top of page
  • Writer's pictureVikas Shokeen

03 - VoWifi ePDG AAA and Architecture (New)

Updated: Nov 7, 2020

  • VoWifi Nodes

  • Role of ePDG , AAA & UE

  • Role of PGW , HSS , IMS , PCRF for VoWifi

  • KPI & Performance of VoWifi

  • Measure User Experience of VoWifi

03 - ePDG AAA and Architecture (PDF Word
Download • 3.55MB
03 - ePDG , AAA & Nodes (PDF PPT)
Download PDF • 944KB

Nodes Required for VoWifi Untrusted WLAN

We are going take deep dive on Untrusted Wireless LAN Architecture where we will review function of various nodes used to Offer VoWifi Service to users. Since traffic is coming via Internet in this Model, there is utmost need to protect & safeguard traffic from security point of view. We need to implement security with help of IPSec tunnel between the UE device and the Mobile Packet Core. The ePDG plays here vital role as this IPSEC tunnel coming from UE via Internet terminate on ePDG. This ePDG further pass this traffic to PGW via s2b Interface

There is new APN used by the name of IMS which ensures that Internet traffic is not mixing with VoWifi Traffic. Let’s summarize the list of Nodes play critical role in VoWifi Architecture.

New Nodes

  • ePDG

  • 3GPP AAA

  • VoWifi & IPSEC capable UE

Re-Use Existing Nodes

  • PGW with s2b Support

  • HSS with SWx Support

  • Re-use existing PCRF with VoWifi Support (NPLI etc.)

  • IMS Core infrastructure with support for Wifi Access type

  • TAS with support for Wifi Access type

Section # 1, Role of UE

Welcome to Section-1 of this Module. Here We will go in depth of all the VoWifi Components & will understand their function. We will understand function of UE here

Role of User Equipment ( UE - Mobile Handset )

1. Have Operator 4G Supporting SIM: UE must have active 4G VoLTE Supporting SIM of Operator which is USIM or ISIM – Here 2G / 3G Old SIM will not work, Both USIM or ISIM should work based of Operator to Operator approach for VoLTE Adaptation

2. Hardware & Software Support for 4G, VoLTE & VoWifi Services: The handset must support 4G, VoLTE & VoWifi from both hardware & Software point of View. In many cases, Handset manufacturer releases new handsets & they keep the same hardware across the Globe which technically supports all of these. Based on SIM inserted, they detect the Operator and accordingly enable or disable services using Handset software binary. For example, Same handset may support VoWifi on Operator and may not support VoWifi on another Operator SIM. Technically speaking this Software Binary contains SWu IMS Client which is responsible for Maintaining VoWifi UE Connection and performs traffic steering/routing . There are few things are mandated as part of UE User Interface as per GSMA IR.51 such as.

  • Default setting for “VoWiFi calling” should be “ON” (Which means users’ needs not enable VoWifi once they purchase new handset)

  • VoWiFi Registration logo will be visible as “HD or VoWiFi or Operator Wifi” on Screen

  • There has to be VoWiFi toggle switch in handset to enable or disable VoWifi manually

3. Last one is support of Support of Profile based features, Authentication & Security used by Operator which usually comes with Software binary in Handset. These Includes: -

  • URI and FQDN addressing format as specified by Operator

  • APNs Configuration as specified by Operator

  • ePDG & IMS Security Configuration as specified by Operator

  • LTE/WiFi Radio Features

  • Media and SIP Settings

  • Network, Mobility, Handovers & Roaming Conditions as specified by Operator

Key Technical responsibilities of UE / Mobile Handset

  1. Latching to Wifi Network & Ready to communicate to Internet

  2. Discovering the ePDG using DNS Lookup methods (using static or dynamic FQDN of ePDG)

  3. Establishing of IPSEC tunnel to ePDG (using IKEv2)

  4. Get P-CSCF Details from Network

  5. Performing SIP registration with SBC/PCSCF

  6. Makes or receiving call via IMS/TAS

Decisions taken by UE / Mobile Handset

There is profile in UE in Compliance with respect to GSMA IR.51. Here, we will review, what all decisions UE needs to take. UE is pre-configured with operator profile/carrier bundle which defines a set of policies: -

- Default Preferred mode : VoWiFi Preferred ( Y / N )

