In this section:

 

The Ribbon Lawful Intercept (LI) solution supports the following:

  • Encrypts media transferred from Session Border Controller (SBC) to the collection device to avoid security issues.
  • Supports Internet Protocol Security (IPsec) encapsulation of Call Data interface (X3).
  • Enables IPsec encapsulation on the Call Content (media) interface for LI security.
  • Associates IPsec to the IP interface group configured in the CDC.
  • Manages IPsec at the application level.

This page describes how to configure IPsec support.

Access the SBC Configuration Manager

  1. Log on to the EMS.
  2. Click Network > Cluster Management. The Cluster Management / Manage VNFs window opens listing the SBC clusters created on the EMS.

    Cluster Management / Manage VNFs window

  3. Click the radio button adjacent to the name of the cluster you want to configure. The Details tab for the selected cluster opens. 
  4. Click the Configurations tab. 

    Configurations Tab

  5. Click Edit Configuration. The SBC Configuration Manager opens in a separate window against the cluster's active OAM node. See the EMA User Guide for information on using the GUI to configure the SBC.

    SBC Configuration Manager Window

 

 

Creating an IKE Protection Profile

In the SBC Configuration Manager window:   

  1. Click Configuration > Profile Management.
  2. On the navigation pane, choose Security Profiles as the Category.
  3. Click IKE Protection Profile > New IKE Protection Profile. The Create New IKE Protection Profile window is displayed.

    Creating New IKE Protection Profile

  4. Use the following table to configure the profile and click Save.

 

IKE Protection Profile Parameters

Parameter

Description

Name

Specifies the name of the IKE Protection Profile.

SA Lifetime
Time

The maximum interval seconds that any one security association is maintained before possible re-keying. This parameter is applied to the IKE SA when it appears in the IKE Protection Profile and to the IPsec SA when it appears in the IPsec Protection Profile.

Default value: 8 hours (28,800 seconds)

Value range: 1200-1000000

DPD Interval

Specifies the IKE Protection Profile Dead Peer Detection test interval period in seconds.

The value '0' corresponds to DPD disabled.

Default value is 30.

PfS Required

Enable flag to require PFS use during IPsec SA negotiation.

  • Disabled (default)
  • Enabled

Configuring the Algorithm for the Profile

In the SBC Configuration Manager window:  

  1. Click Configuration > Profile Management.
  2. On the navigation pane, choose Security Profiles as Category.
  3. Click IKE Protection Profile > New IKE Protection Profile > Algorithms. The Algorithms window is displayed.

  4. Choose the name of your IKE protection profile in IKE Protection Profile.

    New IKE Protection Profile - Algorithms



  5. Use the following table to configure algorithm parameters for the profile and click Save.

    New IKE Protection Profile - Algorithms Parameters

    Parameter

    Description

    Encryption

    The IKE Protection profile encryption cipher. You can select multiple encryptions.

    Options are:

    • _3DesCbc
    • aesCbc128 (default)

    Integrity

    The IKE Protection profile integrity cipher. You can select multiple parameters.

    Options are:

    • hmacMd5  (default)
    • hmacSha1
    • hmacsha256
    Dh Group

    Specifies the DH group(s) supported in the IKE exchange. The options are:

    • modp768
    • modp1024  (default)
    • modp1536
    • modp2048

Creating an IPsec - Peer

This object creates an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase 1 criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.

In the SBC Configuration Manager window: 

  1. Click All > Address Context > IPsec > PeerThe Peer window opens and the Peer List is displayed.
  2. Choose an address context to which you want to add the peer from the Address Context list and click New Peer. The Create New Peer window opens.

    Create New Peer Window

  3. Use the following table to configure the peer and click Save.

Creating New Peer Parameters

 Parameter

Description

Name

Specifies the name of the peer you are configuring.

IP Address V4 or V6

Specifies the 32-bit IP address of the peer.

Protocol

The SPD traffic selector IP protocol. Valid values for this parameter are:

  • Ikev1: Indicates the version of IKE protocol. Internet Key Exchange Version 1.
  • Ikev2: Indicates the enhanced version of IKE protocol. Internet Key Exchange Version 2.
  • Any: Indicates either IKEv1 is used or IKEv2 version is used.

