- changed the config format for mip6makeconfig.sh.

- transport parameters and tunnel parameters must be defined separately. - uses unique id to avoid unintended updating of SA values.
kame · Jan 31, 2003 · d80814f · d80814f
1 parent 019a7f0
commit d80814f
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 21 deletions.
diff --git a/kame/kame/mip6control/config b/kame/kame/mip6control/config
@@ -1,12 +1,31 @@
 #
 # a sample config file for mip6makeconfig.sh
 #
-# this file must be placed in /usr/local/v6/etc/mobileip6/xxxxx where
-# xxxxx is 5 digits.
+# this file must be placed in /usr/local/v6/etc/mobileip6/nodename where
+# nodename is a arbitrary name of a mobile node.
+#
+
+#
+# set proper addresses for both a mobile node and a home agent.
 #
 mobile_node=2001:200:0:0:201:11ff:fe54:4fde
 home_agent=2001:200:0:0:201:11ff:fe54:5ffc
-spi_mn_to_ha=2000
-spi_ha_to_mn=2001
-algorithm=blowfish-cbc
-secret="THIS_IS_MY_SECRET!!!"
+
+#
+# parameters for the IPsec transport mode to protect home (de)registration.
+#
+transport_spi_mn_to_ha=2000
+transport_spi_ha_to_mn=2001
+transport_protocol=ah
+transport_algorithm=hmac-sha1
+transport_secret="THIS_IS_AH_SECRET!!!"
+
+#
+# parameters for the IPsec tunnel mode to protect RR signals.
+#
+tunnel_spi_mn_to_ha=2002
+tunnel_spi_ha_to_mn=2003
+tunnel_uid_mn_to_ha=2002
+tunnel_uid_ha_to_mn=2003
+tunnel_algorithm=blowfish-cbc
+tunnel_secret="THIS_IS_ESP_SECRET!!"
diff --git a/kame/kame/mip6control/mip6makeconfig.sh b/kame/kame/mip6control/mip6makeconfig.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $Id: mip6makeconfig.sh,v 1.2 2002/12/04 05:39:05 keiichi Exp $
+# $Id: mip6makeconfig.sh,v 1.3 2003/01/31 10:19:46 keiichi Exp $
 
 cat=/bin/cat
 basename=/usr/bin/basename
@@ -12,6 +12,8 @@ if [ -r /etc/rc.conf ]; then
 	. /etc/rc.conf
 fi
 
+ipv6_mobile_config_dir=${ipv6_mobile_config_dir:-/usr/local/v6/etc/mobileip6}
+
 if [ $# -ne 1 ]; then
 	${cat} <<EOF
 Usage: ${0} node_dir
@@ -24,8 +26,6 @@ EOF
 	exit 1
 fi
 
-ipv6_mobile_config_dir=${ipv6_mobile_config_dir:-/usr/local/v6/etc/mobileip6}
-
 #
 # check node_dir
 #
@@ -42,6 +42,15 @@ node_dir=${ipv6_mobile_config_dir}/${1}
 #
 . ${node_dir}/config
 
+#
+# set other auto configurable parameters
+#
+if [ "X${transport_protocol}" = "Xah" ]; then
+	transport_algoarg='-A'
+else
+	transport_algoarg='-E'
+fi
+
 #
 # write security association configuration files
 #
@@ -51,19 +60,37 @@ node_dir=${ipv6_mobile_config_dir}/${1}
 #
 ${cat} << EOF > ${node_dir}/add
 add ${mobile_node} ${home_agent}
-	esp ${spi_mn_to_ha} -E ${algorithm} "${secret}";
+	${transport_protocol} ${transport_spi_mn_to_ha}
+	-m transport
+	${transport_algoarg} ${transport_algorithm} "${transport_secret}";
+add ${home_agent} ${mobile_node}
+	${transport_protocol} ${transport_spi_ha_to_mn}
+	-m transport
+	${transport_algoarg} ${transport_algorithm} "${transport_secret}";
+add ${mobile_node} ${home_agent}
+	esp ${tunnel_spi_mn_to_ha}
+	-m tunnel
+	-u  ${tunnel_uid_mn_to_ha}
+	-E ${tunnel_algorithm} "${tunnel_secret}";
 add ${home_agent} ${mobile_node}
-	esp ${spi_ha_to_mn} -E ${algorithm} "${secret}";
+	esp ${tunnel_spi_ha_to_mn}
+	-m tunnel
+	-u ${tunnel_uid_ha_to_mn}
+	-E ${tunnel_algorithm} "${tunnel_secret}";
 EOF
 
 #
 # SA deletion
 #
 ${cat} << EOF > ${node_dir}/delete
 delete ${mobile_node} ${home_agent}
-	esp ${spi_mn_to_ha};
+	${transport_protocol} ${transport_spi_mn_to_ha};
+delete ${home_agent} ${mobile_node}
+	${transport_protocol} ${transport_spi_ha_to_mn};
+delete ${mobile_node} ${home_agent}
+	esp ${tunnel_spi_mn_to_ha};
 delete ${home_agent} ${mobile_node}
-	esp ${spi_ha_to_mn};
+	esp ${tunnel_spi_ha_to_mn};
 EOF
 
 #
@@ -76,10 +103,10 @@ EOF
 ${cat} <<EOF > ${node_dir}/spdadd_home_agent
 spdadd ${home_agent} ${mobile_node}
 	62 -P out ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 spdadd ${mobile_node} ${home_agent}
 	62 -P in ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 EOF
 
 #
@@ -98,10 +125,10 @@ EOF
 ${cat} <<EOF >> ${node_dir}/spdadd_home_agent
 spdadd ::/0 ${mobile_node}
 	62 -P out ipsec
-	esp/tunnel/${home_agent}-${mobile_node}/require;
+	esp/tunnel/${home_agent}-${mobile_node}/unique:${tunnel_uid_ha_to_mn};
 spdadd ${mobile_node} ::/0
 	62 -P in ipsec
-	esp/tunnel/${mobile_node}-${home_agent}/require;
+	esp/tunnel/${mobile_node}-${home_agent}/unique:${tunnel_uid_mn_to_ha};
 EOF
 
 #
@@ -120,10 +147,10 @@ EOF
 ${cat} <<EOF > ${node_dir}/spdadd_mobile_node
 spdadd ${mobile_node} ${home_agent}
 	62 -P out ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 spdadd ${home_agent} ${mobile_node}
 	62 -P in ipsec
-	esp/transport//require;
+	${transport_protocol}/transport//require;
 EOF
 
 #
@@ -142,10 +169,10 @@ EOF
 ${cat} <<EOF >> ${node_dir}/spdadd_mobile_node
 spdadd ${mobile_node} ::/0
 	62 -P out ipsec
-	esp/tunnel/${mobile_node}-${home_agent}/require;
+	esp/tunnel/${mobile_node}-${home_agent}/unique:${tunnel_uid_mn_to_ha};
 spdadd ::/0 ${mobile_node}
 	62 -P in ipsec
-	esp/tunnel/${home_agent}-${mobile_node}/use;
+	esp/tunnel/${home_agent}-${mobile_node}/unique:${tunnel_uid_ha_to_mn};
 EOF
 
 #