[support] IPSec in NEMO BS with static keys

Sebastien Decugis sdecugis at hongo.wide.ad.jp
Thu Aug 20 22:31:04 JST 2009


Hello,


> Has anyone on the list tried to use IPSec for a mobile network (basically
> using umip+nepl)?

Yes, I have used a similar setup (but with dynamic keying: the SAs are
created by racoon2, not manually) at some point in the past and I was
successful in protecting MNN->CN traffic between the MN and the HA. It
required a patch at the time, which I believe has been merged into the
nepl patch since (I think Romain can confirm this, I did not check
myself, sorry). I remember the patch consisted of looping through the
list of prefixes when we add the IPsec rules.


> You are right that using MCoA is complicating things more. I will follow
> your advice and disable it for now to see if it helps.

I am not sure, but I'd say you should not use source code with the MCoA
patch applied for testing IPsec, if I understood Romain's comment
correctly (just disabling it in the configuration will probably not be enough).

> You are right, but the question is do I install IPsec policies in the SAD or
> the SPD and how? (relating with the above)

umip takes care of the SPD for you. You only need to provide entries in
the SAD. The kernel will automatically use an appropriate SAD entry when
a packet matches a policy in the SPD. If no appropriate entry exists, an
ACQUIRE message will be generated, then you'll see an error after a
timeout (I think the error is "permission denied" but I am not so sure).
I am not too sure how the SAD entry in tunnel mode must be specified in
the case you are interested in. I usually find that matching entries
with the reqid is easier, maybe something to try?

Sorry I am not more specific here, I don't have a working setup anymore...

Best regards,
Sebastien.
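The reply above suggests matching SAD entries to umip's SPD entries by reqid. The following script is an added example, not part of the original thread or of umip, that checks the one thing that commonly goes wrong with static keys: a reqid referenced by an IPsecPolicy line in mip6d.conf that has no matching setkey "add ... -u <reqid>" entry, which shows up at runtime only as an ACQUIRE followed by a timeout. It assumes the mip6d.conf layout "IPsecPolicy <type> UseESP <reqid> <reqid>" and setkey's "-u" option as the reqid; all addresses, SPIs and keys are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original thread): cross-check that every reqid
# referenced by umip's IPsecPolicy lines in mip6d.conf has a matching manual
# SAD entry ("add ... -u <reqid>") in the setkey script, before either is loaded.
# All addresses, SPIs, keys and reqids below are constructed placeholders.

# Constructed mip6d.conf fragment; the two trailing numbers on each
# IPsecPolicy line are the reqids umip uses for the SPD entries it installs.
MIP6D_CONF='
IPsecPolicySet {
        HomeAgentAddress 2001:db8:ffff:0::1;
        HomeAddress 2001:db8:ffff:0::1111/64;

        IPsecPolicy HomeRegBinding UseESP 1 2;
        IPsecPolicy TunnelMh UseESP 3 4;
        IPsecPolicy TunnelPayload UseESP 5 6;
}
'

# Constructed setkey -f script: one SA per direction and per reqid.
# Keys are dummy values of the right length (AES-128: 16 bytes, HMAC-SHA1: 20 bytes).
KEY_E=0x00112233445566778899aabbccddeeff
KEY_A=0x0001020304050607080910111213141516171819
SETKEY_CONF="
flush;
# HomeRegBinding: transport mode between HoA and HA
add 2001:db8:ffff:0::1111 2001:db8:ffff:0::1 esp 0x1001 -m transport -u 1 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1111 esp 0x1002 -m transport -u 2 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
# TunnelMh and TunnelPayload: tunnel mode (endpoint addresses are placeholders)
add 2001:db8:ffff:0::1111 2001:db8:ffff:0::1 esp 0x1003 -m tunnel -u 3 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1111 esp 0x1004 -m tunnel -u 4 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
add 2001:db8:ffff:0::1111 2001:db8:ffff:0::1 esp 0x1005 -m tunnel -u 5 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
add 2001:db8:ffff:0::1 2001:db8:ffff:0::1111 esp 0x1006 -m tunnel -u 6 -E aes-cbc $KEY_E -A hmac-sha1 $KEY_A;
"

# Same script with the TunnelPayload SAs left out: the kind of mistake that
# the kernel reports only as an ACQUIRE and a later timeout.
SETKEY_INCOMPLETE=$(printf '%s\n' "$SETKEY_CONF" | grep -v -e '-u 5 ' -e '-u 6 ')

# Print the reqids used by IPsecPolicy lines, one per line.
policy_reqids() {
    printf '%s\n' "$1" | awk '/^[ \t]*IPsecPolicy[ \t]/ {
        gsub(";", "")
        for (i = 4; i <= NF; i++) print $i
    }'
}

# Print the reqids present in setkey "add" entries (the argument of -u).
sad_reqids() {
    printf '%s\n' "$1" | awk '$1 == "add" {
        for (i = 1; i < NF; i++) if ($i == "-u") print $(i + 1)
    }'
}

# Return 0 if every policy reqid has an SAD entry; otherwise list the
# missing reqids on stdout and return 1.
check_reqids() {
    missing=""
    for r in $(policy_reqids "$1"); do
        if ! sad_reqids "$2" | grep -qx "$r"; then
            missing="$missing $r"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing SAD entries for reqid(s):%s\n' "$missing"
        return 1
    fi
    return 0
}

# Run the check against both constructed scripts.
if check_reqids "$MIP6D_CONF" "$SETKEY_CONF"; then
    echo "complete setkey script: all reqids covered"
fi
check_reqids "$MIP6D_CONF" "$SETKEY_INCOMPLETE" || echo "incomplete script rejected as expected"
```

Running the script prints the first message for the complete SAD script and, for the incomplete one, "missing SAD entries for reqid(s): 5 6" followed by the rejection line. The check deliberately compares only reqids; whether each SA's addresses and mode are right for the policy type is a separate question that the reply above also leaves open.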

