HP-UX IPSec version A.02.00 Administrator's Guide
HP-UX IPSec and HP-UX Mobile IPv6
Chapter 7, page 222
Step 4: (Optional) Securing Payload Packets Routed Through the Home Agent
RFC 3776 specifies that you may use IPSec to secure data (payload)
packets between Mobile Nodes and Correspondent Nodes when these
packets are forwarded through the Home Agent (this is the data path for
Basic Operation, used when Route Optimization is not established).
RFC 3776 also specifies that if the Home Agent supports stateful address
autoconfiguration (such as DHCPv6) for the Mobile Nodes, or supports
multicast group membership control protocols, the IPSec
implementation must support payload protection, but using it is not
mandatory.
To secure payload packets between Mobile Nodes and Correspondent
Nodes that are forwarded through the Home Agent, use the following
procedure to configure three IPSec policies on the Home Agent for each
Mobile Node:
Step 4A: Configure a gateway IPSec policy for the data path segments
between the Home Agent and the Correspondent Node.
Step 4B: Configure a gateway IPSec policy for the data path segments
between the Home Agent and the Mobile Node.
Step 4C: Configure a tunnel IPSec policy for the data path segments
between the Home Agent and the Mobile Node.
Step 4A: Payload Packets: Configuring the Gateway IPSec Policy for Home Agent - Correspondent Node Segments
The first gateway IPSec policy is for the clear text data path segments,
which are between the Home Agent and the Correspondent Node. The
source and destination address specifications are relative to the packets
forwarded by the local node, which is the Home Agent: the source is the
Mobile Node’s home address and the destination is the Correspondent
Node address (or an IPv6 wildcard address). This is similar to the policy
configured in “Step 2A: Return Routability Messages: Configuring the
Gateway IPSec Policy for Home Agent - Correspondent Node Segments”
on page 215, with the following differences: