details, see section 10.4 Requirements.
Figure 10-1 shows an example of the PKI-based secure network in which O&M data flows are
protected by IPsec and can be protected by SSL first.
Figure 10-1 Example of the PKI-based secure network in which O&M data flows are protected
by IPsec
Figure 10-2 shows an example of the PKI-based secure network in which O&M data flows are
protected by SSL rather than IPsec.
Figure 10-2 Example of the PKI-based secure network in which O&M data flows are protected
by SSL rather than IPsec
If two physical ports are provided, IPsec policies are bound to the two ports and BFD is enabled, as shown in Figure 10-4.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
Figure 10-4 Example of networking in which the base station provides two physical ports
If one physical port is provided, security policies are bound to the same port and BFD is enabled, as shown in Figure 10-5.
Figure 10-5 Example of networking in which the base station provides one physical port
NodeB
To support IPsec and IPsec Tunnel Backup, 3900 series WCDMA base stations must be
configured with a UMPT_U or UTRPc.
eNodeB
3900 series LTE base stations must be configured with a UMPT_L, LMPT, or UTRPc to support
IPsec and IPsec Tunnel Backup.
10.4 Requirements
The IPsec feature has the following deployment requirements:
- The SeGW complies with the encryption protocol defined in IETF RFC 2409 or 4306 and supports PKI or PSK authentication.
- The license for the IPsec feature has been activated. Table 10-2 lists the license information for IPsec.
Table 10-2 License information for IPsec
Feature ID | Feature Name | License Control Item | NE | Sales Unit
GBFD-113524 | BTS Integrated IPsec | BTS Integrated IPsec | GBTS/eGBTS | Per GBTS/eGBTS
WRFD-140209 | NodeB Integrated IPsec | NodeB Integrated IPsec | NodeB | Per NodeB
LOFD-003009 | IPsec | IPsec | eNodeB | Per eNodeB
MRFD-211602 | Co-IPsec Between GSM, UMTS and LTE (GSM) | Co-IPsec Between GSM, UMTS and LTE (GSM) | MBTS | Per MBTS
MRFD-221602 | Co-IPsec Between GSM, UMTS and LTE (UMTS) | Co-IPsec Between GSM, UMTS and LTE (UMTS) | MBTS | Per MBTS
MRFD-231602 | Co-IPsec Between GSM, UMTS and LTE (LTE) | Co-IPsec Between GSM, UMTS and LTE (LTE) | MBTS | Per MBTS
NOTE
The co-IPsec license activation rules for a multimode base station are as follows:
- The co-IPsec license needs to be activated only for the mode that provides a transmission port. For example, to implement co-IPsec on a GU dual-mode base station, only the license for the MRFD-221602 Co-IPsec Between GSM, UMTS and LTE (UMTS) feature needs to be activated if a transmission port is provided by the UMTS mode.
- If a UTRPc provides a transmission port, the co-IPsec license needs to be activated for the mode that controls the UTRPc. For example, if the UMTS mode controls the UTRPc, the license for the MRFD-221602 Co-IPsec Between GSM, UMTS and LTE (UMTS) feature must be activated.
- If digital certificate authentication is used between the base station and SeGW, the PKI deployment requirements must also be met. For details, see PKI Feature Parameter Description.
- If PSK authentication is used between the base station and SeGW, the same PSK must be preconfigured on both sides.
The IPsec Tunnel Backup feature has the following deployment requirements:
- Single- or multi-hop BFD sessions can be established between the base station and SeGW.
- The SeGW can publish the BFD status to NEs in the security domain, enabling the NEs to dynamically modify downlink routes.
- The license for the IPsec Tunnel Backup feature has been activated. Table 10-3 lists the license information for IPsec Tunnel Backup.
Table 10-3 License information for IPsec Tunnel Backup
Feature ID | Feature Name | License Control Item | NE | Sales Unit
LOFD-003019 | IPsec Tunnel Backup | IPsec Tunnel Backup | eNodeB | Per eNodeB
- The license for the LOFD-003007 Bidirectional Forwarding Detection feature has been activated.
NOTE
GBTSs, eGBTSs, and NodeBs do not have the license for the IPsec Tunnel Backup feature.
NOTE
Each IPsec tunnel corresponds to an IPsec policy, which is specified by the SPGN and SPSN parameters.
Multiple IPsec SAs can be established in an IPsec tunnel. The number of IPsec SAs depends on the number
of configured ACL rules. The operator can configure specific ACL rules for different types of data flows
to establish individual IPsec SAs for these data flows.
In various network conditions, the configuration of LMPT is the same as that of UMPT_L.
The IKECFG MO is optional. For PSK-based secure networks, the IKELNM parameter in the IKECFG
MO must be set when the IDTYPE parameter in the IKEPEER MO is set to FQDN.
If the operator requires multiple IPsec tunnels, multiple IPsec policies must be configured and
bound to different IKE peers and ACLs. If the operator requires multiple IPsec policies to be
bound to the same port, these policies must have the same SPGN value but different SPSN
values. Multiple IPsec policies can be bound to the same port by using the SPGN parameter.
- Any to Any
  The value of RULEID for an ACL rule whose ACTION is set to DENY must be smaller than that for an ACL rule whose ACTION is set to PERMIT. In Any to Any mode, configure ACL rules as follows:
  1. Configure ACL rules for data flows that do not need to be protected by IPsec. The parameter settings for the ACL rules are as follows:
     - SIP: set to the source IP address of the data flow.
     - SWC and DIP: set to 0.0.0.0.
     - DWC: set to 255.255.255.255.
     - ACTION: set to DENY.
  2. Configure an ACL rule in Any to Any mode with the parameter settings as follows:
- IP to Any
  Configure ACL rules for data flows that need to be protected by IPsec. The parameter settings for the ACL rules are as follows:
     - SIP: set to the source IP address of the data flow.
     - SWC and DIP: set to 0.0.0.0.
     - DWC: set to 255.255.255.255.
     - ACTION: set to PERMIT.
NOTE
- Any to Any mode applies only to scenarios where a base station is interconnected with an SeGW provided by Juniper. The following sections use IP to Any mode as an example to describe how to configure ACL rules. The specific method for configuring ACL rules depends on the network plan.
- No two ACL rules can apply to the same data flow.
In this networking scenario, the UMPT_L provides IPsec for the following data flows:
- Data flows generated when the eNodeB obtains CRLs or certificate files from the CRL server.
NOTE
IPsec configurations are the same for co-MPT and separate-MPT multimode base stations. Therefore, the
following configurations apply to both.
Data Preparation
"-" in the following tables in this section indicates that there is no special requirement for setting
the parameters. Set the parameters based on site requirements.
Table 10-4 lists the data to prepare for an IKE proposal (the IKEPROPOSAL MO in MML
configurations and the IKEPROPOSAL or IKE Proposal MO in CME configurations).
Table 10-4 Data to prepare for an IKE proposal
Parameter Name | Parameter ID | Setting Notes | Data Source
Proposal ID | PROPID | - | User-defined
Encryption Algorithm | ENCALG | - | Network plan
Authentication Algorithm | AUTHALG | - | Network plan
Authentication Method | AUTHMETH | - | Network plan
Diffie-Hellman Group | DHGRP | - | Network plan
PRF Algorithm | PRFALG | - | Network plan
ISAKMP SA Duration(s) | DURATION | - | Network plan
Table 10-5 lists the data to prepare for an IKE peer (the IKEPEER MO in MML configurations
and the IKEPEER or IKE Peer MO in CME configurations).
Table 10-5 Data to prepare for an IKE peer
Parameter Name | Parameter ID | Setting Notes | Data Source
 | PEERNAME | - | User-defined
IKE Proposal ID | PROPID | - | Network plan; negotiation with the IKE peer
Version | IKEVERSION | - | Network plan; negotiation with the IKE peer
Exchange Mode | EXCHMODE | - | Network plan; negotiation with the IKE peer
Local ID Type | IDTYPE | If digital certificate authentication is used, the recommended value of this parameter is FQDN. | Network plan; negotiation with the IKE peer
Remote IP Address | REMOTEIP | If ENCAPMODE in the IPSECPROPOSAL MO is set to TRANSPORT, the value of this parameter must be the same as that of DIP in the ACLRULE MO. Otherwise, encrypted packets cannot be decrypted. If ENCAPMODE in the IPSECPROPOSAL MO is set to TUNNEL, the value of this parameter must be the same as the IP address of the peer SeGW. | Network plan
Remote Name | REMOTENAME | - | Network plan
Pre-shared Key | PKEY | If digital certificate authentication is used, this parameter does not need to be set. | Network plan
DPD Mode | DPD | - | Network plan; negotiation with the IKE peer
DPD Idle Time(s) | DPDIDLETIME | - | Network plan; negotiation with the IKE peer
DPD Retransmission Interval(s) | DPDRETRI | - | Network plan; negotiation with the IKE peer
DPD Retransmission Count | DPDRETRN | - | Network plan; negotiation with the IKE peer
Local IP Address | LOCALIP | - | Network plan
Table 10-6 lists the data to prepare for an ACL (the ACL MO in MML configurations and the ACL or Access Control List MO in CME configurations).
Table 10-6 Data to prepare for an ACL
Parameter Name | Parameter ID | Setting Notes | Data Source
ACL ID | ACLID | If an ACL is bound to an IPsec policy, the value of this parameter ranges from 3000 to 3999. | User-defined
Description | ACLDESC | - | User-defined
Table 10-7 lists the data to prepare for an ACL rule (the ACLRULE MO in MML configurations
and the ACLRULE or Access Control List Rule MO in CME configurations). Multiple ACL
rules can be configured to protect different types of data flows. How many ACL rules are
configured depends on the network plan.
Table 10-7 Data to prepare for an ACL rule
Parameter Name | Parameter ID | Setting Notes | Data Source
ACL ID | ACLID | - | User-defined
Rule ID | RULEID | - | Network plan
Action | ACTION | - | Network plan
Protocol Type | PT | - | Network plan
Source IP Address | SIP | If ENCAPMODE in the IPSECPROPOSAL MO is set to TRANSPORT, the value of this parameter must be a configured device IP address. Otherwise, encrypted packets cannot be decrypted. | Network plan
Destination IP Address | DIP | If ENCAPMODE in the IPSECPROPOSAL MO is set to TRANSPORT, the value of this parameter must be a host IP address, not a network segment address. The value of this parameter must be the same as that of REMOTEIP in the IKEPEER MO. Otherwise, encrypted packets cannot be decrypted. | Network plan
Source Wildcard | SWC | - | Network plan
Destination Wildcard | DWC | - | Network plan
Match Source Port | SMPT | - | Network plan
Source Port Operate | SOP | - | Network plan
Source Port 1 | SPT1 | - | Network plan
Source Port 2 | SPT2 | - | Network plan
Match Destination Port | DMPT | - | Network plan
Destination Port Operate | DOP | - | Network plan
Destination Port 1 | DPT1 | - | Network plan
Destination Port 2 | DPT2 | - | Network plan
Match DSCP | MDSCP | - | Network plan
DSCP | DSCP | - | Network plan
Match Fragment Message | MFRG | - | Network plan
VLAN ID Operate | VLANIDOP | - | Network plan
VLAN ID 1 | VLANID1 | - | Network plan
VLAN ID 2 | VLANID2 | - | Network plan
Table 10-8 lists the data to prepare for an IPsec proposal (the IPSECPROPOSAL MO in MML
configurations and the IPSECPROPOSAL or IPsec Proposal MO in CME configurations).
Table 10-8 Data to prepare for an IPsec proposal
Parameter Name | Parameter ID | Setting Notes | Data Source
 | PROPNAME | - | User-defined
Encapsulation Mode | ENCAPMODE | - | Network plan; negotiation with the IKE peer
Transform | TRANMODE | The parameter settings on the base station and SeGW sides must be the same. | Network plan; negotiation with the IKE peer
AH Authentication Algorithm | AHAUTHALG | The parameter settings on the base station and SeGW sides must be the same. | Network plan; negotiation with the IKE peer
ESP Authentication Algorithm | ESPAUTHALG | The parameter settings on the base station and SeGW sides must be the same. | Network plan; negotiation with the IKE peer
ESP Encryption Algorithm | ESPENCALG | The parameter settings on the base station and SeGW sides must be the same. | Network plan; negotiation with the IKE peer
Table 10-9 lists the data to prepare for an IPsec policy (the IPSECPOLICY MO in MML configurations and the IPSECPOLICY or IPsec Policy MO in CME configurations).
Table 10-9 Data to prepare for an IPsec policy
Parameter Name | Parameter ID | Setting Notes | Data Source
 | SPGN | - | User-defined
 | SPSN | - | User-defined
ACL ID | ACLID | This parameter specifies the binding between an IPsec policy and an ACL. Only data flows that comply with rules in the ACL are processed based on the IPsec policy. | User-defined
 | PROPNAME | - | User-defined
 | PEERNAME | - | User-defined
Perfect Forward Secrecy | PFS | - | Network plan; negotiation with the IKE peer
SA Duration Mode | LTCFG | If this parameter is set to GLOBAL, LTS and LTKB are permanently set to 3600 and 69120000, respectively. If this parameter is set to LOCAL, the IPsec SA lifetime is specified by LTS and LTKB. | Network plan; negotiation with the IKE peer
Lifetime Based On Time(s) | LTS | - | Network plan; negotiation with the IKE peer
Lifetime Based On Traffic(KB) | LTKB | - | Network plan; negotiation with the IKE peer
Anti-Replay Windows | REPLAYWND | - | Network plan; negotiation with the IKE peer
An IPsec policy takes effect only after it is bound to a port. Table 10-10 lists the data to prepare
for the binding between an IPsec policy and a port (the IPSECBIND MO in MML configurations
and the IPSECBIND or IPsec Policy Group Binding MO in CME configurations).
Table 10-10 Data to prepare for the binding between an IPsec policy and a port
Parameter Name | Parameter ID | Setting Notes | Data Source
Cabinet No. | CN | - | Network plan
Subrack No. | SRN | - | Network plan
Slot No. | SN | - | Network plan
Subboard Type | SBT | - | Network plan
Port Type | PT | - | Network plan
Port No. | PN | If PT is set to ETH, the port specified by PN cannot be a member of an Ethernet trunk. | Network plan
 | SPGN | The value of this parameter must be the same as the value of SPGN in the IPSECPOLICY MO. | User-defined
(Optional) Prepare data related to basic IKE configurations. Table 10-11 lists the data to prepare
for basic IKE configurations (the IKECFG MO in MML configurations and the IKECFG or
IKE Basic Configuration MO in CME configurations).
Table 10-11 Data to prepare for basic IKE configurations
Parameter Name | Parameter ID | Setting Notes | Data Source
Local Name | IKELNM | If AUTHMETH is set to IKE_RSA_SIG, this parameter does not need to be set. | Network plan
Keepalive Interval | IKEKLI | - | Network plan; negotiation with the IKE peer
Keepalive Timeout | IKEKLT | - | Network plan; negotiation with the IKE peer
DSCP | DSCP | This parameter specifies the differentiated services code point (DSCP) for IKE negotiation packets. The recommended value of this parameter is 48. | Network plan
(Optional) Prepare data related to the IPsec replay alarm switch. Table 10-12 lists the data to
prepare for the switch (the IPGUARD MO in MML and CME configurations).
Table 10-12 Data to prepare for the IPsec replay alarm switch
Parameter Name | Parameter ID | Setting Notes | Data Source
 | IPSECREPLAYCHKSW | - | Network plan
 | IPSECREPLAYALMTHD | - | Network plan
If a pair of primary and secondary IPsec tunnels are to be established, BFD detection must be
enabled to detect the connectivity of the primary and secondary IPsec tunnels. Table 10-13 lists
the data to prepare for BFD detection (the BFDSESSION MO in MML configurations and the
BFDSESSION or BFD Session MO in CME configurations).
Table 10-13 Data to prepare for BFD detection
Parameter Name | Parameter ID | Setting Notes | Data Source
Cabinet No. | CN | - | User-defined
Subrack No. | SRN | - | User-defined
Slot No. | SN | - | User-defined
Session ID | BFDSN | - | User-defined
Source IP | SRCIP | - | Network plan
Destination IP | DSTIP | - | Network plan
Hop Type | HT | - | Network plan
Min TX Interval (ms) | MINTI | - | Network plan
Min RX Interval (ms) | MINRI | - | Network plan
Detection Multiplier | DM | - | Network plan
Session Catalog | CATLOG | - | Network plan
DSCP | DSCP | - | Network plan
Protocol Version | VER | - | Network plan
Prepare data if a pair of primary and secondary IPsec tunnels are to be established. Table
10-14 lists the data to prepare for the primary and secondary IPsec tunnels (the IPSECDTNL
MO in MML configurations and the IPSECDTNL or IPsec Tunnel Pair MO in CME
configurations).
Table 10-14 Data to prepare for the primary and secondary IPsec tunnels
Parameter Name | Parameter ID | Setting Notes | Data Source
 | DUALID | - | User-defined
Master Policy Group Name | MSPGN | - | User-defined
Master IPsec Sequence No. | MSPSN | - | Network plan
 | SSPGN | - | User-defined
Slave IPsec Sequence No. | SSPSN | - | Network plan
Master Tunnel's BFD Session ID | MBFDSN | - | Network plan
 | SBFDSN | - | Network plan
Initial Configuration
Using MML Commands
The procedure for configuring an IPsec tunnel is as follows:
Step 1 Run the ADD IKEPROPOSAL command to add an IKE proposal.
Step 2 Run the ADD IKEPEER command to add an IKE peer.
Step 3 Run the ADD ACL command to add an ACL.
Step 4 Run the ADD ACLRULE command to add a rule to the ACL.
NOTE
The following is an example of configuring a pair of primary and secondary IPsec tunnels
(configure one IPsec tunnel by following the preceding MML command example and then
configure as follows):
//Adding the second IKE peer
ADD IKEPEER: PEERNAME="Ike2", PROPID=10, IKEVERSION=IKE_V1, EXCHMODE=MAIN,
IDTYPE=IP, REMOTEIP="80.80.80.80", REMOTENAME="Secgw2", DPD=PERIODIC,
DPDIDLETIME=20, DPDRETRI=4, DPDRETRN=6, LOCALIP="21.21.21.188";
//Adding the second IPsec policy when two ports are used
ADD IPSECPOLICY: SPGN="Policy1", SPSN=2, ACLID=3000, PROPNAME="prop0",
PEERNAME="Ike2", PFS= DISABLE, LTCFG=LOCAL, LTS=86400, REPLAYWND=WND_DISABLE;
NOTE
- If one port is used, the two IPsec policies have the same group name but different numbers, and they are bound to the same port at a time.
- If two ports are used, the two IPsec policies have different group names but may have the same number. The two IPsec policies are separately bound to the two ports.
//Adding the binding between the second IPsec policy and a transmission port
ADD IPSECBIND: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PT=ETH, PN=0, SPGN="Policy1";
//Adding BFD sessions for the two IPsec tunnels
ADD BFDSESSION: CN=0, SRN=0, SN=7, BFDSN=1, SRCIP="20.20.20.188",
DSTIP="90.90.90.90", HT=MULTI_HOP, MINTI=100, MINRI=100, DM=3, CATLOG=RELIABILITY,
DSCP=0, VER=DRAFT4;
ADD BFDSESSION: CN=0, SRN=0, SN=7, BFDSN=2, SRCIP="21.21.21.188",
DSTIP="80.80.80.80", HT=MULTI_HOP, MINTI=100, MINRI=100, DM=3, CATLOG=RELIABILITY,
DSCP=0, VER=DRAFT4;
//Configuring the two IPsec tunnels as primary and secondary IPsec tunnels
ADD IPSECDTNL: DUALID=0, MSPGN="Policy0", MSPSN=1, SSPGN="Policy1", SSPSN=2,
MBFDSN=1, SBFDSN=2;
Using the CME to Perform Batch Configuration for Newly Deployed Base Stations
Enter the values of the parameters listed in Table 10-15 in a summary data file, which also contains other data for the new base stations to be deployed. Then, import the summary data file into the CME for batch configuration.
The summary data file may be a scenario-specific file provided by the CME or a customized file, depending on the following conditions:
- The MOs in Table 10-15 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
- Some MOs in Table 10-15 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.
| MO | Sheet in the Summary Data File | Parameter Group | Remarks |
| IKEPROPOSAL | Common Data | PROPID, ENCALG, AUTHALG, AUTHMETH, DHGRP, PRFALG, DURATION | |
| IKEPEER | Common Data | PEERNAME, PROPID, IKEVERSION, EXCHMODE, IDTYPE, REMOTEIP, REMOTENAME, DPD, DPDIDLETIME, DPDRETRI, DPDRETRN | |
| IKEPEER | Base Station Transport Data | PKEY, LOCALIP | PKEY and LOCALIP are unique for each base station. Therefore, it is recommended that these two parameters be customized on the Base Station Transport Data sheet. |
| IPSECPROPOSAL | Common Data | PROPNAME, ENCAPMODE, TRANMODE, AHAUTHALG, ESPAUTHALG, ESPENCALG | |
| IPSECPOLICY | Common Data | SPGN, SPSN, ACLID, PROPNAME, PEERNAME, PFS, LTCFG, LTS, LTKB, REPLAYWND | |
| IPSECBIND | Common Data | CN, SRN, SN, SBT, PT, PN, SPGN | |
| ACL | Common Data | ACLID, ACLDESC | |
| ACLRULE | ACLPattern | ACLID, RULEID, ACTION, PT, SIP, DIP, SWC, DWC, SMPT, SOP, SPT1, SPT2, DMPT, DOP, DPT1, DPT2, MDSCP, DSCP, MFRG, VLANIDOP, VLANID1, VLANID2 | |
| IPGUARD | User-defined | IPSECREPLAYCHKSW, IPSECREPLAYALMTHD | |
For instructions about performing batch configuration for each type of base station, see the following sections in 3900 Series Base Station Initial Configuration Guide.
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on existing base stations. This method reconfigures all data, except neighbor relationships, for multiple base stations in a single procedure. The procedure is as follows:
Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an M2000 client, or choose Advanced > Customize Summary Data File from the main menu of a CME client, to customize a summary data file for batch reconfiguration.
Step 2 Export the NE data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 In the summary data file, set the parameters in the MOs listed in Table 10-15 and close the file.
Step 4 Import the summary data file into the CME.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
----End
For details about how to import and export data, see the M2000 online help.
Activation Observation
Observing the IPsec Tunnel
Step 1 Run the DSP IKESA command to check the SA status.
As shown in the following figure, all SAs are successfully established when the command output indicates both of the following:
- The status of SAs in the first and second phases is Ready StayAlive.
- The number of SAs in the second phase is the same as the number of ACL rules whose ACTION is set to PERMIT.
Step 2 Run the DSP IPSECSA command to check the IPsec SA status.
The following is an example of the command output.
Step 3 Check whether services protected by the IPsec tunnel are normal.
- If service data is protected by IPsec, initiate a voice service and a data service and then check whether the two services are running normally.
- If O&M data is protected by IPsec, observe whether the base station deployed with the IPsec tunnel is online on the M2000 topology view.
Step 4 Check the IPsec replay status.
1. Check whether ALM-25950 Base Station Being Attacked is reported with "Specific Problem" set to IPsec Replay. If so, IPsec replay attacks exist.
2. If IPsec replay attacks exist, run the DSP INVALIDPKTINFO command to query IPsec replay packets.
Only the latest 100 invalid packets can be displayed in the command output and only the first 64 bytes of an invalid packet can be displayed in the value of the Invalid Packet Data parameter. The following is an example of the command output.
eGBTSs, NodeBs, and eNodeBs support IKE and IPsec performance monitoring, whereas GBTSs do not.
2. Run the DSP IPSECDTNL command to check whether the IPsec policy in use is the standby IPsec SA.
The following is an example of the command output.
3. Initiate a voice service and a data service and then check whether the two services are running normally.
4. Observe whether the base station deployed with the primary and secondary IPsec tunnels is online on the M2000 topology view.
----End
The GTMUb and UMPT_L communicate with each other through the BBU backplane.
The UMPT_L transfers GBTS data and provides IPsec for the following data flows:
- GBTS signaling and service data flows.
- eNodeB O&M data flows.
- Certificate management-related data flows between the eNodeB and CA.
- Data flows generated when the eNodeB obtains CRLs or certificate files from the CRL server.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GBTS using GTMUb+UMPT_L.
Using MML Commands
Run the ADD ACLRULE command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB, or eNodeB. When the IPsec feature is deployed on a GBTS using GTMUb+UMPT_L, observe the online status of both the GBTS and the eNodeB.
The GTMUb and UTRPc communicate with each other through the BBU backplane.
The UTRPc only provides IPsec for the following data flows because the GBTS has no
O&M channel:
Data Preparation
"-" in the following tables in this section indicates that there is no special requirement for setting
the parameters. Set the parameters based on site requirements.
Table 10-16 lists the data to prepare for an IKE proposal (the BTSIKEPROPOSAL MO in MML configurations and the BTSIKEPROPOSAL or BTS IKE Proposal MO in CME configurations).
Table 10-16 Data to prepare for an IKE proposal
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | It is recommended that the ID be used to identify a GBTS. | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| Proposal ID | PROPID | | User-defined |
| Encryption Algorithm | ENCALG | | Network plan; negotiation with the IPsec peer |
| Authentication Algorithm | AUTHALG | | |
| Authentication Method | AUTHMETH | | |
| Diffie-Hellman Group | DHGRP | | |
| PRF Algorithm | PRFALG | | |
| | DURATION | | |
Table 10-17 lists the data to prepare for an IKE peer (the BTSIKEPEER MO in MML configurations and the BTSIKEPEER or BTS IKE Peer MO in CME configurations).
Table 10-17 Data to prepare for an IKE peer
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| | PEERNAME | | User-defined |
| IKE Proposal ID | PROPID | | Network plan; negotiation with the IPsec peer |
| Version | IKEVERSION | | |
| Exchange Mode | EXCHMODE | | |
| Local ID Type | IDTYPE | If digital certificate authentication is used, the recommended value of this parameter is FQDN. | Network plan |
| Remote IP Address | REMOTEIP | If ENCAPMODE in the BTSIPSECPROPOSAL MO is set to TRANSPORT, set this parameter to the same value as DIP in the BTSACLRULE MO. Otherwise, encrypted packets cannot be decrypted. If ENCAPMODE in the BTSIPSECPROPOSAL MO is set to TUNNEL, set this parameter to the IP address of the peer SeGW. | Network plan |
| Remote Name | REMOTENAME | | |
| Pre-shared Key | PKEY | | |
| DPD Mode | DPD | | |
| | DPDIDLETIME | | Network plan; negotiation with the IPsec peer |
| DPD Retransmission Interval(s) | DPDRETRI | | |
| DPD Retransmission Count | DPDRETRN | | |
| NAT Traversal | NATTRAV | | |
| Local IP Address | LOCALIP | | |
Table 10-18 lists the data to prepare for an ACL (the BTSACL MO in MML configurations and the BTSACL or BTS Access Control List MO in CME configurations).
Table 10-18 Data to prepare for an ACL
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| ACL ID | ACLID | | User-defined |
Table 10-19 lists the data to prepare for an ACL rule (the BTSACLRULE MO in MML configurations and the BTSACLRULE or BTS Access Control List Rule MO in CME configurations). Multiple ACL rules can be configured to protect different types of data flows. How many ACL rules are configured depends on the network plan.
Table 10-19 Data to prepare for an ACL rule
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| Rule Type | RULETYPE | | |
| ACL ID | ACLID | | |
| Rule ID | RULEID | | User-defined |
| Action | ACTION | | Network plan |
| Protocol Type | PT | | |
| Source IP Address | SIP | If ENCAPMODE in the BTSIPSECPROPOSAL MO is set to TRANSPORT, the value of this parameter must be a configured device IP address. Otherwise, encrypted packets cannot be decrypted. | |
| Destination IP Address | DIP | If ENCAPMODE in the BTSIPSECPROPOSAL MO is set to TRANSPORT, the value of this parameter must be a host IP address, not a network segment address. The value of this parameter must be the same as that of REMOTEIP in the BTSIKEPEER MO. Otherwise, encrypted packets cannot be decrypted. | |
| Source Wildcard | SWC | | |
| Destination Wildcard | DWC | | |
| Match Source Port | SMPT | | |
| Source Port Operate | SOP | | |
| Source Port 1 | SPT1 | | |
| Source Port 2 | SPT2 | | |
| Match Destination Port | DMPT | | |
| Destination Port Operate | DOP | | |
| Destination Port 1 | DPT1 | | |
| Destination Port 2 | DPT2 | | |
| Match DSCP | MDSCP | | |
| Match Fragment Message | MFRG | | |
| VLAN ID Filter Criteria | VLANIDOP | If an ACL is bound to an IPsec policy, this parameter does not need to be set. | |
| VLAN ID 1 | VLANID1 | If an ACL is bound to an IPsec policy, this parameter does not need to be set. | |
| VLAN ID 2 | VLANID2 | If an ACL is bound to an IPsec policy, this parameter does not need to be set. | |
Table 10-20 lists the data to prepare for an IPsec proposal (the BTSIPSECPROPOSAL MO in MML configurations and the BTSIPSECPROPOSAL or BTS IPsec Proposal MO in CME configurations).
Table 10-20 Data to prepare for an IPsec proposal
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | It is recommended that the ID be used to identify a GBTS. | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| | PROPNAME | | User-defined |
| Encapsulation Mode | ENCAPMODE | | Network plan; negotiation with the IPsec peer |
| Transform | TRANMODE | | |
| AH Authentication Algorithm | AHAUTHALG | | |
| ESP Authentication Algorithm | ESPAUTHALG | | |
| ESP Encryption Algorithm | ESPENCALG | | |
Table 10-21 lists the data to prepare for an IPsec policy (the BTSIPSECPOLICY MO in MML configurations and the BTSIPSECPOLICY or BTS IPsec Policy MO in CME configurations).
Table 10-21 Data to prepare for an IPsec policy
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| ACL ID | ACLID | | |
| IPsec Proposal Name | PROPNAME | | |
| | PEERNAME | | |
| Policy Group Name | SPGN | | |
| IPsec Sequence No. | SPSN | | User-defined |
| Perfect Forward Secrecy | PFS | | Network plan; negotiation with the IPsec peer |
| SA Duration Mode | LTCFG | | Network plan |
| | LTS | | |
| Lifetime Based On Traffic (KB) | LTKB | | |
| Anti-Replay Windows | REPLAYWND | | |
An IPsec policy takes effect only after it is bound to a port. Table 10-22 lists the data to prepare for the binding between an IPsec policy and a port (the BTSIPSECBIND MO in MML configurations and the BTSIPSECBIND or BTS IPsec Policy Group Binding MO in CME configurations).
Table 10-22 Data to prepare for the binding between an IPsec policy and a port
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| Cabinet No. | CN | | |
| Subrack No. | SRN | | |
| Slot No. | SN | | |
| Port Type | PT | | |
| Port No. | PN | | |
| Policy Group Name | SPGN | | User-defined |
(Optional) Prepare data related to the IPsec replay alarm switch. Table 10-23 lists the data to prepare for the switch (the BTSIPGUARD MO in MML and CME configurations).
Table 10-23 Data to prepare for the IPsec replay alarm switch
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| IPsec Replay Alarm Switch | IPSECREPLAYCHKSW | | |
| IPsec Replay Alarm Threshold | IPSECREPLAYALARMTHD | | |
(Optional) Prepare data related to basic IKE configurations. Table 10-24 lists the data to prepare for basic IKE configurations (the BTSIKECFG MO in MML configurations and the BTSIKECFG or BTS IKE Basic Configuration MO in CME configurations).
Table 10-24 Data to prepare for basic IKE configurations
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| Local Name | IKELNM | If AUTHMETH in the BTSIKEPROPOSAL MO and IDTYPE in the BTSIKEPEER MO are set to IKE_RSA_SIG and FQDN, respectively, this parameter does not need to be set. This is because the GBTS directly uses the value of the SubjectAltName field in its digital certificate as the value of this parameter. | Network plan |
| Keepalive Interval | IKEKLI | | Network plan; negotiation with the IPsec peer |
| Keepalive Timeout | IKEKLT | | |
| NAT Keepalive Timeout | NATKLI | | |
| DSCP | DSCP | | |
Table 10-25 lists the data to prepare for BFD detection (the BTSBFD MO in MML configurations and the BTSBFD or BFD Sessions of BTS MO in CME configurations).
Table 10-25 Data to prepare for BFD detection
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| Cabinet No. | CN | | |
| Subrack No. | SRN | | |
| Slot No. | SN | | |
| | BFDSN | | User-defined |
| Source IP Address | SRCIP | | Network plan |
| Destination IP Address | DSTIP | | |
| Hop Type | HT | | |
| Min TX Interval | MINTXINTERVAL | | |
| Min RX Interval | MINRXINTERVAL | | |
| Detection Multiplier | DETECTMULT | | |
| DSCP | DSCP | | |
Prepare data if a pair of primary and secondary IPsec tunnels are to be established. Table 10-26 lists the data to prepare for the primary and secondary IPsec tunnels (the BTSIPSECDTNL MO in MML configurations and the BTSIPSECDTNL or BTS IPsec Tunnel Pair MO in CME configurations).
Table 10-26 Data to prepare for the primary and secondary IPsec tunnels
| Parameter Name | Parameter ID | Setting Notes | Data Source |
| Index Type | IDTYPE | It is recommended that the ID be used to identify a GBTS. | Network plan |
| BTS Index | BTSID | | |
| BTS Name | BTSNAME | | |
| | DUALID | | |
| | MSPGN | | |
| | MSPSN | | Network plan |
| | SSPGN | | User-defined |
| | SSPSN | | Network plan |
| BFD Session ID of Master Tunnel | MBFDSN | | |
| BFD Session ID of Slave Tunnel | SBFDSN | | User-defined |
Initial Configuration
Using MML Commands
The procedure for configuring an IPsec tunnel is as follows:
Step 1 Run the ADD BTSIKEPROPOSAL command to add an IKE proposal.
Step 2 Run the ADD BTSIKEPEER command to add an IKE peer.
Step 3 Run the ADD BTSACL command to add an ACL.
Step 4 Run the ADD BTSACLRULE command to add a rule to the ACL.
Step 5 Run the ADD BTSIPSECPROPOSAL command to add an IPsec proposal.
Step 6 Run the ADD BTSIPSECPOLICY command to add an IPsec policy.
Step 7 Run the ADD BTSIPSECBIND command to add the binding between the IPsec policy and a
transmission port.
Step 8 (Optional) Run the SET BTSIPGUARD command to set the IPsec replay alarm switch and
threshold.
----End
The procedure for configuring a pair of primary and secondary IPsec tunnels is as follows:
Configure one IPsec tunnel according to the preceding operations in Step 1 through Step 7. Configure another IPsec tunnel by performing the following steps:
Step 1 Run the ADD BTSIKEPEER command to add an IKE peer.
Step 2 Run the ADD BTSIPSECPOLICY command to add an IPsec policy.
Step 3 Run the ADD BTSIPSECBIND command to add the binding between the IPsec policy and a
transmission port.
Step 4 Run the ADD BTSBFDSESSION command to add BFD sessions for the two IPsec tunnels.
Step 5 Run the ADD BTSIPSECDTNL command to configure the two IPsec tunnels as a pair of
primary and secondary IPsec tunnels.
----End
MML Command Examples
The following is an example of configuring an IPsec tunnel:
//Adding an IKE proposal
ADD BTSIKEPROPOSAL: IDTYPE=BYID, BTSID=0, PROPID=10, ENCALG=3DES, AUTHALG=MD5,
AUTHMETH=IKE_RSA_SIG, DHGRP=DH_GROUP14, DURATION=86400;
//Adding an IKE peer
ADD BTSIKEPEER: IDTYPE=BYID, BTSID=0, PEERNAME="ike", PROPID=10,
IKEVERSION=IKE_V1, EXCHMODE=MAIN, IDTYPE=IP, REMOTEIP="90.90.90.90",
REMOTENAME="secgw", DPD=PERIODIC, DPDIDLETIME=20, DPDRETRI=4, DPDRETRN=6,
LOCALIP="20.20.20.188";
//Adding an ACL
ADD BTSACL: IDTYPE=BYID, BTSID=0, ACLID=3000, ACLDESC="For IPsec";
//Adding a rule to the ACL
ADD BTSACLRULE: IDTYPE=BYID, BTSID=0, RULETYPE=ADV, ACLID=3000, RULEID=1, ACTION=PERMIT,
PT=IP, SIP="35.35.35.188", SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD BTSACLRULE: IDTYPE=BYID, BTSID=0, RULETYPE=ADV, ACLID=3000, RULEID=2, ACTION=PERMIT,
PT=IP, SIP="35.35.35.188", SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
The following is an example of configuring a pair of primary and secondary IPsec tunnels
(configure one IPsec tunnel by following the preceding MML command example and then
configure as follows):
//Adding the second IKE peer
ADD BTSIKEPEER: IDTYPE=BYID, BTSID=0,PEERNAME="Ike2", PROPID=10,
IKEVERSION=IKE_V1, EXCHMODE=MAIN, IDTYPE=IP, REMOTEIP="80.80.80.80",
REMOTENAME="Secgw2", DPD=PERIODIC, DPDIDLETIME=20, DPDRETRI=4, DPDRETRN=6,
LOCALIP="21.21.21.188";
//Adding the second IPsec policy when two ports are used
ADD BTSIPSECPOLICY: IDTYPE=BYID, BTSID=0, SPGN="Policy1", SPSN=2, ACLID=3000, PROPNAME="prop0",
PEERNAME="Ike2", PFS=DISABLE, LTCFG=LOCAL, LTS=86400, REPLAYWND=WND_DISABLE;
NOTE
- If one port is used, the two IPsec policies have the same group name but different numbers, and they are bound to the same port at a time.
- If two ports are used, the two IPsec policies have different group names but may have the same number. The two IPsec policies are separately bound to the two ports.
//Adding the binding between the second IPsec policy and a transmission port
ADD BTSIPSECBIND: IDTYPE=BYID, BTSID=0, CN=0, SRN=0, SN=4, SBT=BASE_BOARD, PT=ETH,
PN=0, SPGN="Policy1";
//Adding BFD sessions for the two IPsec tunnels
ADD BTSBFDSESSION: IDTYPE=BYID, BTSID=0,CN=0, SRN=0, SN=4, BFDSN=1,
SRCIP="20.20.20.188", DSTIP="90.90.90.90", HT=MULTI_HOP, MINTI=100, MINRI=100,
DM=3, CATLOG=RELIABILITY, DSCP=0, VER=DRAFT4;
ADD BTSBFDSESSION: IDTYPE=BYID, BTSID=0,CN=0, SRN=0, SN=4, BFDSN=2,
SRCIP="21.21.21.188", DSTIP="80.80.80.80", HT=MULTI_HOP, MINTI=100, MINRI=100,
DM=3, CATLOG=RELIABILITY, DSCP=0, VER=DRAFT4;
//Configuring the two IPsec tunnels as primary and secondary IPsec tunnels
ADD BTSIPSECDTNL: IDTYPE=BYID, BTSID=0,DUALID=0, MSPGN="Policy0", MSPSN=1,
SSPGN="Policy1", SSPSN=2, MBFDSN=1, SBFDSN=2;
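Both tunnel-pair scripts in this chapter (the eGBTS/NodeB/eNodeB one with IKEPEER, IPSECPOLICY, IPSECBIND, BFDSESSION and IPSECDTNL, and the GBTS one above with the BTS-prefixed MOs) tie objects together only by name and number, so a typo in SPSN, PEERNAME or BFDSN is not caught until DSP IKESA shows a missing SA. The following Python script is an added example, not Huawei code: it parses ADD statements of the shape shown here, checks the references an IPSECDTNL depends on (policy group and sequence number, IKE peer, port binding, BFD session endpoints), applies the one-port/two-port group-name rule from the NOTE above, and counts PERMIT ACL rules for the phase-2 SA check in Activation Observation. The sample script is constructed; the second IPSECBIND on PN=1 is an assumption.

```python
"""Consistency checks for an MML script that builds a primary/secondary IPsec tunnel pair.
Added example, not Huawei code: parses 'ADD <MO>: K=V, ...;' statements of the shape shown
in this chapter and cross-checks the references between IKEPEER, IPSECPOLICY, IPSECBIND,
BFDSESSION and IPSECDTNL. BTS-prefixed MO names (the GBTS variant) are accepted as well."""
import re
from collections import defaultdict

# Constructed sample in the style of the chapter's example; parameters the checks do not
# need are omitted, and the second IPSECBIND (PN=1) is an assumption (two ports in use).
SAMPLE_MML = """
ADD IKEPEER: PEERNAME="ike", IDTYPE=IP, REMOTEIP="90.90.90.90", LOCALIP="20.20.20.188";
ADD IKEPEER: PEERNAME="Ike2", IDTYPE=IP, REMOTEIP="80.80.80.80", LOCALIP="21.21.21.188";
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="20.20.20.188", SWC="0.0.0.0",
DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="21.21.21.188", SWC="0.0.0.0",
DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD IPSECPOLICY: SPGN="Policy0", SPSN=1, ACLID=3000, PROPNAME="prop0", PEERNAME="ike";
ADD IPSECPOLICY: SPGN="Policy1", SPSN=2, ACLID=3000, PROPNAME="prop0", PEERNAME="Ike2";
ADD IPSECBIND: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PT=ETH, PN=0, SPGN="Policy0";
ADD IPSECBIND: CN=0, SRN=0, SN=7, SBT=BASE_BOARD, PT=ETH, PN=1, SPGN="Policy1";
ADD BFDSESSION: CN=0, SRN=0, SN=7, BFDSN=1, SRCIP="20.20.20.188", DSTIP="90.90.90.90",
HT=MULTI_HOP, MINTI=100, MINRI=100, DM=3;
ADD BFDSESSION: CN=0, SRN=0, SN=7, BFDSN=2, SRCIP="21.21.21.188", DSTIP="80.80.80.80",
HT=MULTI_HOP, MINTI=100, MINRI=100, DM=3;
ADD IPSECDTNL: DUALID=0, MSPGN="Policy0", MSPSN=1, SSPGN="Policy1", SSPSN=2, MBFDSN=1, SBFDSN=2;
"""

# KEY=VALUE where VALUE is a quoted string or a bare token running up to the next comma.
ARG_RE = re.compile(r'([A-Z0-9_]+)\s*=\s*("([^"]*)"|[^,]+)')

def parse_mml(text):
    """Return [(verb, mo, {param: value})] with // comment lines dropped."""
    body = "\n".join(ln for ln in text.splitlines() if not ln.strip().startswith("//"))
    cmds = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())            # re-join statements wrapped over lines
        if not stmt:
            continue
        head, _, args = stmt.partition(":")
        verb, _, mo = head.strip().partition(" ")
        params = {k: (q if raw.startswith('"') else raw.strip())
                  for k, raw, q in ARG_RE.findall(args)}
        cmds.append((verb, mo.strip(), params))
    return cmds

def index(cmds):
    """Group ADD commands by object type, keyed the way other MOs refer to them."""
    idx = defaultdict(dict)
    for verb, mo, p in cmds:
        if verb != "ADD":
            continue
        if mo.endswith("IKEPEER"):
            idx["peer"][p["PEERNAME"]] = p
        elif mo.endswith("IPSECPOLICY"):
            idx["policy"][(p["SPGN"], p["SPSN"])] = p
        elif mo.endswith("IPSECBIND"):
            idx["bind"].setdefault(p["SPGN"], set()).add((p["SN"], p["PT"], p["PN"]))
        elif mo.endswith("BFDSESSION"):
            idx["bfd"][p["BFDSN"]] = p
        elif mo.endswith("ACLRULE"):
            idx["acl"].setdefault(p["ACLID"], []).append(p)
        elif mo.endswith("IPSECDTNL"):
            idx["dtnl"][p["DUALID"]] = p
    return idx

def expected_phase2_sa_count(idx, aclid):
    """Phase-2 SAs that DSP IKESA should list: one per PERMIT rule in the ACL."""
    return sum(1 for r in idx["acl"].get(aclid, []) if r.get("ACTION") == "PERMIT")

def check_tunnel_pair(idx, dualid="0"):
    """Return findings for one IPSECDTNL; an empty list means the pair is consistent."""
    d = idx["dtnl"].get(dualid)
    if d is None:
        return [f"no IPSECDTNL with DUALID={dualid}"]
    findings = []
    roles = {"master": (d["MSPGN"], d["MSPSN"], d["MBFDSN"]),
             "slave": (d["SSPGN"], d["SSPSN"], d["SBFDSN"])}
    for role, (spgn, spsn, bfdsn) in roles.items():
        pol = idx["policy"].get((spgn, spsn))
        if pol is None:
            findings.append(f"{role}: policy {spgn}/{spsn} is not defined")
            continue
        peer = idx["peer"].get(pol["PEERNAME"])
        if peer is None:
            findings.append(f"{role}: IKE peer {pol['PEERNAME']} is not defined")
            continue
        if spgn not in idx["bind"]:
            findings.append(f"{role}: policy group {spgn} is not bound to a port")
        bfd = idx["bfd"].get(bfdsn)
        if bfd is None:
            findings.append(f"{role}: BFD session {bfdsn} is not defined")
        elif (bfd["SRCIP"], bfd["DSTIP"]) != (peer["LOCALIP"], peer["REMOTEIP"]):
            # BFD must probe the tunnel's own path, or a dead SeGW never triggers failover.
            findings.append(f"{role}: BFD session {bfdsn} does not follow IKE peer {pol['PEERNAME']}")
    (mg, _, _), (sg, _, _) = roles["master"], roles["slave"]
    if mg != sg and idx["bind"].get(mg, set()) & idx["bind"].get(sg, set()):
        # Per the NOTE above, different group names imply the policies sit on separate ports.
        findings.append("different policy groups are bound to the same port")
    return findings
```

Run check_tunnel_pair(index(parse_mml(script)), "0") on a script before executing it on the base station; any finding points at the MO that DSP IPSECDTNL or DSP IKESA would later show as missing.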
- The MOs in Table 10-27 are contained in a scenario-specific summary data file. In this situation, set the parameters in the MOs, and then verify and save the file.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
- Some MOs in Table 10-27 are not contained in a scenario-specific summary data file. In this situation, customize a summary data file to include the MOs before you can set the parameters.
| MO | Sheet in the Summary Data File | Parameter Group | Remarks |
| BTSIKEPROPOSAL | BTS Transport Layer | PROPID, ENCALG, AUTHALG, AUTHMETH, DHGRP, PRFALG, DURATION | |
| BTSIKEPEER | | PEERNAME, PROPID, IKEVERSION, EXCHMODE, IDTYPE, REMOTEIP, REMOTENAME, DPD, DPDIDLETIME, DPDRETRI, DPDRETRN | |
| BTSIKEPEER | BTS Transport Layer | PKEY, LOCALIP | |
| BTSIPSECPROPOSAL | BTS Transport Layer | PROPNAME, ENCAPMODE, TRANMODE, AHAUTHALG, ESPAUTHALG, ESPENCALG | |
| BTSIPSECPOLICY | BTS Transport Layer | SPGN, SPSN, ACLID, PROPNAME, PEERNAME, PFS, LTCFG, LTS, LTKB, REPLAYWND | |
| BTSIPSECBIND | BTS Transport Layer | CN, SRN, SN, SBT, PT, PN, SPGN | |
| BTSACL | BTS Transport Layer | ACLID, ACLDESC | |
| BTSACLRULE | BTS Transport Layer | ACLID, RULEID, ACTION, PT, SIP, DIP, SWC, DWC, SMPT, SOP, SPT1, SPT2, DMPT, DOP, DPT1, DPT2, MDSCP, DSCP, MFRG, VLANIDOP, VLANID1, VLANID2 | |
| BTSIPGUARD | Common Data | IPSECREPLAYCHKSW, IPSECREPLAYALARMTHD | |
For the batch configuration of GBTSs, see the section "Creating GBTSs in Batches" in 3900 Series Base Station Initial Configuration Guide.
Using the CME to Perform Batch Configuration for Existing Base Stations
Batch reconfiguration using the CME is the recommended method to activate a feature on
existing base stations. This method reconfigures all data, except neighbor relationships, for
multiple eNodeBs in a single procedure. The procedure is as follows:
Step 1 Choose CME > Advanced > Customize Summary Data File from the main menu of an M2000
client, or choose Advanced > Customize Summary Data File from the main menu of a CME
client, to customize a summary data file for batch reconfiguration.
Step 2 Export the NE data stored on the CME into the customized summary data file.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Export Data > eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Export Data > Export eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Export Data > Export Base Station Bulk Configuration Data from the main menu of the CME client.
Step 3 In the summary data file, set the parameters in the MOs listed in Table 10-27 and close the file.
Step 4 Import the summary data file into the CME.
- For co-MPT multimode base stations: Choose CME > SRAN Application > MBTS Application > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose SRAN Application > MBTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT GSM-involved multimode base stations or GO base stations: Choose CME > GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the M2000 client, or choose GSM Application > Import Data > Import eGBTS Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT UMTS-involved multimode base stations or UO base stations: Choose CME > UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose UMTS Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
- For separate-MPT LTE-involved multimode base stations or LO base stations: Choose CME > LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the M2000 client, or choose LTE Application > Import Data > Import Base Station Bulk Configuration Data from the main menu of the CME client.
For details about how to import and export data, see the M2000 online help.
----End
Activation Observation
Observing the IPsec Tunnel
Step 1 Run the DSP BTSIKESA command to check the SA status.
As shown in the following figure, all SAs are successfully established when the command output
indicates both of the following:
l The status of SAs in the first and second phases is Ready StayAlive.
l The number of SAs in the second phase is the same as the number of ACL rules whose
ACTION is set to PERMIT.
Step 2 Run the DSP BTSIPSECSA command to check the IPsec SA status.
The following is an example of the command output.
Step 3 Check whether services protected by the IPsec tunnel are normal.
l If voice services are protected by IPsec, initiate a voice service and check whether the service
is running normally.
l If management packets are protected by IPsec, observe whether the GBTS deployed with the
IPsec tunnel is online on the M2000 topology view.
Step 4 Check the IPsec replay status.
1. Check whether ALM-25950 Base Station Being Attacked is reported with "Specific Problem" set to IPsec Replay. If so, IPsec replay attacks exist.
2. If IPsec replay attacks exist, run the DSP BTSINVALIDPKTINFO command to query IPsec replay packets.
Only the latest 100 invalid packets can be displayed in the command output and only the first 64 bytes of an invalid packet can be displayed in the value of the Invalid Packet Data parameter. The following is an example of the command output.
----End
Observing the Primary and Secondary IPsec Tunnels
Step 1 Run the DSP BTSIPSECSA command to separately check the status of the primary and
secondary IPsec tunnels.
If data about the primary and secondary IPsec SAs is displayed in the command output, the
primary and secondary IPsec tunnels have been established successfully.
Step 2 Disable the primary IPsec tunnel and then check whether services are running normally.
1.
2. Run the DSP BTSIPSECDTNL command to check whether the IPsec policy in use is the standby IPsec SA.
3. Initiate a voice service and a data service and then check whether the two services are running normally.
4. Observe whether the base station deployed with the primary and secondary IPsec tunnels is online on the M2000 topology view.
----End
On the co-MPT GL dual-mode base station, the UMPT_GL provides IPsec for the following
data flows:
l Certificate management-related data flows between the GL dual-mode base station and CA.
l Data flows generated when the GL dual-mode base station obtains CRLs from the CRL server.
The GTMUb and UMPT_L communicate with each other through the BBU backplane.
The UMPT_L transfers GBTS data and provides IPsec for the following data flows:
l GBTS/eNodeB signaling and service data flows.
l eNodeB O&M data flows.
l Certificate management-related data flows between the eNodeB and CA.
l Data flows generated when the eNodeB obtains CRLs from the CRL server.
NOTE
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a GL dual-mode base station using UMPT_GL:
l Do not modify IPsec configurations if an existing ACL rule applies to eGBTS signaling and service
data flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured.
l Add an ACL rule whose ACTION is set to PERMIT for eGBTS signaling and service data flows if
existing ACL rules do not apply to these data flows.
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a GL dual-mode base station using GTMUb+UMPT_L:
l Do not modify IPsec configurations if an existing ACL rule applies to GBTS signaling and service data
flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been configured.
l Add an ACL rule whose ACTION is set to PERMIT for GBTS signaling and service data flows if
existing ACL rules do not apply to these data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GL dual-mode base station.
Using MML Commands
On the co-MPT GL dual-mode base station using UMPT_GL, run the ADD ACLRULE
command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
On the separate-MPT GL dual-mode base station using GTMUb+UMPT_L, run the ADD
ACLRULE command as follows:
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a GL dual-mode base station, observe
the status of GSM and LTE services and the online status of the GBTS/eGBTS and eNodeB.
On the co-MPT GU dual-mode base station, the UMPT_GU provides IPsec for the following
data flows:
l Certificate management-related data flows between the GU dual-mode base station and CA.
l Data flows generated when the GU dual-mode base station obtains CRLs from the CRL server.
The GTMUb and UMPT_U communicate with each other through the BBU backplane.
The UMPT_U transfers GBTS data and provides IPsec for the following data flows:
l GBTS/NodeB signaling and service data flows.
l NodeB O&M data flows.
l Certificate management-related data flows between the NodeB and CA.
l Data flows generated when the NodeB obtains CRLs from the CRL server.
NOTE
If an IPsec network with a NodeB using UMPT_U is evolved into a co-IPsec network with a GU dual-mode base station using UMPT_GU:
l Do not modify IPsec configurations if an existing ACL rule applies to eGBTS signaling and service
data flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured.
l Add an ACL rule whose ACTION is set to PERMIT for eGBTS signaling and service data flows if
existing ACL rules do not apply to these data flows.
If an IPsec network with a NodeB using UMPT_U is evolved into a co-IPsec network with a GU dual-mode base station using GTMUb+UMPT_U:
l Do not modify IPsec configurations if an existing ACL rule applies to GBTS signaling and service
data flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured.
l Add an ACL rule whose ACTION is set to PERMIT for GBTS signaling and service data flows if
existing ACL rules do not apply to these data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GU dual-mode base station.
Using MML Commands
On the co-MPT GU dual-mode base station using UMPT_GU, run the ADD ACLRULE
command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, PT=IP, SIP="35.35.35.188", SWC="0.0.0.0",
DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, PT=IP, SIP="32.32.32.1", SWC="0.0.0.0",
DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, PT=IP, SIP="30.30.30.1", SWC="0.0.0.0",
DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
On the separate-MPT GU dual-mode base station using GTMUb+UMPT_U, run the ADD
ACLRULE command as follows:
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a GU dual-mode base station, observe
the status of GSM and UMTS services and the online status of the GBTS/eGBTS and NodeB.
On the co-MPT UL dual-mode base station, the UMPT_UL provides IPsec for the following
data flows:
l Certificate management-related data flows between the UL dual-mode base station and CA.
l Data flows generated when the UL dual-mode base station obtains CRLs from the CRL server.
The UMPT_U and UMPT_L communicate with each other through the BBU backplane.
The UMPT_L transfers NodeB data and provides IPsec for the following data flows:
l NodeB/eNodeB signaling and service data flows.
l NodeB/eNodeB O&M data flows.
l Certificate management-related data flows between the eNodeB and CA.
l Data flows generated when the eNodeB obtains CRLs from the CRL server.
NOTE
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a UL dual-mode base station using UMPT_UL:
l Do not modify IPsec configurations if an existing ACL rule applies to NodeB signaling and service
data flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured.
l Add an ACL rule whose ACTION is set to PERMIT for NodeB signaling and service data flows if
existing ACL rules do not apply to these data flows.
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a UL
dual-mode base station using UMPT_U+UMPT_L:
l If an existing ACL rule applies to NodeB signaling and service data flows (that is, an ACL rule in Any
to Any mode whose ACTION is set to PERMIT has been configured):
- Do not modify IPsec configurations when O&M data is protected by IPsec.
- Add an ACL rule whose ACTION is set to DENY for NodeB O&M data flows when O&M data is
not protected by IPsec. ACLID for this ACL rule must be smaller than that for any ACL rule in Any
to Any mode.
l If existing ACL rules do not apply to NodeB signaling, service, and O&M data flows, add an ACL rule
whose ACTION is set to PERMIT for these data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a UL dual-mode base station.
Using MML Commands
On the co-MPT UL dual-mode base station using UMPT_UL, run the ADD ACLRULE
command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="32.32.32.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
On the separate-MPT UL dual-mode base station using UMPT_U+UMPT_L, run the ADD
ACLRULE command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="32.32.32.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="30.30.30.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=4, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a UL dual-mode base station, observe
the status of UMTS and LTE services and the online status of the NodeB and eNodeB.
In this networking scenario, the UMPT_GUL provides IPsec for the following data flows:
l Certificate management-related data flows between the GUL multimode base station and CA.
l Data flows generated when the GUL multimode base station obtains CRLs from the CRL server.
NOTE
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a GUL
multimode base station using UMPT_GUL:
l Do not modify IPsec configurations if an existing ACL rule applies to eGBTS and NodeB signaling
and service data flows, that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT.
l Add an ACL rule whose ACTION is set to PERMIT for eGBTS and NodeB signaling and service
data flows if existing ACL rules do not apply to these data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GUL multimode base station.
Using MML Commands
Run the ADD ACLRULE command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="32.32.32.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=4, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a GUL multimode base station, observe
the status of GSM, UMTS, and LTE services and the online status of the eGBTS, NodeB, and
eNodeB.
In the root BBU, the GTMUb and UCIU communicate with the UMPT_L through the BBU
backplane.
The root and leaf BBUs are interconnected by connecting the UCIU and UMPT_U.
NOTE
If an IPsec network with an eNodeB using UMPT_L is evolved into a co-IPsec network with a GUL
multimode base station (UMPT_L+GTMUb+UCIU in the root BBU and UMPT_U in the leaf BBU):
l If an existing ACL rule applies to eGBTS/NodeB signaling and service data flows and NodeB O&M
data flows (that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured):
- Do not modify IPsec configurations when O&M data is protected by IPsec.
- Add an ACL rule whose ACTION is set to DENY for NodeB O&M data flows when O&M data is
not protected by IPsec. ACLID for this ACL rule must be smaller than that for any ACL rule in Any
to Any mode.
l If existing ACL rules do not apply to these data flows, add ACL rules whose ACTION is set to PERMIT
for eGBTS/NodeB signaling and service data flows and for NodeB O&M data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GUL multimode base station.
Using MML Commands
Run the ADD ACLRULE command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="32.32.32.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=4, ACTION=PERMIT, PT=IP, SIP="30.30.30.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=5, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
NOTE
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a GUL multimode base station, observe
the status of GSM, UMTS, and LTE services and the online status of the GBTS, NodeB, and
eNodeB.
Figure 10-15 Example of deploying co-IPsec on a GUL multimode base station on a PKI-based
secure network
In the root BBU, the GTMUb and UCIU communicate with the UMPT_U through the BBU
backplane.
The root and leaf BBUs are interconnected by connecting the UCIU and UMPT_L.
If an IPsec network with a NodeB using UMPT_U is evolved into a co-IPsec network with a GUL
multimode base station (UMPT_U+GTMUb+UCIU in the root BBU and UMPT_L in the leaf BBU):
l If an existing ACL rule applies to eGBTS/eNodeB signaling and service data flows and eNodeB O&M
data flows (that is, an ACL rule in Any to Any mode whose ACTION is set to PERMIT has been
configured):
- Do not modify IPsec configurations when O&M data is protected by IPsec.
- Add an ACL rule whose ACTION is set to DENY for eNodeB O&M data flows when O&M data is
not protected by IPsec. ACLID for this ACL rule must be smaller than that for any ACL rule in Any
to Any mode.
l If existing ACL rules do not apply to eGBTS/eNodeB signaling and service data flows and eNodeB
O&M data flows, add ACL rules whose ACTION is set to PERMIT for these data flows.
Data Preparation
For details, see Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB.
Initial Configuration
For details, see Initial Configuration in section 10.6.1 Deploying IPsec on an eGBTS, NodeB,
or eNodeB. The following describes only the differences in initial configuration of a PKI-based
secure network between an eGBTS/NodeB/eNodeB and a GUL multimode base station.
Using MML Commands
Run the ADD ACLRULE command as follows:
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="32.32.32.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=4, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=5, ACTION=PERMIT, PT=IP, SIP="30.30.30.1",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
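To make two points from the notes above concrete, the ACL ordering rule (a DENY rule for O&M flows must carry a smaller ACLID than an Any-to-Any PERMIT rule) and the activation check that the number of phase-2 SAs equals the number of PERMIT rules, here is an added Python example that is not Huawei's code: it parses ADD ACLRULE statements exactly as printed on this page and evaluates them. First-match precedence by ascending (ACLID, RULEID), inverse-mask semantics for SWC/DWC, and the 192.0.2.x/198.51.100.x addresses are assumptions made for this example only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ANY_WC = 0xFFFFFFFF  # wildcard 255.255.255.255: every address bit is "don't care"

# One KEY=VALUE pair of an MML command; string values are double-quoted.
_KV = re.compile(r'(\w+)=("?)([^,;"]*)\2')


def _ip(v: str) -> int:
    return int(ipaddress.IPv4Address(v))


@dataclass(frozen=True)
class AclRule:
    aclid: int
    ruleid: int
    action: str  # PERMIT or DENY; ACTION defaults to PERMIT per the parameter table
    sip: int
    swc: int
    dip: int
    dwc: int

    def is_any_to_any(self) -> bool:
        return self.swc == ANY_WC and self.dwc == ANY_WC

    def matches(self, src: str, dst: str) -> bool:
        # Assumed inverse-mask compare: bits set in SWC/DWC are ignored.
        s, d = _ip(src), _ip(dst)
        return ((s | self.swc) == (self.sip | self.swc)
                and (d | self.dwc) == (self.dip | self.dwc))


def parse_aclrules(mml: str) -> List[AclRule]:
    """Parse every ';'-terminated ADD ACLRULE statement in an MML script."""
    rules = []
    for stmt in mml.split(";"):
        stmt = stmt.strip()
        if not stmt.startswith("ADD ACLRULE:"):
            continue
        kv = {k: v for k, _q, v in _KV.findall(stmt.split(":", 1)[1])}
        rules.append(AclRule(
            aclid=int(kv["ACLID"]), ruleid=int(kv["RULEID"]),
            action=kv.get("ACTION", "PERMIT"),
            sip=_ip(kv["SIP"]), swc=_ip(kv["SWC"]),
            dip=_ip(kv["DIP"]), dwc=_ip(kv["DWC"])))
    # Assumed precedence: lower ACLID first, then lower RULEID; first match wins.
    return sorted(rules, key=lambda r: (r.aclid, r.ruleid))


def lookup(rules: List[AclRule], src: str, dst: str) -> Optional[AclRule]:
    """First rule in precedence order that matches a src/dst pair, or None."""
    return next((r for r in rules if r.matches(src, dst)), None)


def permit_rule_count(rules: List[AclRule]) -> int:
    """PERMIT rules: the phase-2 SA count expected in the DSP BTSIKESA output."""
    return sum(1 for r in rules if r.action == "PERMIT")


def deny_precedes_any_to_any(rules: List[AclRule]) -> bool:
    """Ordering rule from the note: every DENY rule needs a smaller ACLID than
    every Any-to-Any PERMIT rule, or the PERMIT rule swallows the O&M traffic."""
    any_ids = [r.aclid for r in rules if r.action == "PERMIT" and r.is_any_to_any()]
    deny_ids = [r.aclid for r in rules if r.action == "DENY"]
    return all(d < a for d in deny_ids for a in any_ids)


# The three co-MPT GL dual-mode rules printed on this page (all PERMIT).
PAGE_RULES = """
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="35.35.35.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, ACTION=PERMIT, PT=IP, SIP="33.33.33.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, ACTION=PERMIT, PT=IP, SIP="31.31.31.188",
SWC="0.0.0.0", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
"""

# Constructed scenario (addresses are not from the page): NodeB O&M IP talking
# to the M2000 must stay outside IPsec; everything else hits the Any-to-Any PERMIT.
OAM_IP, M2000_IP = "192.0.2.10", "198.51.100.20"
GOOD_RULES = f"""
ADD ACLRULE: ACLID=2000, RULEID=1, ACTION=DENY, PT=IP, SIP="{OAM_IP}",
SWC="0.0.0.0", DIP="{M2000_IP}", DWC="0.0.0.0", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=1, ACTION=PERMIT, PT=IP, SIP="0.0.0.0",
SWC="255.255.255.255", DIP="0.0.0.0", DWC="255.255.255.255", MDSCP=NO;
"""
# Same rules with the DENY rule's ACLID larger than the Any-to-Any rule's:
# the misconfiguration the note warns against.
BAD_RULES = GOOD_RULES.replace("ACLID=2000", "ACLID=4000")
```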
NOTE
Activation Observation
For details, see Activation Observation in section 10.6.1 Deploying IPsec on an eGBTS,
NodeB, or eNodeB. When co-IPsec is implemented on a GUL multimode base station, observe
the status of GSM, UMTS, and LTE services and the online status of the GBTS, NodeB, and
eNodeB.
l REMOTENAME in the IKEPEER MO must be set to the same value as Local Name in the IKE MO on the SeGW. PKEY must be set and its settings on the local and peer ends must be the same.
l In the IKEPEER MO, if IKEVERSION and EXCHMODE are set to IKE_V1 and MAIN, respectively, IDTYPE must be set to IP.
l If IKEVERSION and IDTYPE in the IKEPEER MO are set to IKE_V2 and FQDN, respectively, IKELNM in the IKECFG MO must be set, and the value of IKELNM must be the same as the value of Remote Name in the IKE MO on the SeGW.
l In the ACLRULE MO, ACL rules do not need to be configured for certificate management-related data flows and CRL-related data flows.
The following uses the network shown in Figure 10-16 as an example to describe how to deploy
IPsec on an eNodeB on a PSK-based secure network. IPsec configurations in other scenarios
are similar and are not described in this document.
Figure 10-16 Example of deploying IPsec on an eNodeB on a PSK-based secure network
Parameter Name | Parameter ID | Setting Notes | Data Source
Authentication Method | AUTHMETH | | Network plan; Negotiation with the IKE peer
Local ID Type | IDTYPE | If PSK authentication is used and if IKEVERSION and EXCHMODE are set to IKE_V1 and MAIN, respectively, set this parameter to IP. | Network plan
Remote Name | REMOTENAME | If PSK authentication is used, set this parameter to a value same as the IKE local name configured at the SeGW. |
Pre-shared Key | PKEY | If PSK authentication is used, set this parameter to a value same as that of the IKE peer. | Negotiation with the IKE peer

Parameter Name | Parameter ID | Setting Notes | Data Source
Local Name | IKELNM | |
Issue 02 (2013-07-30)
110
SingleRAN
IPsec Feature Parameter Description
10 Engineering Guidelines
Data flows generated when the eNodeB obtains CRLs from the CRL server
Figure 10-17 Example of reconstructing an insecure network into a PKI-based secure network
for an eNodeB
Before the reconstruction, the eNodeB must meet the hardware requirements described in section
10.3.2 Hardware Planning.
General Procedure
The general procedure for IPsec and PKI configuration modification is as follows:
A PKI system, in which the CA is preconfigured with the Huawei root certificate.
Information about the CA, including the CA name, uniform resource locator (URL) of the
CA, and signature algorithm used by the CA.
Data Planning
Reconstructing an insecure network to a PKI-based secure network requires special IP address
planning, as described in Table 10-31.
Table 10-31 Special IP address planning for reconstructing an insecure network into a PKI-based secure network
Item
Example
Remarks
20.20.20.188/24
Signaling/service IP address
of the eNodeB
33.33.33.188/32
31.31.31.188/32
l 31.31.31.188/32
l 45.45.45.45/32
l 20.20.20.188/24
IPsec data planning is similar to that described in Data Preparation in section 10.6.1 Deploying
IPsec on an eGBTS, NodeB, or eNodeB.
PKI data planning is the same as that described in section "Data Preparation" in PKI Feature
Parameter Description.
The eNodeB meets the hardware requirements described in section 10.3.2 Hardware
Planning.
The licenses for the IPsec and PKI features have been activated on the base station.
The eNodeB is preconfigured with a Huawei-issued device certificate and the Huawei root
certificate.
Step 2 On the Application Center tab page, double-click the CME icon to start the CME.
Step 3 On the CME, choose CM Express > Planned Area, and click
script.
Step 4 In the Export Incremental Scripts dialog box, choose a specific base station to which the script
is exported, specify Output Path and Script Executor Operation, and click OK.
Step 5 On the displayed Script Executor page, observe the export progress.
Step 6 After the export is complete, restart the base station to make the script take effect.
----End
Activation Observation
Step 1 Run the DSP IKESA command to check the SA status.
As shown in the following figure, all SAs are successfully established when the command output
indicates both of the following:
l The status of SAs in the first and second phases is Ready StayAlive.
l The number of SAs in the second phase is the same as the number of ACL rules whose
ACTION is set to PERMIT.
Step 2 Run the DSP IPSECSA command to check the IPsec SA status.
The following is an example of the command output:
----End
Figure 10-18 Example of reconstructing an insecure network into a PSK-based secure network
for an eNodeB
Before the reconstruction, the eNodeB must meet the hardware requirements described in section
10.3.2 Hardware Planning.
General Procedure
The general procedure for IPsec configuration modification is as follows:
1. The operator deploys an SeGW on the network. The SeGW is configured with an operator-issued device certificate, an operator's root certificate, and security-related parameters.
2. Engineering personnel collect information about the SeGW. For details, see section 10.2 Required Information.
Data Planning
Reconstructing an insecure network to a PSK-based secure network requires special IP address
planning, as described in Table 10-32.
Table 10-32 Special IP address planning for reconstructing an insecure network into a PSK-based secure network
Item
Example
Remarks
20.20.20.188/24
Signaling/service IP address
of the eNodeB
33.33.33.188/32
31.31.31.188/32
IPsec data planning is similar to that described in Data Preparation in section 10.6.1 Deploying IPsec on an eGBTS, NodeB, or eNodeB. The following describes only the differences in IPsec data planning between a reconstructed PSK-based secure network and a newly deployed PKI-based secure network:
Parameter Name | Parameter ID | Setting Notes | Data Source
Authentication Method | AUTHMETH | | Network plan; Negotiation with the IKE peer
Local ID Type | IDTYPE | | Network plan
Remote Name | REMOTENAME | | Negotiation with the IKE peer
Pre-shared Key | PKEY | |

Parameter Name | Parameter ID | Setting Notes | Data Source
Local Name | IKELNM | | Network plan
The eNodeB meets the hardware requirements described in section 10.3.2 Hardware
Planning.
The license for the IPsec feature has been activated on the eNodeB.
Activation Observation
For details about how to observe IPsec, see Activation Observation of section 10.8.1
Reconstruction from an Insecure Network to a PKI-based Secure Network.
General Procedure
The general procedure for IPsec and PKI configuration modification is as follows:
1. The operator deploys a PKI system on the network and preconfigures the Huawei root certificate on a CA in the system.
2.
3. Engineering personnel collect information about the CA, including the CA name, URL of the CA, and signature algorithm used by the CA.
Data Planning
Reconstructing a PSK-based secure network to a PKI-based secure network requires special IP address planning, as described in Table 10-36 Special IP address planning for reconstructing a PSK-based secure network into a PKI-based secure network.
Example
Remarks
l 31.31.31.188/32
l 45.45.45.45/32
l 20.20.20.188/24
REMOTENAME in the IKEPEER MO must be set to be consistent with the value of the
subjectaltname field in the device certificate used by the SeGW.
NOTE
PKI data planning is the same as that described in section "Data Preparation" in PKI Feature
Parameter Description.
The eNodeB meets the hardware requirements described in section 10.3.2 Hardware
Planning.
Huawei Proprietary and Confidential
Copyright Huawei Technologies Co., Ltd.
The license for the PKI feature has been activated on the eNodeB.
The eNodeB is preconfigured with a Huawei-issued device certificate and the Huawei root
certificate.
Activation Observation
For details, see Activation Observation in section 10.8.1 Reconstruction from an Insecure
Network to a PKI-based Secure Network.
10.11 Troubleshooting
After the IPsec feature is activated, the base station may report the following alarms:
l ALM-25950 Base Station Being Attacked with "Specific Problem" set to IPsec Replay
For details about how to clear these alarms for each type of base station, see the following sections
in 3900 Series Base Station Alarm Reference:
l
11 Parameters
Parameter ID: SPGN
NE: BTS3900
MML Command: ADD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY, MOD IPSECPOLICY, RMV IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 1~15 characters. Unit: None. Actual Value Range: 1~15 characters. Default Value: None.
Parameter ID: SPSN
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, RMV IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the sequence No. of the IPSec policy group. The smaller the number, the higher the priority. GUI Value Range: 1~10000. Unit: None. Actual Value Range: 1~10000. Default Value: None.
Parameter ID: LTCFG
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the configuration mode of the IPSec SA life cycle. If this parameter is set to GLOBAL, the default SA life cycle is used. In this case, LTS and LTKB are set to the default values 3600 and 69120000, respectively. If this parameter is set to LOCAL, the SA life cycle is configurable. GUI Value Range: GLOBAL(Global Configuration), LOCAL(Local Configuration). Unit: None. Actual Value Range: GLOBAL, LOCAL. Default Value: LOCAL(Local Configuration).
Parameter ID: LTS
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 30~604800. Unit: s. Actual Value Range: 30~604800. Default Value: 3600.
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description

Parameter ID: LTKB
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 0, 1843200~4294967295 | Unit: KB | Actual Value Range: 0, 1843200~4294967295 | Default Value: 69120000

Parameter ID: REPLAYWND
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: WND_DISABLE(0), WND_32(32), WND_64(64), WND_128(128), WND_256(256), WND_512(512), WND_1024(1024), WND_2048(2048), WND_4096(4096) | Unit: None | Actual Value Range: WND_DISABLE, WND_32, WND_64, WND_128, WND_256, WND_512, WND_1024, WND_2048, WND_4096 | Default Value: WND_DISABLE(0)

Parameter ID: ACTION
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: GUI Value Range: DENY(Deny), PERMIT(Permit) | Unit: None | Actual Value Range: DENY, PERMIT | Default Value: PERMIT(Permit)

Parameter ID: ENCAPMODE
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, MOD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the encapsulation mode of an IPSec proposal, which can be set to TUNNEL or TRANSPORT. In TRANSPORT mode, only data is encrypted. In TUNNEL mode, the whole IP packet is protected, and a new IP header is added to the original IP packet. The source IP address and the destination IP address of the new IP header are the IP addresses of the two ends of the security tunnel. Both the TRANSPORT mode and the TUNNEL mode are used for end-to-end IPSec protection. The TUNNEL mode, however, is also applied to the protection of a certain segment. | GUI Value Range: TUNNEL(Tunnel), TRANSPORT(Transport) | Unit: None | Actual Value Range: TUNNEL, TRANSPORT | Default Value: TUNNEL(Tunnel)

Parameter ID: LOCALIP
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the IP address of the local end, which is used in IKE negotiation. This IP address can be set to 0.0.0.0 or a configured interface IP address at the local end. If this parameter is set to 0.0.0.0, the BS automatically uses the interface IP address to negotiate with the peer. If multiple IP addresses are configured at the port, it is recommended that you specify one IP address for the negotiation. If the local BS uses the digital certificate and IP address for authentication in the negotiation, ensure that the IP address in the certificate is the same as the local IP address of the BS. | GUI Value Range: Valid IP address | Unit: None | Actual Value Range: Valid IP address | Default Value: 0.0.0.0

Parameter ID: REMOTEIP
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the IP address of the peer end. | GUI Value Range: Valid IP address | Unit: None | Actual Value Range: Valid IP address | Default Value: None

Parameter ID: IDTYPE
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec

Parameter ID: IKEVERSION
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: IKE_V1(IKE V1), IKE_V2(IKE V2) | Unit: None | Actual Value Range: IKE_V1, IKE_V2 | Default Value: IKE_V2(IKE V2)

Parameter ID: EXCHMODE
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: MAIN(Main Mode), AGGRESSIVE(Aggressive Mode) | Unit: None | Actual Value Range: MAIN, AGGRESSIVE | Default Value: MAIN(Main Mode)

Parameter ID: DHGRP
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: DH_GROUP1(768-bit Diffie-Hellman Group), DH_GROUP2(1024-bit Diffie-Hellman Group), DH_GROUP14(2048-bit Diffie-Hellman Group), DH_GROUP15(3072-bit Diffie-Hellman Group) | Unit: None | Actual Value Range: DH_GROUP1, DH_GROUP2, DH_GROUP14, DH_GROUP15 | Default Value: DH_GROUP2(1024-bit Diffie-Hellman Group)

Parameter ID: PRFALG
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the Pseudo-random Function (PRF) algorithm used in IKEv2. The PRF algorithm is used to generate the materials required for IKE authentication and encryption. For details about how to generate materials, see RFC4306. | GUI Value Range: HMAC_MD5(HMAC_MD5), HMAC_SHA1(HMAC_SHA1), AES128_XCBC(AES128_XCBC) | Unit: None | Actual Value Range: HMAC_MD5, HMAC_SHA1, AES128_XCBC | Default Value: HMAC_SHA1(HMAC_SHA1)

Parameter ID: DURATION
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: … its life cycle elapses. | GUI Value Range: 60~604800 | Unit: s | Actual Value Range: 60~604800 | Default Value: 86400

Parameter ID: DPD
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates whether to enable the dead peer detection (DPD) function. | GUI Value Range: DISABLE(Disable), PERIODIC(Periodic) | Unit: None | Actual Value Range: DISABLE, PERIODIC | Default Value: PERIODIC(Periodic)

Parameter ID: DPDIDLETIME
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 10~3600 | Unit: s | Actual Value Range: 10~3600 | Default Value: 10

Parameter ID: DPDRETRN
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec

Parameter ID: DPDRETRI
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 3~30 | Unit: s | Actual Value Range: 3~30 | Default Value: 5

Parameter ID: PWD
NE: BTS3900
MML Command: SET IPSECBYPASSCFG, DSP IPSECBYPASSCFG, LST IPSECBYPASSCFG
Feature ID: None
Feature Name: None
Description: Meaning: Indicates the password used for switching the base station between an IPSec network and a non-IPSec network. | GUI Value Range: 1~19 characters | Unit: None | Actual Value Range: 1~19 characters | Default Value: None

Parameter ID: MSPGN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID: LOFD-003019 / TDLOFD-003019, GBFD-113524, WRFD-140209
Feature Name: IPsec Tunnel Backup, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 1~15 characters | Unit: None | Actual Value Range: 1~15 characters | Default Value: None

Parameter ID: MSPSN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID: LOFD-003019 / TDLOFD-003019, GBFD-113524, WRFD-140209
Feature Name: IPsec Tunnel Backup, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the ID of the primary IPSec policy. The primary IPSec tunnel uses the primary IPSec policy, which is identified by this parameter and the MSPGN parameter together. | GUI Value Range: 1~10000 | Unit: None | Actual Value Range: 1~10000 | Default Value: None

Parameter ID: SSPGN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID: LOFD-003019 / TDLOFD-003019, GBFD-113524, WRFD-140209
Feature Name: IPsec Tunnel Backup, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 1~15 characters | Unit: None | Actual Value Range: 1~15 characters | Default Value: None

Parameter ID: SSPSN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID: LOFD-003019 / TDLOFD-003019, GBFD-113524, WRFD-140209
Feature Name: IPsec Tunnel Backup, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the ID of the secondary IPSec policy. The secondary IPSec tunnel uses the secondary IPSec policy, which is identified by this parameter and the SSPGN parameter together. | GUI Value Range: 1~10000 | Unit: None | Actual Value Range: 1~10000 | Default Value: None

Parameter ID: ACLID
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE, MOD ACLRULE, RMV ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the ID of the Access Control List (ACL) to which the ACL rule belongs. | GUI Value Range: 3000~4999 | Unit: None | Actual Value Range: 3000~4999 | Default Value: None

Parameter ID: PROPID
NE: BTS3900
MML Command: ADD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL, MOD IKEPROPOSAL, RMV IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the ID of the IKE proposal. | GUI Value Range: 1~99 | Unit: None | Actual Value Range: 1~99 | Default Value: None

Parameter ID: ACLID
NE: BTS3900
MML Command: ADD ACL, LST ACL, MOD ACL, RMV ACL
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the ID of the Access Control List (ACL) to which the access control rule belongs. An ACL ID in the range from 3000 to 3999 identifies high-level rules based on the layer 3 and layer 4 information. An ACL ID in the range from 4000 to 4999 identifies access control rules based on the MAC layer information. | GUI Value Range: 3000~4999 | Unit: None | Actual Value Range: 3000~4999 | Default Value: None

Parameter ID: PEERNAME
NE: BTS3900
MML Command: ADD IKEPEER, DSP IKEPEER, LST IKEPEER, MOD IKEPEER, RMV IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec

Parameter ID: PROPNAME
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL, MOD IPSECPROPOSAL, RMV IPSECPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Unit: None | Actual Value Range: 1~15 characters | Default Value: None

Parameter ID: IKELNM
NE: BTS3900
MML Command: SET IKECFG, DSP IKECFG, LST IKECFG
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 1~15 characters

Parameter ID: RULEID
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE, MOD ACLRULE, RMV ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the ID of the ACL rule. | GUI Value Range: 1~65535 | Unit: None | Actual Value Range: 1~65535 | Default Value: None

Parameter ID: SIP
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: GUI Value Range: Valid IP address | Unit: None | Actual Value Range: Valid IP address | Default Value: None

Parameter ID: SWC
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the wildcard of the source IP address. The wildcard is used to determine which bits can be neglected when IP address matching is being performed. Generally, it can be considered as the inverse of the corresponding subnet mask. | GUI Value Range: Valid wildcard of the IP address | Unit: None | Actual Value Range: Valid wildcard of the IP address | Default Value: None

Parameter ID: DIP
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the destination IP address of data to which the ACL rule is applied. To add an ACL rule that is applicable to data of all destination IP addresses, set this parameter to 0.0.0.0. | GUI Value Range: Valid IP address | Unit: None | Actual Value Range: Valid IP address | Default Value: None

Parameter ID: DWC
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the wildcard of the destination IP address. The wildcard is used to determine which bits can be neglected when IP address matching is being performed. Generally, it can be considered as the inverse of the corresponding subnet mask. | GUI Value Range: Valid wildcard of the IP address | Unit: None | Actual Value Range: Valid wildcard of the IP address | Default Value: None

Parameter ID: ENCALG
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the encryption algorithm used in the IKE proposal. The Data Encryption Standard (DES) is an internationally used data encryption algorithm, which uses a 56-bit key. 3DES is also an internationally used encryption algorithm, which uses a 168-bit key. The Advanced Encryption Standard (AES) is an advanced encryption algorithm, which provides three key lengths: 128, 192, and 256 bits. Thus, different protection levels are available. For details, see RFC2401. | GUI Value Range: DES(DES), 3DES(3DES), AES128(AES128), AES192(AES192), AES256(AES256) | Unit: None | Actual Value Range: DES, 3DES, AES128, AES192, AES256 | Default Value: AES128(AES128)

Parameter ID: AUTHALG
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the authentication algorithm used in the IKE proposal. IKE uses hashed message authentication code (HMAC) or cipher block chaining (CBC) for identity authentication and data integrity check. For details about HMAC, see RFC4306. HMAC currently supports two hash functions: message digest algorithm 5 (MD5) and secure hash algorithm 1 (SHA1). For details about the hash functions, see RFC2409. MD5 and SHA1 verify data by means of integrity protection. SHA1 provides a higher security level than MD5. CBC currently supports AES-XCBC-96, which is an enhancement to CBC and applies only to IKEv2. For details about AES-XCBC-96, see RFC3566. | GUI Value Range: MD5(MD5), SHA1(SHA1), AES_XCBC_96(AES_XCBC_96) | Unit: None | Actual Value Range: MD5, SHA1, AES_XCBC_96 | Default Value: SHA1(SHA1)

Parameter ID: AUTHMETH
NE: BTS3900
MML Command: ADD IKEPROPOSAL, MOD IKEPROPOSAL, DSP IKEPROPOSAL, LST IKEPROPOSAL
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the authentication mode used in the IKE proposal. For details, see RFC2409. | GUI Value Range: PRE_SHARED_KEY(Pre-shared Key), IKE_RSA_SIG(RSA Digital Certificate Signature) | Unit: None | Actual Value Range: PRE_SHARED_KEY, IKE_RSA_SIG | Default Value: PRE_SHARED_KEY(Pre-shared Key)

Parameter ID: PROPID
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: Meaning: Indicates the ID of the IKE proposal in use. | GUI Value Range: 1~99 | Unit: None | Actual Value Range: 1~99 | Default Value: None

Parameter ID: REMOTENAME
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec

Parameter ID: PKEY
NE: BTS3900
MML Command: ADD IKEPEER, MOD IKEPEER, DSP IKEPEER, LST IKEPEER
Feature ID: LOFD-003009 / TDLOFD-003009, GBFD-113524, WRFD-140209
Feature Name: IPsec, BTS Integrated Ipsec, NodeB Integrated IPSec
Description: GUI Value Range: 0~127 characters | Unit: None | Actual Value Range: 0~127 characters | Default Value: None

Parameter ID: ACLDESC
NE: BTS3900
MML Command: ADD ACL, MOD ACL, LST ACL
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec

Parameter ID: PT
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the protocol type of the data to which the ACL rule is applied. | GUI Value Range: IP(IP), ICMP(ICMP), TCP(TCP), UDP(UDP), SCTP(SCTP) | Unit: None | Actual Value Range: IP, ICMP, TCP, UDP, SCTP | Default Value: None

Parameter ID: SMPT
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates whether to check the source port number of each data stream before applying the ACL rule. | GUI Value Range: NO(No), YES(Yes) | Unit: None | Actual Value Range: NO, YES | Default Value: None

Parameter ID: MFRG
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates whether to match fragment messages. ACL rules that match fragment messages apply only to packet filtering and do not apply to the IPSec function. | GUI Value Range: NO(No), YES(Yes) | Unit: None | Actual Value Range: NO, YES | Default Value: NO(No)

Parameter ID: SOP
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the filtering condition for the source port. If this parameter is set to OP_LT, the ACL rule is applied to the data stream whose source port number is smaller than or equal to the configured port number. If this parameter is set to OP_GT, the ACL rule is applied to the data stream whose source port number is larger than or equal to the configured port number. If this parameter is set to OP_EQ, the ACL rule is applied to the data stream whose source port number is equal to the configured port number. If this parameter is set to OP_NEQ, the ACL rule is applied to the data stream whose source port number is not equal to the configured port number. If this parameter is set to OP_RANGE, the ACL rule is applied to the data stream whose destination port number is within the configured range. OP_NEQ is available only on the LMPT, UMPT, UTRPc and SMPT. | GUI Value Range: OP_LT(Less or Equal), OP_GT(Greater or Equal), OP_EQ(Equivalent), OP_NEQ(Not Equivalent), OP_RANGE(Range) | Unit: None | Actual Value Range: OP_LT, OP_GT, OP_EQ, OP_NEQ, OP_RANGE | Default Value: None

Parameter ID: SPT1
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: GUI Value Range: 0~65535 | Unit: None | Actual Value Range: 0~65535 | Default Value: None

Parameter ID: SPT2
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: GUI Value Range: 0~65535 | Unit: None | Actual Value Range: 0~65535 | Default Value: None

Parameter ID: DMPT
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates whether to check the destination port number of each data stream before applying the ACL rule. | GUI Value Range: NO(No), YES(Yes) | Unit: None | Actual Value Range: NO, YES | Default Value: None

Parameter ID: DOP
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the filtering condition for the destination port. This parameter is valid only when DMPT is set to YES. If this parameter is set to OP_LT, the ACL rule is applied to the data stream whose destination port number is smaller than or equal to the configured port number. If this parameter is set to OP_GT, the ACL rule is applied to the data stream whose destination port number is larger than or equal to the configured port number. If this parameter is set to OP_EQ, the ACL rule is applied to the data stream whose destination port number is equal to the configured port number. If this parameter is set to OP_NEQ, the ACL rule is applied to the data stream whose destination port number is not equal to the configured port number. If this parameter is set to OP_RANGE, the ACL rule is applied to the data stream whose destination port number is within the configured range. OP_NEQ is available only on the LMPT, UMPT, UTRPc and SMPT. | GUI Value Range: OP_LT(Less or Equal), OP_GT(Greater or Equal), OP_EQ(Equivalent), OP_NEQ(Not Equivalent), OP_RANGE(Range) | Unit: None | Actual Value Range: OP_LT, OP_GT, OP_EQ, OP_NEQ, OP_RANGE | Default Value: None

Parameter ID: DPT1
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the destination port number used when DMPT is set to YES. If DOP is set to OP_RANGE, this parameter indicates the smallest destination port number. If DOP is not set to OP_RANGE, this parameter indicates a specific destination port number. | GUI Value Range: 0~65535 | Unit: None | Actual Value Range: 0~65535 | Default Value: None

Parameter ID: DPT2
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the destination port number used when DMPT is set to YES. If DOP is set to OP_RANGE, this parameter indicates the largest destination port number. This parameter is valid only when DOP is set to OP_RANGE. | GUI Value Range: 0~65535 | Unit: None | Actual Value Range: 0~65535 | Default Value: None
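The ACL matching semantics that the SWC/DWC, SOP/DOP and DPT1/DPT2 descriptions above define (wildcard as the inverse of a subnet mask, OP_LT and OP_GT inclusive, OP_RANGE bounded by the two port parameters), as an added example; this is not Huawei's code, and the packet dictionary, the Python field names, the use of SPT1/SPT2 for a source-port OP_RANGE and the first-match rule order are assumptions of the example.

```python
"""Added example (not Huawei code): evaluates ACLRULE match conditions as the
parameter descriptions define them. Field names mirror the parameters (SIP/SWC,
DIP/DWC, PT, SMPT/SOP/SPT1/SPT2, DMPT/DOP/DPT1/DPT2, MDSCP/DSCP, ACTION); the
packet dict layout and first-match rule order are assumptions of this demo."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def ip_matches(addr: str, rule_ip: str, wildcard: str) -> bool:
    """SWC/DWC semantics: a 1 bit in the wildcard is neglected during matching, so
    the wildcard is the inverse of a subnet mask (0.0.0.255 corresponds to /24).
    DIP 0.0.0.0 is documented as 'all destination IP addresses'; treated as any."""
    if rule_ip == "0.0.0.0":
        return True
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_ip)) & care)


def port_matches(port: int, op: str, p1: int, p2: Optional[int] = None) -> bool:
    """SOP/DOP semantics: OP_LT is 'less than or equal', OP_GT 'greater than or
    equal'; OP_RANGE uses p1 as the smallest and p2 as the largest port (DPT1/DPT2)."""
    if op == "OP_LT":
        return port <= p1
    if op == "OP_GT":
        return port >= p1
    if op == "OP_EQ":
        return port == p1
    if op == "OP_NEQ":
        return port != p1
    if op == "OP_RANGE":
        if p2 is None or p2 < p1:
            raise ValueError("OP_RANGE needs p1 <= p2 (SPT1/SPT2 or DPT1/DPT2)")
        return p1 <= port <= p2
    raise ValueError(f"unknown port operator {op!r}")


@dataclass
class AclRule:
    rule_id: int                 # RULEID
    action: str                  # ACTION: PERMIT or DENY
    pt: str = "IP"               # PT: IP, ICMP, TCP, UDP, SCTP (IP taken as 'any')
    sip: str = "0.0.0.0"         # SIP / SWC
    swc: str = "255.255.255.255"
    dip: str = "0.0.0.0"         # DIP / DWC
    dwc: str = "255.255.255.255"
    smpt: bool = False           # SMPT: check the source port?
    sop: str = "OP_EQ"           # SOP, SPT1, SPT2
    spt1: int = 0
    spt2: Optional[int] = None
    dmpt: bool = False           # DMPT: check the destination port?
    dop: str = "OP_EQ"           # DOP, DPT1, DPT2 (DOP is valid only when DMPT is YES)
    dpt1: int = 0
    dpt2: Optional[int] = None
    mdscp: bool = False          # MDSCP: check the DSCP?
    dscp: int = 0

    def matches(self, pkt: Dict) -> bool:
        """pkt is a constructed dict with proto, src, dst, sport, dport, dscp."""
        if self.pt != "IP" and pkt["proto"] != self.pt:
            return False
        if not ip_matches(pkt["src"], self.sip, self.swc):
            return False
        if not ip_matches(pkt["dst"], self.dip, self.dwc):
            return False
        if self.smpt and not port_matches(pkt["sport"], self.sop, self.spt1, self.spt2):
            return False
        if self.dmpt and not port_matches(pkt["dport"], self.dop, self.dpt1, self.dpt2):
            return False
        if self.mdscp and pkt["dscp"] != self.dscp:
            return False
        return True


def evaluate(rules: List[AclRule], pkt: Dict) -> Optional[str]:
    """ACTION of the first matching rule, or None if nothing matches (assumed order)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# Constructed sample policy: permit SCTP from the 10.1.2.0/24 subnet to one
# controller address on port 36412, deny everything else from that subnet.
SAMPLE_RULES = [
    AclRule(rule_id=1, action="PERMIT", pt="SCTP", sip="10.1.2.0", swc="0.0.0.255",
            dip="10.9.9.9", dwc="0.0.0.0", dmpt=True, dop="OP_EQ", dpt1=36412),
    AclRule(rule_id=2, action="DENY", sip="10.1.2.0", swc="0.0.0.255"),
]
```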

Parameter ID: MDSCP
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates whether to check the DSCP of each data stream before applying the ACL rule. | GUI Value Range: NO(No), YES(Yes) | Unit: None | Actual Value Range: NO, YES | Default Value: NO(No)

Parameter ID: DSCP
NE: BTS3900
MML Command: ADD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the Differentiated Services Code Point (DSCP). | GUI Value Range: 0~63 | Unit: None | Actual Value Range: 0~63 | Default Value: None

Parameter ID: VLANIDOP
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: GUI Value Range: OP_EQ(Equivalent), OP_RANGE(Range), OP_NOVLAN(No Vlan) | Unit: None | Actual Value Range: OP_EQ, OP_RANGE, OP_NOVLAN | Default Value: None

Parameter ID: VLANID1
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the ID of a VLAN to which service data belongs. When Source Port Operate is set to OP_EQ, this parameter specifies the ID of the matching VLAN. When Source Port Operate is set to OP_RANGE, this parameter specifies the minimum ID of the matching VLANs. | GUI Value Range: 1~4094 | Unit: None | Actual Value Range: 1~4094 | Default Value: None

Parameter ID: VLANID2
NE: BTS3900
MML Command: ADD ACLRULE, MOD ACLRULE, LST ACLRULE
Feature ID: WRFD-050402, WRFD-140209, LOFD-003009 / TDLOFD-003009, LOFD-00301401 / TDLOFD-00301401, GBFD-118601, GBFD-113524
Feature Name: IP Transmission Introduction on Iub Interface, NodeB integrated IPSec, IPsec, Access Control List (ACL), Abis over IP, BTS Integrated Ipsec
Description: Meaning: Indicates the ID of a VLAN to which service data belongs. When Source Port Operate is set to OP_RANGE, this parameter specifies the maximum ID of the matching VLANs. This parameter is valid only when Source Port Operate is set to OP_RANGE. | GUI Value Range: 1~4094 | Unit: None | Actual Value Range: 1~4094 | Default Value: None
Issue 02 (2013-07-30)
176
SingleRAN
IPsec Feature Parameter Description
11 Parameters
Parameter ID
NE
MML
Command
Feature ID
Feature Name
Description
Parameter ID: TRANMODE
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, MOD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the security protocol used in an IPSec proposal. The value AH indicates the Authentication Header (AH) protocol specified in RFC2402. The value ESP indicates the Encapsulating Security Payload (ESP) protocol specified in RFC2406. The value AH_ESP indicates that the ESP protocol is preferentially used to protect packets, but not the AH protocol.
  GUI Value Range: AH (AH Protocol), ESP (ESP Protocol), AH_ESP (AH/ESP Protocol)
  Unit: None
  Actual Value Range: AH, ESP, AH_ESP
  Default Value: ESP (ESP Protocol)

Parameter ID: AHAUTHALG
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, MOD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the AH authentication algorithm used by an IPSec proposal. IPSec can use hashed message authentication code (HMAC) or cipher block chaining message authentication code (CBC-MAC) for identity authentication and data integrity check. For details about HMAC, see RFC4306. HMAC currently supports three hash functions: message digest algorithm 5 (MD5), secure hash algorithm 1 (SHA1), and secure hash algorithm 256 (SHA256). The three hash functions verify data by means of integrity protection. Among them, SHA256 provides the highest security level and MD5 provides the lowest security level. For details about the hash functions, see RFC2409. CBC-MAC currently supports AES-XCBC-MAC-96, which is an enhancement to CBC-MAC. For details about AES-XCBC-MAC-96, see RFC3566.
  GUI Value Range: MD5 (MD5), SHA1 (SHA1), AES-XCBC-MAC-96 (AES-XCBC-MAC-96), SHA256 (SHA256)
  Unit: None
  Actual Value Range: MD5, SHA1, AES-XCBC-MAC-96, SHA256
  Default Value: SHA1 (SHA1)

Parameter ID: ESPAUTHALG
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, MOD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  GUI Value Range: NULL (NULL), MD5 (MD5), SHA1 (SHA1), AES-XCBC-MAC-96 (AES-XCBC-MAC-96), SHA256 (SHA256)
  Unit: None
  Actual Value Range: NULL, MD5, SHA1, AES-XCBC-MAC-96, SHA256
  Default Value: SHA1 (SHA1)

Parameter ID: ESPENCALG
NE: BTS3900
MML Command: ADD IPSECPROPOSAL, MOD IPSECPROPOSAL, DSP IPSECPROPOSAL, LST IPSECPROPOSAL
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the encryption algorithm used in ESP. The Data Encryption Standard (DES) is an internationally used data encryption algorithm, which uses a 56-bit key. The 3DES is also an internationally used encryption algorithm, which uses a 168-bit key. The Advanced Encryption Standard (AES) is an advanced encryption algorithm, which can use three types of keys of different lengths: 128, 192, and 256 bits. Therefore, different protection levels are available. For details, see RFC2401.
  GUI Value Range: NULL (NULL), DES (DES), 3DES (3DES), AES128 (AES128), AES192 (AES192), AES256 (AES256)
  Unit: None
  Actual Value Range: NULL, DES, 3DES, AES128, AES192, AES256
  Default Value: AES128 (AES128)

Parameter ID: ACLID
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the ID of the access control list.
  GUI Value Range: 3000~3999
  Unit: None
  Actual Value Range: 3000~3999
  Default Value: None

Parameter ID: PROPNAME
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)

Parameter ID: PEERNAME
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  GUI Value Range: 1~15 characters
  Unit: None
  Actual Value Range: 1~15 characters
  Default Value: None

Parameter ID: PFS
NE: BTS3900
MML Command: ADD IPSECPOLICY, MOD IPSECPOLICY, DSP IPSECPOLICY, LST IPSECPOLICY
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: [...] negotiation fails. The security level of the 1024-bit Diffie-Hellman group (Dh-group2) is higher than that of the 768-bit Diffie-Hellman group (Dh-group1). However, a longer processing time is required by the Dh-group2.
  GUI Value Range: DISABLE (Disable), PFS_GROUP1 (768-bit Diffie-Hellman Group), PFS_GROUP2 (1024-bit Diffie-Hellman Group)
  Unit: None
  Actual Value Range: DISABLE, PFS_GROUP1, PFS_GROUP2
  Default Value: DISABLE (Disable)

Parameter ID: CN
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): None (None)
Description:
  GUI Value Range: 0~7
  Unit: None
  Actual Value Range: 0~7
  Default Value: 0

Parameter ID: SRN
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): None (None)
Description:
  Meaning: Indicates the subrack number of the port to which the IPSec policy group is bound.
  GUI Value Range: 0~1
  Unit: None
  Actual Value Range: 0~1
  Default Value: 0

Parameter ID: SN
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): None (None)

Parameter ID: SBT
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): None (None)
Description:
  GUI Value Range: BASE_BOARD (Base Board), ETH_COVERBOARD (Ethernet Cover Board)
  Unit: None
  Actual Value Range: BASE_BOARD, ETH_COVERBOARD
  Default Value: None

Parameter ID: PT
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): LOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)

Parameter ID: PN
NE: BTS3900
MML Command: ADD IPSECBIND, MOD IPSECBIND, RMV IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): LOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  GUI Value Range: 0~5
  Unit: None
  Actual Value Range: 0~5
  Default Value: None

Parameter ID: SPGN
NE: BTS3900
MML Command: ADD IPSECBIND, LST IPSECBIND
Feature ID (Feature Name): LOFD-003009 (Ipsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)

Parameter ID: IKEKLI
NE: BTS3900
MML Command: SET IKECFG, DSP IKECFG, LST IKECFG
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  GUI Value Range: 0, 20~28800
  Unit: s
  Actual Value Range: 0, 20~28800
  Default Value: 0

Parameter ID: IKEKLT
NE: BTS3900
MML Command: SET IKECFG, DSP IKECFG, LST IKECFG
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)

Parameter ID: DSCP
NE: BTS3900
MML Command: SET IKECFG, DSP IKECFG, LST IKECFG
Feature ID (Feature Name): LOFD-003009 / TDLOFD-003009 (IPsec); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  GUI Value Range: 0~63
  Unit: None
  Actual Value Range: 0~63
  Default Value: 48

Parameter ID: IPSECREPLAYCHKSW
NE: BTS3900
MML Command: SET IPGUARD, LST IPGUARD
Feature ID (Feature Name): LOFD-003014 / TDLOFD-003014 (Integrated Firewall)
Description:
  Meaning: Indicates whether to report the IPSec packet replay alarm.
  GUI Value Range: DISABLE (Disable), ENABLE (Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE (Disable)

Parameter ID: IPSECREPLAYALMTHD
NE: BTS3900
MML Command: SET IPGUARD, LST IPGUARD
Feature ID (Feature Name): LOFD-003014 / TDLOFD-003014 (Integrated Firewall)

Parameter ID: CN
NE: BTS3900
MML Command: ADD BFDSESSION, DSP BFDSESSION, MOD BFDSESSION, RMV BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): None (None)
Description:
  GUI Value Range: 0~7
  Unit: None
  Actual Value Range: 0~7
  Default Value: 0

Parameter ID: SRN
NE: BTS3900
MML Command: ADD BFDSESSION, DSP BFDSESSION, MOD BFDSESSION, RMV BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): None (None)
Description:
  Meaning: Indicates the subrack No. to which a BFD session belongs.
  GUI Value Range: 0~1
  Unit: None
  Actual Value Range: 0~1
  Default Value: 0

Parameter ID: SN
NE: BTS3900
MML Command: ADD BFDSESSION, DSP BFDSESSION, MOD BFDSESSION, RMV BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): None (None)
Description:
  GUI Value Range: 0~7
  Unit: None
  Actual Value Range: 0~7
  Default Value: None

Parameter ID: BFDSN
NE: BTS3900
MML Command: ADD BFDSESSION, DSP BFDSESSION, MOD BFDSESSION, RMV BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the ID of a BFD session. The session ID plus 1 is the local discriminator of the BFD session. The local discriminator must be consistent with the configuration at the peer side.
  GUI Value Range: 0~95
  Unit: None
  Actual Value Range: 0~95
  Default Value: None

Parameter ID: SRCIP
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  GUI Value Range: Valid IP address
  Unit: None
  Actual Value Range: Valid IP address
  Default Value: None

Parameter ID: DSTIP
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the destination IP address of a BFD session. The destination IP address must be a valid IP address, and cannot be set to 0.0.0.0 or any existing IP addresses in the system. If Virtual Router Redundancy Protocol (VRRP) is used in the network, two BFD sessions must be configured with the destination IP addresses set to the active and standby physical IP addresses of the virtual router, respectively.
  GUI Value Range: Valid IP address
  Unit: None
  Actual Value Range: Valid IP address
  Default Value: None

Parameter ID: HT
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  GUI Value Range: SINGLE_HOP (Single Hop), MULTI_HOP (Multiple Hops)
  Unit: None
  Actual Value Range: SINGLE_HOP, MULTI_HOP
  Default Value: None

Parameter ID: MINTI
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the minimum interval at which the BFD session transmits control packets.
  GUI Value Range: 10~1000
  Unit: ms
  Actual Value Range: 10~1000
  Default Value: 100

Parameter ID: MINRI
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the minimum interval at which the BFD session receives control packets.
  GUI Value Range: 10~1000
  Unit: ms
  Actual Value Range: 10~1000
  Default Value: 100

Parameter ID: DM
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the detection multiplier of a BFD session.
  GUI Value Range: 3~10
  Unit: None
  Actual Value Range: 3~10
  Default Value: 3

Parameter ID: CATLOG
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, DSP BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  GUI Value Range: MAINTENANCE (Maintenance), RELIABILITY (Reliability)
  Unit: None
  Actual Value Range: MAINTENANCE, RELIABILITY
  Default Value: RELIABILITY (Reliability)

Parameter ID: DSCP
NE: BTS3900
MML Command: ADD BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the Differentiated Services Code Point (DSCP). The priority has a positive correlation with the value of this parameter.
  GUI Value Range: 0~63
  Unit: None
  Actual Value Range: 0~63
  Default Value: 48

Parameter ID: VER
NE: BTS3900
MML Command: ADD BFDSESSION, MOD BFDSESSION, LST BFDSESSION
Feature ID (Feature Name): WRFD-050403 (Hybrid Iub IP Transmission); LOFD-003007 / TDLOFD-003007 (Bidirectional Forwarding Detection); GBFD-118601 (Abis over IP)
Description:
  Meaning: Indicates the protocol version of a BFD session.
  GUI Value Range: DRAFT4 (DRAFT4), STANDARD (STANDARD)
  Unit: None
  Actual Value Range: DRAFT4, STANDARD
  Default Value: DRAFT4 (DRAFT4)

Parameter ID: DUALID
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, RMV IPSECDTNL, LST IPSECDTNL
Feature ID (Feature Name): LOFD-003019 / TDLOFD-003019 (IPsec Tunnel Backup); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the ID of the IPSec tunnel pair. It uniquely identifies a pair of primary and secondary IPSec tunnels.
  GUI Value Range: 0~49
  Unit: None
  Actual Value Range: 0~49
  Default Value: None

Parameter ID: MBFDSN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID (Feature Name): LOFD-003019 / TDLOFD-003019 (IPsec Tunnel Backup); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the ID of the BFD session referenced by the primary IPSec tunnel.
  GUI Value Range: 0~95
  Unit: None
  Actual Value Range: 0~95
  Default Value: None

Parameter ID: SBFDSN
NE: BTS3900
MML Command: ADD IPSECDTNL, MOD IPSECDTNL, DSP IPSECDTNL, LST IPSECDTNL
Feature ID (Feature Name): LOFD-003019 / TDLOFD-003019 (IPsec Tunnel Backup); GBFD-113524 (BTS Integrated Ipsec); WRFD-140209 (NodeB Integrated IPSec)
Description:
  Meaning: Indicates the ID of the BFD session referenced by the secondary IPSec tunnel.
  GUI Value Range: 0~95
  Unit: None
  Actual Value Range: 0~95
  Default Value: None

Parameter ID: IKEVERSION
NE: BTS3900
MML Command: ADD SECURITYTEMPLATE, MOD SECURITYTEMPLATE, LST SECURITYTEMPLATE
Feature ID (Feature Name): WRFD-050402 (IP Transmission Introduction on Iub Interface); GBFD-118601 (Abis over IP); WRFD-140209 (NodeB Integrated IPSec); GBFD-113524 (BTS Integrated Ipsec); LOFD-002004 / TDLOFD-002004 (Self-configuration); LOFD-003009 / TDLOFD-003009 (Ipsec)
Description:
  GUI Value Range: IKE_V1 (IKE V1), IKE_V2 (IKE V2)
  Unit: None
  Actual Value Range: IKE_V1, IKE_V2
  Default Value: IKE_V2 (IKE V2)

Parameter ID: EXCHMODE
NE: BTS3900
MML Command: ADD SECURITYTEMPLATE, MOD SECURITYTEMPLATE, LST SECURITYTEMPLATE
Feature ID (Feature Name): WRFD-050402 (IP Transmission Introduction on Iub Interface); GBFD-118601 (Abis over IP); WRFD-140209 (NodeB Integrated IPSec); GBFD-113524 (BTS Integrated Ipsec); LOFD-002004 / TDLOFD-002004 (Self-configuration); LOFD-003009 / TDLOFD-003009 (Ipsec)
Description:
  GUI Value Range: MAIN (Main Mode), AGGRESSIVE (Aggressive Mode)
  Unit: None
  Actual Value Range: MAIN, AGGRESSIVE
  Default Value: MAIN (Main Mode)

Parameter ID: BYPASSSWITCH
NE: BTS3900
MML Command: SET IPSECBYPASSCFG, DSP IPSECBYPASSCFG, LST IPSECBYPASSCFG
Feature ID (Feature Name): None (None)
Description:
  Meaning: Indicates whether to enable the switchover of IPSec Bypass. If this parameter is set to DISABLE, the base station cannot switch between an IPSec network and a non-IPSec network.
  GUI Value Range: DISABLE (Disable), ENABLE (Enable)
  Unit: None
  Actual Value Range: DISABLE, ENABLE
  Default Value: DISABLE (Disable)

12 Counters

Columns: Counter ID, Counter Name, Counter Description, NE, Feature ID (Feature Name).

Every counter in this chapter is measured on the NodeB and is associated with the same features: Multi-mode: None (None); GSM: GBFD-113524 (BTS Integrated IPsec); UMTS: WRFD-140209 (NodeB Integrated IPsec); LTE: LOFD-003009 / TDLOFD-003009 (IPsec).

1542460340  VS.IKE.RxPackets: Number of IKE packets received
1542460341  VS.IKE.TxPackets: Number of IKE packets transmitted
1542460342  VS.IKE.SubSARekey.Times
1542460343  VS.IKE.DPDSessionFail.Times: Number of DPD session failures
1542460344  VS.IPSec.RxCheckReplayFailDropPkts: Number of received packets discarded because the replay check failed
1542460345  VS.IPSec.RxAHCheckFailDropPkts: Number of received packets discarded because the AH check failed
1542460346  VS.IPSec.RxESPFailDropPkts: Number of received packets discarded because ESP processing failed
1542460347  VS.IPSec.RxDecryptACLFailDropPkts: Number of received packets discarded because the post-decryption ACL check failed
1542460348  VS.IPSec.RxDecryptSuccessPkts: Number of received packets decrypted successfully
1542460349  VS.IPSec.TxOutboundSAMissDropPkts: Number of transmitted packets discarded because no outbound SA was found
1542460350  VS.IPSec.TxAntiReplaySnWrappedDropPkts: Number of transmitted packets discarded because the anti-replay sequence number overflowed
1542460351  VS.IPSec.TxEncryptSuccessPkts: Number of transmitted packets encrypted successfully

13 Glossary

14 Reference Documents

6. IP Transport Architecture Feature Parameter Description for GSM BSS and WCDMA RAN