- VoLTE to VoWiFi Handover Support and Vice versa : Y / N

- Criteria for RAT selection - These are whole set of decisions are taken by UE in order to provide best optimum experience to uses. In case there is problem with Wifi, UE can take call to Switchover call or Shift to VoLTE 4G Network. Few of these decisions are based on RSSI, RSSI, RTT, Jitter, etc..) and packet loss :-

  • RSSI thresholds for failover to VoLTE-4G Network

  • Jitter thresholds for failover to VoLTE-4G Network

  • Packet loss for failover to VoLTE-4G Network ~ >1 or 2%

  • Packet delay for failover to VoLTE-4G Network ~ Ideal Latency is less 75 MS with Tolerance upto 100 ms

  • Guard Timer xx Sec to avoid Ping pong between VoWifi and VoLTE ~ 2 Min

  • Data Speed for Voice call ~ 50 to 60 kbps using Wide Band Codecs. Further small signaling overheads will be there

- Carrier Bundle also specifies other Information to be used by UE while using VoWifi Service such as Encryption Algorithm & Key Life time, APN Details, ePDG Address etc.

These settings will vary from Handset to Handset and are configured by Handset Manufacturer in accordance with Operator. So, It’s Quite possible that Apple will have different experience than Samsung in VoWifi due to these decisions and variance in thresholds

Section # 2 , Role of ePDG

Welcome to Section-2 of this Module. Here We will go in depth of all the ePDG and understand it’s working. ePDG is key to VoWifi & it is one of most important nodes. Let’s understand its functions

ePDG Overview & 3GPP Specs

Well, Going by Specs, ePDG is defined in 3GPP Specs @ TS 23.402. This is VoWifi Reference architecture as per 3GPP Specs. Don’t worry looking at this diagram, we are going to simplify this

ePDG Provides a secure WLAN access to UE connecting to P-GW. It plays vital role in PDN connection from UE to EPC network. This Node is also responsible for connecting PGW & AAA for Authentication, Authorization and Accounting (AAA) purpose. ePDG is acting as gateway and is responsible for interconnecting the EPC with non-3GPP trusted networks such as WiFi. One of main task done by ePDG is to provide secure EPC access. Here the ePDG terminates IPSec tunnels which were established and initiated by UE. These tunnels are important for securing user traffic as User is sitting in untrusted WiFi network

ePDG Tasks - PGW Side

Now, Let’s understand main functions of ePDG

  1. As you can see on Diagram, SWu link coming from Wifi UE is terminating on ePDG.

  2. Here ePDG is landing point for all traffic coming from Internet. It has to facilitate support for the IPSec/IKEv2-based security & encryption

  3. ePDG is responsible for Routing of packets between Wifi UE and the Mobile Core PGW

  4. A Network will have many PGWs, here ePDG will help UE to reach appropriate PGW

  5. ePDG also pass IPv4/IPv6 address allocated by P-GW for IMS APN to UE. As you know, Every UE needs a IMS Network Reachable IP to communicate to IMS Network such as SBC or P-CSCF. Pls Note: This IP is separate from Wifi Network IP Allocated to user

  6. Net-Net, ePDG also map the bearers coming from PGW to IPSEC Tunnels towards UE

  7. ePDG also does QoS mapping (DSCP Marking)

  8. It is also used for Lawful Interception

ePDG Tasks - AAA Side

Now, Let’s see AAA related Tasks done by ePDG

  1. ePDG is also required to talk to AAA for Authentication & Authorization of user

  2. Handle handovers between WiFi and LTE by communicating with AAA and HSS to fetch PGW IP. We will discuss this concept in coming Videos where ePDG Retrieves PGW address from AAA during inter system Handover

ePDG Considerations

ePDG is the Bridge or Gateway between the Unsecure internet and the mobile core EPC Network. It takes care of many key functions such as Security, Authentication, Used for Roaming support, Handles Handovers and mobility

1. Security & Privacy: - Since ePDG is bringing in traffic from un-Secure Internet to Core EPC Network, Security becomes critical aspect for all Mobile Operators. There are various ways ePDG implement security by enabling Firewall functionality & Implementing Access List to ensure all Non-Legitimate access is blocked. ePDG is also capable of handling overloads and amplification-based attacks coming from Internet. ePDG also protects user privacy & ensure relevant security and encryption is in place so that no middle man can see your call or SMS exchanged over VoWifi

