Versions Compared

Old Version 5

changes.mady.by.user Ribbon Communications

Saved on

compared with

New Version 6

changes.mady.by.user Ribbon Communications

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Add_workflow_for_techpubs
AUTH2pmuthu
AUTH1ksatya
REV5ssekhar
REV6kvenkatraman
REV3sekumar
REV1pmotagi

Panel

In this section:

Table of Contents
maxLevel4

 

The Sonus Lawful Intercept (LI) solution supports the following:

  • Encrypts media transferred from Session Border Controller (SBC) to the collection device to avoid security issues.
  • Supports Internet Protocol Security (IPsec) encapsulation of Call Data interface (X3).
  • Enables IPsec encapsulation on the Call Content (media) interface for LI security.
  • Associates IPsec to the IP interface group configured in the CDC.
  • Manages IPsec at the application level.

 

Creating IKE Protection Profile

  • Log on to EMS as admin user. 

  • Under Network Mgmnt, click Cluster / VNF Management. The Cluster/VNF Management window is displayed. 

  • Create cluster. For more information on creating a cluster from the EMS, refer to the "Creating an SBC SWe Cluster" in the EMS documentation.

  • Click Configurations tab.

  • Click New Configuration. The New Configuration pane is displayed.

    Caption
    0Figure
    1New Configuration

    Image Removed

  • Click Master Configurator tab.

  • Select the version of the configuration from the Version drop-down menu.

  • Select an SBC Configurator instance from the Master Configurator drop-down menu.
    This node is used to create the configuration. The SBC Configurator nodes are displayed based on the version selected. Only unlocked SBC Configurator nodes are listed.

  • Enter a name for the configuration in the Configuration Name field. The SBC configuration name can contain letters, numbers, dashes (-), apostrophes ('), underscores (_), colons (:) and spaces.

    Info
    titleNote

    The cluster ID is set as the default name for the first configuration. Subsequent configurations are named with a combination of cluster name and some unique identifying information. The default name varies based on how the configuration is created. If you modify the name, ensure it is unique.

  • Click Create. A circular progress bar is displayed against the Master Configurator node. It requires minimum of six minutes to load the master configuration.

    Caption
    0Figure
    1Configurator Loading

    Image Removed

     

    When the Master Configurator node is loaded, the Open Editor button is displayed next to the Master Configurator node.

    Caption
    0Figure
    1Open Editor

    Image Removed

    • This page describes how to configure IPsec support.

    Access the SBC Configuration Manager

    Excerpt Include
    Configuring an SBC SWe Cluster using the EMS
    Configuring an SBC SWe Cluster using the EMS
    nopaneltrue

    Creating an IKE Protection Profile

    Click Open Editor. The SBC Configuration Manager window is displayed.

    In the SBC Configuration Manager window:

       

    1. Click Configuration > Profile Management.
    2. On the navigation pane, choose Security Profiles as the Category.

    3. Click IKE Protection Profile > New IKE Protection Profile.

      Caption
      0Figure
      1+New IKE Protection Profile

      Image Removed

      The Create New IKE Protection Profile Protection Profile window is displayed.Type the profile Name, SA Lifetime Time, and DPD Interval. Choose the appropriate option in PFS Required.

      Click Save.
       
      Caption
      0Figure
      1Creating New IKE Protection Profile

    4. Use the following table to configure the profile and click Save.

     

    Caption
    0Table
    1IKE Protection Profile Parameters

    Parameter

    Description

    Name

    Specifies the name of the IKE Protection Profile.

    SA Lifetime
    Time

    The maximum interval seconds that any one

    Security Association

    security association is maintained before possible re-keying. This parameter is applied to the IKE SA when it appears in the IKE Protection Profile and to the IPsec SA when it appears in the IPsec Protection Profile.

    Default value: 8 hours (28,800 seconds)

    Value range: 1200-1000000

    DPD Interval

    Specifies the IKE Protection Profile Dead Peer Detection test interval period in seconds.

    The value '0' corresponds to DPD disabled.

    Default value is 30.

