The Ribbon Lawful Intercept (LI) solution

  • encrypts media that is transferred from the SBC to the collection device to avoid security issues,
  • supports Internet Protocol Security (IPsec) encapsulation of the Call Data interface (X3),
  • enables IPsec encapsulation on the Call Content (media) interface for LI security,
  • associates IPsec to the IP interface group configured in the CDC, and
  • manages IPsec at the application level.

This section describes how to configure the IPsec support.

Access the SBC Configuration Manager

  1. Log into the EMS.
  2. Select Network > Cluster Management.

  3. Click Manage VNFs. The Cluster Management / Manage VNFs window lists the SBC clusters created on the EMS.

    Cluster Management / Manage VNFs window

  4. Click the radio button adjacent to the name of the cluster you want to configure. The Details tab for the selected cluster opens.
  5. Click the Configurations tab.

    Configurations Tab

  6. Click Edit Configuration. The SBC Configuration Manager opens in a separate window against the cluster's active OAM node. Refer to the EMA User Guide for information on using the GUI to configure the SBC.

    SBC Configuration Manager Window

Creating an IKE Protection Profile

This section outlines how to create an Internet Key Exchange (IKE) protection profile and then configure the algorithms of that protection profile.

To Create an IKE Protection Profile

Use the following procedure to create an IKE protection profile. 

  1. In the SBC Configuration Manager window, select Configuration > Profile Management.
  2. Select Security Profiles from the Category drop-down menu.
  3. Click IKE Protection Profile.

  4. Click New IKE Protection Profile. The SBC Configuration Manager displays the Create New IKE Protection Profile panel.

  5. Use the following table to configure the Create New IKE Protection Profile panel. For descriptions of the parameters in this table, refer to Security Profiles - Ike Protection Profile.

    Create new IKE Protection Profile Parameters

    Parameter: Configuration

    • Name: Enter the name of the IKE protection profile.
    • SA Lifetime Time: Enter the maximum time, in seconds, that the SBC maintains any one security association before a possible rekeying. This parameter applies to the IKE SA.
    • Dpd Interval: Enter the IKE Protection Profile Dead Peer Detection test interval period in seconds.
    • Pfs Required: Select Enabled.

    See the following screen capture for an example configuration.

    Create new IKE Protection Profile

  6. Click Save.
  7. Click Ok.

To Configure the Algorithm for the Profile

Use the following procedure to configure the algorithms for the IKE protection profile.

  1. In the SBC Configuration Manager window, select Configuration > Profile Management.
  2. Select Security Profiles from the Category drop-down menu.

  3. Click IKE Protection Profile.

  4. Click Algorithms.

  5. Select the name of your IKE protection profile from the IKE Protection Profile drop-down menu.

  6. Use the following table to configure the Edit Algorithms panel. For descriptions of the parameters in this table, refer to Ike Protection Profile - Algorithm.

    Algorithms - IKE Protection Profile Parameters

    Parameter: Configuration

    • Encryption: Select the algorithms relevant to the encryption cipher of your IKE protection profile. Select aesCbc128.
    • Integrity: Select the algorithms relevant to the integrity cipher of your IKE protection profile. Select hmacSha1.
    • Dh Group: Select the DH group(s) supported in the IKE exchange. Select modp1024.

    See the following screen capture for an example configuration.

    Algorithms - IKE Protection Profile

  7. Click Save.
  8. Click Ok.

Creating an IPsec Peer

The IPsec peer creates an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase one criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.

To Create an IPsec Peer

Use the following procedure to create an IPsec peer.

  1. In the SBC Configuration Manager window, select All > Address Context > IPsec.

  2. Click Peer.
  3. From the Address Context drop-down menu, select the address context where you want to add the peer.

  4. Click New Peer. The SBC Configuration Manager displays the Create New Peer panel.

  5. Use the following table to configure the Create New Peer panel. For descriptions of the parameters in this table, refer to Ipsec - Peer.

    Create new Peer Parameters

    Parameter: Configuration

    • Name: Enter the name of the peer.
    • IP Address V4 or V6: Enter either the IPv4 or IPv6 address of the peer.
    • Protocol: Select Ikev1.
    • Pre Shared Key: Enter the preshared secret between the SBC and the IKE peer. The mutual authentication for phase one negotiation uses this value to set up an IKE security association.
      Note: Ribbon recommends that you use unpredictable values. Use a unique value for each IKE peer.
    • Protection Profile: Enter the name of the IKE protection profile that you want to apply to the key management protocol exchange with the peer.
    • Local Identity Type: Select IP V4Addr.
    • IP Address V4 or V6: Enter either the IPv4 or IPv6 address of the local identity.

    See the following screen capture for an example configuration.

    Create new Peer

  6. Click Save.
  7. Click Ok.

Configuring the Peer Remote Identity

This section outlines how to configure the IKE peer remote identity that the SBC negotiates with during phase one negotiation.

To Configure the Peer Remote Identity

Use the following procedure to configure the peer remote identity.

  1. In the SBC Configuration Manager window, select All > Address Context > IPsec > Peer.

  2. Click Remote Identity.
  3. From the Address Context drop-down menu, select the address context where you want to add the peer.
  4. Select the peer you want to configure from the Peer drop-down menu. The SBC Configuration Manager displays the Edit Remote Identity panel.

    Note: For descriptions of the parameters in the Edit Remote Identity panel, refer to Peer - Remote Identity.

  5. Select IP v4Addr from the Type drop-down menu. See the following screen capture for an example configuration.

    Edit Remote Identity

  6. Enter either the IPv4 or IPv6 address in the IP Address V4 or V6 field.
  7. Click Save.

Creating an IPsec SPD

The IPsec Security Policy Database (SPD) is an ordered list of entries (rules) that specify sets of packets and determine whether or not to permit, deny, or protect packets between the SBC and the peer that is referenced from the entry. If the packets require protection, this entry references information that specifies how to protect the packets. The SPD establishes the phase two criteria for the negotiation between the SBC and the IKE peer. The successful completion of this negotiation results in a Security Association (SA).

To Create an IPsec SPD

Use the following procedure to create an IPsec SPD.

  1. In the SBC Configuration Manager window, select All > Address Context > IPsec.

  2. Click SPD.

  3. From the Address Context drop-down menu, select the address context where you want to add the SPD.

  4. Click New SPD. The SBC Configuration Manager displays the Create New SPD panel.

  5. Use the following table to configure the SPD. For descriptions of the parameters in this table, refer to Ipsec - Spd.

    Create new SPD Parameters

    Parameter: Configuration

    • Name: Enter a name for the SPD entry.
    • State: Select Disabled.
    • Precedence: Enter the evaluation order of this entry.
    • Local IP Addr: Enter the local IPv4 or IPv6 address of the SPD traffic selector.
    • Local IP Prefix Len: Enter the local IP prefix length of the SPD traffic selector.
    • Local Port: Enter the local port of the SPD traffic selector.
    • Remote IP Addr: Enter the remote IPv4 or IPv6 address of the SPD traffic selector.
    • Remote IP Prefix Len: Enter the remote IP prefix length of the SPD traffic selector.
    • Remote Port: Enter the remote port of the SPD traffic selector.
    • Protocol: Enter the IP protocol number of the SPD traffic selector.
    • Action: Select Protect.
    • Mode: Select Tunnel.
    • Protection Profile: Enter the IPsec protection profile to apply. The profile specifies an encryption cipher, the maximum time period for maintaining a security association between these peers (the SA lifetime), and an anti-replay policy.
      Note: This option only appears when you set Action to Protect.
    • Peer: Enter the name of the IKE peer database entry.
      Note: This option only appears when you set Action to Protect.

    See the following screen capture for an example configuration.

    Create new SPD

  6. Click Save.
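
The ordered evaluation described for the SPD, modelled as an added example (not Ribbon code and not part of the original page). It assumes that lower Precedence values are evaluated first, that 0 in a port or protocol field matches any value, and that an entry whose State is Disabled is skipped; the entry names and addresses are constructed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ANY = 0  # assumption: 0 in a port or protocol field matches any value


@dataclass(frozen=True)
class SpdEntry:
    name: str
    precedence: int   # assumption: lower value is evaluated first
    local_net: str    # Local IP Addr / Local IP Prefix Len
    local_port: int
    remote_net: str   # Remote IP Addr / Remote IP Prefix Len
    remote_port: int
    protocol: int     # IP protocol number, e.g. 17 = UDP
    action: str       # "permit", "deny" or "protect"
    enabled: bool     # State

    def selects(self, pkt):
        lip, lport, rip, rport, proto = pkt
        return (ip_address(lip) in ip_network(self.local_net)
                and ip_address(rip) in ip_network(self.remote_net)
                and self.local_port in (ANY, lport)
                and self.remote_port in (ANY, rport)
                and self.protocol in (ANY, proto))


def lookup(spd, pkt):
    """First enabled entry, in precedence order, whose selector matches pkt."""
    for entry in sorted(spd, key=lambda e: e.precedence):
        if entry.enabled and entry.selects(pkt):
            return entry
    return None  # nothing matched; the outcome is then device policy


# Constructed sample data: documentation addresses, hypothetical entry names.
LI_MEDIA = SpdEntry("LI-MEDIA", 10, "192.0.2.10/32", ANY,
                    "198.51.100.20/32", ANY, 17, "protect", enabled=False)
WIDE = SpdEntry("WIDE-PERMIT", 20, "192.0.2.0/24", ANY,
                "198.51.100.0/24", ANY, ANY, "permit", enabled=True)
MEDIA_PKT = ("192.0.2.10", 40000, "198.51.100.20", 50000, 17)


def demo():
    as_created = lookup([WIDE, LI_MEDIA], MEDIA_PKT)  # State still Disabled
    enabled = lookup([WIDE, replace(LI_MEDIA, enabled=True)], MEDIA_PKT)
    unrelated = lookup([WIDE, LI_MEDIA], ("203.0.113.1", 1, "198.51.100.20", 2, 6))
    return [(e.name, e.action) if e else None
            for e in (as_created, enabled, unrelated)]


if __name__ == "__main__":
    print(demo())
```

Under these assumptions, the media flow is selected by the broader permit entry until the Protect entry's State is enabled, so check State and Precedence together when verifying that LI media is actually protected.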