2. Service Parity: ePDG ensure that all services available on VoLTE are extended to VoWifi as well. For end user, there should not be any difference in End experience or ways and means to avail any feature functionality

3. Scalability & Capacity: Since ePDG is going to handle Millions of calls, it should be able to scale to that level & should provide Carrier Grade traffic handling at that Volume of Calls

4. Network Integration & Deployment: As per Traffic & Latency requirements, ePDG can co-exist with existing PGW or MME. Operators can dedicate some portion of MME or PGW hardware and create separate or virtualized ePDG instance. This will save Operator Cost and ePDG deployment time

ePDG Basics – Performance & KPIs

All the Mobile Operators must closely observe the performance & KPIs of ePDG to ensure quality of service offered to End Users. We will cover few basic KPIs which should be monitored closely: -

Session & Bearer Related KPIs: This includes all performance metrics related to Session & Bearer success rates. It needs to be monitor to detect any failure happening between ePDG to PGW which impact user for Calls & registration :-

• Initial Attach Sessions Success Rate

• Create Bearer Request Success Rate

• Delete Bearer Request Success Rate

• Delete Session Request Success Rate

Authentication & Authorization KPIs: ePDG should monitor Authentication & Authorization requests. Any deterioration in these KPIs will hint problem with AAA or HSS or Authentication Procedures with Handset / SIM. In case these KPIs are showing failures, Customer are finding it difficult to Register for VoWifi Service, they will stay on VoLTE :-

• ePDG EAP Success Rate

• Diameter ASR Success Rate

• Diameter EAP AKA Challenge Success Rate

• Diameter STR Success Rate

IPSEC Related KPIs: Within IPSEC. Version 2 of the Internet Key Exchange (IKEv2) Protocol dynamically creates and preserves a mutual state between the IP datagram endpoints. IKEv2 carries out two-party mutual authentication and creates the IKEv2 Security Association (SA). Any deterioration here specific that customers are facing issues in building IPSEC tunnels which restrict them to communicate with ePDG. These KPIs includes: -

• Internet Key Exchange IKEv2: Auth Request Success Rate

• Internet Key Exchange IKEv2: Init Request Success Rate

Service Continuity KPIs: This will tell if Handovers are happening seamlessly or not

• Handoff Sessions Success Rate

Volumetric KPIs: These KPI include.

• Peak Session Count

• Peak Simultaneous Attach User

• Total Session Count

• Total User Count

You must keep watch on Trending for these Volumetric KPIs, Any traffic or user dip points to problem. Finally, we should also monitor hardware and software utilization & capacity of ePDG to ensure its always have enough capacity to handle traffic

Section # 3, Role of AAA

Welcome to Section-3 of this Module. Here We will go in depth of all the AAA and understand its working

AAA Basics – Main Functions

Now, Let’s understand main functions of AAA

Well AAA is all about Authentication and Authorizing user. We need Authentication in order to ensure that Only Valid & Legitimate customer get VoWifi Service. AAA Speaks to HSS & get details of Subscriber Database which is further used for allowing service to user. AAA is part of Core Network which is vital for authenticating users in Non-3GPP domains. AAA uses USIM authentication along with HSS for a seamless authentication experience

Tasks of AAA

  1. Authentication of User using EAP-AKA & Retrieves authentication information from HSS. Basically, EPC access authentication and authorization on SWm & SWx Interfaces

  2. Retrieves Subscriber profile from HSS

  3. Updating & Retrieval of P-GW IP Address in HSS using S6b and SWx (Required for VoLTE & VoWifi Handovers)

  4. Communicate Authentication information back to ePDG

  5. In case Customer profile gets modified in HSS, The HSS Communicates same to AAA & further it is enforced to UE by ePDG

  6. Register itself in HSS for every authenticated and authorized user

  7. Purge the User if Required as per Lifecycle or Profile changes

AAA have below interfaces with Other Network Elements, these interfaces are defined in 3GPP TS 29.273

  1. SWx interface between AAA and HSS

  2. SWm interfaces between AAA and ePDG

  3. S6b interface between AAA and P-GW

AAA Basics – KPI & Performance

Now, Let’s understand, what all KPIs we should monitor in AAA to keep tap on health of VoWifi Service

Authentication & Authorization performance: As you know, AAA is all about Authentication & Authorization. We should monitor Diameter protocol success rates towards SWm, SWx & S6b interfaces.

