[support] IPSec in NEMO BS with static keys
Georgopoulos, Panagiotis
panos at comp.lancs.ac.uk
Wed Aug 19 00:54:00 JST 2009
Hello all,
I am experimenting with IPSec using static keys over NEMO BS
and I would like to use esp in transport mode for my BU and BA and esp in
tunnel mode for all the other traffic generated from my Mobile Router (MR)
and any other MN that is connected to its access point.
Currently traffic generated from my MR to the HA (and anything beyond the
HA) seems to be working fine. However, traffic (e.g. pings from the MNN)
reach the HA and the HA does nothing.
My network testbed is very simple, like the following:
HA -----Home Network------Access Network------------MR------------MNN
The IP address setup is the following:
. HA : 2001:db91::2
. MR HoA : 2001:db91::2222
. Access network prefix : 2001:db94::/64
. MR's MNP: 2001:db72::/64
. MNN : 2001:db72::2
My nemod.conf allows a binding from my mobile router and knows that it is
advertising the 2001:db72:: network with the following line :
BindingAclPolicy 2001:db91::2222 (2001:db72::/64) NoMCoAReg allow;
I have added the following lines regarding IPsec in my nemod.conf in both
the HA and the MR:
## IPsec configuration
UseMnHaIPsec enabled;
## Key Management Mobility Capability
KeyMngMobCapability disabled;
IPsecPolicySet {
HomeAgentAddress 2001:db91::2;
#MR4
HomeAddress 2001:db91::2222/64;
#I want to use esp in tunnel mode for BU and BA
IPsecPolicy HomeRegBinding UseESP 10;
#I want all traffic (except BUs and BAs) from the MR and all MNs
#connected to the MR to be tunnelled using esp
#I am not entirely sure if the TunnelPayload option is correct.
IPsecPolicy TunnelPayload UseESP 20;
}
I also imported the following policies using the setkey tool:
# MN -> HA transport SA for BU
add 2001:db91::2222 2001:db91::2 esp 2000
-u 10
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# HA -> MN transport SA for BA
add 2001:db91::2 2001:db91::2222 esp 2001
-u 10
-m transport
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
#Regarding the rules below, do they have to match the source and destination
# address of every packet or do they have to be just the two end points of the tunnel?
#If the former is correct, then the following two rules do not apply to traffic
#being generated from an MN connected to my MR
# MN -> HA any traffic
add 2001:db91::2222 2001:db91::2 esp 2002
-u 20
-m tunnel
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
# HA -> MN any traffic
add 2001:db91::2 2001:db91::2222 esp 2003
-u 20
-m tunnel
-E des-cbc "TAHITEST"
-A hmac-sha1 "this is the test key" ;
When I run the code and do a binding from my MR to my HA, the BUs and BAs
are fine, being esp'ed in transport mode.
In addition when I ping from my MR to the HA I see packets which seem to be
esp'ed in tunnel mode (at least from what I can tell as it is difficult to
debug that).
However, when I am trying to ping from my MNN to my HA I see ping requests
going up to the HA (esp'ed) but then the HA just ignores them and does not
reply at all. Even if I ping something from the MNN to a machine beyond the
HA, I see the request reaching the HA and it is apparently decapsulated from
the IPsec tunnel, but it is never forwarded.
So, the basic question is, does the above setup put the appropriate rules in
place for a node to act as an MR and enable the MN to reach the HA and the
outside world, or do I have to explicitly define something additional (and
what?). Are the above SA and nemod.conf files fine?
Many thanks in advance,
Panos
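The post above pairs each nemod.conf "IPsecPolicy ... UseESP N" line with manually installed SAs whose "-u N" reqid matches. Before debugging forwarding, it is worth checking mechanically that the two files agree with each other and that the SAs themselves are sane. The script below is an added example, not code from the poster or from the NEMO/USAGI project; it re-joins the four "add" statements and the two policy lines quoted in the post into constructed sample input and audits them for: an SA in each direction for every reqid the policies reference, with the mode the poster says he wants (transport for BU/BA, tunnel for payload); SPI uniqueness per destination; key lengths setkey(8) requires (des-cbc 8 bytes, hmac-sha1 20 bytes); and the hygiene problems a reviewer would flag here, namely single DES, printable ASCII keys and one key shared by all SAs. It assumes the UseESP number is the reqid matched by "-u" (that is how the post uses it) and does not attempt to answer the SPD question about tunnel-mode selectors, which the SA "add" lines alone cannot settle.

```python
import re
from typing import Dict, List

# Constructed sample input: the four SAs from the post, each re-joined into a
# single setkey statement (setkey itself reads a statement up to the ';').
SETKEY_CONF = """\
# MN -> HA transport SA for BU
add 2001:db91::2222 2001:db91::2 esp 2000 -u 10 -m transport -E des-cbc "TAHITEST" -A hmac-sha1 "this is the test key" ;
# HA -> MN transport SA for BA
add 2001:db91::2 2001:db91::2222 esp 2001 -u 10 -m transport -E des-cbc "TAHITEST" -A hmac-sha1 "this is the test key" ;
# MN -> HA any traffic
add 2001:db91::2222 2001:db91::2 esp 2002 -u 20 -m tunnel -E des-cbc "TAHITEST" -A hmac-sha1 "this is the test key" ;
# HA -> MN any traffic
add 2001:db91::2 2001:db91::2222 esp 2003 -u 20 -m tunnel -E des-cbc "TAHITEST" -A hmac-sha1 "this is the test key" ;
"""

# Constructed sample input: the two IPsecPolicy lines from the post's nemod.conf.
NEMOD_CONF = """\
IPsecPolicy HomeRegBinding UseESP 10;
IPsecPolicy TunnelPayload UseESP 20;
"""

MR_HOA, HA_ADDR = "2001:db91::2222", "2001:db91::2"   # from the post

# Mode each policy should use, per the poster's stated intent.
EXPECTED_MODE = {"HomeRegBinding": "transport", "TunnelPayload": "tunnel"}
# Key sizes setkey(8) requires for these algorithms, in bytes.
KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "hmac-md5": 16, "hmac-sha1": 20}
WEAK_ENC = {"des-cbc": "single DES, 56-bit key", "null": "no confidentiality"}

SA_RE = re.compile(r"add\s+(\S+)\s+(\S+)\s+(esp|ah)\s+(\d+)\s+(.*)", re.S)
OPT_RE = re.compile(r'-(u|m|E|A)\s+(\S+)(?:\s+"([^"]*)")?')
POLICY_RE = re.compile(r"IPsecPolicy\s+(\w+)\s+UseESP\s+(\d+)\s*;")


def parse_setkey(text: str) -> List[Dict]:
    """Parse setkey 'add' statements; '#' comment lines are dropped before splitting on ';'."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    sas = []
    for stmt in body.split(";"):
        m = SA_RE.search(stmt.strip())
        if not m:
            continue
        sa = {"src": m.group(1), "dst": m.group(2), "proto": m.group(3), "spi": int(m.group(4)),
              "reqid": None, "mode": None, "enc": None, "enc_key": "", "auth": None, "auth_key": ""}
        for opt, val, key in OPT_RE.findall(m.group(5)):
            if opt == "u":
                sa["reqid"] = int(val)
            elif opt == "m":
                sa["mode"] = val
            elif opt == "E":
                sa["enc"], sa["enc_key"] = val, key
            elif opt == "A":
                sa["auth"], sa["auth_key"] = val, key
        sas.append(sa)
    return sas


def parse_nemod(text: str) -> Dict[str, int]:
    """Map each IPsecPolicy name to the reqid it references via UseESP."""
    return {name: int(reqid) for name, reqid in POLICY_RE.findall(text)}


def audit(setkey_text: str, nemod_text: str, mr: str, ha: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    sas, policies, findings = parse_setkey(setkey_text), parse_nemod(nemod_text), []
    # 1. Every policy reqid needs one SA per direction, in the intended mode.
    for name, reqid in policies.items():
        want = EXPECTED_MODE.get(name)
        for src, dst in ((mr, ha), (ha, mr)):
            hit = [s for s in sas if s["reqid"] == reqid and (s["src"], s["dst"]) == (src, dst)]
            if not hit:
                findings.append(f"{name}: no SA {src}->{dst} with reqid {reqid}")
            elif want and hit[0]["mode"] != want:
                findings.append(f"{name}: SA {src}->{dst} is {hit[0]['mode']}, expected {want}")
    # 2. SPI must be unique per (destination, protocol).
    seen = set()
    for s in sas:
        k = (s["dst"], s["proto"], s["spi"])
        if k in seen:
            findings.append(f"duplicate SPI {s['spi']} for {s['proto']} to {s['dst']}")
        seen.add(k)
    # 3. Algorithm and key hygiene; key reuse across SAs is collected along the way.
    by_key: Dict[str, List[int]] = {}
    for s in sas:
        tag = f"SPI {s['spi']}"
        if s["enc"] in WEAK_ENC:
            findings.append(f"{tag}: weak cipher {s['enc']} ({WEAK_ENC[s['enc']]})")
        for alg, key in ((s["enc"], s["enc_key"]), (s["auth"], s["auth_key"])):
            if alg is None or alg == "null":
                continue
            if not key:
                findings.append(f"{tag}: {alg} has no key")
                continue
            by_key.setdefault(key, []).append(s["spi"])
            if not key.startswith("0x"):
                findings.append(f"{tag}: {alg} key is a printable ASCII string, not random hex")
            raw = bytes.fromhex(key[2:]) if key.startswith("0x") else key.encode()
            if alg in KEY_BYTES and len(raw) != KEY_BYTES[alg]:
                findings.append(f"{tag}: {alg} key is {len(raw)} bytes, setkey requires {KEY_BYTES[alg]}")
    for key, spis in by_key.items():
        if len(spis) > 1:
            findings.append(f"key material shared by SAs {spis}; each SA should get its own key")
    return findings


if __name__ == "__main__":
    for line in audit(SETKEY_CONF, NEMOD_CONF, MR_HOA, HA_ADDR):
        print(line)
```

Run against the post's own lines, the pairing and SPI checks pass and both key lengths are exactly what setkey demands, so the findings that remain are the DES cipher, the ASCII keys and the fact that all four SAs share the same two keys. Replacing one SA's "-m tunnel" with "-m transport" makes the TunnelPayload pairing check fire, which is the kind of mismatch that is easy to miss when the two files are edited by hand.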