[support] IPSec in NEMO BS with static keys
Romain KUNTZ
kuntz at lsiit.u-strasbg.fr
Thu Aug 20 18:32:55 JST 2009
Hi Panos,
I've never used IPsec tunnel mode to protect data from a mobile
network, but here are some thoughts:
On 2009/08/18, at 17:54, Georgopoulos, Panagiotis wrote:
> I am experimenting with IPSec using static keys over
> NEMO BS and I would like to use esp in transport mode for my BU and
> BA and esp in tunnel mode for all the other traffic generated from
> my Mobile Router (MR) and any other MN that is connected to its
> access point.
>
> Currently traffic generated from my MR to the HA (and anything
> beyond the HA) seems to be working fine. However, traffic (e.g.
> pings from the MNN) reach the HA and the HA does nothing.
>
> My network testbed is very simple, like the following:
>
> HA -----Home Network------Access Network------------MR------------MNN
>
> The IP address setup is the following :
> · HA : 2001:db91::2
> · MR HoA : 2001:db91::2222
> · Access network prefix : 2001:db94::/64
> · MR’s MNP: 2001:db72::/64
> · MNN : 2001:db72::2
>
> My nemod.conf allows a binding from my mobile router and knows that
> it is advertising the 2001:db72:: network with the following line :
> BindingAclPolicy 2001:db91::2222 (2001:db72::/64) NoMCoAReg allow;
So far the configuration seems fine, but from the "NoMCoAReg" keyword it
seems that you use the MCoA implementation on the HA. Do you also use
it on the MR? The MCoA implementation is quite experimental and has
never been tested with IPsec. I'm even pretty sure that it breaks the
IPsec code.
> I have added the following lines regarding IPSEC in my nemod.conf in
> both the HA and the MR :
>
> ## IPsec configuration
> UseMnHaIPsec enabled;
>
> ## Key Management Mobility Capability
> KeyMngMobCapability disabled;
>
> IPsecPolicySet {
> HomeAgentAddress 2001:db91::2;
>
> #MR4
> HomeAddress 2001:db91::2222/64;
>
> #I want to use esp in tunnel mode for BU and BA
> IPsecPolicy HomeRegBinding UseESP 10;
>
> #I want all traffic (except BUs and BAs) from the MR and all MNs
> #connected to the MR to be tunnelled using esp
> #i am not entirely sure if the TunnelPayload option is correct…
> IPsecPolicy TunnelPayload UseESP 20;
> }
>
> I also imported the following policies using the setkey tool :
>
> # MN -> HA transport SA for BU
> add 2001:db91::2222 2001:db91::2 esp 2000
> -u 10
> -m transport
> -E des-cbc "TAHITEST"
> -A hmac-sha1 "this is the test key" ;
>
> # HA -> MN transport SA for BA
> add 2001:db91::2 2001:db91::2222 esp 2001
> -u 10
> -m transport
> -E des-cbc "TAHITEST"
> -A hmac-sha1 "this is the test key" ;
>
> # Regarding the rules below, do they have to match the source and
> # destination address of every packet or do they have to be just the
> # two end points of the tunnel? If the former is correct, then the
> # following two rules do not apply to traffic being generated from an
> # MN connected to my MR
> # MN -> HA any traffic
> add 2001:db91::2222 2001:db91::2 esp 2002
> -u 20
> -m tunnel
> -E des-cbc "TAHITEST"
> -A hmac-sha1 "this is the test key" ;
>
> # HA -> MN any traffic
> add 2001:db91::2 2001:db91::2222 esp 2003
> -u 20
> -m tunnel
> -E des-cbc "TAHITEST"
> -A hmac-sha1 "this is the test key" ;
UMIP takes care of installing the IPsec security policies for the MNP
(in src/ipsec.c, unless you have too old a version of UMIP? Could you
send what "setkey -PD" and "setkey -D" display on your MR and HA?),
but I'd guess you still need to install the IPsec SAs for them.
> When I run the code and do a binding from my MR to my HA, the BUs
> and BAs are fine, being esp’ed in transport mode.
>
> In addition when I ping from my MR to the HA I see packets which
> seem to be esp’ed in tunnel mode (at least from what I can tell as
> it is difficult to debug that).
>
> However, when I am trying to ping from my MNN to my HA I see ping
> requests going up to the HA (esp’ed) but then the HA just ignores
> them and does not reply at all. Even if I ping something from the
> MNN to a machine beyond the HA, I see the request reaching the HA
> and is apparently decapsulated from the ipsec tunnel but it is never
> forwarded.
>
> So, the basic question is, does the above setup put the appropriate
> rules in place for a node to act as a MR and enable MN to reach the
> HA and the outside world or do I have to explicitly define something
> additional (and what?). Are the above sa and nemod confs files fine?
The above configuration seems fine for MR<->HA data exchange, but
incomplete to support traffic from MNNs. In particular, I would
suspect the IPsec SA to lack some conf for the traffic from/to the MNP.
Cheers,
romain
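The question quoted above (do the rules match every packet's addresses or only the tunnel endpoints?) comes down to how the SPD works: policy selectors are matched against the inner packet's source, destination and upper-layer protocol, while the tunnel endpoints only appear in the policy's template (and identify the SA together with the SPI). The following script is an added example, not code from the thread or from UMIP: it parses a constructed "setkey -PD" dump in the KAME/ipsec-tools layout (the layout is assumed, the addresses are the ones from the thread) and reports which policy, if any, covers a given inner packet, which is the check to run on the MR and HA for a ping from the MNN.

```python
import ipaddress

# Constructed "setkey -PD" output as it might look on the MR (KAME/ipsec-tools layout:
# selector line, direction, templates). Addresses are from the thread; spid/seq are made up.
SAMPLE_SPD = """\
2001:db91::2222[any] 2001:db91::2[any] 135
    out ipsec
    esp/transport//require
    spid=1 seq=2 pid=2100 refcnt=1
2001:db91::2222[any] ::/0[any] any
    out ipsec
    esp/tunnel/2001:db91::2222-2001:db91::2/require
    spid=3 seq=1 pid=2100 refcnt=1
2001:db72::/64[any] ::/0[any] any
    out ipsec
    esp/tunnel/2001:db91::2222-2001:db91::2/require
    spid=5 seq=0 pid=2100 refcnt=1
"""

def parse_spd(text):
    """Turn setkey -PD output into a list of {src, dst, proto, dir, templates}."""
    policies, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # selector: src[port] dst[port] upper
            src, dst, proto = line.split()[:3]
            cur = {"src": ipaddress.ip_network(src.split("[")[0]),
                   "dst": ipaddress.ip_network(dst.split("[")[0]),
                   "proto": proto, "dir": None, "templates": []}
            policies.append(cur)
        elif cur is not None and line.split():
            tok = line.split()[0]
            if tok in ("in", "out", "fwd"):
                cur["dir"] = tok
            elif tok.startswith(("esp/", "ah/")):   # proto/mode/outer-src-outer-dst/level
                cur["templates"].append(tok.split("/"))
    return policies

def covering_policy(policies, src, dst, proto, direction):
    """First policy whose selector covers the inner packet (src, dst, upper proto)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and s in p["src"] and d in p["dst"]
                and p["proto"] in ("any", proto)):
            return p
    return None

def tunnel_endpoints(policy):
    """Outer (tunnel) endpoints named by the policy's template; None for transport mode."""
    for _proto, mode, ends, _level in policy["templates"]:
        if mode == "tunnel":
            return tuple(ends.split("-"))
    return None
```

With the sample above, a BU (protocol 135) from the MR HoA hits the transport-mode policy, an ICMPv6 ping from the MR or from 2001:db72::2 is tunnelled to 2001:db91::2, and a source outside the MNP has no covering policy at all, which is what a missing MNP entry looks like.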