Pre Shared Key

Specifies the Pre-shared secret with this peer. The Pre Shared Key can be one of the following:

  • A string ranging from 32 to 128 case-sensitive, alphanumeric characters. These characters may only be in the range 0-9, a-z, space, and A-Z
  • A hexadecimal value introduced by "0x" and followed by 16 to 64 hexadecimal digits (0-9, a-f, A-F)

In either case the given value represents a pre-shared secret between the SBC and the IKE peer. This value is used for mutual authentication for phase 1 negotiation to set up an IKE Security association.

Note: Ribbon recommends using unpredictable (difficult to guess) values. Use a unique value for each IKE peer.

Protection
Profile

The name of the IKE protection profile to be applied to the Key management protocol exchange with the peer.
Local Identity

Specifies the local identity that SBC asserts to the peer during phase 1 authentication. Select a Type of identifier in the drop-down list and then provide the specific value in the adjacent entry field. Option are:

  • IP v4Addr (default)
  • IP v4Addr
  • FQDN

Note: The IP VxAddr option is not used at this time.

Configuring the Peer Remote Identity

This object specifies the remote IKE identity that is authorized to be negotiated with during phase I negotiation.

In the SBC Configuration Manager window: 

  1. Click All > Address Context > IPsec > Peer > Remote Identity. The Remote Identity window opens.
  2. In the drop-down lists, select the Address Context and Peer names for the peer you are configuring. 
  3. Select a Type of identifier in the drop-down list and then provide the specific value in the adjacent entry field. Option are:

    • IP v4Addr (default)
    • IP v4Addr
    • FQDN
  4. Click Save.

Editing Remote Identity

Creating an IPsec - SPD

This object is an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether or not to permit, deny, or protect packets between the SBC and the peer that is referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them. The SPD establishes the phase 2 criteria for the negotiation between the SBC and the IKE peer. The successful completion of this negotiation results in a Security Association (SA).

In the SBC Configuration Manager window: 

  1. Click AllAddress Context > IPsec > SPD. The SPD window is displayed.

  2. Choose an address context to which you want to add the SPD from the Address Context list. The Create New SPD window opens.

    Creating New SPD

  3. Use the following table to configure the SPD and click Save.

 

Creating New SPD Parameters

Parameter

Description

Name

Specifies the name for the SPD entry. You can configure up to 4,096 SPD entries.

State

Administrative state of the SPD entry. Options are:

  • Disabled (default)
  • Enabled
PrecedenceEvaluation order of this entry. Zero indicates wildcard.
Local IP AddrSpecifies the local IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.
Local IP Prefix LenSpecifies the local IP prefix length of the SPD traffic selector. Default value is 0.
Local PortSpecifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
Remote IP AddrSpecifies the remote IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.
Remote IP Prefix LenSpecifies the remote IP prefix length of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
Remote PortSpecifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
ProtocolSpecifies the IP protocol number of the SPD traffic selector. This parameter uses IANA protocol number assignment, that is, protocol number 6 represents TCP, protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0.

Action

Action applied when packets processed by IPsec are found matching the selectors of this SPD rule.

Discard – Specifies that the packets are dropped.

Bypass – Specifies that the packets are bypassed as clear text.

Protect – Specifies that the packets are protected by IPsec based on the protection parameters specified in the configured IPsec protection profile.

Mode

IPsec mode:

  • Tunnel (default) – Use this mode to encrypt and authenticate the entire IP packet (both header and payload). This encrypted packet is encapsulated in a new packet containing a new IP header.
  • Transport - Use this mode to encrypt and authenticate the IP payload only.
Protection Profile

Specifies an encryption cipher, a maximum time period for maintaining a security association between these peers (the SA "lifetime"), and an anti-replay policy.

Note: This option only appears when you specify Protect as the Action.

Peer

Specifies the the name of the Internet Key Exchange (IKE) peer database entry.

Note: This option only appears when you specify Protect as the Action.

Saving and Activating the Configuration in the Cluster

Once you have completed making configuration changes, click Apply Saved Changes and Close at the top-right of the SBC Configuration Manager window. When prompted, confirm that you want to save and activate your configuration changes. The SBC Configuration Manager window closes. The OAM node notifies the SBC nodes in the cluster of the configuration changes and stores a record of the updated configuration back to the EMS.