• AAR Success Rate

• EAP request Success Rate

• MAR Success Rate

• RAR Success Rate

• STR Success Rate

Volumetric KPIs: - This includes KPIs like: -

• Failed Vs Authenticated Users

• Concurrent Session


We should keep tap on Trending of traffic & usage. Basically, pattern needs to be tracked here to see what’s happening out there. Any dip tells us some issue

Section # 4, Role of PGW / HSS / IMS / PCRF

Welcome to Section-4 of this Module. Here We will understand role of other Ecosystem nodes which have adapted for VoWifi. Well, these are existing nodes which were deployed long back for 4G & VoLTE use, now they are re-used for VoWifi Service

Role of PGW for VoWifi

PGW is anchoring point for all VoLTE & VoWifi Traffic. It is used for both Payload and Signaling. Here PGW is performing many critical tasks such as: -

  1. Allocating IMS IP Address to user

  2. Works with ePDG for creating Bearers for SIP Signaling & VoWifi Call

  3. It is responsible for P-CSCF server address discovery where UE is told IP Address of P-CSCF or SBC for Registration

  4. PGW is also responsible for seamless handover of Voice or Video calls between VoLTE to VoWifi and vice versa

  5. It can also be used to generate CDRs for QCI-5 (SIP Signaling) & QCI-1/2 (Voice and Video Calls), But these are data equivalent CDR which doesn’t contain A Party or B Party details, well few Operator uses PGW CDRs for analytics, Performance & Regulatory purpose. For Charging, we use TAS CDRs generated in IMS Network

  6. Legal Interception purposes

VoWifi Interface terminating in PGW

  1. S2b interface between ePDG and P-GW

  2. S6b interface between AAA and P-GW

Role of HSS for VoWifi

Let’s quickly understand role of HSS as far as VoWifi is concerned

HSS is key component of the LTE and IMS networks. HSS Stands for Home Subscriber Server, this is master user database to store all customer related subscription details. User must be allowed for VoWifi facility in HSS for availing this service

Let’s Quickly understand role of HSS in VoWifi Architecture

  1. HSS Should support VoLTE Features, i.e. Sh, Cx Interface, IMS 3th Party registration & Authentication, TADS Support, IP-SM-GW registration in case IP based SMS is used

  2. HSS Should support below new features for VoWifi Support

• SWx interface support … Its between AAA & HSS

• TADS Support for VoWifi (i.e. For Incoming call, in case user is not found VoWifi, Call should be diverted in 2G / 3G or CS Network)

• Authentication Support for VoWifi

• Wifi RAT Type Support

• Subscription for VoWifi Service

Role of PCRF in VoWifi

Existing VoLTE PCRF will be used for handling all VoWifi Calls. In the Mobile Packet Core, PCRF performs classic policy implementation functions. For the Wi-Fi calling solution, it will trigger the setting up of default and dedicated bearers between the PGW and the ePDG on the S2b interfaces for SIP and RTP traffic

Role of PCRF in VoWifi

  1. The PCRF handles Gx and Rx Protocol which is vital in Call Maturing and Location Tagging in CDRs

  2. PCRF plays critical role in NPLI to extract the UE public IP address and port (For Location information in CDR. The User IP & Port will be written in TAS Voice / Video Call CDRs. In case of VoLTE, Actual 4G Cell Id was there). PCRF helps in carrying this information from PGW to IMS Network

  3. The Wifi will come as new RAT Type which needs to be supported in PCRF

Role of IMS in VoWifi

Role of IMS in VoWifi

Existing VoLTE IMS network will be used for handling all VoWifi. IMS is parent technology for both VoLTE & VoWifi. VoWifi is just extension to existing VoLTE Service served by IMS Platform. IMS provides many functions related to SIP-based calling. On control plane signaling, it takes care of SIP authentication, takes care of basic telephony services, and interoperability with other CS & IMS Ecosystems. Other than voice, other multi-media functions such as video calling will also use and run on same IMS infrastructure

