This feature applies to SBC 7000 only.
Overview
An example set of CLI commands to configure the SBC for an IPsec tunnel used for media traffic is shown below. The example uses the following values:
| Parameter | Value |
|---|---|
| Address Context | default |
| IP Interface Group (LIF Group) | IP_INT_GR |
| LIF Primary IP Address | 10.xxx.xx.x61 |
| Alternate Media IP addresses | None |
| Remote IPsec Peer IP | 10.xx.xx.8 |
| Remote SBC Media IPs | 10.xxx.xx.x2 |
```
### IKE and IPsec protection profiles
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF saLifetimeTime 28800
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms integrity hmacSha1
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms encryption aesCbc256
set profiles security ikeProtectionProfile IKE_PROT_PROF saLifetimeTime 28800
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms integrity hmacSha1,hmacMd5
set profiles security ikeProtectionProfile IKE_PROT_PROF dpdInterval noDpd

### IKE peer
set addressContext default ipsec peer PEER1 ipAddress 10.xx.xx.8 preSharedKey 00000000000000000000000000000000 localIdentity type ipV4Addr ipAddress 10.xxx.xx.x61
set addressContext default ipsec peer PEER1 remoteIdentity type ipV4Addr ipAddress 10.xx.xx.8
set addressContext default ipsec peer PEER1 protocol ikev1 protectionProfile IKE_PROT_PROF

### SPD rule for media traffic
set addressContext default ipsec spd SPD1 state enabled precedence 1001
set addressContext default ipsec spd SPD1 localIpAddr 10.xxx.xx.x61 localIpPrefixLen 32 remoteIpAddr 10.xxx.xx.x2 remoteIpPrefixLen 32
set addressContext default ipsec spd SPD1 action protect
set addressContext default ipsec spd SPD1 protocol 0
set addressContext default ipsec spd SPD1 protectionProfile IPSEC_PROT_PROF
set addressContext default ipsec spd SPD1 peer PEER1
set addressContext default ipsec spd SPD1 media enable

### Enable IPsec for media on the IP interface group
set addressContext default ipInterfaceGroup IP_INT_GR ipsec enabled ipsecForMedia enabled
```
Remote IPsec Peer Protocol/Algorithm Requirements
For the local Ribbon SBC to use IPsec for media traffic, configure the remote IPsec peer router/SBC to use, or negotiate to, the following IPsec protocols and algorithms that are supported by the Ribbon SBC:
| Protocol/Mode/Algorithm name | Type supported |
|---|---|
| Protocol/Mode | ESP Tunnel Mode |
| Encryption Algorithm | AES-CBC (key sizes up to 256 bits) |
| Authentication Algorithm | HMAC-SHA1 |
| Key Exchange Protocol | IKEv1 |
Configuration Guidelines
Follow these configuration guidelines when configuring the remote IPsec peer router and/or SBC to work with the Ribbon SBC's expected Media over IPsec use cases:
- Configure the remote IPsec peer to use, or negotiate to, IKEv1.
- Configure the remote IPsec peer to use the LIF Primary IP of the local SBC as its remote IPsec Peer IP address.
- Ensure the set of remote media IP addresses used for calls to the local SBC are contained within an IP/mask range that does not overlap with any other remote non-media IPs. This IP/prefix mask range is specified on the local Ribbon SBC’s IPsec SPD remote selector fields.
The SBC adds the parameter ipsecForMedia to the ipInterfaceGroup CLI to support media over IPsec. The ipsecForMedia parameter works in conjunction with the ipsec state parameter already available in the same CLI. The ipsec Admin State field enables or disables IPsec on the LIF Group as a whole. Prior to this release, the ipsec parameter applied only to signaling and Lawful Intercept (LI) traffic, whichever the LIF Group was used for. Starting with SBC 10.1.1, it also applies to media, but only if the ipsecForMedia parameter is also enabled.
Note: You must enable the existing ipsec parameter for any use of IPsec. You must also enable the ipsecForMedia parameter to support media over IPsec.

To support media over IPsec, you must enable both the ipsec and ipsecForMedia parameters. Calls using this IP Interface Group only succeed if the media packets match a media SPD entry. Media traffic that does not match a Security Policy Database (SPD) entry is dropped.
IPsec for Media Restrictions
IP Interface Group Restrictions for IPsec Media
Ensure that the following conditions are met when using the IP Interface Group for IPsec Media:
- The IP Interface Group contains only one LIF (ipInterface).
- The primary IP address (ipAddress) of the LIF and all optional Alternate Media IP addresses (altMediaIpAddresses) configured on the IP Interface Group (together comprising all of the possible media IPs) are contained within an IP/prefix mask range that does not overlap with any possible non-media IPs, including the SIP signaling address. This IP/prefix mask range is specified in the IPsec SPD local selector fields.
- The SIP Signaling Address is different than the LIF Primary IP address (ipAddress).
IPsec SPD Configuration Restrictions for IPsec Media
Ensure that the following conditions are met:
- The local selector (localIpAddr and localIpPrefixLen) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. Also, it must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address.
  Note: The SIP Signaling Address must be different than the LIF Primary IP address (ipAddress).
- The remote selector (remoteIpAddr and remoteIpPrefixLen) must encompass all possible Media IPs used by the remote SBC. Also, it must not encompass any non-media IPs used by the remote peer.
- The mode is set to tunnel.
- The media flag is enabled.

One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group, for example, one for signaling traffic and one for media traffic.
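The selector rules above (every local and remote media IP inside its selector range, no non-media IP such as the SIP signaling address inside it, signaling address distinct from the LIF primary IP, tunnel mode and media flag set) are easy to get wrong when alternate media IPs are added later. The following added example, which is not Ribbon's own code, checks a planned SPD entry against those rules before it is committed; the dict keyed by the CLI field names and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

def selector_problems(side, sel_ip, sel_prefix_len, media_ips, non_media_ips):
    """Check one SPD selector (local or remote side): every media IP must lie inside the
    selector range and no non-media IP may lie inside it. Returns problem strings."""
    # strict=False: a host address plus prefix length maps to its containing range, which
    # is how the localIpAddr/localIpPrefixLen (and remote) CLI pair is interpreted here.
    net = ipaddress.ip_network(f"{sel_ip}/{sel_prefix_len}", strict=False)
    problems = []
    for ip in media_ips:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{side}: media IP {ip} is outside selector {net}")
    for ip in non_media_ips:
        if ipaddress.ip_address(ip) in net:
            problems.append(f"{side}: non-media IP {ip} is inside selector {net}")
    return problems

def validate_media_spd(spd, lif_primary_ip, alt_media_ips, sip_signaling_ip,
                       remote_media_ips, remote_non_media_ips):
    """Validate a media SPD entry (a dict keyed like the CLI fields, a hypothetical
    representation) together with the LIF addresses against the restrictions above."""
    problems = []
    if sip_signaling_ip == lif_primary_ip:
        problems.append("SIP signaling address must differ from the LIF primary IP")
    problems += selector_problems("local", spd["localIpAddr"], spd["localIpPrefixLen"],
                                  [lif_primary_ip, *alt_media_ips], [sip_signaling_ip])
    problems += selector_problems("remote", spd["remoteIpAddr"], spd["remoteIpPrefixLen"],
                                  remote_media_ips, remote_non_media_ips)
    if spd.get("mode") != "tunnel":
        problems.append("SPD mode must be tunnel")
    if spd.get("media") != "enable":
        problems.append("SPD media flag must be enabled")
    return problems

# Constructed sample (documentation ranges, not the page's 10.x values): local media IPs
# 192.0.2.33-.35 inside 192.0.2.32/29 with SIP signaling .40 outside; remote media .20
# inside 198.51.100.16/28 with a remote non-media host .5 outside.
SAMPLE_SPD = {"localIpAddr": "192.0.2.33", "localIpPrefixLen": 29,
              "remoteIpAddr": "198.51.100.16", "remoteIpPrefixLen": 28,
              "mode": "tunnel", "media": "enable"}
LOCAL = ("192.0.2.33", ["192.0.2.34", "192.0.2.35"], "192.0.2.40")
REMOTE = (["198.51.100.20"], ["198.51.100.5"])

def sample_good():
    return validate_media_spd(SAMPLE_SPD, *LOCAL, *REMOTE)   # returns []

def sample_bad():
    # /32 local selector leaves both alternate media IPs uncovered; /24 remote pulls in .5
    bad = dict(SAMPLE_SPD, localIpPrefixLen=32, remoteIpPrefixLen=24)
    return validate_media_spd(bad, *LOCAL, *REMOTE)          # returns 3 problems
```

The bad case mirrors the page's own example, where a /32 local selector is only correct because that configuration has no Alternate Media IP addresses.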
IPsec Protection Profile Restrictions for IPsec Media
When using the IPsec Protection Profile for IPsec media, configure the following parameters, as specified.
- Set the ESP encryption algorithm to either "aesCbc128" or "aesCbc256".
- Set the ESP integrity algorithm to "hmacSha1".