HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 7 HP-UX IPSec and HP-UX Mobile IPv6

Mobile IPv6 Configuration Example

This section contains ipsec_config batch file entries for a Mobile IPv6 Home Agent.

  • The local system’s (Home Agent) IP address is 3ffe::83ff:fef7:1111.

  • The Mobile Node’s IP address is 3ffe::83ff:fef7:2222.

Binding Messages

The following batch file entry configures a host IPSec policy to secure Binding Update and Binding Acknowledgement messages (protocol MH) between the local node (Home Agent) and the Mobile Node.

In this entry, -source is the Home Agent and -destination is the Mobile Node’s Home Address.

add host mn_2222_binding \
-source 3ffe::83ff:fef7:1111 \
-destination 3ffe::83ff:fef7:2222 \
-proto MH -pri 200 -action ESP_AES128_HMAC_SHA1 \
-flags MIPV6 \
-in ESP/2500007/0x1234567890123456789012345678901234567890\
/0x12345678901234567890123456789012/0x1234567890123456 \
-out ESP/2500008/0x0123456789012345678901234567890123456789\
/0x01234567890123456789012345678901/0x0123456789012345

Return Routability Messages

Configure HP-UX IPSec to secure Home Test Init and Home Test Return Routability Messages routed through the local node (Home Agent).

Return Routability Gateway IPSec Policies

You must configure two gateway IPSec policies on the local node (Home Agent) for this topology:

  • One for the data path segments between the Home Agent and the Correspondent Node.

  • One for the data path segments between the Home Agent and the Mobile Node.

Gateway IPSec Policy for Home Agent - Correspondent Node Segments


In this entry, -source is the Mobile Node’s Home Address and -destination is a wildcard for any Correspondent Node.

add gateway mn2222_rr_to_cn \
-source 3ffe::83ff:fef7:2222 \
-destination 0::0 \
-protocol MH -pri 200 -action FORWARD -flags MIPV6

Gateway IPSec Policy for Home Agent - Mobile Node Segments


In this entry, -source is a wildcard for any Correspondent Node and -destination is the Mobile Node’s Home Address.

add gateway mn2222_rr_to_mobile_node \
-source 0::0 \
-destination 3ffe::83ff:fef7:2222 \
-protocol MH -pri 210 -tunnel mn2222_rr_tunnel \
-flags MIPV6

Return Routability Tunnel IPSec Policy

Configure the tunnel between the local system (Home Agent) and the Mobile Node. This tunnel is used when forwarding Mobile IPv6 protocol packets (protocol MH) between the Mobile Node and Correspondent Nodes. The tunnel endpoints are the Mobile Node and the local system (Home Agent), and the tunnel uses manual keys for authenticated ESP, with AES128 encryption and HMAC SHA-1 authentication.

In this entry, -tsource is the Home Agent, -tdestination is the Mobile Node’s Home Address, -source is a wildcard for any Correspondent Node, and -destination is the Mobile Node’s Home Address.

add tunnel mn2222_rr_tunnel \
-tsource 3ffe::83ff:fef7:1111 \
-tdestination 3ffe::83ff:fef7:2222 \
-source 0::0 \
-destination 3ffe::83ff:fef7:2222 \
-protocol MH \
-action ESP_AES128_HMAC_SHA1 \
-in ESP/2500010/0x1234567890123456789012345678901234567890\
/0x12345678901234567890123456789012/0x1234567890123456 \
-out ESP/2500011/0x0123456789012345678901234567890123456789\
/0x01234567890123456789012345678901/0x0123456789012345

(Optional) Prefix Discovery Messages

The following batch file entry configures a host IPSec policy to secure Mobile Prefix Solicitation and Mobile Prefix Advertisement messages (protocol ICMPV6) between the local node (Home Agent) and the Mobile Node. ICMPv6 Echo Request and Echo Reply messages are also secured.

In this entry, -source is the Home Agent and -destination is the Mobile Node’s Home Address.

add host mn2222_prefix \
-source 3ffe::83ff:fef7:1111 \
-destination 3ffe::83ff:fef7:2222 \
-proto ICMPV6 -pri 210 -action ESP_AES128_HMAC_SHA1 \
-flags MIPV6 \
-in ESP/2500007/0x1234567890123456789012345678901234567890\
/0x12345678901234567890123456789012/0x1234567890123456 \
-out ESP/2500008/0x0123456789012345678901234567890123456789\
/0x01234567890123456789012345678901/0x0123456789012345

(Optional) Payload Messages Routed Through the Home Agent

Configure HP-UX IPSec to secure payload messages between the Mobile Node and the Correspondent Node when they are routed through the local node (Home Agent).

Payload Gateway IPSec Policies

You must configure two gateway IPSec policies for this topology: one for the data path between the Home Agent and the Correspondent Node, and one for the data path between the Home Agent and the Mobile Node. The priority values for these policies must be greater (lower priority) than those of the gateway IPSec policies configured for the Return Routability messages, and the protocol is ALL.

Gateway IPSec Policy for Home Agent - Correspondent Node Segments


In this entry, -source is the Mobile Node’s Home Address and -destination is a wildcard for any Correspondent Node.

add gateway mn2222_payload_to_cn \
-source 3ffe::83ff:fef7:2222 \
-destination 0::0 \
-protocol ALL -pri 300 -action FORWARD -flags MIPV6

Gateway IPSec Policy for Home Agent - Mobile Node Segments


In this entry, -source is a wildcard for any Correspondent Node and -destination is the Mobile Node’s Home Address.

add gateway mn2222_payload_to_mobile_node \
-source 0::0 \
-destination 3ffe::83ff:fef7:2222 \
-protocol ALL -pri 310 -tunnel mn2222_payload_tunnel \
-flags MIPV6

Payload Tunnel IPSec Policy

Configure the tunnel between the local system (Home Agent) and the Mobile Node. This is similar to the tunnel configured for Return Routability messages, except that the protocol is ALL, and the manual key SPI numbers and the keys are different (inbound SPI numbers must be unique).

In this entry, -tsource is the Home Agent, -tdestination is the Mobile Node’s Home Address, -source is a wildcard for any Correspondent Node, and -destination is the Mobile Node’s Home Address.

add tunnel mn2222_payload_tunnel \
-tsource 3ffe::83ff:fef7:1111 \
-tdestination 3ffe::83ff:fef7:2222 \
-source 0::0 \
-destination 3ffe::83ff:fef7:2222 \
-protocol ALL \
-action ESP_AES128_HMAC_SHA1 \
-in ESP/2500012/0x123456789012345678901234567890123456789A\
/0x1234567890123456789012345678901A/0x123456789012345A \
-out ESP/2500013/0x012345678901234567890123456789012345678B\
/0x0123456789012345678901234567890B/0x012345678901234B
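
The constraints stated in this section (unique inbound SPI numbers, payload gateway -pri values greater than the Return Routability ones, tunnel endpoints that are two different nodes, and gateway policies that name a configured tunnel) can be checked before a batch file is loaded. The following Python check is an added example, not part of the HP guide or of HP-UX IPSec; the parser, its handling of backslash continuations, the sample entries and the KEYS placeholder are assumptions made for illustration, and it reads only the spelled-out -protocol option.

```python
import re

# Constructed sample (not from the guide); KEYS stands in for manual key material.
SAMPLE = r"""
add gateway rr_to_mn -source 0::0 -destination 3ffe::83ff:fef7:2222 \
  -protocol MH -pri 210 -tunnel rr_tunnel -flags MIPV6
add gateway payload_to_mn -source 0::0 -destination 3ffe::83ff:fef7:2222 \
  -protocol ALL -pri 100 -tunnel payload_tunnel -flags MIPV6
add tunnel rr_tunnel -tsource 3ffe::83ff:fef7:1111 \
  -tdestination 3ffe::83ff:fef7:2222 -protocol MH \
  -in ESP/2500010/KEYS -out ESP/2500011/KEYS
add tunnel payload_tunnel -tsource 3ffe::83ff:fef7:1111 \
  -tdestination 3ffe::83ff:fef7:1111 -protocol ALL \
  -in ESP/2500010/KEYS -out ESP/2500013/KEYS
"""

def parse(text):
    """Join backslash continuations, then turn each 'add' entry into a dict."""
    entries = []
    for line in re.sub(r"\\[ \t]*\n", "", text).splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "add":
            opts = {tok[i].lstrip("-"): tok[i + 1] for i in range(3, len(tok) - 1, 2)}
            entries.append({"kind": tok[1], "name": tok[2], **opts})
    return entries

def lint(entries):
    findings, seen_spi = [], {}
    gws = [e for e in entries if e["kind"] == "gateway"]
    tunnels = {e["name"] for e in entries if e["kind"] == "tunnel"}
    for e in entries:
        if "in" in e:  # ESP/<spi>/<keys>: inbound SPI numbers must be unique
            spi = e["in"].split("/")[1]
            if spi in seen_spi:
                findings.append(f"{e['name']}: inbound SPI {spi} reused from {seen_spi[spi]}")
            seen_spi.setdefault(spi, e["name"])
        if e["kind"] == "tunnel" and e.get("tsource") == e.get("tdestination"):
            findings.append(f"{e['name']}: tunnel endpoints are identical")
    # Return Routability gateway policies (MH) must outrank payload ones (ALL).
    rr_pri = [int(g["pri"]) for g in gws if g.get("protocol") == "MH"]
    for g in gws:
        if "tunnel" in g and g["tunnel"] not in tunnels:
            findings.append(f"{g['name']}: references undefined tunnel {g['tunnel']}")
        if g.get("protocol") == "ALL" and rr_pri and int(g["pri"]) <= max(rr_pri):
            findings.append(f"{g['name']}: -pri {g['pri']} is not greater than {max(rr_pri)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```

Run against the constructed sample, the check reports the reused inbound SPI, the tunnel whose two endpoints are the same address, and the payload gateway policy whose -pri value is not greater than the Return Routability one.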

© 2004 Hewlett-Packard Development Company, L.P.