[support] mipv6 error
qhtf126
qhtf126 at 126.com
Mon May 18 12:08:14 JST 2009
hi,
ha.conf :
# Home Agent address: 3ffe:0:0:2::1
# MN Home address : 3ffe:0:0:2::2
remote MobileNode {
# IKEv2 peer definition for the Mobile Node. Both identities are X.509
# subject names read from the referenced certificate files.
ikev2 {
# NOTE(review): my_id and my_public_key both point at the CA certificate
# (cacert.pem) and the CA private key (cakey.pem). If those paths hold what
# their names suggest, the Home Agent presents the CA itself as its IKE
# identity and keeps the CA signing key on this host. The usual layout is a
# separate end-entity certificate for the HA, signed by the CA, with the CA
# key kept off the gateway -- confirm which key pair was intended.
my_id x509_subject "/etc/openssl-ca/public-www/cacert.pem";
peers_id x509_subject "/etc/openssl-ca/clients/certs/mn.mydomain.com.cert";
# rsasig here overrides the "dss" given in default.conf's remote section;
# the MN side must be configured to authenticate the same way.
kmp_auth_method { rsasig; };
my_public_key x509pem
"/etc/openssl-ca/public-www/cacert.pem"
"/etc/openssl-ca/private/cakey.pem";
# Peer certificate only; the empty second string means no private key is
# supplied for the peer (presumably not needed on the HA side -- verify).
peers_public_key x509pem
"/etc/openssl-ca/clients/certs/mn.mydomain.com.cert"
"";
};
};
# Policy and selector for protecting the BU/BA messages for Home Registration.
policy HomeRegBinding {
# ESP in transport mode between the HA address and the MN home address for
# home-registration signalling; the selector below limits it to MH traffic.
remote_index MobileNode;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
# require: matching traffic must be protected, never sent in the clear.
ipsec_level require;
peers_sa_ipaddr 3ffe:0:0:2::2;
my_sa_ipaddr 3ffe:0:0:2::1;
# install off: racoon2 does not install this policy itself; presumably mip6d
# does so (UseMnHaIPsec enabled in mip6d.conf) -- confirm.
install off;
};
selector HomeRegBinding_out {
# Only the outbound selector appears in this excerpt; whether a matching
# inbound selector exists is not visible here.
direction outbound;
dst 3ffe:0:0:2::2;
src 3ffe:0:0:2::1;
policy_index HomeRegBinding;
# 135 is the Mobility Header protocol; the following numbers select the MH
# types to cover (BU/BA per the comment above).
upper_layer_protocol 135 6 5;
reqid 201; # Note: you may choose whatever value you want but must be in sync with mip6d.conf and unique.
};
# Policy and selector for protecting the MPS/MPA messages for Mobile Prefix Discovery.
policy MobPfxDisc {
# Same shape as HomeRegBinding (ESP, transport mode, HA <-> MN home address);
# only the selector and reqid differ.
remote_index MobileNode;
ipsec_mode transport;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 3ffe:0:0:2::2;
my_sa_ipaddr 3ffe:0:0:2::1;
# install off: installation is presumably left to mip6d -- confirm.
install off;
};
selector MobPfxDisc_out {
# Outbound only in this excerpt, like HomeRegBinding_out.
direction outbound;
dst 3ffe:0:0:2::2;
src 3ffe:0:0:2::1;
policy_index MobPfxDisc;
# NOTE(review): the comment above says this covers MPS/MPA; verify that the
# type numbers given here are the ones mip6d expects for that traffic.
upper_layer_protocol 135 93 92;
# Must match "IPsecPolicy MobPfxDisc UseESP 203" in mip6d.conf.
reqid 203;
};
# Tunnel all traffic between MN and HA when the MN is not at home.
policy TunnelPayload {
# Unlike the two signalling policies this one is tunnel mode: payload
# traffic between MN and HA is encapsulated while the MN is away from home.
remote_index MobileNode;
ipsec_mode tunnel;
action auto_ipsec;
ipsec_index { ipsec_esp; };
ipsec_level require;
peers_sa_ipaddr 3ffe:0:0:2::2;
my_sa_ipaddr 3ffe:0:0:2::1;
# install off: installation is presumably left to mip6d -- confirm.
install off;
};
selector TunnelPayload_out {
direction outbound;
dst 3ffe:0:0:2::2;
src 3ffe:0:0:2::1;
policy_index TunnelPayload;
