BTS3902E uses IPSec transmission: do you know how to do this solution yet?

ruanhuian  Gold  (1)
6 years 2 months ago  View: 6510  Reply: 1
1F

I successfully completed the solution and data configuration a few days ago, and I would like to share it with everyone.

The small cell uses IPSec transmission. This solution is meant to reduce cost, but information security and transmission quality cannot be guaranteed.

What do you experts think about the information security and transmission quality of this kind of transmission?

1. In the Small Cell project, FTTH transmission is used to connect the Small Cell BTS3902E to the RNC.
2. Mechanism:
- Deploy IPSec between the NodeB and the SeGW to ensure network security.
- Each small cell needs one public IP address and gateway. The IP address and gateway can be fixed or dynamic.
- The SeGW needs one fixed public IP address and gateway, with enough bandwidth for all Small Cell connections.

Cannot be guaranteed in the public network:
- QoS: The internet service is best-effort, and the QoS level is 0 in the operator network, so we cannot ensure good traffic when congestion happens. So some requirements (delay, packet loss, jitter) cannot be ensured.
- Reliability & stability: The operator will not ensure service stability for us; we are like one normal internet user, and we can lose traffic at any time for some hours or even one day because of problems on the provider side (cable broken, traffic jam…). When a problem happens, the provider will give higher priority to handling other kinds of service (3G, IPTV, leased line, ...).

 

1. Network topology

In the Small Cell project, FTTH transmission is used to connect the Small Cell BTS3902E to the RNC.

Network topology as below:

1.1 License requirement

NodeB integrated IPSec (per NodeB)

1.2 Data Planning

| NE | Destination IP Address/Mask | Next-Hop IP Address | Remarks |
|---|---|---|---|
| RNC | 10.12.190.197/29 (interface IP of NodeB1) | 10.12.73.18 (port IP address connecting the router to the RNC) | A route from the RNC to the interface IP of NodeB1 |
| U2000 | 10.12.190.196/29 (OM IP of NodeB1) | 10.12.1.0 (port IP address connecting the router to the U2000) | A route from the U2000 to the OM IP of NodeB1 |
| IPCLK | 10.12.190.197/29 (interface IP of NodeB1) | 10.12.1.130 (port IP address connecting the router to the IPCLK) | A route from the IPCLK to the interface IP of NodeB1 |
| NodeB1 | 10.12.73.137/32 (interface IP of the RNC) | 10.12.190.193 (port IP address connecting the router to NodeB1) | A route from NodeB1 to the RNC |
| NodeB1 | 10.12.1.1/25 (interface IP of the U2000) | 10.12.190.193 (port IP address connecting the router to NodeB1) | A route from NodeB1 to the U2000 |
| NodeB1 | 10.12.1.132/32 (interface IP of the IPCLK) | 10.12.190.193 (port IP address connecting the router to NodeB1) | A route from NodeB1 to the IPCLK |
| NodeB1 | 10.12.1.133/32 (interface IP of the IPCLK) | 10.12.190.193 (port IP address connecting the router to NodeB1) | A route from NodeB1 to the IPCLK |
| SeGW | | | |


1.3 Data configuration

The script on the RNC is the same as for a normal site.

Script on the NodeB side: the following additional script is needed for IPSec:


// Configure security data in the secure networking scenario (IPSec)

// ACL 3000 selects the traffic that IPSec protects (SWC/DWC: source/destination wildcard)
ADD ACL: ACLID=3000;
// Rule for RNC
ADD ACLRULE: ACLID=3000, RULEID=1, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.73.137", DWC="0.0.0.255", MDSCP=NO;
// Rule for M2000 server
ADD ACLRULE: ACLID=3000, RULEID=2, PT=IP, SIP="10.12.190.196", SWC="0.0.0.0", DIP="10.12.1.1", DWC="0.0.0.255", MDSCP=NO;
// Rule for IPCLK server 1
ADD ACLRULE: ACLID=3000, RULEID=3, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.1.132", DWC="0.0.0.0", MDSCP=NO;
// Rule for IPCLK server 2
ADD ACLRULE: ACLID=3000, RULEID=4, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.1.133", DWC="0.0.0.0", MDSCP=NO;

// IKE: local name, proposal (pre-shared key, DH group 2) and the SeGW peer
SET IKECFG: IKELNM="vmsadmin";
ADD IKEPROPOSAL: PROPID=1, ENCALG=DES, AUTHALG=SHA1, AUTHMETH=PRE_SHARED_KEY, DHGRP=DH_GROUP2;
// Peer without NAT (IP identity), kept commented out
//ADD IKEPEER: PEERNAME="1", PROPID=1, IKEVERSION=IKE_V2, IDTYPE=IP, REMOTEIP="101.99.17.114", REMOTENAME="segw", PKEY="vmsadmin", DPD=PERIODIC, REDUNDANCYFLAG=NONE, IPSECPREFRGSW=OFF;
// Configure with NAT: FQDN identity and NAT traversal enabled
ADD IKEPEER: PEERNAME="1", PROPID=1, IKEVERSION=IKE_V2, IDTYPE=FQDN, REMOTEIP="101.99.17.114", REMOTENAME="SeGW", PKEY="vmsadmin", DPD=PERIODIC, NATTRAV=ENABLE, REDUNDANCYFLAG=NONE, IPSECPREFRGSW=OFF;

// IPSec: ESP proposal, policy tying ACL 3000 to the proposal and peer, binding to Ethernet port 1
ADD IPSECPROPOSAL: PROPNAME="1", TRANMODE=ESP, ESPAUTHALG=MD5, ESPENCALG=DES;
ADD IPSECPOLICY: SPGN="1", SPSN=1, ACLID=3000, PROPNAME="1", PEERNAME="1", LTCFG=LOCAL;
ADD IPSECBIND: PT=ETH, PN=1, SPGN="1";

 

This post was last edited by ruanhuian on 2016-01-19 12:51
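As an added example (not part of the post above, and not Huawei's own tooling), here is a small Python checker that parses the ADD ACLRULE lines from the NodeB script and tests whether every flow in the data-planning table is selected by some rule. It assumes SWC/DWC are wildcard masks (a 0 bit must match, a 1 bit is ignored). Traffic that the ACL does not select is not placed in the IPSec tunnel and leaves the NodeB unencrypted, so this is the check to run before trusting that the Iub, OM and IP clock flows are protected. The U2000 host 10.12.1.5 and the stray destination 198.51.100.7 are constructed sample addresses, not values from the post.

```python
"""Check that the IPSec ACL (traffic selector) covers every planned flow.

Added example, not part of the original post. It parses ADD ACLRULE lines
as posted and evaluates SIP/SWC and DIP/DWC with wildcard-mask semantics
(assumed here: a 0 bit in the wildcard must match, a 1 bit is ignored).
"""
import ipaddress
import re

# Constructed copy of the four ACL rules from the post, with the trailing
# "Rule for ..." notes removed.
ACL_SCRIPT = """
ADD ACLRULE: ACLID=3000, RULEID=1, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.73.137", DWC="0.0.0.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=2, PT=IP, SIP="10.12.190.196", SWC="0.0.0.0", DIP="10.12.1.1", DWC="0.0.0.255", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=3, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.1.132", DWC="0.0.0.0", MDSCP=NO;
ADD ACLRULE: ACLID=3000, RULEID=4, PT=IP, SIP="10.12.190.197", SWC="0.0.0.255", DIP="10.12.1.133", DWC="0.0.0.0", MDSCP=NO;
"""

# KEY=value or KEY="value" pairs inside an MML command
PARAM_RE = re.compile(r'(\w+)=("?)([^",;]*)\2')


def ip_int(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_acl_rules(script):
    """Return rule dicts (ruleid, sip, swc, dip, dwc as integers), ordered by rule id."""
    rules = []
    for line in script.strip().splitlines():
        if not line.startswith("ADD ACLRULE:"):
            continue
        params = {key: value for key, _, value in PARAM_RE.findall(line)}
        rules.append({
            "ruleid": int(params["RULEID"]),
            "sip": ip_int(params["SIP"]), "swc": ip_int(params["SWC"]),
            "dip": ip_int(params["DIP"]), "dwc": ip_int(params["DWC"]),
        })
    return sorted(rules, key=lambda r: r["ruleid"])


def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit that is 0 in the wildcard."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def matching_rule(rules, src, dst):
    """Rule id of the first rule selecting the src->dst flow, or None."""
    s, d = ip_int(src), ip_int(dst)
    for r in rules:
        if wildcard_match(s, r["sip"], r["swc"]) and wildcard_match(d, r["dip"], r["dwc"]):
            return r["ruleid"]
    return None


# Planned flows taken from the data-planning table: (label, NodeB source, destination).
# The U2000 host 10.12.1.5 is a constructed address inside the 10.12.1.0/25 route.
PLANNED_FLOWS = [
    ("Iub to RNC", "10.12.190.197", "10.12.73.137"),
    ("OM to U2000", "10.12.190.196", "10.12.1.5"),
    ("IPCLK server 1", "10.12.190.197", "10.12.1.132"),
    ("IPCLK server 2", "10.12.190.197", "10.12.1.133"),
]


def coverage_report(rules, flows):
    """Map each flow label to the rule id that selects it (None = not in the tunnel)."""
    return {label: matching_rule(rules, src, dst) for label, src, dst in flows}


def unprotected_flows(rules, flows):
    """Labels of flows that no rule selects; these would leave the NodeB unencrypted."""
    return [label for label, rid in coverage_report(rules, flows).items() if rid is None]


if __name__ == "__main__":
    rules = parse_acl_rules(ACL_SCRIPT)
    for label, rid in coverage_report(rules, PLANNED_FLOWS).items():
        print(f"{label:15s} -> {'rule %d' % rid if rid else 'NOT selected'}")
    # A flow nobody planned (198.51.100.7 is a constructed address): no rule
    # selects it, so it would bypass IPSec entirely.
    print("stray flow      ->", matching_rule(rules, "10.12.190.197", "198.51.100.7"))
```

With the four rules as posted, all four planned flows are selected (rules 1 to 4 in order), while a destination outside every DIP/DWC range returns None. The same function is useful the other way round: because rule 1 uses a 0.0.0.255 source wildcard, it also selects the OM IP 10.12.190.196 towards the RNC subnet, which is worth knowing when a NodeB carries more addresses than the two listed here.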
user_2837311  Diamond 
4 years 10 days ago
2F
Useful document, thanks.