From d80814ff01f2b0f3a6abbb827c37672898c0036e Mon Sep 17 00:00:00 2001
From: keiichi <keiichi>
Date: Fri, 31 Jan 2003 10:19:46 +0000
Subject: [PATCH] - changed the config format for mip6makeconfig.sh.   -
 transport parameters and tunnel parameters must be defined separately.   -
 uses unique id to avoid unintended updating of SA values.

---
 kame/kame/mip6control/config            | 31 +++++++++++---
 kame/kame/mip6control/mip6makeconfig.sh | 57 ++++++++++++++++++-------
 2 files changed, 67 insertions(+), 21 deletions(-)

diff --git a/kame/kame/mip6control/config b/kame/kame/mip6control/config
index 9c2c70c4b0..d8f0ab665f 100644
--- a/kame/kame/mip6control/config
+++ b/kame/kame/mip6control/config
@@ -1,12 +1,31 @@
 #
 # a sample config file for mip6makeconfig.sh
 #
-# this file must be placed in /usr/local/v6/etc/mobileip6/xxxxx where
-# xxxxx is 5 digits.
+# this file must be placed in /usr/local/v6/etc/mobileip6/nodename where
+# nodename is a arbitrary name of a mobile node.
+#
+
+#
+# set proper addresses for both a mobile node and a home agent.
 #
 mobile_node=2001:200:0:0:201:11ff:fe54:4fde
 home_agent=2001:200:0:0:201:11ff:fe54:5ffc
-spi_mn_to_ha=2000
-spi_ha_to_mn=2001
-algorithm=blowfish-cbc
-secret="THIS_IS_MY_SECRET!!!"
+
+#
+# parameters for the IPsec transport mode to protect home (de)registration.
+#
+transport_spi_mn_to_ha=2000
+transport_spi_ha_to_mn=2001
+transport_protocol=ah
+transport_algorithm=hmac-sha1
+transport_secret="THIS_IS_AH_SECRET!!!"
+
+#
+# parameters for the IPsec tunnel mode to protect RR signals.
+#
+tunnel_spi_mn_to_ha=2002
+tunnel_spi_ha_to_mn=2003
+tunnel_uid_mn_to_ha=2002
+tunnel_uid_ha_to_mn=2003
+tunnel_algorithm=blowfish-cbc
+tunnel_secret="THIS_IS_ESP_SECRET!!"
diff --git a/kame/kame/mip6control/mip6makeconfig.sh b/kame/kame/mip6control/mip6makeconfig.sh
index 0b0db0e546..53eef661d5 100755
--- a/kame/kame/mip6control/mip6makeconfig.sh
+++ b/kame/kame/mip6control/mip6makeconfig.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $Id: mip6makeconfig.sh,v 1.2 2002/12/04 05:39:05 keiichi Exp $
+# $Id: mip6makeconfig.sh,v 1.3 2003/01/31 10:19:46 keiichi Exp $
 
 cat=/bin/cat
 basename=/usr/bin/basename
@@ -12,6 +12,8 @@ if [ -r /etc/rc.conf ]; then
 	. /etc/rc.conf
 fi
 
+ipv6_mobile_config_dir=${ipv6_mobile_config_dir:-/usr/local/v6/etc/mobileip6}
+
 if [ $# -ne 1 ]; then
 	${cat} <<EOF
 Usage: ${0} node_dir
@@ -24,8 +26,6 @@ EOF
 	exit 1
 fi
 
-ipv6_mobile_config_dir=${ipv6_mobile_config_dir:-/usr/local/v6/etc/mobileip6}
-
 #
 # check node_dir
 #
@@ -42,6 +42,15 @@ node_dir=${ipv6_mobile_config_dir}/${1}
 #
 . ${node_dir}/config
 