# No upper_layer_protocol here, so every protocol between these two
# addresses is matched, not just Mobility Header traffic.
# Must match "IPsecPolicy TunnelPayload UseESP 205" in mip6d.conf.
reqid 205;
};
*********************************************
mip6d.conf :
# mip6d.conf, Home Agent role.
NodeConfig HA;
## If set to > 0, will not detach from tty
# NOTE(review): 10 is presumably a very verbose level; make sure the output
# is not kept or exposed beyond the debugging session.
DebugLevel 10;
Interface "eth1"; # the interface that serves the Home Link
# IPsec protection of MN-HA signalling; the policy names below must exist
# in racoon2's ha.conf.
UseMnHaIPsec enabled;
KeyMngMobCapability enabled; # currently has no effect, but should be set.
IPsecPolicySet {
HomeAddress 3ffe:0:0:2::2/64;
HomeAgentAddress 3ffe:0:0:2::1;
# reqid values 201/203/205 match the three selectors in ha.conf.
IPsecPolicy HomeRegBinding UseESP 201; # the value must match reqid from racoon2 conf
IPsecPolicy MobPfxDisc UseESP 203;
IPsecPolicy TunnelPayload UseESP 205;
}
**************************************************
default.conf :
#
# default section
#
default
{
# Settings inherited by every remote/policy/ipsec/sa block that does not
# override them.
remote {
ikev2 {
logmode normal;
# IKE SA rekeyed on time only; no byte limit.
kmp_sa_lifetime_time 10 min;
kmp_sa_lifetime_byte infinite;
max_retry_to_send 3;
interval_to_send 10 sec;
times_per_send 1;
kmp_sa_nego_time_limit 60 sec;
ipsec_sa_nego_time_limit 40 sec;
# Proposal lists: every entry is acceptable, so a negotiation may settle on
# the weakest one. NOTE(review): 3des_cbc, hmac_md5 and modp1024 are legacy
# choices; drop them unless the MN genuinely requires them.
kmp_enc_alg { aes192_cbc; aes128_cbc; 3des_cbc; };
kmp_prf_alg { hmac_md5; hmac_sha1; aes_xcbc; };
kmp_hash_alg { hmac_sha1; hmac_md5; };
kmp_dh_group { modp1024; modp1536; modp2048; modp3072; };
# Default authentication method; remote MobileNode in ha.conf overrides it
# with rsasig.
kmp_auth_method { dss; };
random_pad_content on;
random_padlen on;
max_padlen 50 bytes;
};
acceptable_kmp { ikev2; };
};
policy {
ipsec_mode transport;
ipsec_level require;
};
ipsec {
# Defaults only; the named ipsec_esp / ipsec_ah_esp blocks set 28800 sec.
ipsec_sa_lifetime_time infinite;
ipsec_sa_lifetime_byte infinite;
};
sa {
# NOTE(review): 3des_cbc and hmac_md5 are also offered here; see above.
esp_enc_alg { aes128_cbc; 3des_cbc; };
esp_auth_alg { hmac_sha1; hmac_md5; };
};
};
ipsec ipsec_ah_esp {
# AH plus ESP bundle. Not referenced by any policy in this excerpt; all
# three ha.conf policies use ipsec_esp.
ipsec_sa_lifetime_time 28800 sec;
sa_index { ah_01; esp_01; };
};
ipsec ipsec_esp {
# ESP-only SA set used by HomeRegBinding, MobPfxDisc and TunnelPayload.
# 8-hour lifetime overrides the "infinite" default above.
ipsec_sa_lifetime_time 28800 sec;
sa_index esp_01;
};
sa ah_01 {
# AH integrity-only SA; referenced only from ipsec_ah_esp.
sa_protocol ah;
# NOTE(review): hmac_md5 is a legacy choice; drop it unless required.
ah_auth_alg { hmac_sha1; hmac_md5; };
};
sa esp_01 {
# ESP SA used by ipsec_esp (and ipsec_ah_esp). Same proposal lists as the
# default sa block.
sa_protocol esp;
# NOTE(review): 3des_cbc and hmac_md5 are legacy choices; drop them unless
# the MN requires them.
esp_enc_alg { aes128_cbc; 3des_cbc; };
esp_auth_alg { hmac_sha1; hmac_md5; };
};
An HTML attachment was scrubbed...
URL: http://ml.nautilus6.org/pipermail/support/attachments/20090518/5a8d3dc2/attachment.htm