[support] IPSec in NEMO BS with static keys
Romain KUNTZ
kuntz at lsiit.u-strasbg.fr
Fri Aug 21 07:22:03 JST 2009
Hi,
On 2009/08/20, at 15:31, Sebastien Decugis wrote:
>> Has anyone on the list tried to use IPSec for a mobile network (basically using umip+nepl)?
>
> Yes I have used similar setup (but with dynamic keying: the SA are
> created by racoon2, not manually) at some point in the past and I was
> successful protecting MNN->CN traffic between the MN and the HA. It
> required a patch at the moment, that I believe has been merged in the
> nepl patch since (I think Romain can confirm this, I did not check
> myself, sorry). I remember the patch consisted in looping through the
> list of prefixes when we add the IPsec rules.
Yes, the patch has been integrated in the NEPL patch for a few releases now.
By the way Panos, was the "setkey" log you sent created while mip6d
was running on the MR and the MR registered to the HA? It seems that
your SPDs are empty, which makes me think that mip6d was not launched
and/or the MR did not register to the HA (mip6d takes care of
installing the SPDs).
>> You are right that using MCoA is complicating things more. I will follow your advice and disable it for now to see if it helps.
>
> I am not sure, but I'd say you should not use source code with the MCoA
> patch applied for testing IPsec, if I understood Romain's comment
> correctly (just disabling it in the configuration will probably not be
> enough).
Yes, this is what I meant. You should start with umip+nepl only
(without the mcoa patch applied). Once it works fine, you could move
to an environment with MCoA, but I do not guarantee it would work.
>> You are right, but the question is do I install IPsec policies in the SAD or the SPD and how? (relating with the above)
>
> umip takes care of the SPD for you. You only need to provide entries in
> the SAD. The kernel will automatically use an appropriate SAD entry when
> a packet matches a policy in the SPD. If no appropriate entry exists, an
> ACQUIRE message will be generated, then you'll see an error after a
> timeout (I think the error is "permission denied" but I am not so sure).
> I am not too sure how the SAD entry in tunnel mode must be specified in
> the case you are interested in. I usually find that matching entries
> with the reqid is easier, maybe something to try?
Maybe Arnaud could send a dump of the SAD entries when his racoon
environment is running, in order to check what they look like?
Cheers,
romain
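The following setkey file is an added illustration of the SAD-only setup described in the thread (it is not from the thread's participants or from the umip/nepl project). It assumes an MR with home address 2001:db8:1::100 and an HA at 2001:db8::1, ESP in tunnel mode, reqid 10, and throwaway SPIs and keys; all of these are placeholders. The reqid must equal the one that mip6d attaches to its tunnel policies for the MR/HA pair, which is configured next to the IPsecPolicy entries in the mip6d configuration (this pairing is an assumption of the example, not something the thread states).

```conf
# Added example, not part of the original thread: manual SAD entries for the
# MR <-> HA tunnel, to be loaded with "setkey -f <file>" on BOTH the MR and
# the HA (SAD entries are unidirectional, so both hosts need both of them).
# mip6d installs the SPD itself, so this file deliberately contains no
# spdadd lines. Addresses, SPIs, keys and the reqid are placeholders.

# Clear the SAD only. Do NOT use "spdflush" here: that would wipe the
# policies mip6d installed once the MR registered with the HA.
flush;

# MR -> HA direction: MR home address to HA address, ESP in tunnel mode.
# "-r 10" sets the reqid; it is a placeholder that must match the reqid of
# the corresponding mip6d tunnel policy (assumption of this example).
add 2001:db8:1::100 2001:db8::1 esp 0x1000
    -m tunnel -r 10
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1    0x0123456789abcdef0123456789abcdef01234567;

# HA -> MR direction: HA address to MR home address. Different SPI and
# different keys from the other direction, same reqid so the kernel can
# pair the inbound tunnel policy with this SA.
add 2001:db8::1 2001:db8:1::100 esp 0x1001
    -m tunnel -r 10
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1    0x76543210fedcba9876543210fedcba9876543210;
```

Key lengths are the documented ones for setkey (128 bits for rijndael-cbc, 160 bits for hmac-sha1); the hex values here are dummies and must be replaced by fresh random material before the tunnel carries anything. After loading the file, `setkey -D` should list the two SAs and `setkey -DP` the policies; the SPD is only populated while mip6d is running and the MR has registered with the HA, which matches the check Romain asks Panos to make above. If a policy fires and no SA with the same addresses, mode and reqid exists, the kernel emits an ACQUIRE and the traffic is dropped after the timeout Sebastien describes.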