
Introduction

This section describes how IPSec is applied in LTE and how IPSec is configured in a network
where hot standby devices are deployed in off-path mode.
This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00
and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document
content may vary according to version.

Solution Overview

Introduction to LTE
Long Term Evolution (LTE) is a project initiated by the Third Generation Partnership Project (3GPP) in
December 2004 for the long-term evolution of the Universal Mobile Telecommunications System
(UMTS). The project aims to increase the data rate of mobile communications systems and to
reduce the number of network nodes and the system complexity, thereby cutting the CapEx and OpEx
of networks. Since the analog technology of the 1G system, mobile communications networks have
evolved through 2G and 3G and have entered the 4G era. LTE has become a major 4G standard.
Strictly speaking, LTE does not meet the ITU's definition of 4G; it is only a quasi-4G technology.
This, however, has not held carriers back from adopting LTE as the mainstream 4G standard.

Network Architecture of LTE

The network architecture of LTE is flatter and more IP-based than that of 3G networks, as shown
in Figure 1-1.
Figure 1-1 Network architecture of LTE

An LTE network consists of the following parts:

- User Equipment (UE): the general term for mobile terminals, such as mobile phones, smart
phones, and multimedia devices, used on the LTE network
- Evolved NodeB (eNodeB): the wireless base station that provides wireless access services for users
- IP Radio Access Network (IP-RAN): the IP-based wireless access network. It is the access network of
the entire LTE network.
- Evolved Packet Core (EPC): the core network of LTE
- Mobility Management Entity (MME): responsible for the control function of the core network.
Traffic from the eNodeB to the EPC includes signaling flows and service flows, and the MME
processes the signaling traffic.
- Serving Gateway (S-GW): processes the service traffic from the eNodeB to the EPC.
- Operation and Maintenance Center (OMC): includes the M2000, CME, and LMT. The
administrator manages the NEs on the LTE network in a centralized manner through the
OMC. For ease of management, certificate servers, such as the CA server and RA
server, are also deployed in the OMC area.

Interfaces of the eNodeB

The eNodeB provides two interfaces, S1 and X2:
- S1 interface
The S1 interface is between the MME/S-GW and the eNodeB. Based on the service plane, the
S1 interface is further split into the S1 user plane interface and the S1 control plane interface.
  - S1 user plane interface (S1-U)
The S1-U interface is between the eNodeB and the S-GW. It carries user data, also called
service data, between the eNodeB and the S-GW. The S1-U uses GTP over UDP/IP, a simple
transport protocol that encapsulates user data. The S1-U interface provides no mechanism for
traffic control, error control, or other data transfer assurance.
  - S1 control plane interface (S1-C)
The S1-C interface is between the eNodeB and the MME and controls the signaling
interaction between the eNodeB and the MME. For reliable transfer of signaling messages, the
S1-C uses SCTP above the IP layer.
- X2 interface
The X2 interface is used for communication between eNodeBs. The X2 is a new interface
defined by LTE. It is a mesh interface and enables inter-eNodeB packet forwarding when the
terminal moves, which helps to reduce the packet loss rate.
  - X2 user plane interface (X2-U)
The X2-U interface carries user data between eNodeBs. It is used for data forwarding only
when a terminal moves from one eNodeB to another. The X2-U also uses GTP over
UDP/IP.
  - X2 control plane interface (X2-C)
The X2-C is a signaling interface between eNodeBs. It enables signaling interaction between
the eNodeBs. The X2-C is related to user movement: it transfers the user context between
eNodeBs. Like the S1-C, the X2-C also uses SCTP to ensure reliable transmission.

Solution Design

Networking Requirements
On a 3G network, access authentication and data encryption mechanisms are available on both the
control and user planes from the UE to the RNC, so data transmission is secured. On an
LTE network, although access authentication and data encryption mechanisms still work from the
UE to the EPC, the S1-U interface on the user plane has only authentication mechanisms and no
encryption mechanism. Compared with the 3G network, therefore, the LTE network requires additional
security devices to eliminate these security risks.
In the LTE IPSec solution, an IPSec tunnel is set up between the eNodeB and the security gateway
(the FW, also referred to as the SeGW in LTE) to encrypt the S1 data streams, protecting user data
from being intercepted on the IP-RAN and thereby ensuring the security of the LTE network. Generally,
the FWs are attached to both sides of a router in the EPC in off-path mode and serve as the IPSec
gateway through which the eNodeB accesses the MME and S-GW. Two FWs are deployed in hot standby
mode to improve network stability. Figure 1-2 shows the network topology.
Figure 1-2 Network topology for off-path deployment of the FW
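The following Python script is an added example, not part of the Huawei document, that illustrates the interface description above and the reason for the IPSec tunnel: it parses a constructed GTP-U packet as it appears on the S1-U interface (TEID and the inner user packet's addresses readable by anyone on the IP-RAN) and, for comparison, a constructed ESP packet as the same traffic appears once it is tunnelled (only SPI and sequence number readable). The GTPv1-U header layout, the UDP port 2152 and the IP protocol numbers are taken from the 3GPP and IETF specifications; all sample bytes and addresses are constructed.

```python
import struct
from typing import Optional

# Protocol constants from the IETF/3GPP specifications, not from the Huawei document.
GTPU_UDP_PORT = 2152   # GTP-U (3GPP TS 29.281) runs over UDP/IP on S1-U and X2-U
IPPROTO_UDP, IPPROTO_SCTP, IPPROTO_ESP = 17, 132, 50

def parse_gtpu(payload: bytes) -> dict:
    """Parse a GTPv1-U G-PDU and return what an IP-RAN observer can read without any key."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 header with PT=1")
    hdr_len = 12 if flags & 0x07 else 8        # E, S or PN flag adds 4 optional bytes
    inner = payload[hdr_len:8 + length]        # the encapsulated user packet, in cleartext
    if msg_type != 0xFF or inner[0] >> 4 != 4:
        raise ValueError("expected a G-PDU carrying IPv4")
    return {"teid": teid,
            "inner_src": ".".join(map(str, inner[12:16])),
            "inner_dst": ".".join(map(str, inner[16:20]))}

def parse_esp(payload: bytes) -> dict:
    """Parse an ESP packet: only SPI and sequence number are readable; the rest is opaque."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "opaque_bytes": len(payload) - 8}

def observe(ip_proto: int, udp_dport: Optional[int], payload: bytes) -> dict:
    """Classify one packet seen on the IP-RAN and report what it exposes."""
    if ip_proto == IPPROTO_ESP:
        return {"seen_as": "IPSec ESP (tunnelled S1/X2 traffic)", **parse_esp(payload)}
    if ip_proto == IPPROTO_UDP and udp_dport == GTPU_UDP_PORT:
        return {"seen_as": "cleartext GTP-U user data (S1-U/X2-U)", **parse_gtpu(payload)}
    if ip_proto == IPPROTO_SCTP:
        return {"seen_as": "cleartext SCTP signalling (S1-C/X2-C)"}
    return {"seen_as": "other"}

# Constructed samples: a G-PDU carrying an IPv4/UDP packet from a UE to a server, and an ESP packet.
_inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([10, 1, 1, 5]), bytes([198, 51, 100, 7])) + bytes(8)
SAMPLE_GTPU = struct.pack("!BBHI", 0x30, 0xFF, len(_inner), 0x1234) + _inner
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + bytes(24)   # 24 opaque ciphertext bytes

if __name__ == "__main__":
    print(observe(IPPROTO_UDP, GTPU_UDP_PORT, SAMPLE_GTPU))   # TEID and inner addresses visible
    print(observe(IPPROTO_ESP, None, SAMPLE_ESP))             # only SPI and sequence number visible
```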