Let’s see the adaptations done in IMS for VoWifi

  1. For IMS Network, The Wifi will come as new RAT Type which needs to be supported

  2. For Example, TAS CDRs will be having Wifi as RAT Type for VoWifi Calls

  3. Similarly, For Location information in CDR. The User IP & Port will be written in TAS Voice / Video Call CDRs. In case of VoLTE, Actual 4G Cell Id was there

  4. TAS also needs to support VoWifi TADS & VoWifi Charging

  5. ASBC Needs to support VoWifi/VoLTE handover notification

Section # 5, Improve Quality

Welcome to Section-5 of this Module. Here We will understand how you can keep close watch on VoWifi User experience & What steps you can take to improve same. Since VoWifi experience also depends upon Broadband Provider & Wifi Access Network, it’s important to maintain & view the KPI Metrics as per Public Source IPs of user wherever Possible

Measure VoWifi user experience

How to Measure VoWifi user experience

Well, I am going to covers ways and means to Improve Quality of VoWifi with Volumetric, CDRs & Analytics

You can measure host of things with help of Network KPIs, IMS KPIs & CDR Volumetric. If Possible, you need to maintain & prepare this data against Source IPs which will tell you how Individual Internet Service Provider or Wifi Provider or Broadband Provider is performing. In case KPIs are bad for all Broadband providers, this shows problem with Common element which could be ePDG or AAA. In case specific Broadband provider is having problem, this shows issue specific to that Broadband provider

Node KPIs: This are base KPIs are which are generated by our Network Nodes, you need to monitor: -



• PGW KPIs for VoWifi

• HSS KPIs for VoWifi

• IMS – TAS, SBC KPIs for VoWifi

• Utilization % - Links, Nodes & Media for VoWifi

Any deviation in the KPIs is clear hint about some ongoing issue in network

Subs & Usage Data: These are Volumetric KPIs which helps you to understand how business is performing, Keep track on :-

• Unique Users on VoWifi

• Total Users on VoWifi

• Churned Users on VoWifi

• Total Traffic on VoWifi

• Total Incoming MOUs on VoWifi

• Total Outgoing MOUs on VoWifi

Per Subs Usage: This will tell you comparative & benchmarked data. Just compare these values between VoLTE & VoWifi

• mERL per Subs for VoWifi

• Avg Call Duration for VoWifi

• BHCA Per Subs for VoWifi

For Example, in case you are finding that Avg Call duration is very low for some ISP or Broadband provider. Or these are significantly low in VoWifi as compared to VoLTE. All these things hint to possible problem which needs immediate investigation

Other IMS KPIs: These are generic IMS KPIs which should be measured for VoWifi service separately & Tells clear insight on user experience

• Registration Success rate for VoWifi

• Avg call setup time for VoWifi

• Call Setup Success Rate for VoWifi

• RTP Loss for VoWifi

Future Reading & References

Well now we are at the end of this Module, you can refer to these documents for Future Reading & References

You need to simply type them in google & download PDF copy

3GPP TS 23.402

- Architecture enhancements for non-3GPP accesses

- Covers Complete Architecture in Detail, a Must Must Document for enhancing knowledge on VoWifi

3GPP TS 29.273

- 3GPP EPS AAA interfaces

- AAA Links, Descriptions, Format & Usage


Recent Posts

See All


Commenting has been turned off.
Vikas Shokeen
Vikas Shokeen
Nov 02, 2020

Dev , ePDG have public IP & is reachable via Internet . The Wifi or broadband provider doesn't need to implement any changes at access Side , They simply route traffic towards Internet & it reaches ePDG . Its Handset job to resolve & find ePDG IP Address using DNS Query , We will cover this concept in coming Videos


Dev Bhoite
Dev Bhoite
Nov 02, 2020

Your videos have a great content and easily understandable... I have a question w.r.t untrusted WLAN VoWifi calling. In Trusted WLAN, there is a connection between WLAN (Operator "X") and IMS (Operator "X") via TWAG, this is understood. However, in Untrusted WLAN, how is the connection from WLAN to ePDG. Lets say I am using a Wifi managed by Operator "X" and the IMS is managed by Operator "Y". My question is how my Wifi Operator "X" is going to make connection towards ePDG of Operator "Y". There could be various such untrusted Wifi networks, so how they are going to reach the particular IMS network.

bottom of page