+#
+# set other auto configurable parameters
+#
+if [ "X${transport_protocol}" = "Xah" ]; then
+	transport_algoarg='-A'
+else
+	transport_algoarg='-E'
+fi
+
 #
 # write security association configuration files
 #
@@ -51,9 +60,23 @@ node_dir=${ipv6_mobile_config_dir}/${1}
 #
 ${cat} << EOF > ${node_dir}/add
 add ${mobile_node} ${home_agent}
-	esp ${spi_mn_to_ha} -E ${algorithm} "${secret}";
+	${transport_protocol} ${transport_spi_mn_to_ha}
+	-m transport
+	${transport_algoarg} ${transport_algorithm} "${transport_secret}";
+add ${home_agent} ${mobile_node}
+	${transport_protocol} ${transport_spi_ha_to_mn}
+	-m transport
+	${transport_algoarg} ${transport_algorithm} "${transport_secret}";
+add ${mobile_node} ${home_agent}
+	esp ${tunnel_spi_mn_to_ha}
+	-m tunnel
+	-u  ${tunnel_uid_mn_to_ha}
+	-E ${tunnel_algorithm} "${tunnel_secret}";
 add ${home_agent} ${mobile_node}
-	esp ${spi_ha_to_mn} -E ${algorithm} "${secret}";
+	esp ${tunnel_spi_ha_to_mn}
+	-m tunnel
+	-u ${tunnel_uid_ha_to_mn}
+	-E ${tunnel_algorithm} "${tunnel_secret}";
 EOF
 
 #
@@ -61,9 +84,13 @@ EOF
 #
 ${cat} << EOF > ${node_dir}/delete
 delete ${mobile_node} ${home_agent}
-	esp ${spi_mn_to_ha};
+	${transport_protocol} ${transport_spi_mn_to_ha};
+delete ${home_agent} ${mobile_node}
+	${transport_protocol} ${transport_spi_ha_to_mn};
+delete ${mobile_node} ${home_agent}
+	esp ${tunnel_spi_mn_to_ha};
 delete ${home_agent} ${mobile_node}
-	esp ${spi_ha_to_mn};
+	esp ${tunnel_spi_ha_to_mn};
 EOF
 
 #
@@ -76,10 +103,10 @@ EOF
 ${cat} <<EOF > ${node_dir}/spdadd_home_agent
 spdadd ${home_agent} ${mobile_node}
 	62 -P out ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 spdadd ${mobile_node} ${home_agent}
 	62 -P in ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 EOF
 
 #
@@ -98,10 +125,10 @@ EOF
 ${cat} <<EOF >> ${node_dir}/spdadd_home_agent
 spdadd ::/0 ${mobile_node}
 	62 -P out ipsec
-	esp/tunnel/${home_agent}-${mobile_node}/require;
+	esp/tunnel/${home_agent}-${mobile_node}/unique:${tunnel_uid_ha_to_mn};
 spdadd ${mobile_node} ::/0
 	62 -P in ipsec
-	esp/tunnel/${mobile_node}-${home_agent}/require;
+	esp/tunnel/${mobile_node}-${home_agent}/unique:${tunnel_uid_mn_to_ha};
 EOF
 
 #
@@ -120,10 +147,10 @@ EOF
 ${cat} <<EOF > ${node_dir}/spdadd_mobile_node
 spdadd ${mobile_node} ${home_agent}
 	62 -P out ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 spdadd ${home_agent} ${mobile_node}
 	62 -P in ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 EOF
 
 #
@@ -142,10 +169,10 @@ EOF
 ${cat} <<EOF >> ${node_dir}/spdadd_mobile_node
 spdadd ${mobile_node} ::/0
 	62 -P out ipsec
-	esp/tunnel/${mobile_node}-${home_agent}/require;
+	esp/tunnel/${mobile_node}-${home_agent}/unique:${tunnel_uid_mn_to_ha};
 spdadd ::/0 ${mobile_node}
 	62 -P in ipsec
-	esp/tunnel/${home_agent}-${mobile_node}/use;
+	esp/tunnel/${home_agent}-${mobile_node}/unique:${tunnel_uid_ha_to_mn};
 EOF
 
 #