HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec and HP-UX Mobile IPv6
Step 4: (Optional) Securing Payload Packets Routed Through the Home Agent
Appendix F 301
RFC 3776 specifies that you may use IPsec to secure data (payload)
packets between Mobile Nodes and Correspondent Nodes when these
packets are forwarded through the Home Agent. This is the data path for
Basic Operation, used when Route Optimization is not established.
RFC 3776 also specifies that if the Home Agent supports stateful address
autoconfiguration (such as DHCPv6) for the Mobile Nodes, or supports
multicast group membership control protocols, the IPsec implementation
must support payload protection.
To secure payload packets between Mobile Nodes and Correspondent
Nodes that are forwarded through the Home Agent, use the following
procedure to configure three IPsec policies on the Home Agent for each
Mobile Node. If you are using IKE, you can configure one set of three
policies for a group of Mobile Nodes by specifying a subnet address and
prefix for the Mobile Node address.
Step 4A: Configure a gateway IPsec policy for the data path segments
between the Home Agent and the Correspondent Node.
Step 4B: Configure a gateway IPsec policy for the data path segments
between the Home Agent and the Mobile Node.
Step 4C: Configure a tunnel IPsec policy for the data path segments
between the Home Agent and the Mobile Node.
Step 4A: Payload Packets: Configuring the Home Agent - Correspondent Node Gateway IPsec Policy
The first gateway IPsec policy is for the clear text data path segments,
which are between the Home Agent and the Correspondent Node. The
source and destination address specifications are relative to the packets
forwarded by the local node, which is the Home Agent: the source is the
Mobile Node’s home address and the destination is the Correspondent
Node address (or an IPv6 wildcard address). This is similar to the policy
configured in “Step 2A: Return Routability Messages: Configuring the
Home Agent - Correspondent Node Gateway IPsec Policy” on page 293,
with the following differences: