You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 5
Next »
The Sonus Lawful Intercept (LI) solution supports the following:
- Encrypts media transferred from Session Border Controller (SBC) to the collection device to avoid security issues.
- Supports Internet Protocol Security (IPsec) encapsulation of Call Data interface (X3).
- Enables IPsec encapsulation on the Call Content (media) interface for LI security.
- Associates IPsec to the IP interface group configured in the CDC.
- Manages IPsec at the application level.
Creating IKE Protection Profile
- Log on to EMS as
admin
user. Under Network Mgmnt, click Cluster / VNF Management. The Cluster/VNF Management window is displayed.
Create cluster. For more information, see Creating an SBC SWe Cluster.
Click Configurations tab.
Click New Configuration. The New Configuration pane is displayed.
- Click Master Configurator tab.
Select the version of the configuration from the Version drop-down menu.
Select an SBC Configurator instance from the Master Configurator drop-down menu.
This node is used to create the configuration. The SBC Configurator nodes are displayed based on the version selected. Only unlocked SBC Configurator nodes are listed.
Enter a name for the configuration in the Configuration Name field. The SBC configuration name can contain only letters, numbers, dashes (-), apostrophes ('), underscores (_), colons (:) and spaces.
The cluster ID is set as the default name for the first configuration. You can modify the name. The name must be unique.
The subsequent configurations are named with a combination of cluster name and some unique identifying information. The default name varies based on how the configuration is created.
Click Create. A circular progress bar is displayed against the Master Configurator node. It requires minimum of six minutes to load the master configuration.
When the Master Configurator node is loaded, the Open Editor button is displayed next to the Master Configurator node.
Click Open Editor. The SBC Configuration Manager window is displayed.
- Click Configuration > Profile Management.
- On the navigation pane, choose Security Profiles as Category.
Click IKE Protection Profile > New IKE Protection Profile.
+New IKE Protection Profile
The Create New IKE Protection Profile window is displayed.
Type the profile Name, SA Lifetime Time, and DPD Interval. Choose the appropriate option in PFS Required.
Click Save.
Creating New IKE Protection Profile
IKE Protection Profile Parameters
Parameter | Description |
---|
Name | Specifies the name of the IKE Protection Profile. |
SA Lifetime Time | The maximum interval seconds that any one Security Association is maintained before possible re-keying. This parameter is applied to the IKE SA when it appears in the IKE Protection Profile and to the IPsec SA when it appears in the IPsec Protection Profile. Default value: 8 hours (28,800 seconds) Value range: 1200-1000000 |
DPD Interval | Specifies the IKE Protection Profile Dead Peer Detection test interval period in seconds. The value '0' corresponds to DPD disabled. Default value is 30. |
PFS Required | Enable flag to require PFS use during IPsec SA negotiation. - Disabled (default)
- Enabled
|
To View and Edit Algorithm
- Click Configuration > Profile Management.
- On the navigation pane, choose Security Profiles as Category.
Click IKE Protection Profile > New IKE Protection Profile > Algorithms.
In IKE Protection Profile drop-down menu, choose the desired profile to view its respective Algorithm parameters. The Algorithms window is displayed.
Choose the relevant parameters, and click Save.
New IKE Protection Profile - Algorithms
New IKE Protection Profile - Algorithms Parameters
Parameter | Description |
---|
Encryption | The IKE Protection Profile Encryption Cipher. You can select multiple encryptions. Options are: - _3DesCbc
- aesCbc128 (default)
|
Integrity | The IKE Protection Profile integrity Cipher. You can select multiple parameters. Options are: - hmacMd5 (default)
- hmacSha1
- hmacsha256
|
Dh Group | Specifies the DH group(s) supported in IKE exchange. The options are: - modp768
- modp1024 (default)
- modp1536
- modp2048
|
IPsec - Peer
The object specifies the name of the Internet Key Exchange (IKE) peer database entry that identifies an entry in the IKE Peer Database (IPD). The IPD is a list of remote devices that may become IPsec peers. The IPD establishes the authentication and other phase 1 criteria for the peer-to-peer negotiation to eventually reach an IKE Security Association (SA) between this specific peer and the SBC.
Creating a Peer
- On the SBC Configuration Manager page, click All.
On the navigation pane, choose Address Context > IPsec > Peer. Click New Peer.
The Create New Peer window is displayed.
Creating New Peer Parameters
Parameter | Description |
---|
Name
| Specifies the name of the peer you are configuring. |
IP Address V4 or V6
| Specifies the 32-bit IP address of the Peer. |
Protocol
| The SPD traffic selector IP PROTOCOL. Valid values for this parameter are: Ikev1: Indicates the version of IKE protocol. Internet Key Exchange Version 1.
Ikev2: Indicates the enhanced version of IKE protocol. Internet Key Exchange Version 2.
Any : Indicates either IKEv1 is used or IKEv2 version is used.
|
Pre Shared Key
| Specifies the Pre-shared secret with this peer. The Pre Shared Key can be one of the following: - A string ranging from 32 to 128 case-sensitive, alphanumeric characters. These characters may only be in the range 0-9, a-z, space, and A-Z
- A hexadecimal value introduced by "0x" and followed by 16 to 64 hexadecimal digits (0-9, a-f, A-F)
In either case the given value represents a pre-shared secret between the Unable to show "metadata-from": No such page "_space_variables" and the IKE peer. This value is used for mutual authentication for phase 1 negotiation to set up an IKE Security association. |
Protection
Profile
| The name of the IKE protection profile to be applied to the Key management protocol exchange with the peer. |
Local Identity | This object specifies the local identity type that SBC asserts to the peer during phase 1 authentication. |
The ipVxAddr
attribute is not used at this time. If it is present, ignore it.
