Chinmay Marathe CWNE#390 | CCIE#60584 (https://www.linkedin.com/in/chinmay-marathe-9a26195a/)



VoWiFi in EPC End to End Call Flow with IPsec-Part2


featured by chinmay marathe, posted in lte-wifi call flows

In my previous blog, we saw how a user gets connected to a WiFi hotspot in EPC. Once the UE has established a data connection, it can proceed with the VoWiFi connection procedure. Just to give you a brief here, a VoWiFi call can be established over trusted or un-trusted non-3GPP access. Trusted non-3GPP means the user is connected to a WiFi hotspot which is under the control of the same network operator who provides the LTE services. Un-trusted non-3GPP means the WiFi connection is provided by a local ISP and the VoWiFi call traverses the internet to reach the network operator's core, i.e. the ePDG.

The secret sauce of VoWiFi is IPsec and the ePDG. The UE creates an IPsec tunnel with the network operator's ePDG in both the trusted and the un-trusted non-3GPP case. The only difference is that in the trusted case the PGW and ePDG are deployed in the network operator's core network, so the latency is much lower than when the call comes from un-trusted non-3GPP over the internet. The UE must support the VoWiFi feature. As far as I know, iPhone and Samsung devices support this feature; I have not tested every one of them. We will briefly talk about IPsec in our call flow, as it is required for understanding the message exchange between the device and the core network elements.

Here is the node-to-node message flow. Follow the subsequent packet captures and brief explanations against the messages numbered in the diagram below.


Message Exchanges between all network elements. UE already has internet connectivity and attempting for VoWIFI IMS
When the user is successfully authenticated over WiFi and has internet connectivity (for trusted non-3GPP check the previous blog, https://wifiwiki.wordpress.com/2019/11/29/wifi-attach-in-epc-end-to-end-call-flow-part1/ ; for un-trusted, the UE has internet connectivity over a home WiFi router via a local ISP), the UE has to resolve the ePDG FQDN. The FQDN can be static (provisioned in the UE) or the UE generates it dynamically from the MCC and MNC stored on the SIM card. Once this request is received by the network operator's DNS, it replies with the ePDG IP address. This ePDG IP address is used as the IPsec endpoint.

IPsec (IP security): a framework for protecting IP traffic at the network layer. It uses confidentiality, integrity, authentication and anti-replay to protect the traffic.

IKE (Internet Key Exchange): a network security protocol for dynamically exchanging encryption keys over a security association created between the two devices participating in the IPsec connection.

ISAKMP (Internet Security Association and Key Management Protocol): a framework which provides authentication and key exchange between two IPsec endpoints or hosts. IPsec works in two phases:

1 & 2. a) ISAKMP tunnel or IKE phase 1: the two endpoints negotiate the encryption, authentication, hashing and other important parameters for creating the secure channel and security association. This tunnel is only used for management traffic and keep-alives. In our case it is between the UE and the ePDG. UDP port 500 for communication with the peer must be allowed on the firewall. Keep an eye on the source port and destination port for the security association. A separate security association is created for each direction.

1. UE to ePDG (IKE_SA_INIT)

2. ePDG to UE (IKE_SA_INIT)

3. b) IPsec tunnel or IKE phase 2: the IKE phase 1 secure channel is used to create the IKE phase 2 tunnel for sending user data. The tunnel itself doesn't provide encryption, authentication and integrity; two protocols are used to provide these services: ESP (Encapsulating Security Payload), which provides encryption, authentication and integrity, and AH (Authentication Header), which doesn't provide encryption. Along with this, two modes of operation can be implemented, Transport Mode and Tunnel Mode. UDP port 4500 for NAT-T and protocol numbers 50 for ESP and 51 for AH must be allowed on the firewall.
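To make the phase 1 / phase 2 split and the firewall requirements above concrete, here is an added Python example (not code from the original post) that decodes the IKEv2 fixed header of a datagram seen on UDP 500 or 4500, tells IKE apart from UDP-encapsulated ESP on port 4500, and checks a packet against the allow-list the post describes (UDP 500, UDP 4500, protocol 50, protocol 51). The packet bytes are constructed samples; the header layout, exchange-type numbers and flag bits are the RFC 7296 values and the zero non-ESP marker is from RFC 3948.

```python
import struct

# IKEv2 fixed header (RFC 7296 section 3.1): SPIi, SPIr, next payload, version,
# exchange type, flags, message ID, length. 28 bytes in total.
IKE_HEADER = struct.Struct("!QQBBBBII")
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on UDP 4500 (RFC 3948)

# IP protocol numbers and UDP ports that must be open between UE and ePDG.
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_UDP_PORTS = {500, 4500}


def firewall_allows(ip_proto, dport=None):
    """Minimal allow-list check for the IPsec control plane (IKE) and data plane (ESP/AH)."""
    if ip_proto in (IPPROTO_ESP, IPPROTO_AH):
        return True                       # ESP and AH carry no port
    return ip_proto == IPPROTO_UDP and dport in IKE_UDP_PORTS


def build_ike_header(ispi, rspi, exchange, flags, msg_id, next_payload=0, body=b""):
    """Construct a sample IKEv2 datagram (header plus opaque body) for testing."""
    return IKE_HEADER.pack(ispi, rspi, next_payload, 0x20, exchange, flags,
                           msg_id, IKE_HEADER.size + len(body)) + body


def parse_ike_datagram(payload, udp_port):
    """Classify a UDP payload seen on port 500/4500 and decode the IKEv2 header."""
    if udp_port == 4500:
        if payload[:4] != NON_ESP_MARKER:
            # UDP-encapsulated ESP: the first 4 bytes are the ESP SPI, never zero
            return {"kind": "ESP-in-UDP", "spi": int.from_bytes(payload[:4], "big")}
        payload = payload[4:]
    elif udp_port != 500:
        raise ValueError("not an IKE port")
    if len(payload) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, _next, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(payload)
    if version >> 4 != 2:
        raise ValueError("not IKEv2 (major version %d)" % (version >> 4))
    if length != len(payload):
        raise ValueError("length field does not match datagram size")
    return {
        "kind": "IKEv2",
        "exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "initiator_spi": ispi,
        "responder_spi": rspi,          # still 0 in the UE's first IKE_SA_INIT request
        "from_initiator": bool(flags & FLAG_INITIATOR),
        "is_response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
    }


if __name__ == "__main__":
    # constructed sample: the UE's first IKE_SA_INIT request on UDP 500
    pkt = build_ike_header(0x1122334455667788, 0, 34, FLAG_INITIATOR, 0,
                           next_payload=33, body=b"\x00" * 8)
    print(parse_ike_datagram(pkt, 500))
    print("UDP/53 allowed:", firewall_allows(IPPROTO_UDP, 53))
```

When you look at the packet captures for messages 1 and 2, the responder SPI is zero in the first request and filled in by the ePDG's reply; the pair of SPIs is what identifies the IKE SA from then on, independent of the source port, which is why source and destination ports should be checked separately on the firewall.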

This message flow contains the APN name, and in the NAI the "0" at the start of the IMSI denotes that the authentication type will be EAP-AKA. All IKE_AUTH exchanges between the UE and ePDG are encrypted inside IPsec ESP.

3. UE to ePDG (IKE_AUTH_REQ)
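The ePDG FQDN derivation from MCC/MNC (described at the start of the flow) and the "0"-prefixed NAI seen in this IKE_AUTH_REQ follow the same 3GPP TS 23.003 string formats, so one added Python example (not the blog's code) covers both: it splits a constructed sample IMSI into MCC and MNC, builds the operator-identifier ePDG FQDN with the 3-digit zero-padded MNC, builds the Root NAI with the EAP-method prefix digit, and reads the method back out of an NAI the way the ePDG/AAA side does. The IMSI and the MNC length are constructed inputs; the FQDN and NAI formats and the prefix digits are from TS 23.003.

```python
import re

# Leading digit of the Root NAI username selects the EAP method (3GPP TS 23.003 19.3):
# "0" = EAP-AKA (the case shown in the capture), "6" = EAP-AKA'.
NAI_PREFIX = {"EAP-AKA": "0", "EAP-AKA'": "6"}


def split_imsi(imsi, mnc_digits):
    """Return (mcc, mnc) from an IMSI. Whether the MNC is 2 or 3 digits is a
    per-PLMN property the UE learns from the SIM; here it is a constructed input."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return imsi[:3], imsi[3:3 + mnc_digits]


def epdg_fqdn(mcc, mnc):
    """Operator Identifier based ePDG FQDN (TS 23.003 19.4.2.9).
    A 2-digit MNC is zero-padded to 3 digits inside the FQDN."""
    return "epdg.epc.mnc%03d.mcc%03d.pub.3gppnetwork.org" % (int(mnc), int(mcc))


def root_nai(imsi, mnc_digits, method="EAP-AKA"):
    """Root NAI sent as IDi in IKE_AUTH:
    <prefix><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org"""
    mcc, mnc = split_imsi(imsi, mnc_digits)
    return "%s%s@nai.epc.mnc%03d.mcc%s.3gppnetwork.org" % (NAI_PREFIX[method], imsi, int(mnc), mcc)


def auth_method_from_nai(nai):
    """What the ePDG / 3GPP-AAA reads back from the identity: (method, IMSI)."""
    user = nai.split("@", 1)[0]
    for method, prefix in NAI_PREFIX.items():
        if user.startswith(prefix) and user[1:].isdigit():
            return method, user[1:]
    raise ValueError("unrecognised NAI username: %r" % user)


if __name__ == "__main__":
    # constructed sample IMSI (MCC 310, 3-digit MNC 150); not a real subscriber
    imsi = "310150123456789"
    mcc, mnc = split_imsi(imsi, 3)
    print("ePDG FQDN :", epdg_fqdn(mcc, mnc))
    print("Root NAI  :", root_nai(imsi, 3))
    print("method    :", auth_method_from_nai(root_nai(imsi, 3)))
```

The UE would then hand the FQDN to the operator DNS (for example via `socket.getaddrinfo`) and use the returned address as the IPsec endpoint; that lookup is left out so the example runs offline. Note that the identity in the NAI is only a claim at this point: the EAP-AKA challenge that follows (messages 4 to 14) is what proves it.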

4. DER (Diameter EAP Request): the ePDG communicates with the 3GPP-AAA over the SWm interface via the Diameter routing agent. Always remember that the DRA keeps a record of the entity which initiated the message, in this case the ePDG, and of the destination host, the 3GPP-AAA. The user identity with the IMSI is sent in NAI format, captured in the snap below.

4. ePDG to 3GPP-AAA via DRA

5. MAR (Multi Auth Req): the 3GPP-AAA sends the IMSI it received as the username in the EAP request to the HSS. It requires the subscription information and authentication vectors from the HSS to authenticate the UE. The two messages captured in the snap below show the packet flow from 3GPP-AAA to DRA to HSS. This can be validated from the e2e (end-to-end) identifier, which stays the same along the whole flow, whereas the h2h (hop-to-hop) identifier changes on every hop. The DRA keeps track of the network elements from which the messages were initiated and traversed in the Route-Record.

5. 3GPP-AAA to HSS via DRA
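The e2e/h2h behaviour just described is the most useful handle when correlating a DRA-routed transaction across two captures, so here is an added Python example (not from the original post) that decodes the 20-byte Diameter header and groups a constructed four-message capture of this MAR/MAA transaction by End-to-End identifier, showing the Hop-by-Hop identifier changing per hop while the answer on each hop echoes the request's ids. The header layout and command flags are from RFC 6733; the command codes (MAR/MAA 303, SAR/SAA 301, DER/DEA 268, AAR/AAA 265, CCR/CCA 272) and the SWm/SWx/S6b/Gx application ids are the 3GPP-assigned values; all identifiers in the capture are constructed.

```python
import struct

# Diameter fixed header (RFC 6733 section 3), 20 bytes:
# version(8)|length(24) | flags(8)|command code(24) | application id | hop-by-hop | end-to-end
DIAMETER_HEADER = struct.Struct("!IIIII")
FLAG_REQUEST = 0x80

COMMAND_NAMES = {265: "AA", 268: "DE", 272: "CC", 301: "SA", 303: "MA"}   # suffix R or A
APPLICATIONS = {16777264: "SWm", 16777265: "SWx", 16777272: "S6b", 16777238: "Gx"}


def build_diameter_header(code, app_id, h2h, e2e, request, length=None):
    """Constructed header for sample captures (AVPs omitted, so length is 20)."""
    length = DIAMETER_HEADER.size if length is None else length
    word0 = (1 << 24) | length
    word1 = ((FLAG_REQUEST if request else 0) << 24) | code
    return DIAMETER_HEADER.pack(word0, word1, app_id, h2h, e2e)


def parse_diameter_header(data):
    word0, word1, app_id, h2h, e2e = DIAMETER_HEADER.unpack_from(data)
    version, length = word0 >> 24, word0 & 0xFFFFFF
    flags, code = word1 >> 24, word1 & 0xFFFFFF
    if version != 1:
        raise ValueError("unsupported Diameter version %d" % version)
    is_request = bool(flags & FLAG_REQUEST)
    name = COMMAND_NAMES.get(code, str(code)) + ("R" if is_request else "A")
    return {"command": name, "application": APPLICATIONS.get(app_id, hex(app_id)),
            "request": is_request, "h2h": h2h, "e2e": e2e, "length": length}


def correlate_by_e2e(capture):
    """Group (src, dst, raw_header) entries by End-to-End id: one transaction per key,
    with the per-hop Hop-by-Hop ids visible side by side."""
    flows = {}
    for src, dst, raw in capture:
        h = parse_diameter_header(raw)
        flows.setdefault(h["e2e"], []).append((src, dst, h["command"], h["h2h"]))
    return flows


def answer_matches_request(req_raw, ans_raw):
    """An answer belongs to a request on a given hop only if it echoes both ids."""
    r, a = parse_diameter_header(req_raw), parse_diameter_header(ans_raw)
    return r["request"] and not a["request"] and r["h2h"] == a["h2h"] and r["e2e"] == a["e2e"]


# Constructed capture of messages 5/6: MAR from 3GPP-AAA via DRA to HSS and the MAA back.
# h2h differs per hop; the e2e id (0x5001) is unchanged across the whole transaction.
SAMPLE_CAPTURE = [
    ("3GPP-AAA", "DRA", build_diameter_header(303, 16777265, 0x1001, 0x5001, True)),
    ("DRA", "HSS", build_diameter_header(303, 16777265, 0x2001, 0x5001, True)),
    ("HSS", "DRA", build_diameter_header(303, 16777265, 0x2001, 0x5001, False)),
    ("DRA", "3GPP-AAA", build_diameter_header(303, 16777265, 0x1001, 0x5001, False)),
]

if __name__ == "__main__":
    for e2e, hops in correlate_by_e2e(SAMPLE_CAPTURE).items():
        print("e2e=0x%x" % e2e)
        for src, dst, cmd, h2h in hops:
            print("  %-8s -> %-8s %s h2h=0x%x" % (src, dst, cmd, h2h))
```

On a real trace the same grouping works across all the Diameter legs of this flow (SWm, SWx, S6b, Gx), because the e2e identifier is set once by the originator and only the h2h identifier is rewritten by the DRA.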

6. MAA (Multi Auth Answer): in the multi-auth round the HSS runs the EAP-AKA algorithm, generates the authentication/encryption keys and sends all the information for that particular user IMSI to the 3GPP-AAA via the DRA on the SWx interface.

6. HSS to 3GPP-AAA via DRA
7. DEA (Diameter EAP Answer): the 3GPP-AAA responds to the ePDG with the Diameter EAP challenge carrying the authentication vectors it received from the HSS. See the result code DIAMETER_MULTI_ROUND_AUTH along with the keys below. All communication between the ePDG and the 3GPP-AAA happens over SWm.

7. 3GPP-AAA to ePDG via DRA

8. IKE_AUTH_RESPONSE: the ePDG sends the auth key vectors in the IPsec tunnel to the UE, via the AP in trusted non-3GPP and over the WiFi router in the case of un-trusted non-3GPP. Kindly note that ESP is used as the protocol here for encryption, authentication and integrity.

8. ePDG to UE

9. IKE_AUTH_Request: the UE runs the EAP-AKA algorithm, generates the keys and sends them back to the ePDG over the IPsec tunnel.

10. DER (Diameter EAP Request): the ePDG sends the key it received from the UE to the 3GPP-AAA, along with RAT-Type set to WLAN.

10. ePDG to 3GPP-AAA via DRA

11. SAR (Server Assignment Request): the AAA validates the keys received from the HSS and from the UE via the ePDG. If the keys match and the user is authenticated, the 3GPP-AAA initiates the registration request for the UE towards the HSS.

11. 3GPP-AAA to HSS via DRA
12. SAA (Server Assignment Answer): the HSS shares all the subscription related information for the authenticated user with the 3GPP-AAA, along with the non-3GPP access details. It also shares the MIP6-Home-Agent-Address, i.e. the PGW address.

12. HSS to 3GPP-AAA via DRA

13. DEA (Diameter EAP Answer): the subscription data is received from the 3GPP-AAA along with the other information required to create the session with the PGW. The EAP master session key (MSK) is also received, which will be used later in the subsequent messages of the IPsec session.

13. 3GPP-AAA to ePDG via DRA

14. EAP-Success: the ePDG sends the EAP Success message to the UE, saying that the UE is authenticated, as an IKEv2 EAP payload with code Success.

14. ePDG to UE

15. IKE_AUTH_REQUEST: to authenticate the first IKE_SA_INIT message, the UE generates the AUTH parameters from the MSK it already has, which was generated as a by-product of the EAP-AKA authentication. We have already seen that the same MSK was received by the ePDG from the 3GPP-AAA.

15. UE to ePDG
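Step 15 here and step 22 later both come down to the same computation: the AUTH payload is derived from the EAP MSK and covers the peer's IKE_SA_INIT message, which is what binds the EAP-AKA result to this particular IKE SA rather than to any SA an on-path party could splice in. The Python below is an added example (not the blog's code) of that RFC 7296 derivation, usable for both the UE side (message 15, signing over IKE_SA_INIT message 1) and the ePDG side (message 22, over message 2). HMAC-SHA-256 as the prf and every input value (MSK, nonces, SK_p, message bytes, ID payload) are constructed assumptions; a real SA uses whatever prf was negotiated in IKE_SA_INIT.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"   # RFC 7296 section 2.15 constant


def prf(key, data):
    """Assumed prf: HMAC-SHA-256 (PRF_HMAC_SHA2_256). The real prf is negotiated
    in the IKE_SA_INIT proposal and may differ."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(real_message, peer_nonce, sk_p, id_payload_body):
    """RFC 7296 section 2.15:
    InitiatorSignedOctets = RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload)
    ResponderSignedOctets = RealMessage2 | NonceIData | prf(SK_pr, RestOfRespIDPayload)
    The caller passes its own IKE_SA_INIT message, the peer's nonce, its own SK_p
    and its ID payload minus the generic payload header."""
    return real_message + peer_nonce + prf(sk_p, id_payload_body)


def compute_auth(msk, octets):
    """AUTH = prf( prf(MSK, "Key Pad for IKEv2"), SignedOctets ) when the shared
    key comes from an EAP method that produces an MSK (RFC 7296 section 2.16)."""
    return prf(prf(msk, KEY_PAD), octets)


def verify_auth(msk, octets, received_auth):
    """Peer-side check; the constant-time compare avoids leaking where a mismatch is."""
    return hmac.compare_digest(compute_auth(msk, octets), received_auth)


if __name__ == "__main__":
    # All inputs constructed: a deterministic 64-byte MSK standing in for the value the
    # UE derived via EAP-AKA and the ePDG received from the 3GPP-AAA in the DEA (msg 13).
    msk = bytes(range(64))
    sk_pi = bytes([0x11] * 32)               # from the IKE_SA_INIT key derivation
    init_msg = b"<constructed IKE_SA_INIT request bytes>"
    nonce_r = b"<constructed responder nonce>"
    # ID payload body: ID type 3 (ID_RFC822_ADDR), 3 reserved bytes, then the NAI
    idi_body = b"\x03\x00\x00\x00" + b"0310150123456789@nai.epc.mnc150.mcc310.3gppnetwork.org"
    octets = signed_octets(init_msg, nonce_r, sk_pi, idi_body)
    auth = compute_auth(msk, octets)         # carried in the UE's final IKE_AUTH (msg 15)
    print("AUTH:", auth.hex())
    print("ePDG verify:", verify_auth(msk, octets, auth))
    # any change to message 1, the nonce, the identity or the MSK breaks verification
    tampered = signed_octets(init_msg + b"x", nonce_r, sk_pi, idi_body)
    print("tampered message 1 verifies:", verify_auth(msk, tampered, auth))
```

The practical consequence for troubleshooting: an AUTH failure at this step usually means the two sides hold different MSKs (the AAA delivered one in the DEA, the UE derived another), or that the captured IKE_SA_INIT bytes differ from what the peer saw, since the whole first message is part of the signed octets.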

16. Create Session Request (S2b): the ePDG initiates the Create Session Request towards the PGW over GTP-C for the APN it received from the HSS. APCO along with other information is sent in this message to the PGW.

16. ePDG to PGW

17. CCR (Credit Control Request): the PGW sends an indication of the new IP-CAN session establishment to the PCRF (Policy and Charging Rules Function) over Gx to fetch the policy which will be enforced on the user session. It also sends a CCR to the OCS (Online Charging System) for online quota information for the PDN session, only if implemented in the network.

17. PGW to PCRF

18. CCA (Credit Control Answer): the PCRF replies with the policy and charging rules for the IP-CAN session.

18. PCRF to PGW

19(a). AAR (Authentication Authorization Request): to update the IP address of the PGW currently serving the UE over WLAN, the PGW initiates an AAR request towards the 3GPP-AAA over the S6b interface. This message is also used to authorize the subscriber for IMS service selection.

19. PGW to 3GPP-AAA via DRA

20(a). SAR (Server Assignment Request): the information received from the PGW is updated in the HSS by the AAA over the SWx interface. This is required to keep the HSS database up to date with the MIP6-Home-Agent-Address and other info. The Server-Assignment-Type is PGW-Update.

20. 3GPP-AAA to HSS via DRA

20(b). SAA (Server Assignment Answer): the HSS updates its database with the information received from the 3GPP-AAA and sends result-code DIAMETER_SUCCESS.

20. HSS to 3GPP-AAA via DRA

19(b). AAA (Authentication Authorization Answer): the 3GPP-AAA replies with DIAMETER_SUCCESS and all the relevant AVPs mentioned below.

19. 3GPP-AAA to PGW via DRA

21. Create Session Response (S6b): the PGW replies to the ePDG with the UE IP address, DNS information, APCO, AMBR, F-TEID for GTP-C (port 2123) and F-TEID for GTP-U (port 2152), along with other information required to set up the user session.
21. PGW to ePDG

22. IKE_AUTH_INIT_RESPONSE (ePDG to UE): the ePDG sends the assigned IPv4/IPv6 address in the configuration payload, which it received from the PGW in the Create Session Response. The calculated AUTH parameters are sent to the UE with the security associations, which also authenticates the second IKE_SA_INIT message. For IPv6, an RA is sent by the ePDG which carries the prefix/IP information for the UE.

23. SIP Register on default bearer: once the UE gets the IP address, it initiates the SIP registration flow. During this flow the IMS (P-CSCF, I-CSCF and S-CSCF) again authenticates the UE with the HSS, on the bearer created above.

24. UE re-authentication : UE is re-authenticated by IMS with HSS.

25. SIP Invite SDP offer on default bearer: once the registration process is completed, the SIP INVITE is initiated by the UE on the default bearer.

26, 27, 28. Creation of dedicated bearer for voice/video: during the SIP INVITE, the IMS triggers an AAR to the PCRF, which in turn initiates an RAR towards the PGW. The PGW then initiates a Create Bearer Request towards the ePDG, and the ePDG responds to the PGW with a Create Bearer Response, which in turn triggers the RAA and AAR towards the PCRF and IMS respectively.

29. Voice & video traffic on dedicated bearer: once the dedicated bearer is created, the UE can make and receive voice/video calls using the RTP protocol.

tagged 3gpp, data offload, diameter, gtp, ipsec, non 3gpp, untrusted wifi, vowifi, wifi


3 thoughts on “VoWiFi in EPC End to End Call Flow with IPsec-Part2”

Rohan Gaonkar
december 17, 2019 at 3:25 pm
Great to see such a simplified doc of Vowifi Call flow. Nice reading experience.
Kudos!! Keep it up .
Thanks.
Rohan


Nitin Jain
december 18, 2019 at 6:13 am

Nice presentation


Murali Krishna
december 7, 2020 at 6:37 pm

Hi,

UE has to resolve the ePDG FQDN,which can be static (provisioned in UE devices).

How can we do this ??
