GPRS Private Access Point
Corporate customers can receive an individual GPRS access point, which they can use to set up connections with heightened security for data transmission over GPRS.
Technical requirements for using the access point
Forwarding of information
The connection between the Corporate customer's computer network and the access point is provided over the Internet.
Data is transmitted from the access point to the Corporate customer's computer network using IP over IP or the GRE protocol (IP protocol number 47).
Encryption
Data transmitted between the Corporate customer's computer network and the access point is encrypted using the IPSec protocol (IP protocol number 50) in ESP (Encapsulating Security Payload) mode. IPSec parameters and keys are exchanged automatically using the IKE (ISAKMP/OAKLEY) protocol. Initially, UDP traffic addressed to port 500 and IPSec protocol traffic are allowed. This condition may be changed if needed when the technical solution is implemented.
Initial IKE parameters:
IKE 1st phase (ISAKMP SA):
- pre-shared secret pregenerated by LMT;
- cipher 3DES CBC;
- hash function MD5;
- MODP group 2 or 5;
- SA lifetime 4 hours.
IKE 2nd phase (IPSec SA):
- use ESP mode;
- cipher 3DES CBC;
- hash function MD5;
- do not use PFS;
- do not use Aggressive Mode;
- SA lifetime 1 hour.
The above parameters can be changed if such changes are accepted by LMT in writing.
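As an added example (not LMT's own tooling), the Python code below audits a customer gateway's connection definition against the IKE parameters listed above and reports any deviation. It assumes the gateway uses strongSwan's legacy ipsec.conf syntax; the connection name private-apn and the sample configuration are constructed for illustration.

```python
import re
MODP_GROUPS = {"modp1024": 2, "modp1536": 5}   # strongSwan keyword -> IKE MODP group
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

SAMPLE_CONN = """\
conn private-apn                # hypothetical name, constructed sample
    keyexchange=ikev1
    authby=secret
    aggressive=no
    ike=3des-md5-modp1536!
    esp=3des-md5-modp1024!      # a DH group in esp= turns PFS on
    ikelifetime=4h
    lifetime=8h
"""

def parse_conn(text):
    """Collect key=value options from one conn section, dropping comments."""
    pairs = (line.split("#", 1)[0].partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def seconds(value):
    """Convert a time value such as 4h, 60m or 3600 to seconds (None if unset)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value or "")
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def proposals(value):
    """Split 'a-b-c,d-e!' into [['a', 'b', 'c'], ['d', 'e']]."""
    return [p.strip().split("-") for p in (value or "").rstrip("!").split(",")]

def audit(opts):
    """Return deviations from the phase 1 / phase 2 parameters listed above."""
    out = []
    if opts.get("authby") not in ("secret", "psk"):
        out.append("phase 1: authentication is not a pre-shared secret")
    if opts.get("aggressive", "no") != "no":
        out.append("aggressive mode is enabled")
    for p in proposals(opts.get("ike")):
        if len(p) != 3 or p[:2] != ["3des", "md5"] or p[2] not in MODP_GROUPS:
            out.append("phase 1: proposal %s is not 3DES/MD5 with MODP group 2 or 5" % "-".join(p))
    for p in proposals(opts.get("esp")):
        if p[:2] != ["3des", "md5"]:
            out.append("phase 2: proposal %s is not ESP 3DES/MD5" % "-".join(p))
        elif len(p) > 2:
            out.append("phase 2: PFS is enabled (%s)" % p[2])
    for key, phase, hours in (("ikelifetime", 1, 4), ("lifetime", 2, 1)):
        if seconds(opts.get(key)) != hours * 3600:
            out.append("phase %d: SA lifetime is not %d hour(s)" % (phase, hours))
    return out
```

Calling audit(parse_conn(SAMPLE_CONN)) flags the two constructed deviations: the DH group in the esp= proposal and the 8-hour phase 2 lifetime.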
User authentication
User authentication is performed by the Corporate customer. Authentication information is transmitted using the RADIUS protocol (RFC 2865). The Corporate customer's RADIUS server must have either a public IPv4 address or an IPv4 address from the Corporate customer's computer network, with the possibility of changing the address. LMT creates the key for authorization of the RADIUS server.
RADIUS server implementations recommended by LMT are:
- xtradius 1.2.1;
- radiusd-cistron 1.6.6.
