    PFS
    PfS Required

    Enable flag to require PFS use during IPsec SA negotiation.

    • Disabled (default)
    • Enabled

    To View and Edit Algorithm

    Configuring the Algorithm for the Profile

    In the SBC Configuration Manager window:  

    1. Click Configuration > Profile Management.
    2. On the navigation pane, choose Security Profiles as Category.

    3. Click IKE Protection Profile > New IKE Protection Profile > Algorithms.In IKE Protection Profile drop-down menu, choose the desired profile to view its respective Algorithm parameters. The Algorithms window is displayed.

    4. Choose the relevant parameters, and click Savename of your IKE protection profile in IKE Protection Profile.

      Caption
      0Figure
      1New IKE Protection Profile - Algorithms



    5. Use the following table to configure algorithm parameters for the profile and click Save.

      Caption
      0Table
      1New IKE Protection Profile - Algorithms Parameters

      Parameter

      Description

      Encryption

      The IKE Protection Profile Encryption Cipherprofile encryption cipher. You can select multiple encryptions.

      Options are:

      • _3DesCbc
      • aesCbc128 (default)

      Integrity

      The IKE Protection Profile profile integrity Ciphercipher. You can select multiple parameters.

      Options are:

      • hmacMd5  (default)
      • hmacSha1
      • hmacsha256
      Dh Group

      Specifies the DH group(s) supported in the IKE exchange. The options are:

      • modp768
      • modp1024  modp1024  (default)
      • modp1536
      • modp2048

    Creating an IPsec - Peer

    The object specifies the name of the Internet Key Exchange (IKE) peer database entry that identifies This object creates an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase 1 criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.

    Creating a Peer

    In the SBC Configuration Manager window: 

    1. Click All > Address Context > IPsec > PeerThe Peer window opens and the Peer List is displayed.

    2. Choose an address context to which you want to add the peer from the Address Context list and click New Peer. The Create New Peer window opens.

      Caption
      0Figure
      1Create New Peer Window

      Image Added

    3. Use the following table to configure the peer and click Save

    4. On the SBC Configuration Manager page, click All.

    5. On the navigation pane, choose Address Context > IPsec > Peer. Click New Peer.

      The Create New Peer window is displayed.

    Caption
    0Table
    1Creating New Peer Parameters

     

     Parameter

    Description

    Name

    Specifies the name of the peer you are configuring.

    IP Address V4 or V6

    Specifies the 32-bit IP address of the

    Peer

    peer.

    Protocol

    The SPD traffic selector IP

    PROTOCOL

    protocol. Valid values for this parameter are:

    • Ikev1: Indicates the version of IKE protocol. Internet Key Exchange Version 1.
    • Ikev2: Indicates the enhanced version of IKE protocol. Internet Key Exchange Version 2.
    • Any: Indicates either IKEv1 is used or IKEv2 version is used.

    Pre Shared Key

    Specifies the Pre-shared secret with this peer. The Pre Shared Key can be one of the following:

    • A string ranging from 32 to 128 case-sensitive, alphanumeric characters. These characters may only be in the range 0-9, a-z, space, and A-Z
    • A hexadecimal value introduced by "0x" and followed by 16 to 64 hexadecimal digits (0-9, a-f, A-F)

    In either case the given value represents a pre-shared secret between the

    Spacevars
    0product

    SBC and the IKE peer. This value is used for mutual authentication for phase 1 negotiation to set up an IKE Security association.

    Info
    Sonus recommends using unpredictable (difficult to guess) values. Use a unique value for each IKE peer
    . This string is never displayed in plain text when using the show commands
    .

    Protection
    Profile

    		The name of the IKE protection profile to be applied to the Key management protocol exchange with the peer.
    Local Identity
    This object specifies

    Specifies the local identity

    type

    that SBC asserts to the peer during phase 1 authentication.

    Info
    titleNote

    The ipVxAddr attribute is not used at this time. If it is present, ignore it. 