Viewing a Peer
- On the navigation pane, choose Address Context > IPsec > Peer.
In Address Context drop-down menu, choose the Peer. The Peer List is displayed.
Editing a Peer
Click the radio button adjacent to Peer name.
The Edit Selected Peer window is displayed.
Modify the relevant parameters, and click Save.
Copying a Peer
Click the radio button adjacent to the Peer. Click Copy Peer.
The Copy Selected Peer window is displayed.
Type the relevant parameters, and click Save.
The ipVxAddr
attribute is not used at this time. If it is present, ignore it.
Deleting a Peer
Click the radio button adjacent to the Peer. Click Delete.
A delete confirmation message appears. Click Yes.
Peer - Local Identity
The object specifies the local identity type that
Unable to show "metadata-from": No such page "_space_variables"
asserts to the
peer during phase 1 authentication.
Viewing and Editing Local Identity
- On the SBC Configuration Manager page, click All.
On the navigation pane, choose Address Context > IPsec > Peer > Local Identity. The Local Identity window is displayed.
In Address Context drop-down menu, choose the Local Identity.
IN Peer drop-down menu, choose the Peer.
- In Type drop-down menu, choose the IP V6Addr.
- In IP Address Var, type the IP V6 address.
Click Save.
Editing Local Identity Parameters
Parameter | Description |
---|
ipV6Addr <ipAddress> | This parameter specifies that the local identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the Unable to show "metadata-from": No such page "_space_variables" specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880). |
The ipVxAddr
attribute is not used at this time. If it is present, ignore it.
Peer - Remote Identity
The object specifies the remote Identity that
Unable to show "metadata-from": No such page "_space_variables"
asserts to the PEER during phase 1 authentication.
Viewing and Editing Remote Identity
- On the SBC Configuration Manager page, click All.
On the navigation pane, choose Address Context > IPsec > Peer > Remote Identity. The Remote Identity window is displayed.
In Address Context drop-down menu, choose the Remote Identity.
IN Peer drop-down menu, choose the Peer.
- In Type drop-down menu, choose IP V6Addr.
- In IP Address V4 or V6, type the IP address.
Click Save.
Editing Remote Identity Parameters
Parameter | Description |
---|
ipV4Addr <ipAddress> | This parameter specifies that the remote identity will be presented in IPv4 address dotted decimal format, taking as its value the IP address of the SBC specified by the next argument (example: 128.127.50.224). |
ipV6Addr <ipAddress> | This parameter specifies that the remote identity will be presented in IPv6 address hexadecimal/colon format, taking as its value the IP address of the SBC specified by the next argument (example: 1280:1276:3350:2224:2222:3333:8888:1245 or fd00:21:445:128::7880). |
IPsec - SPD
The object is used to configure SPD for the SBC. The SPD establishes the phase 2 criteria for the negotiation between the SBC and the IKE peer. The successful completion of this negotiation results in a Security Association (SA).
Creating an SPD
On the navigation pane, choose Address Context > IPsec > SPD. The SPD window is displayed.
Type relevant parameters, and click Save.
Creating New SPD Parameters
Parameter | Length/Range | Description |
---|
Name
| 1-23 | Specifies the name of an IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether or not to permit, deny, or protect packets between the Unable to show "metadata-from": No such page "_space_variables" and the peer that is referenced from the entry. If the packets are to be protected, this entry references information that specifies how to protect them.You may create and configure up to 4,096 SPD entries. |
State | N/A | Administrative state to disable or enable a SPD entry. Zero indicates wildcard. |
Precedence | 0-65535 | Evaluation order of this entry. Zero indicates wildcard. |
Local Ip Prefix Len | 0-128 | Specifies the local IP prefix length of the SPD traffic selector. Default value is 0. |
Local Port | 0-65535 | Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
Remote Ip Addr | N/A | Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Zero indicates wildcard. |
Remote Ip Prefix Len | 0-128 | Specifies the remote IP prefix length of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
Remote Port | 0-65535 | Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
Protocol | 0-255 | Specifies the IP protocol number of the SPD traffic selector. This parameter uses IANA protocol number assignment, that is, protocol number 6 represents TCP, protocol number 17 represents UDP. Zero indicates wildcard. Default value is 0. |
Action
| N/A | Action applied when packets processed by IPsec found matching the selectors of this SPD rule. Discard – Specifies that the packets are dropped.Bypass – Specifies that the packets are bypassed as clear text.Protect – Specifies that the packets are protected by IPsec based on the protection parameters specified in the configured IPsec protection profile.
|
Mode | N/A | |
Protection Profile | N/A | Specifies an encryption cipher, a maximum time period for maintaining a security association between these peers (the SA "lifetime"), and an antireplay policy. |
Peer | N/A | Specifies the the name of the Internet Key Exchange (IKE) peer database entry. |
Local Ip Addr Var
| N/A | Specifies the local IPv4 or IPv6 address of the SPD traffic selector. |
Viewing an SPD
- On the SBC Configuration Manager page, click All.
On the navigation pane, choose Address Context > IPsec > SPD. The SPD window is displayed.
In Address Context drop-down menu, choose the appropriate address context to view the SPD.
Editing an SPD
Click the radio button adjacent to SPD name.
The Edit Selected SPD window is displayed.
Modify the relevant parameters, and click Save.
Editing Selected SPD Parameters
Copying an SPD
Click the radio button adjacent to SPD name. Click Copy SDP.
The Copy Selected SPD window is displayed.
Type the relevant parameters, and click Save.
Copying Selected SPD Parameters
Deleting an SPD
Click the radio button adjacent to the SPD. Click Delete.
A delete confirmation message appears. Click Yes.