Re: Mobile IPv6 - IPsec interaction.
In your previous mail you wrote:

But snide comments aside, you _can_ do this today: you set your policy
to build a tunnel that authorizes your mobile host (based on some
identification) to tunnel packets as your home address. Seriously, it
is that simple. I admit that _how_ you set your policy is IPSec
implementation specific. However, _what_ you need to set up isn't.

For example, you want to configure your tunnel something like this:

On the mobile host:

    type=tunnel
    server=11.22.0.1
    server_id=server.my.site        <- used to authenticate home agent
    my_inside_addr=11.22.33.44
    my_auth_id=laptop.my.site       <- my authentication ID

On the home agent:

    type=tunnel
    client_id=laptop.my.site        <- used to authenticate mobile host
    client_inside_addr=11.22.33.44
    my_auth_id=server.my.site       <- my authentication ID

=> so your proposal is to use the manual setup. At least one free
implementation has this, in FreeS/WAN this gives on the home agent:

    conn my_laptop
        type=transport
        auth=ah
        authby=rsasig
        auto=add
        left=%any
        leftid=@laptop.my.site
        leftsubnet=<my_laptop home address>/128
        right=<home agent address>
        rightid=@server.my.site
        rightsubnet=<home agent address>/128

(I don't use Linux or FreeS/WAN but this should work according to the
documentation).

So we can say the issue is solved for the home agent but of course
manual config doesn't scale and won't work for random correspondents,
i.e. we should look for an automatic and standardized way to do this...

Thanks
Francis.Dupont@enst-bretagne.fr
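
The check that both configurations in this mail rely on, binding the identity proven during key exchange to the one inner (home) address it may use, is sketched below as an added example; it is not part of the original mail and is not code from FreeS/WAN or any other IPsec implementation. The function names `parse_policy` and `accept_inner_packet`, the `pda.my.site` entry and the `2001:db8::44` address are constructed for illustration.

```python
import ipaddress

# Constructed home-agent policy in the key=value style of the mail above.
# The second entry and its documentation-prefix address are illustrative only.
HOME_AGENT_POLICY = """
type=tunnel
client_id=laptop.my.site        <- used to authenticate mobile host
client_inside_addr=11.22.33.44
my_auth_id=server.my.site       <- my authentication ID

type=tunnel
client_id=pda.my.site
client_inside_addr=2001:db8::44/128
my_auth_id=server.my.site
"""

def parse_policy(text):
    """Return {client_id: ip_network} from blank-line separated entries."""
    table = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            line = line.split("<-")[0].strip()   # drop the "<- note" annotations
            if "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip()
        if entry.get("type") != "tunnel":
            continue
        # A bare address becomes a host selector (/32 or /128).
        table[entry["client_id"]] = ipaddress.ip_network(entry["client_inside_addr"])
    return table

def accept_inner_packet(table, authenticated_id, inner_src):
    """Accept a decapsulated packet only if the authenticated peer identity
    is authorized for the packet's inner source address."""
    allowed = table.get(authenticated_id)
    if allowed is None:
        return False                 # unknown peer: nothing is authorized
    src = ipaddress.ip_address(inner_src)
    return src.version == allowed.version and src in allowed
```

A peer that authenticates correctly but sources packets from another client's home address is rejected, which is the property the manual policy has to provide per mobile host.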