This feature applies to SBC 7000 only.
The following example set of CLI commands configures the SBC for an IPsec tunnel used for media traffic. The example uses these values:
Parameter | Value |
---|---|
Address Context | default |
IP Interface Group (LIF Group) | IP_INT_GR |
LIF Primary IP Address | 10.xxx.xx.x61 |
Alternate Media IP addresses | None |
Remote IPsec Peer IP | 10.xx.xx.8 |
Remote SBC Media IPs | 10.xxx.xx.x2 |
### IKE and IPsec protection profiles

```
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF saLifetimeTime 28800
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms integrity hmacSha1
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms encryption aesCbc256
set profiles security ikeProtectionProfile IKE_PROT_PROF saLifetimeTime 28800
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms integrity hmacSha1,hmacMd5
set profiles security ikeProtectionProfile IKE_PROT_PROF dpdInterval noDpd
```

### IKE peer

```
set addressContext default ipsec peer PEER1 ipAddress 10.xx.xx.8 preSharedKey 00000000000000000000000000000000 localIdentity type ipV4Addr ipAddress 10.xxx.xx.x61
set addressContext default ipsec peer PEER1 remoteIdentity type ipV4Addr ipAddress 10.xx.xx.8
set addressContext default ipsec peer PEER1 protocol ikev1 protectionProfile IKE_PROT_PROF
```

### SPD rule for media traffic

```
set addressContext default ipsec spd SPD1 state enabled precedence 1001
set addressContext default ipsec spd SPD1 localIpAddr 10.xxx.xx.x61 localIpPrefixLen 32 remoteIpAddr 10.xxx.xx.x2 remoteIpPrefixLen 32
set addressContext default ipsec spd SPD1 action protect
set addressContext default ipsec spd SPD1 protocol 0
set addressContext default ipsec spd SPD1 protectionProfile IPSEC_PROT_PROF
set addressContext default ipsec spd SPD1 peer PEER1
set addressContext default ipsec spd SPD1 media enable
```

### Enable IPsec for media on the IP interface group

```
set addressContext default ipInterfaceGroup IP_INT_GR ipsec enabled ipsecForMedia enabled
```
For the local Ribbon SBC to use IPsec for media traffic, configure the remote IPsec peer router or SBC to use, or negotiate, the following IPsec protocols and algorithms supported by the Ribbon SBC:
Protocol/Mode/Algorithm name | Type supported |
---|---|
Protocol/Mode | ESP Tunnel Mode |
Encryption Algorithm | AES-CBC (key sizes up to 256-bits) |
Authentication Algorithm | HMAC-SHA1 |
Key Exchange Protocol | IKEv1 |
Follow these configuration guidelines when configuring the remote IPsec peer router and/or the SBC to work with the Ribbon SBC's expected Media over IPsec use cases:
The SBC provides the parameter `ipsecForMedia` in the `ipInterfaceGroup` CLI to support media over IPsec. The `ipsecForMedia` parameter works in conjunction with the `ipsec` state parameter already available in the same CLI. The `ipsec` Admin State field enables or disables IPsec on the LIF Group as a whole. Prior to this release, the `ipsec` parameter applied only to signaling and Lawful Intercept (LI) traffic, whichever the LIF Group was used for. Starting with SBC 10.1.1, it also applies to media, but only if the `ipsecForMedia` parameter is also enabled.
- You must enable the existing `ipsec` parameter for any use of IPsec.
- You must also enable the `ipsecForMedia` parameter to support media over IPsec.

To support media over IPsec, you must enable both the `ipsec` and `ipsecForMedia` parameters. Calls using this IP Interface Group will only succeed if the media packets match a media SPD entry. Media traffic not matching a Security Policy Database (SPD) entry is dropped.
Ensure that the following conditions are met when using the IP Interface Group for IPsec Media:
- The local selector (`localIpAddr` and `localIpPrefixLen`) must encompass all possible local Media IPs, including the LIF Primary IP and all optional Alternate Media IPs. It must not encompass any non-media IPs used by the SBC, such as the SIP Signaling IP address.
- The SIP Signaling Address must be different from the LIF Primary IP address (`ipAddress`).
- The tunnel's `media` flag is enabled (`media enable` on the SPD entry, as in the example above).
- One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group, for example, one for signaling traffic and one for media traffic.
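As an added example (not Ribbon's code or part of the SBC CLI), the following Python check parses `set addressContext ... ipsec spd` lines in the shape shown above and applies the selector conditions just listed: every media IP inside the local selector, the signaling IP outside it, the signaling IP different from the LIF Primary IP, and the `media` flag enabled. The addresses are constructed placeholders, not the page's own.

```python
import ipaddress
import shlex

# Constructed sample in the page's 'set addressContext ... ipsec spd' shape,
# with placeholder (RFC 5737) addresses instead of the masked ones above.
SAMPLE_CLI = """
set addressContext default ipsec spd SPD1 state enabled precedence 1001
set addressContext default ipsec spd SPD1 localIpAddr 198.51.100.61 localIpPrefixLen 29 remoteIpAddr 203.0.113.2 remoteIpPrefixLen 32
set addressContext default ipsec spd SPD1 media enable
set addressContext default ipsec spd SPD2 localIpAddr 198.51.100.10 localIpPrefixLen 32 remoteIpAddr 203.0.113.2 remoteIpPrefixLen 32
"""


def parse_spd(cli_text):
    """Collect 'set addressContext <ctx> ipsec spd <name> key value ...' lines
    into {name: {key: value}}; any other line is ignored."""
    spds = {}
    for line in cli_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 6 or tok[:2] != ["set", "addressContext"] or tok[3:5] != ["ipsec", "spd"]:
            continue
        rest = tok[6:]
        spds.setdefault(tok[5], {}).update(zip(rest[0::2], rest[1::2]))
    return spds


def check_media_selector(spd, lif_primary_ip, alt_media_ips, signaling_ip):
    """Apply the Media-over-IPsec selector conditions to one SPD entry.
    Returns a list of violations (empty when the entry is acceptable)."""
    problems = []
    if spd.get("media") != "enable":
        problems.append("media flag is not enabled on the SPD entry")
    local = ipaddress.ip_network(
        f"{spd['localIpAddr']}/{spd['localIpPrefixLen']}", strict=False)
    # Every possible local media IP (LIF Primary plus alternates) must fall
    # inside the local selector, or its media is dropped as non-matching.
    for ip in [lif_primary_ip, *alt_media_ips]:
        if ipaddress.ip_address(ip) not in local:
            problems.append(f"media IP {ip} is outside local selector {local}")
    # Non-media IPs such as the SIP signaling address must fall outside it.
    if ipaddress.ip_address(signaling_ip) in local:
        problems.append(f"signaling IP {signaling_ip} is inside local selector {local}")
    if ipaddress.ip_address(signaling_ip) == ipaddress.ip_address(lif_primary_ip):
        problems.append("signaling IP must differ from the LIF Primary IP")
    return problems


if __name__ == "__main__":
    for name, spd in parse_spd(SAMPLE_CLI).items():
        print(name, check_media_selector(spd, "198.51.100.61", ["198.51.100.62"], "198.51.100.10") or "OK")
```

SPD1 passes because its /29 selector covers the primary and alternate media IPs but not the signaling address; SPD2 fails on all four conditions.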
When using the IPsec Protection Profile for IPsec media, configure the following parameters as specified.