
(usagi-users 04013) Re: Is it possible to encrypt all packets in Reverse tunnelling?



Hello Michal,

I think you may try the "TunnelPayload" option in IPSecPolicy rules.

About your second question, I don't think it is possible to tunnel the
BU/BA -- but I may be wrong.

Best regards,
Sebastien.

Michal Franczak wrote:
> Hello all,
> Is it possible to encapsulate by IPsec all packets sent between the
> Mobile Node and the Home Agent?
> Currently I've managed to configure reverse tunnelling with IPsec but it
> encrypts only packets destined for the Home Agent.
> Here are parts of my config files:
> 
> sa.conf:
> # 2003::1 is home address of MN
> # 2003::2 is address of HA
> #des-cbc key should be 8 characters long
> #hmac-sha1 key should be 20 characters long
> flush;
> # MN -> HA transport SA for BU
>  add 2003:0:0:0::1 2003:0:0:0::2 esp 2000
>        -u 1
>        -m transport
>        -E des-cbc "my_key_1"
>        -A hmac-sha1 "this is the test key" ;
> # HA -> MN transport SA for BA
>  add 2003:0:0:0::2 2003:0:0:0::1 esp 2001
>         -u 2
>         -m transport
>         -E des-cbc "my_key_1"
>         -A hmac-sha1 "this is the test key" ;
> # MN -> HA transport SA for MPS
>  add 2003:0:0:0::1 2003:0:0:0::2 esp 2002
>         -u 3
>         -m transport
>         -E des-cbc "my_key_1"
>         -A hmac-sha1 "this is the test key" ;
> # HA -> MN transport SA for MPA
>  add 2003:0:0:0::2 2003:0:0:0::1 esp 2003
>         -u 4
>         -m transport
>         -E des-cbc "my_key_1"
>         -A hmac-sha1 "this is the test key" ;
> # MN -> HA tunnel SA for HoTI
>  add 2003:0:0:0::1 2003:0:0:0::2 esp 2004
>     -u 5
>         -m tunnel
>         -E des-cbc "my_key_1"
>         -A hmac-sha1 "this is the test key" ;
> # HA -> MN tunnel SA for HoT
>  add 2003:0:0:0::2 2003:0:0:0::1 esp 2005
>     -u 6
>         -m tunnel
>         -E des-cbc "my_key_1"
>         -A hmac-sha1 "this is the test key" ;
> 
> and the part of mip6d.conf responsible for IPsec:
>     IPsecPolicy HomeRegBinding UseESP 1 2;
>     IPsecPolicy MobPfxDisc UseESP 3;
> #    IPsecPolicy TunnelMh UseESP;
> #    IPsecPolicy TunnelHomeTesting UseESP;
>     IPsecPolicy TunnelHomeTesting UseESP 5 6;
> 
> I've tried IPsecPolicy all UseESP but it seems not to work.
> 
> Second question is if it is possible to send Binding Update in IPsec
> tunnel mode not in transport mode.
> Best Regards Michal

-- 
Sebastien Decugis
http://www.nautilus6.org
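
What the TunnelPayload suggestion in the reply could look like when added to the configuration quoted above. This is an added example, not part of the original thread and not tested against the posters' setup. It assumes TunnelPayload accepts a reqid pair in the same form as the quoted TunnelHomeTesting line; SPIs 2006/2007 and reqids 7/8 are constructed values that continue the poster's numbering, and the keys are the poster's test keys.

```conf
# --- additions to sa.conf (same layout as the quoted entries) ---
# 2003::1 is home address of MN, 2003::2 is address of HA
# SPIs 2006/2007 and reqids 7/8 are constructed for this example

# MN -> HA tunnel SA for payload traffic
add 2003:0:0:0::1 2003:0:0:0::2 esp 2006
        -u 7
        -m tunnel
        -E des-cbc "my_key_1"
        -A hmac-sha1 "this is the test key" ;

# HA -> MN tunnel SA for payload traffic
add 2003:0:0:0::2 2003:0:0:0::1 esp 2007
        -u 8
        -m tunnel
        -E des-cbc "my_key_1"
        -A hmac-sha1 "this is the test key" ;

# --- addition to the IPsec part of mip6d.conf ---
# Existing lines from the quoted message, unchanged:
    IPsecPolicy HomeRegBinding UseESP 1 2;
    IPsecPolicy MobPfxDisc UseESP 3;
    IPsecPolicy TunnelHomeTesting UseESP 5 6;
# New line: protect tunnelled payload packets with the SA pair above
# (assumed to take reqids the same way as TunnelHomeTesting)
    IPsecPolicy TunnelPayload UseESP 7 8;
```

After reloading both files, a capture on the MN-HA link should show the tunnelled data packets as ESP rather than plain IPv6-in-IPv6 if the policy is taking effect.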