SecGW TLS Support
Assumptions and Limitations
- Only TLS/TCP data can be IP/UDP encapsulated and forwarded to the local ePDG service
- It is possible for the UE to send IKE/ESP over SSL as application data
- The IKE protocol is UDP encapsulated, but for this feature the IKE/ESP traffic must be carried as SSL data, which is a TCP-based connection
- The ports supported for the TLS/TCP connection are configurable in wsg-service
- TLS/TCP should be used as a fallback only when UDP is blocked in the firewall
- From the SecGW point of view, the network side is the ePDG
- The SecGW supports both IKEv2/IPSec-based and SSL-based connections simultaneously
- The SecGW can be authenticated by the UE based on an X.509 certificate. This is optional in TLS
- SSL should be used to provide data security between the UE and the SecGW
- SSL and TCP protocol stacks have been implemented at the SecGW to support the authentication and connection security requirements
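As an added illustration of the forwarding path these points describe (example code written for this page, not SecGW or StarOS code): the gateway reads IKE/ESP messages out of the TLS-decrypted TCP stream, validates each one, and re-encapsulates it in UDP toward the ePDG. The 2-byte length framing, the use of the RFC 3948 Non-ESP Marker inside the stream, and port 4500 are assumptions made for the example, not documented SecGW behaviour.

```python
import struct
from typing import List, Tuple
# Constructed assumption (not the SecGW's documented format): each IKE/ESP message
# inside the TLS stream is prefixed by a 2-byte big-endian length, and IKE messages
# carry the 4-byte zero Non-ESP Marker of RFC 3948, exactly as on UDP port 4500.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28  # IKEv2 fixed header size (SPIs ... Length)

def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut complete length-prefixed frames out of one TLS read; return (frames, leftover partial frame)."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if length == 0:
            raise ValueError("zero-length frame in TLS stream")
        if pos + 2 + length > len(stream):
            break  # partial frame: keep it until more bytes arrive
        frames.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return frames, stream[pos:]

def classify(frame: bytes) -> str:
    """Validate a frame before forwarding to the ePDG; returns 'ike' or 'esp'."""
    if frame.startswith(NON_ESP_MARKER):
        body = frame[4:]
        if len(body) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        (ike_len,) = struct.unpack("!I", body[24:28])
        if ike_len != len(body):
            raise ValueError("IKE Length field does not match frame size")
        return "ike"
    if len(frame) < 8:  # ESP needs at least SPI + sequence number
        raise ValueError("truncated ESP packet")
    return "esp"

def udp_encapsulate(frame: bytes, src_port: int, dst_port: int = 4500) -> bytes:
    """Prefix a validated frame with a UDP header (checksum 0 is allowed for IPv4), as forwarded toward the ePDG."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(frame), 0) + frame

def forward(stream: bytes, src_port: int = 4500) -> Tuple[List[Tuple[str, bytes]], bytes]:
    """Demultiplex one TLS read into (kind, UDP datagram) pairs plus leftover bytes."""
    frames, leftover = split_frames(stream)
    return [(classify(f), udp_encapsulate(f, src_port)) for f in frames], leftover

# Constructed sample stream: a bare 28-byte IKE_SA_INIT header followed by a small ESP packet.
IKE_MSG = NON_ESP_MARKER + struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER_LEN)
ESP_MSG = struct.pack("!II", 0x0000ABCD, 1) + b"\xaa" * 16
SAMPLE_STREAM = struct.pack("!H", len(IKE_MSG)) + IKE_MSG + struct.pack("!H", len(ESP_MSG)) + ESP_MSG
```

A malformed frame raises before anything is forwarded, so a bad IKE length or a short ESP packet never reaches the ePDG.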