HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec and HP-UX Mobile IPv6
Mobile IPv6 Dynamic Key Configuration Example
Appendix F, page 320
2001:db8:11:11::/64
The tunnel policies do not explicitly specify a destination tunnel
endpoint (the -tdestination parameter is omitted). Instead, the
example specifies the Mobile Nodes’ subnet address and prefix for
the end destination (-destination 2001:db8:11:11::/64). At run
time, the destination tunnel endpoint inherits the address from the
actual end destination address when the tunnel is created.
The dynamic key configuration requires an IKE policy for the Mobile
Nodes. This example uses one IKE policy for both Mobile Nodes.
The dynamic key configuration requires one authentication record
for each Mobile Node. Each authentication record must meet the
following requirements:
The remote address (-remote) specifies the Mobile Node's home address.
The remote ID (-rid) uniquely identifies the Mobile Node and cannot be the Mobile Node's home address. This example uses user FQDNs for remote IDs (-rtype USER-FQDN).
The exchange mode is Aggressive Mode (-exchange AM).
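The three requirements above are easy to get wrong when a batch file contains one authentication record per Mobile Node, so a small lint pass over the batch before loading it is worthwhile. The following checker is an added example and is not part of the HP-UX guide or the ipsec_config tool: it parses constructed "add auth" lines written in the backslash-continued style the appendix uses, with only the parameter names the text quotes (-remote, -rid, -rtype, -exchange), and reports each record that violates a requirement. The record names, the remote IDs and the "add auth" line layout are assumptions made for this example; the Mobile Node subnet is the one used in the appendix.

```python
"""Lint Mobile IPv6 authentication records against the appendix's three rules.

Added example, not code from the HP-UX IPSec guide. The "add auth NAME -flag
value ..." line layout and the record names are assumptions; the parameter
names are the ones the appendix quotes.
"""
import ipaddress
import shlex

# Mobile Node home subnet from the appendix (-destination 2001:db8:11:11::/64).
MN_HOME_SUBNET = ipaddress.ip_network("2001:db8:11:11::/64")

# Constructed sample batch: two records that meet the rules, two that do not.
SAMPLE_AUTH_RECORDS = """\
add auth mn1_auth \\
    -remote 2001:db8:11:11::1 \\
    -rid mn1@example.com -rtype USER-FQDN \\
    -exchange AM
add auth mn2_auth \\
    -remote 2001:db8:11:11::2 \\
    -rid mn2@example.com -rtype USER-FQDN \\
    -exchange AM
# Wrong: the remote ID repeats the home address.
add auth bad_rid \\
    -remote 2001:db8:11:11::3 \\
    -rid 2001:db8:11:11::3 -rtype USER-FQDN \\
    -exchange AM
# Wrong: remote address outside the Mobile Node subnet, and Main Mode.
add auth bad_mode \\
    -remote 2001:db8:22::3 \\
    -rid mn4@example.com -rtype USER-FQDN \\
    -exchange MM
"""


def parse_record(line):
    """Turn one 'add auth NAME -flag value ...' line into a dict."""
    tokens = shlex.split(line)
    if tokens[:2] != ["add", "auth"] or len(tokens) < 3:
        raise ValueError(f"not an auth record: {line!r}")
    rec = {"name": tokens[2]}
    args = tokens[3:]
    # Flags come in "-flag value" pairs; strip the leading dash for the key.
    for flag, value in zip(args[::2], args[1::2]):
        rec[flag.lstrip("-")] = value
    return rec


def check_record(rec):
    """Return the list of requirement violations; an empty list means OK."""
    problems = []
    remote = None
    try:
        remote = ipaddress.ip_address(rec.get("remote", ""))
        if remote not in MN_HOME_SUBNET:
            problems.append(f"remote {remote} is outside {MN_HOME_SUBNET}")
    except ValueError:
        problems.append("remote is not a valid IPv6 address")

    rid = rec.get("rid")
    if not rid:
        problems.append("missing -rid")
    else:
        # The ID may be any identifier (this example uses USER-FQDNs);
        # the only rule is that it must not be the home address itself.
        try:
            if ipaddress.ip_address(rid) == remote:
                problems.append("rid equals the home address")
        except ValueError:
            pass  # not an address at all, which is fine

    exchange = rec.get("exchange")
    if exchange != "AM":
        problems.append(f"exchange mode is {exchange}, not AM")
    return problems


def lint(batch_text):
    """Map each record name to its list of violations."""
    # Join backslash-continued lines, then skip blanks and comments.
    joined = batch_text.replace("\\\n", " ")
    results = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        results[rec["name"]] = check_record(rec)
    return results


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_AUTH_RECORDS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run on the constructed batch, the checker accepts mn1_auth and mn2_auth, flags bad_rid for reusing the home address as its ID, and flags bad_mode twice (remote outside the subnet, exchange mode not AM).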
Host Policy for Binding Messages (Step 1)
add host mipv6_binding \
-source 2001:db8:11:11::fefe:1111 \        (Home Agent)
-destination 2001:db8:11:11::/64 \         (Mobile Node subnet addr.)
-proto MH -pri 200 -action ESP_AES128_HMAC_SHA1 \
-flags MIPV6
Policies for Return Routability Messages (Step 2)
There are two gateway policies and a tunnel policy for Return
Routability messages. You can skip this step if you are going to secure
payload packets routed through the Home Agent (Step 4).
Gateway IPsec Policy for Home Agent - Correspondent Node Segments (Step 2A)
You can omit this policy if you are using the default gateway IPsec
policy shipped with HP-UX IPSec.