Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 15 Configuring Proxy Mobile IP
Configuring Proxy Mobile IP
Typically, the visiting client sends packets as it normally would. The access point intercepts these
packets and sends them to the foreign agent, which routes them to their final destination, the
correspondent node.
GRE Encapsulation
Instead of IPinIP encapsulation, you can select GRE encapsulation. Use the ip proxy-mobile tunnel gre
command to select GRE encapsulation.
Reverse Tunnels
Forward tunnels carry packets destined to the mobile node from the home network to the foreign
network. You can also set up a reverse tunnel. A reverse tunnel carries packets between the home
network and the foreign network, but it tunnels packets from the mobile node instead of packets to the
mobile node. Therefore, instead of the foreign agent routing the packets from the mobile node normally,
the foreign agent sends packets from the mobile node back to the home agent through the reverse tunnel.
The home agent on the mobile node’s home subnet routes the packets normally. Use the ip proxy-mobile
tunnel reverse command to configure a reverse tunnel.
Proxy Mobile IP Security
Mobile IP uses a strong authentication scheme to protect communications to and from visiting clients.
All registration messages between a visiting client and the home agent must contain the Mobile-Home
Authentication Extension (MHAE). Proxy Mobile IP also implements this requirement in the
registration messages sent by the access point on behalf of the visiting clients to the home agent.
The integrity of the registration messages is protected by a 128-bit key shared between the access point
(on behalf of the visiting client) and the home agent. You can enter the shared key on the access point or
on a RADIUS server.
The keyed message digest algorithm 5 (MD5) in prefix+suffix mode is used to compute the authenticator
value in the appended MHAE. Mobile IP and proxy Mobile IP also support the hash-based message
authentication code (HMAC-MD5). The receiver compares the authenticator value it computes over the
message with the value in the extension to verify the authenticity.
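The following added example (not code from the Cisco guide or from IOS) shows how a sender computes the MHAE authenticator in both modes and how a receiver verifies it. The function names, key, SPI and message bytes are constructed for illustration; the extension layout (type 32, length, SPI, authenticator) follows RFC 3344, and the MHAE is assumed to be the last extension in the packet.

```python
import hashlib
import hmac
import struct

MHAE_TYPE = 32  # Mobile-Home Authentication Extension type (RFC 3344)

def authenticator(key: bytes, protected: bytes, mode: str) -> bytes:
    """Return the 16-byte MD5 authenticator over the protected bytes."""
    if len(key) != 16:
        raise ValueError("shared key must be 128 bits")
    if mode == "prefix-suffix":
        # Keyed MD5, prefix+suffix mode: MD5(key || data || key)
        return hashlib.md5(key + protected + key).digest()
    if mode == "hmac-md5":
        return hmac.new(key, protected, hashlib.md5).digest()
    raise ValueError("unknown mode: " + mode)

def append_mhae(key: bytes, spi: int, message: bytes, mode: str) -> bytes:
    """Append an MHAE to a registration message (sender side)."""
    # The digest covers the message plus this extension's type, length, SPI.
    header = struct.pack("!BBI", MHAE_TYPE, 4 + 16, spi)
    return message + header + authenticator(key, message + header, mode)

def verify_mhae(key: bytes, packet: bytes, mode: str) -> bool:
    """Recompute the authenticator and compare it (receiver side)."""
    if len(packet) < 22:
        return False
    protected, received = packet[:-16], packet[-16:]
    ext_type, ext_len, _spi = struct.unpack("!BBI", protected[-6:])
    if ext_type != MHAE_TYPE or ext_len != 20:
        return False
    expected = authenticator(key, protected, mode)
    return hmac.compare_digest(expected, received)  # constant-time compare

# Constructed sample values, not from the guide.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SPI = 0x100
REQUEST = b"constructed-registration-request"

if __name__ == "__main__":
    for mode in ("prefix-suffix", "hmac-md5"):
        pkt = append_mhae(KEY, SPI, REQUEST, mode)
        tampered = bytes([pkt[0] ^ 1]) + pkt[1:]
        print(mode, verify_mhae(KEY, pkt, mode), verify_mhae(KEY, tampered, mode))
```

A message altered in transit, a wrong key, or a mode mismatch between the two ends all cause verification to fail, which is why the key and algorithm must match on the access point (or RADIUS server) and the home agent.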
Optionally, the Mobile-Foreign Authentication Extension and the Foreign-Home Authentication
Extension are appended to protect message exchanges between a visiting client and foreign agent and
between a foreign agent and home agent, respectively.
Replay protection uses the identification field in the registration messages as a timestamp and sequence
number. The home agent returns its timestamp to synchronize the visiting client for registration. In
proxy Mobile IP, the visiting clients are not synchronized to their home agents because the access point
intercepts all home agent messages.
Configuring Proxy Mobile IP
These sections describe how to configure proxy Mobile IP:
• Configuration Guidelines
• Configuring Proxy Mobile IP on Your Wired LAN
• Configuring Proxy Mobile IP on Your Access Point