Note

This feature applies to SBC 7000 only.

Overview

An example set of CLI commands that configures the SBC for an IPsec tunnel carrying media traffic is shown below. The example uses the following values:

Parameter                          Value
Address Context                    default
IP Interface Group (LIF Group)     IP_INT_GR
LIF Primary IP Address             10.xxx.xx.x61
Alternate Media IP addresses       None
Remote IPsec Peer IP               10.xx.xx.8
Remote SBC Media IPs               10.xxx.xx.x2


Sample SBC configuration for IPsec tunnel used for media traffic
### IKE and IPsec protection profiles
### IPsec (ESP) profile: AES-CBC-256 encryption with HMAC-SHA1 integrity, SA lifetime 28800 s (8 h)
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF saLifetimeTime 28800
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms integrity hmacSha1
set profiles security ipsecProtectionProfile IPSEC_PROT_PROF espAlgorithms encryption aesCbc256

### IKE profile: the sample also admits 3DesCbc and hmacMd5 so that older peers can negotiate;
### 3DES and MD5 are deprecated, so restrict the list to aesCbc128 and hmacSha1 when the peer supports them.
### dpdInterval noDpd disables dead peer detection: a stale SA then persists until its lifetime expires.
set profiles security ikeProtectionProfile IKE_PROT_PROF saLifetimeTime 28800
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms encryption aesCbc128,3DesCbc
set profiles security ikeProtectionProfile IKE_PROT_PROF algorithms integrity hmacSha1,hmacMd5
set profiles security ikeProtectionProfile IKE_PROT_PROF dpdInterval noDpd
   
### IKE peer: the all-zero preSharedKey is a placeholder; the local identity is the LIF primary IP
set addressContext default ipsec peer PEER1 ipAddress 10.xx.xx.8 preSharedKey 00000000000000000000000000000000 localIdentity type ipV4Addr ipAddress 10.xxx.xx.x61
set addressContext default ipsec peer PEER1 remoteIdentity type ipV4Addr ipAddress 10.xx.xx.8
set addressContext default ipsec peer PEER1 protocol ikev1 protectionProfile IKE_PROT_PROF
   
### SPD rule for media traffic: /32 selectors because there is a single media IP on each side;
### protocol 0 matches any IP protocol, and "media enable" marks this SPD entry as the media tunnel
set addressContext default ipsec spd SPD1 state enabled precedence 1001
set addressContext default ipsec spd SPD1 localIpAddr 10.xxx.xx.x61 localIpPrefixLen 32 remoteIpAddr 10.xxx.xx.x2 remoteIpPrefixLen 32
set addressContext default ipsec spd SPD1 action protect
set addressContext default ipsec spd SPD1 protocol 0
set addressContext default ipsec spd SPD1 protectionProfile IPSEC_PROT_PROF
set addressContext default ipsec spd SPD1 peer PEER1
set addressContext default ipsec spd SPD1 media enable
   
### Enable IPsec for media on the IP interface group (both flags are required)
set addressContext default ipInterfaceGroup IP_INT_GR ipsec enabled ipsecForMedia enabled

Remote IPsec Peer Protocol/Algorithm Requirements

For the local Ribbon SBC to use IPsec for media traffic, configure the remote IPsec peer router/SBC to use, or negotiate to, the following IPsec protocols and algorithms supported by the Ribbon SBC:

Protocol/Mode/Algorithm name     Type supported
Protocol/Mode                    ESP Tunnel Mode
Encryption Algorithm             AES-CBC (key sizes up to 256 bits)
Authentication Algorithm         HMAC-SHA1
Key Exchange Protocol            IKEv1

Configuration Guidelines

Use the following guidelines when configuring the remote IPsec peer router and/or SBC to work with the Ribbon SBC's expected Media over IPsec use cases:

  • Configure the remote IPsec peer to use, or negotiate to, IKEv1.
  • Configure the remote IPsec peer to use the LIF Primary IP of the local SBC as its remote IPsec peer IP address.
  • Ensure that the set of remote media IP addresses used for calls to the local SBC is contained within an IP/mask range that does not overlap with any remote non-media IPs. This IP/prefix mask range is specified in the local Ribbon SBC's IPsec SPD remote selector fields.

The SBC adds the ipsecForMedia parameter to the ipInterfaceGroup CLI to support media over IPsec. It works in conjunction with the ipsec state parameter already available in the same CLI. The ipsec Admin State field enables or disables IPsec on the LIF Group as a whole. Prior to this release, the ipsec parameter applied only to signaling and Lawful Intercept (LI) traffic, whichever the LIF Group was used for. Starting with SBC 10.1.1, it also applies to media, but only if the ipsecForMedia parameter is also enabled.

  • You must enable the existing ipsec parameter for any use of IPsec.

  • You must also enable the ipsecForMedia parameter to support media over IPsec.

Note

To support media over IPsec, you must enable both the ipsec and ipsecForMedia parameters. Calls using this IP Interface Group will only succeed if the media packets match a media SPD entry. Media traffic not matching a Security Policy Database (SPD) entry is dropped.


IPsec for Media Restrictions

IP Interface Group Restrictions for IPsec Media

Ensure that the following conditions are met when using the IP Interface Group for IPsec Media:

  • The IP Interface Group contains only one LIF (ipInterface).
  • The primary IP address (ipAddress) of the LIF and all optional Alternate Media IP addresses (altMediaIpAddresses) configured on the IP Interface Group (together comprising all of the possible media IPs) are contained within an IP/prefix mask range that does not overlap with any possible non-media IPs, including the SIP signaling address. This IP/prefix mask range is specified in the IPsec SPD local selector fields.
  • The SIP Signaling Address is different than the LIF Primary IP address (ipAddress).

IPsec SPD Configuration Restrictions for IPsec Media

Ensure that the following conditions are met:

  1. The local selector (localIpAddr and localIpPrefixLen) must encompass all possible local media IPs, including the LIF Primary IP and all optional Alternate Media IPs. It must not encompass any non-media IPs used by the SBC, such as the SIP signaling IP address.

    Note

    The SIP Signaling Address must be different than the LIF Primary IP address (ipAddress).

  2. The remote selector (remoteIpAddr and remoteIpPrefixLen) must encompass all possible Media IPs used by the remote SBC. Also, it must not encompass any non-media IPs used by the remote peer.
  3. The mode is set to tunnel.
  4. The media flag is enabled.
  5. One Security Policy Database (SPD) entry is created for each IPsec tunnel. It is possible to create multiple IPsec tunnels that use the same IP Interface Group, for example one for signaling traffic and one for media traffic, each with its own SPD entry and non-overlapping selectors.
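The selector rules in the configuration guidelines and in the SPD restrictions above are easy to get wrong by hand, especially once Alternate Media IPs are in play. The following Python script is an added example (not Ribbon's code): it derives the tightest local and remote selectors that cover every media IP, checks them against the signaling and other non-media addresses on both sides, and renders the resulting selector line in the "set addressContext ... ipsec spd" syntax used on this page. The addresses are constructed from the RFC 5737 documentation ranges, and which addresses play the LIF primary, alternate media, signaling and remote roles is an assumption for the sake of the example.

```python
"""Pre-flight check of IPsec-for-media SPD selectors on a Ribbon SBC.

Added example, not Ribbon's code. Sample addresses are constructed from
the RFC 5737 documentation ranges; the emitted CLI line follows the
'set addressContext ... ipsec spd ...' syntax shown on this page.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def covering_prefix(addrs: Iterable[str]) -> Network:
    """Smallest single prefix containing every address in addrs.

    Start from a host route for the first address and widen it one bit
    at a time until every address falls inside the prefix.
    """
    ips = [ipaddress.ip_address(a) for a in addrs]
    if not ips:
        raise ValueError("need at least one address")
    if len({ip.version for ip in ips}) != 1:
        raise ValueError("all addresses must be the same IP version")
    net = ipaddress.ip_network(f"{ips[0]}/{ips[0].max_prefixlen}")
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def check_media_spd(
    local_selector: str,
    remote_selector: str,
    lif_primary_ip: str,
    alt_media_ips: Iterable[str],
    signaling_ip: str,
    remote_media_ips: Iterable[str],
    remote_non_media_ips: Iterable[str],
) -> List[str]:
    """Return the page's SPD restrictions that the selectors violate.

    An empty list means the selectors are acceptable for a media SPD entry.
    """
    problems: List[str] = []
    local = ipaddress.ip_network(local_selector, strict=False)
    remote = ipaddress.ip_network(remote_selector, strict=False)
    lif = ipaddress.ip_address(lif_primary_ip)
    sig = ipaddress.ip_address(signaling_ip)

    # The SIP signaling address must differ from the LIF primary (media) IP.
    if sig == lif:
        problems.append("SIP signaling address equals the LIF primary IP")

    # Local selector: cover the LIF primary IP and every alternate media IP ...
    for ip in [lif, *map(ipaddress.ip_address, alt_media_ips)]:
        if ip not in local:
            problems.append(f"local selector {local} does not cover media IP {ip}")
    # ... but exclude non-media IPs such as the signaling address.
    if sig in local:
        problems.append(f"local selector {local} covers signaling IP {sig}")

    # Remote selector: cover the peer's media IPs, exclude its non-media IPs.
    for ip in map(ipaddress.ip_address, remote_media_ips):
        if ip not in remote:
            problems.append(f"remote selector {remote} does not cover remote media IP {ip}")
    for ip in map(ipaddress.ip_address, remote_non_media_ips):
        if ip in remote:
            problems.append(f"remote selector {remote} covers remote non-media IP {ip}")
    return problems


def spd_selector_command(address_context: str, spd_name: str,
                         local: Network, remote: Network) -> str:
    """Render the selector line in the CLI syntax used on this page."""
    return (
        f"set addressContext {address_context} ipsec spd {spd_name} "
        f"localIpAddr {local.network_address} localIpPrefixLen {local.prefixlen} "
        f"remoteIpAddr {remote.network_address} remoteIpPrefixLen {remote.prefixlen}"
    )


# Constructed sample, local SBC side (roles are assumptions for the example).
LIF_PRIMARY_IP = "192.0.2.61"
ALT_MEDIA_IPS = ["192.0.2.62", "192.0.2.63"]
SIGNALING_IP = "192.0.2.10"
# Constructed sample, remote SBC side.
REMOTE_MEDIA_IPS = ["198.51.100.2", "198.51.100.3"]
REMOTE_NON_MEDIA_IPS = ["198.51.100.5"]


def propose_selectors() -> Tuple[Network, Network, List[str]]:
    """Derive the tightest selectors from the media IPs and validate them."""
    local = covering_prefix([LIF_PRIMARY_IP, *ALT_MEDIA_IPS])
    remote = covering_prefix(REMOTE_MEDIA_IPS)
    problems = check_media_spd(str(local), str(remote), LIF_PRIMARY_IP, ALT_MEDIA_IPS,
                               SIGNALING_IP, REMOTE_MEDIA_IPS, REMOTE_NON_MEDIA_IPS)
    return local, remote, problems


if __name__ == "__main__":
    local, remote, problems = propose_selectors()
    print(spd_selector_command("default", "SPD1", local, remote))
    for p in problems:
        print("VIOLATION:", p)
    # A /24 local selector is too wide: it swallows the signaling address.
    for p in check_media_spd("192.0.2.0/24", str(remote), LIF_PRIMARY_IP, ALT_MEDIA_IPS,
                             SIGNALING_IP, REMOTE_MEDIA_IPS, REMOTE_NON_MEDIA_IPS):
        print("VIOLATION:", p)
```

With the sample addresses the tightest local selector is 192.0.2.60/30 (covering .61 to .63 while leaving the signaling address .10 outside) and the remote selector is 198.51.100.2/31; widening the local side to a /24 is reported as a violation because the selector would then also match signaling traffic, which the page says must be kept on a separate SPD entry.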

IPsec Protection Profile Restrictions for IPsec Media

When using the IPsec Protection Profile for IPsec media, configure the following parameters, as specified.

  • Set the ESP encryption algorithm to either "aesCbc128" or "aesCbc256".
  • Set the ESP integrity algorithm to "hmacSha1".