    Select a Type of identifier in the drop-down list and then provide the specific value in the adjacent entry field. Option are:

    • IP v4Addr (default)
    • IP v4Addr
    • FQDN

    Note: The IP VxAddr option

    Viewing a Peer

    1. On the navigation pane, choose Address Context > IPsec > Peer.

    2. In Address Context drop-down menu, choose the Peer. The Peer List is displayed.

    Editing a Peer

    Click the radio button adjacent to Peer name.

    The Edit Selected Peer window is displayed.

  • Modify the relevant parameters, and click Save.

    • Copying a Peer

    Click the radio button adjacent to the Peer. Click Copy Peer.

    The Copy Selected Peer window is displayed.

    Type the relevant parameters, and click Save.

    Info
    titleNote
    The ipVxAddr attribute

    is not used at this time.

    If it is present, ignore it.

    Configuring the Peer Remote Identity

    This object specifies the remote IKE identity that is authorized to be negotiated with during phase I negotiation.

    In the SBC Configuration Manager window: 

    1. Click All > Address Context > IPsec > Peer > Remote Identity. The Remote Identity window opens.
    2. In the drop-down lists, select the Address Context and Peer names for the peer you are configuring. 

    3. Select a Type of identifier in the drop-down list and then provide the specific value in the adjacent entry field. Option are:

      • IP v4Addr (default)
      • IP v4Addr
      • FQDN
     

    Deleting a Peer

    1. Click the radio button adjacent to the Peer. Click Delete.

    2. A delete confirmation message appears. Click Yes.

    Peer - Local Identity

    The object specifies the local identity type  that 

    Spacevars
    0product
    asserts to the peer during phase 1 authentication.

    Viewing and Editing Local Identity

    1. On the SBC Configuration Manager page, click All.

    2. On the navigation pane, choose Address Context > IPsec > Peer > Local Identity. The Local Identity window is displayed.

      Caption
      0Figure
      1Editing Local Identity

      Image Removed

    3. In Address Context drop-down menu, choose the Local Identity.

    4. IN Peer drop-down menu, choose the Peer.

    5. In Type drop-down menu, choose the IP V6Addr.
    6. In IP Address Var, type the IP V6 address.

    7. Click Save.

    Caption
    0
    Table
    Figure
    1Editing
    Local
    Remote Identity
    Parameters

    Parameter

     Description

     ipV6Addr <ipAddress> This parameter specifies that the local identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the 
    Spacevars
    0product
    specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).
    Info
    titleNote

    The ipVxAddr attribute is not used at this time. If it is present, ignore it. 

    Image Added

    Creating an IPsec - SPD

    This object is an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether or not to permit, deny, or protect packets between the SBC and the peer that is referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them. The

    Peer - Remote Identity

    The object specifies the remote Identity that 

    Spacevars
    0product
    asserts to the PEER during phase 1 authentication.

    Viewing and Editing Remote Identity

  • On the SBC Configuration Manager page, click All.

  • On the navigation pane, choose Address Context > IPsec > Peer > Remote Identity. The Remote Identity window is displayed.

    Caption
    0Figure
    1Editing Remote Identity

    Image Removed

  • In Address Context drop-down menu, choose the Remote Identity.

  • IN Peer drop-down menu, choose the Peer.

  • In Type drop-down menu, choose IP V6Addr.
  • In IP Address V4 or V6, type the IP address.
    • Click Save.
    Caption
    0Table
    1Editing Remote Identity Parameters

    Parameter

     Description

    ipV4Addr <ipAddress>This parameter specifies that the remote identity will be presented in IPv4 address dotted decimal format, taking as its value the IP address of the SBC specified by the next argument (example: 128.127.50.224).
    ipV6Addr <ipAddress>This parameter specifies that the remote identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the SBC specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880).

    IPsec - SPD

    The object is used to configure SPD for the SBC. The SPD establishes the phase 2 criteria for the negotiation between the SBC and the IKE peer. The successful completion of this negotiation results in a Security Association (SA).

    Creating an SPD

    In the SBC Configuration Manager window: 

    1. Click AllOn the navigation pane, choose Address Context > IPsec > SPD. The SPD window is displayed.Type relevant parameters, and click Save

    2. Choose an address context to which you want to add the SPD from the Address Context list. The Create New SPD window opens.

