This section describes the applications of IPSec in LTE and the IPSec configuration for
networks where hot standby devices are deployed in off-line mode.
This document is based on Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X V500R005C00
and can be used as a reference for Eudemon200E-N&Eudemon1000E-N&Eudemon8000E-X
V500R005C00, Eudemon200E-G&Eudemon1000E-G V600R006C00, and later versions. Document
content may vary according to version.
Solution Overview
Introduction to LTE
Long Term Evolution (LTE) is a project initiated by the Third Generation Partnership Project (3GPP) in
December 2004 for the long-term evolution of the Universal Mobile Telecommunications System
(UMTS). The objective of the project is to increase the data rate of mobile communications systems,
reduce the number of network nodes and the system complexity, and thereby cut down the CapEx and OpEx of
networks. Since analog technology was adopted in the 1G system, mobile communications
networks have been through the revolution of 2G and 3G technologies and stepped into the 4G era.
LTE has become a major 4G standard. Strictly speaking, LTE does not meet the 4G definition of the ITU. It is
only a quasi-4G technology. This, however, has not held carriers back from setting LTE as the
mainstream 4G standard.
Networking Requirements
On a 3G network, access authentication and data encryption mechanisms are available on the
control and user planes from the UE to the RNC, and therefore, data transmission is secured. On an
LTE network, although access authentication and data encryption mechanisms still work from the
UE to the EPC, S1-U, on the user plane, has only authentication mechanisms but no encryption
mechanisms. Therefore, compared with the 3G network, the LTE network requires additional
security devices to eliminate security risks.
In the LTE IPSec solution, an IPSec tunnel is set up between the eNodeB and the security gateway
(the FW, also referred to as the SeMG in LTE) to encrypt S1 data streams. This protects user data
against intrusion on the IP-RAN and thereby ensures the security of the LTE network. Generally,
the FW is attached to both sides of a router in the EPC in off-path mode and serves as the IPSec
gateway for the eNodeB to access the MME and S-GW. Two FWs are deployed in hot standby
mode to improve the network stability. Figure 1-2 shows the network topology.
Figure 1-2 Network topology for off-path deployment of the FW