Chapter 24 Administering Mobile IP (Task)
This chapter provides procedures for modifying, adding,
deleting, and displaying parameters in the Mobile IP configuration file. This
chapter also shows you how to display mobility agent status.
This chapter contains the following information:
Configuring the Mobile IP Configuration File
When you configure the mipagent.conf file for the first time, you need to perform
the following tasks:
- Depending on the requirements of your organization's hosts, determine
  what functionality your Mobile IP agent can provide:
  - Foreign agent functionality only
  - Home agent functionality only
  - Both foreign and home agent functionality
- Create the /etc/inet/mipagent.conf file and enter the settings you require by using the procedures
  that are described in this section. You can also copy one of the following
  files to /etc/inet/mipagent.conf and modify it according
  to your requirements:
  - For foreign agent functionality, copy /etc/inet/mipagent.conf.fa-sample.
  - For home agent functionality, copy /etc/inet/mipagent.conf.ha-sample.
  - For both foreign agent and home agent functionality, copy /etc/inet/mipagent.conf-sample.
- You can reboot your system to invoke the boot script that
  starts the mipagent daemon. You can also start mipagent by typing the following command on a command line:
  # /etc/inet.d/mipagent start
Configuring the Mobile IP Configuration File Task Map
The following table provides a brief description of the tasks that are
described in this section.
Table 24–1 Configuring the Mobile IP Configuration File Task Map
How to Create the Mobile IP Configuration File
- Become superuser on the system where you want to enable Mobile IP.
- Depending on your preference, do one of the following substeps.
  - In the /etc/inet directory, create an empty file named mipagent.conf.
  - From the following list, copy the sample file that provides
    the functionality you want to the file /etc/inet/mipagent.conf.
    - /etc/inet/mipagent.conf.fa-sample
    - /etc/inet/mipagent.conf.ha-sample
    - /etc/inet/mipagent.conf-sample
- Add or change configuration parameters in the /etc/inet/mipagent.conf file to conform to your configuration requirements. The remaining
  procedures in this section describe the steps that you perform.
How to Configure the General Section
If you copied one of the sample files, you can
omit this procedure because the sample file contains this entry.
Edit the /etc/inet/mipagent.conf file and add the
following lines.
Note – The /etc/inet/mipagent.conf file must contain the preceding entry.
General Section provides descriptions of the labels
and values that are used in this section.
How to Configure the Advertisements Section
Edit the /etc/inet/mipagent.conf file and add or
change the following lines by using the values that are required for your
configuration.
[Advertisements Interface-name]
HomeAgent = <yes/no>
ForeignAgent = <yes/no>
PrefixFlags = <yes/no>
AdvertiseOnBcast = <yes/no>
RegLifetime = n
AdvLifetime = n
AdvFrequency = n
ReverseTunnel = <yes/no/FA/HA/both>
ReverseTunnelRequired = <yes/no/FA/HA>
Note – You must include a different Advertisements section for each interface on the local host that provides Mobile IP services.
Advertisements Section provides descriptions of the labels
and values that are used in this section.
How to Configure the GlobalSecurityParameters Section
Edit the /etc/inet/mipagent.conf file and add or
change the following lines by using the values that are required for your
configuration.
[GlobalSecurityParameters]
MaxClockSkew = n
HA-FAauth = <yes/no>
MN-FAauth = <yes/no>
Challenge = <yes/no>
KeyDistribution = files
GlobalSecurityParameters Section provides descriptions of the labels
and values that are used in this section.
How to Configure the Pool Section
Edit the /etc/inet/mipagent.conf file and add or
change the following lines by using the values that are required for your
configuration.
[Pool Pool-identifier]
BaseAddress = IP-address
Size = size
Pool Section provides descriptions of the labels
and values that are used in this section.
How to Configure the SPI Section
Edit the /etc/inet/mipagent.conf file and add or
change the following lines by using the values that are required for your
configuration.
[SPI SPI-identifier]
ReplayMethod = <none/timestamps>
Key = key
Note – You must include a different SPI section for each security context that is deployed.
SPI Section provides descriptions of the labels
and values that are used in this section.
How to Configure the Address Section
Edit the /etc/inet/mipagent.conf file and add or
change the following lines by using the values that are required for your
configuration.
- For a mobile node, use the following:
[Address address]
Type = node
SPI = SPI-identifier
- For an agent, use the following:
[Address address]
Type = agent
SPI = SPI-identifier
IPsecRequest = action {properties} [: action {properties}]
IPsecReply = action {properties} [: action {properties}]
IPsecTunnel = action {properties} [: action {properties}]
action and {properties} are any action and associated properties that are
defined in the ipsec(7P) man page.
Note – The SPI that you configured in the preceding SPI section corresponds
to the MD5 protection mechanism that is required by RFC 2002. It does not
correspond to the SPI that is used by IPsec.
For more information about IPsec, see Chapter 19, IPsec (Overview) and Chapter 20, Administering IPsec (Task). Also see the ipsec(7P) man page.
- For a mobile node that is identified by its NAI, use the following:
[Address NAI]
Type = Node
SPI = SPI-identifier
Pool = Pool-identifier
- For a default mobile node, use the following:
[Address Node-Default]
Type = Node
SPI = SPI-identifier
Pool = Pool-identifier
Address Section provides descriptions of the labels
and values that are used in this section.
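A lint pass over a file in the layout described above, as an added example (not code from this documentation or from the Mobile IP tooling): it reports duplicate sections (which this chapter says not to create), GlobalSecurityParameters labels set to no, SPI sections with ReplayMethod = none or a low-variety key, and Address sections whose SPI has no matching SPI section. The '#' comment handling, the key heuristic, and the sample file are assumptions constructed for illustration.

```python
# Constructed sample in the section/label layout shown on this page.
SAMPLE = """\
[GlobalSecurityParameters]
HA-FAauth = no
Challenge = yes
[SPI 257]
ReplayMethod = none
Key = 11111111111111111111111111111111
[SPI 258]
ReplayMethod = timestamps
Key = 5af2aee39ff0b332
[Address 10.1.1.1]
Type = agent
SPI = 259
[Address node-default]
Type = node
SPI = 258
[SPI 258]
ReplayMethod = timestamps
"""

def parse(text):
    """Return [(header, {label: value})] in file order; labels are lowercased."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if line.startswith("[") and line.endswith("]") and line[1:-1].strip():
            sections.append((" ".join(line[1:-1].split()), {}))
        elif "=" in line and sections:
            label, value = line.split("=", 1)
            sections[-1][1][label.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return findings in file order for the checks listed in the lead-in."""
    sections, findings, seen = parse(text), [], set()
    spis = {h.split()[1] for h, _ in sections if h.lower().startswith("spi ")}
    for header, body in sections:
        kind = header.split()[0].lower()
        if header.lower() in seen:
            findings.append(f"duplicate section [{header}]")
        seen.add(header.lower())
        if kind == "globalsecurityparameters":
            for label in ("HA-FAauth", "MN-FAauth", "Challenge"):
                if body.get(label.lower(), "").lower() == "no":
                    findings.append(f"{label} = no")
        elif kind == "spi":
            if body.get("replaymethod", "").lower() == "none":
                findings.append(f"[{header}] has no replay protection")
            # Heuristic (assumption): under 4 distinct characters is a filler key.
            if "key" in body and len(set(body["key"].lower())) < 4:
                findings.append(f"[{header}] key looks like a placeholder")
        elif kind == "address" and "spi" in body and body["spi"] not in spis:
            findings.append(f"[{header}] references undefined SPI {body['spi']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a live file, pass the contents of /etc/inet/mipagent.conf to audit() instead of SAMPLE.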
Modifying the Mobile IP Configuration File
This section shows
you how to modify the Mobile IP configuration file by using the mipagentconfig(1M) command. The section also shows you how to display the current settings
of parameter destinations.
Configuring the Mobility IP Agent provides a conceptual description of
the mipagentconfig(1M) command's usage. You can also review
the mipagentconfig(1M) man page.
Modifying the Mobile IP Configuration File Task Map
Table 24–2 Modifying the Mobile IP Configuration File Task Map
| Task | Description | For Instructions, Go to ... |
|---|---|---|
| Modifying the General section | Uses the mipagentconfig change command to change the value of a label in the General section of the Mobile IP configuration file | How to Modify the General Section |
| Modifying the Advertisements section | Uses the mipagentconfig change command to change the value of a label in the Advertisements section of the Mobile IP configuration file | How to Modify the Advertisements Section |
| Modifying the GlobalSecurityParameters section | Uses the mipagentconfig change command to change the value of a label in the GlobalSecurityParameters section of the Mobile IP configuration file | How to Modify the GlobalSecurityParameters Section |
| Modifying the Pool section | Uses the mipagentconfig change command to change the value of a label in the Pool section of the Mobile IP configuration file | How to Modify the Pool Section |
| Modifying the SPI section | Uses the mipagentconfig change command to change the value of a label in the SPI section of the Mobile IP configuration file | How to Modify the SPI Section |
| Modifying the Address section | Uses the mipagentconfig change command to change the value of a label in the Address section of the Mobile IP configuration file | How to Modify the Address Section |
| Adding or deleting parameters | Uses the mipagentconfig add or delete commands to add new parameters, labels, and values or to delete existing ones in any of the sections of the Mobile IP configuration file | How to Add or Delete Configuration File Parameters |
| Displaying the current settings of parameter destinations | Uses the mipagentconfig get command to display current settings of any section of the Mobile IP configuration file | How to Display Current Parameter Settings in the Configuration File |
How to Modify the General Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the General section.
# mipagentconfig change <label> <value>
The following example shows how you might change the version number (in the
future) in the configuration file's General section.
Example 24–1 Changing Parameters in the General Section
# mipagentconfig change version 2
How to Modify the Advertisements Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the Advertisements section.
# mipagentconfig change adv device-name <label> <value>
For example, if you are changing the agent's advertised lifetime to
300 seconds for device le0, use the following command.
# mipagentconfig change adv le0 AdvLifetime 300
The following example shows how you might change other parameters in
the configuration file's Advertisements section.
Example 24–2 Changing Parameters in the Advertisements Section
# mipagentconfig change adv le0 HomeAgent yes
# mipagentconfig change adv le0 ForeignAgent no
# mipagentconfig change adv le0 PrefixFlags no
# mipagentconfig change adv le0 RegLifetime 300
# mipagentconfig change adv le0 AdvFrequency 4
# mipagentconfig change adv le0 ReverseTunnel yes
How to Modify the GlobalSecurityParameters Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the GlobalSecurityParameters section.
# mipagentconfig change <label> <value>
For example, if you are enabling home agent and foreign agent
authentication, use the following command.
# mipagentconfig change HA-FAauth yes
The following example shows how you might change other parameters in
the configuration file's GlobalSecurityParameters section.
Example 24–3 Changing Parameters in the GlobalSecurityParameters Section
# mipagentconfig change MaxClockSkew 200
# mipagentconfig change MN-FAauth yes
# mipagentconfig change Challenge yes
# mipagentconfig change KeyDistribution files
How to Modify the Pool Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the Pool section.
# mipagentconfig change Pool Pool-identifier <label> <value>
For example, if you are changing the base address of Pool 10 to 192.168.1.1 and its size to 100,
use the following commands.
Example 24–4 Changing Parameters in the Pool Section
# mipagentconfig change Pool 10 BaseAddress 192.168.1.1
# mipagentconfig change Pool 10 Size 100
How to Modify the SPI Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the SPI section.
# mipagentconfig change SPI SPI-identifier <label> <value>
For example, if you are changing the key for SPI 257
to 5af2aee39ff0b332, use the following command.
# mipagentconfig change SPI 257 Key 5af2aee39ff0b332
The following example shows how to change the ReplayMethod label in the
configuration file's SPI section.
Example 24–5 Changing Parameters in the SPI Section
# mipagentconfig change SPI 257 ReplayMethod timestamps
How to Modify the Address Section
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the following command for each label that you
want to modify in the Address section.
# mipagentconfig change addr [NAI | IPaddr | node-default] <label> <value>
See Address Section for a description of the three configuration
methods (NAI, IP address, and node-default).
For example, if you are changing the SPI of IP address 10.1.1.1 to 258, use the following command.
# mipagentconfig change addr 10.1.1.1 SPI 258
The following example shows how you can change other parameters that
are provided in the sample configuration file's Address section.
Example 24–6 Changing Parameters in the Address Section
# mipagentconfig change addr 10.1.1.1 Type agent
# mipagentconfig change addr 10.1.1.1 SPI 259
# mipagentconfig change addr mobilenode@abc.com Type node
# mipagentconfig change addr mobilenode@abc.com SPI 258
# mipagentconfig change addr mobilenode@abc.com Pool 2
# mipagentconfig change addr node-default SPI 259
# mipagentconfig change addr node-default Pool 3
# mipagentconfig change addr 10.68.30.36 Type agent
# mipagentconfig change addr 10.68.30.36 SPI 260
# mipagentconfig change addr 10.68.30.36 IPsecRequest apply {auth_algs md5 sa shared}
How to Add or Delete Configuration File Parameters
- Become superuser on the system where you want to enable Mobile IP.
- On a command line, type the appropriate command for each label that
you want to add or delete for the designated section.
For the General section use the following:
# mipagentconfig [add | delete] <label> <value>
For the Advertisements section use the following:
# mipagentconfig [add | delete] adv device-name <label> <value>
Note – You can add an interface by typing the following:
# mipagentconfig add adv device-name
In this instance, default values are assigned to the interface (for
both foreign agent and home agent).
For the GlobalSecurityParameters section use the following:
# mipagentconfig [add | delete] <label> <value>
For the Pool section use the following:
# mipagentconfig [add | delete] Pool Pool-identifier <label> <value>
For the SPI section use the following:
# mipagentconfig [add | delete] SPI SPI-identifier <label> <value>
For the Address section use the following:
# mipagentconfig [add | delete] addr [NAI | IPaddr | node-default] \
<label> <value>
Note – Do not create identical Advertisements, Pool, SPI, and Address sections.
For example, to create a new address pool, Pool 11, that has a base
address of 192.167.1.1 and a size of 100,
use the following commands.
Example 24–7 Adding a New Pool and Parameters
# mipagentconfig add Pool 11 BaseAddress 192.167.1.1
# mipagentconfig add Pool 11 size 100
Or you might want to delete a particular security parameter. The following
example shows you how to delete SPI 257.
Example 24–8 Deleting an SPI
# mipagentconfig delete SPI 257
How to Display Current Parameter Settings in the Configuration File
You can use the mipagentconfig get command to display current
settings that are associated with parameter destinations.
- Become superuser on the system where you are enabling Mobile IP.
- On a command line, type the following command for each parameter for
which you want to display settings.
# mipagentconfig get [<parameter> | <label>]
For example, if you are displaying the advertisement settings for the le0 device, use the following command.
# mipagentconfig get adv le0
This command causes the following results to be displayed (for example).
[Advertisements le0]
HomeAgent = yes
ForeignAgent = yes
The following example shows the results of using the mipagentconfig get command with other parameter destinations.
Example 24–9 Using the mipagentconfig get Command
# mipagentconfig get MaxClockSkew
[GlobalSecurityParameters]
MaxClockSkew=300
# mipagentconfig get HA-FAauth
[GlobalSecurityParameters]
HA-FAauth=no
# mipagentconfig get MN-FAauth
[GlobalSecurityParameters]
MN-FAauth=no
# mipagentconfig get Challenge
[GlobalSecurityParameters]
Challenge=no
# mipagentconfig get Pool 10
[Pool 10]
BaseAddress=192.168.1.1
Size=100
# mipagentconfig get SPI 257
[SPI 257]
Key=11111111111111111111111111111111
ReplayMethod=none
# mipagentconfig get SPI 258
[SPI 258]
Key=15111111111111111111111111111111
ReplayMethod=none
# mipagentconfig get addr 10.1.1.1
[Address 10.1.1.1]
SPI=258
Type=agent
# mipagentconfig get addr 192.168.1.200
[Address 192.168.1.200]
SPI=257
Type=node
# mipagentconfig get addr 10.1.1.1
[Address 10.1.1.1]
Type=agent
SPI=258
IPsecRequest = apply {auth_algs md5 sa shared}
IPsecReply = permit {auth_algs md5}
IPsecTunnel = apply {encr_algs 3des sa shared}
Displaying Mobility Agent Status
You can use the mipagentstat command to display a
foreign agent's visitors list and a home agent's binding
table. Mobile IP Mobility Agent Status provides a conceptual
description of the mipagentstat command. You can also review
the mipagentstat(1M) man page.
How to Display Mobility Agent Status
- Become superuser on the system where you are enabling Mobile IP.
- On a command line, type the following command.
You can use the following options:
-f    Shows the list of active mobile nodes in the foreign agent's visitor list
-h    Shows the list of active mobile nodes in the home agent's binding table
-p    Shows the list of security associations with an agent's mobility agent peers
For example, to show the visitor list for all mobile nodes that are
registered with the foreign agent, use the following command.
This command causes the following results to be displayed (for example).
Mobile Node      Home Agent      Time (s)      Time (s)   Flags
                                 Granted       Remaining
---------------  --------------  ------------  ---------  -----
foobar.xyz.com   ha1.xyz.com     600           125        .....T.
10.1.5.23        10.1.5.1        1000          10         .....T.
To show the foreign agent security associations,
use the following command.
This command causes the following results to be displayed (for example).
Foreign                  ..... Security Association(s).....
Agent                    Requests  Replies   FTunnel   RTunnel
----------------------   --------  --------  --------  --------
forn-agent.eng.sun.com   AH        AH        ESP       ESP
To show the home agent security associations, use the following command.
This command causes the following results to be displayed (for example).
Home                     ..... Security Association(s) .....
Agent                    Requests  Replies   FTunnel   RTunnel
----------------------   --------  --------  --------  --------
home-agent.eng.sun.com   AH        AH        ESP       ESP
ha1.xyz.com              AH,ESP    AH        AH,ESP    AH,ESP
Displaying Mobility Routes on a Foreign Agent
You can use the netstat command to display additional
information about source-specific routes that are created by forward and reverse
tunnels. See the netstat(1M) man page for
more information about this command.
How to Display Mobility Routes on a Foreign Agent
- Become superuser on the system where you are enabling Mobile IP.
- On a command line, type the following command.
The following example shows the routes for a foreign agent that uses
a reverse tunnel.
Routing Table: IPv4 Source-Specific
Destination      In If    Source        Gateway     Flags  Use   Out If
--------------   -------  ------------  ----------  -----  ----  -------
10.6.32.11       ip.tun1  --            10.6.32.97  UH     0     hme1
--               hme1     10.6.32.11    --          U      0     ip.tun1
The first line indicates that the destination IP address 10.6.32.11 and the incoming interface ip.tun1 select hme1 as the interface that forwards the packets. The next line indicates
that any packet originating from interface hme1 and source
address 10.6.32.11 must be forwarded to ip.tun1. This is an example of a reverse-tunnel route.