      Caption
      0Figure
      1Creating New SPD

      Image Modified

    3. Use the following table to configure the SPD and click Save.

     

    Caption
    0Table
    1Creating New SPD Parameters

    Parameter

    Length/Range

    Description

    Name

    1-23

    Specifies the name

    of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether or not to permit, deny, or protect packets between the 
    Spacevars
    0product
    and the peer that is referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them.You may create and

    for the SPD entry. You can configure up to 4,096 SPD entries.

    State
    N/A

    Administrative state

    to disable or enable a

    of the SPD entry.

    Zero indicates wildcard.

    Options are:

    • Disabled (default)
    • Enabled
    Precedence
    0-65535
    Evaluation order of this entry. Zero indicates wildcard.
    Local
    Ip Prefix Len
    IP AddrSpecifies the local IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.
    Local IP Prefix Len
    0-128
    Specifies the local IP prefix length of the SPD traffic selector. Default value is 0.
    Local Port
    0-65535
    Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
    Remote
    Ip
    IP Addr
    N/A
    Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard.
    Remote
    Ip
    IP Prefix Len
    0-128
    Specifies the remote IP prefix length of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
    Remote Port
    0-65535
    Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0.
    Protocol
    0-255
    Specifies the IP protocol number of the SPD traffic selector. This parameter uses IANA protocol number assignment, that is, protocol number 6 represents TCP, protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0.

    Action

    N/A

    Action applied when packets processed by IPsec are found matching the selectors of this SPD rule.

    Discard – Specifies that the packets are dropped.

    Bypass – Specifies that the packets are bypassed as clear text.

    Protect – Specifies that the packets are protected by IPsec based on the protection parameters specified in the configured IPsec protection profile.

    Mode
    N/A
    • Tunnel
    • Transport
    Protection Profile

    IPsec mode:

    • Tunnel (default) – Use this mode to encrypt and authenticate the entire IP packet (both header and payload). This encrypted packet is encapsulated in a new packet containing a new IP header.
    • Transport - Use this mode to encrypt and authenticate the IP payload only.
    Protection Profile
    N/A

    Specifies an encryption cipher, a maximum time period for maintaining a security association between these peers (the SA "lifetime"), and an

    antireplay policy

    anti-replay policy.

    Note: This option only appears when you specify Protect as the Action.

    Peer
    N/A

    Specifies the the name of the Internet Key Exchange (IKE) peer database entry.

    Local Ip Addr Var

    N/A

    Specifies the local IPv4 or IPv6 address of the SPD traffic selector.

    Viewing an SPD

    1. On the SBC Configuration Manager page, click All.

    2. On the navigation pane, choose Address Context > IPsec > SPD. The SPD window is displayed.

      Caption
      0Figure
      1Viewing an SPD

      Image Removed

    3. In Address Context drop-down menu, choose the appropriate address context to view the SPD.

    Editing an SPD

    1. Click the radio button adjacent to SPD name.

      Caption
      0Figure
      1Editing an SPD

      Image Removed

      The Edit Selected SPD window is displayed.

    2. Modify the relevant parameters, and click Save.

      Caption
      0Figure
      1Editing Selected SPD Parameters

      Image Removed

    Copying an SPD

    Click the radio button adjacent to SPD name. Click Copy SDP.

    Caption
    0Figure
    1Copying an SPD

     Image Removed

    The Copy Selected SPD window is displayed.

    Note: This option only appears when you specify Protect as the Action.

     

  • Type the relevant parameters, and click Save.

    Caption
    0Figure
    1Copying Selected SPD Parameters

    Image Removed

    • Deleting an SPD

  • Click the radio button adjacent to the SPD. Click Delete.

    Caption
    0Figure
    1Deleting an SPD

    Image Removed

    • A delete confirmation message appears. Click Yes.

    Caption
    0Figure
    1Deleting SPD Prompt
    Image Removed



    Pagebreak