Feature Description
Internet Protocol Security (IPSec) is a suite of protocols that interact with one another to provide secure private communication across IP networks. These protocols allow the system to establish and maintain secure tunnels with peer security gateways. IPSec provides confidentiality, data integrity, access control, and data source authentication to IP datagrams.
In Cisco Cloud Native 5G, the IPSec functionality is available in Tunnel mode both on Session Management Function (SMF) and User Plane Function (UPF). The IPSec crypto-maps are associated under the appropriate interface on respective nodes. The IPSec tunnel is created between each SMF or UPF pair explicitly. This feature supports the IPv4 and IPv6 tunneling mode. There is no change on the N4/Sx service configuration.
The IPSec tunnel mode encapsulates the entire IP packet to provide a virtual secure hop between two gateways. It provides VPN-like functionality: the entire original IP packet, full IP header as well as payload, is encapsulated inside another IP packet and delivered to the destination.

When N4/Sx over IPSec is enabled on a UPF NF running VPP, the following parameter must be set under "VPP Param" for the N4/Sx over IPSec feature to work:
VPP_DPDK_DATA_SIZE=5120
The VPP Param is stored in the staros_para.cfg file on a CD-ROM and this configuration is read and applied to VPP by UPF during its boot.
Note: This parameter is supported until VPP version 19.08. It introduces a memory overhead of about 800 MB; consider this before using the feature. If the UPF has insufficient RAM, the VM must be allocated an extra 1 GB of RAM for the feature to work properly.
For more information on IPSec support, see the StarOS IPSec Reference.
IKEv2 Keep-Alive Messages (Dead Peer Detection)
IPSec for N4/Sx interface supports IKEv2 keep-alive messages, also known as Dead Peer Detection (DPD), originating from both ends of an IPSec tunnel. As per RFC 3706, DPD is used to simplify the messaging required to verify communication between peers and tunnel availability.
IPSec DPD is an optional configuration. If it is disabled, the IPSec node does not initiate DPD requests. However, the node always responds to DPD availability messages initiated by the peer node, regardless of its own DPD configuration.
The following method can be used to calculate the keep-alive interval value when N4/Sx over IPSec feature is configured:
((max-retransmissions + 1) * retransmission-timeout-ms) * 2
The keep-alive interval value specifies how long the IPSec tunnel remains up until DPD is triggered.
Example:
sx-service sx
instance-type userplane
bind ipv4-address 192.168.1.1 ipv6-address bbbb:abcd::11
sxa max-retransmissions 4
sxa retransmission-timeout-ms 5000
Here, the value of max-retransmissions is 4 and retransmission-timeout-ms is 5000. Therefore, the keep-alive interval value will be 50:
((max-retransmissions + 1) * retransmission-timeout-ms) * 2 = Keep-alive interval
((4+1) * 5000) * 2 = 50000 ms, that is, 50 seconds (the crypto map keepalive interval is expressed in seconds)
IKESA Rekey
UPF supports both IKESA Rekey and IPSec Rekey.
For IKESA Rekey, the lifetime interval CLI must be configured under ikev2-ikesa transform-set transform_set. You must also configure ikev2-ikesa rekey under the crypto map configuration. The following is a configuration example:
ikev2-ikesa transform-set ikesa-foo
encryption aes-cbc-256
group 14
hmac sha2-256-128
lifetime 28800
prf sha2-256
...
...
...
crypto map foo0 ikev2-ipv4
match address foo0
authentication local pre-shared-key encrypted key secret_key
authentication remote pre-shared-key encrypted key secret_key
ikev2-ikesa max-retransmission 3
ikev2-ikesa retransmission-timeout 15000
ikev2-ikesa transform-set list ikesa-foo
ikev2-ikesa rekey
keepalive interval 50
control-dont-fragment clear-bit
payload foo-sa0 match ipv4
ipsec transform-set list A-foo
lifetime 600
rekey keepalive
#exit
peer 172.19.222.2
ikev2-ikesa policy error-notification