System Administration Guide: IP Services

Chapter 28 Administering Mobile IP (Tasks)

This chapter provides procedures for modifying, adding, deleting, and displaying parameters in the Mobile IP configuration file. This chapter also shows you how to display mobility agent status.

For an introduction to Mobile IP, refer to Chapter 27, Mobile IP (Overview). For detailed information about Mobile IP, refer to Chapter 29, Mobile IP Files and Commands (Reference).


Note –

The Mobile IP feature is removed from Solaris 10 updates after Solaris 10 8/07.


Creating the Mobile IP Configuration File (Task Map)

Task | Description | For Instructions
Create the Mobile IP configuration file. | Involves creating the /etc/inet/mipagent.conf file or copying one of the sample files. | How to Create the Mobile IP Configuration File
Configure the General section. | Involves typing the version number into the General section of the Mobile IP configuration file. | How to Configure the General Section
Configure the Advertisements section. | Involves adding labels and values, or changing them, in the Advertisements section of the Mobile IP configuration file. | How to Configure the Advertisements Section
Configure the GlobalSecurityParameters section. | Involves adding labels and values, or changing them, in the GlobalSecurityParameters section of the Mobile IP configuration file. | How to Configure the GlobalSecurityParameters Section
Configure the Pool section. | Involves adding labels and values, or changing them, in the Pool section of the Mobile IP configuration file. | How to Configure the Pool Section
Configure the SPI section. | Involves adding labels and values, or changing them, in the SPI section of the Mobile IP configuration file. | How to Configure the SPI Section
Configure the Address section. | Involves adding labels and values, or changing them, in the Address section of the Mobile IP configuration file. | How to Configure the Address Section

Creating the Mobile IP Configuration File

This section explains how to plan for Mobile IP and create the /etc/inet/mipagent.conf file.

Procedure: How to Plan for Mobile IP

When you configure the mipagent.conf file for the first time, you need to perform the following tasks:

  1. Depending on your organization's requirements for its hosts, determine what functionality your Mobile IP agent can provide:

    • Foreign agent functionality only

    • Home agent functionality only

    • Both foreign agent and home agent functionality

  2. Create the /etc/inet/mipagent.conf file and specify the settings you require by using the procedures that are described in this section. You can also copy one of the following files to /etc/inet/mipagent.conf and modify it according to your requirements:

    • For foreign agent functionality, copy /etc/inet/mipagent.conf.fa-sample.

    • For home agent functionality, copy /etc/inet/mipagent.conf.ha-sample.

    • For both foreign agent and home agent functionality, copy /etc/inet/mipagent.conf-sample.

  3. Reboot your system to invoke the boot script that starts the mipagent daemon, or start mipagent directly by typing the following command:


    # /etc/inet.d/mipagent start

Procedure: How to Create the Mobile IP Configuration File

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Create the /etc/inet/mipagent.conf file by using one of the following options:

    • In the /etc/inet directory, create an empty file named mipagent.conf.

    • From the following list, copy the sample file that provides the functionality you want for the /etc/inet/mipagent.conf file.

      • /etc/inet/mipagent.conf.fa-sample

      • /etc/inet/mipagent.conf.ha-sample

      • /etc/inet/mipagent.conf-sample

  3. Add or change configuration parameters in the /etc/inet/mipagent.conf file to conform to your configuration requirements.

    The remaining procedures in this section describe the steps to modify sections in /etc/inet/mipagent.conf.

Procedure: How to Configure the General Section

If you copied one of the sample files in the /etc/inet directory, you can omit this procedure because the sample file contains this entry. General Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file and add the following lines:


    [General]
         Version = 1.0

    Note –

    The /etc/inet/mipagent.conf file must contain this entry.


Procedure: How to Configure the Advertisements Section

Advertisements Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file and add or change the following lines by using the values that are required for your configuration.


    [Advertisements interface]
         HomeAgent = <yes/no>
         ForeignAgent = <yes/no>
         PrefixFlags = <yes/no>
         AdvertiseOnBcast = <yes/no>
         RegLifetime = n
         AdvLifetime = n
         AdvFrequency = n
         ReverseTunnel = <yes/no/FA/HA/both>
         ReverseTunnelRequired = <yes/no/FA/HA>

    Note –

    You must include a different Advertisements section for each interface on the local host that provides Mobile IP services.


Procedure: How to Configure the GlobalSecurityParameters Section

GlobalSecurityParameters Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file and add or change the following lines by using the values that are required for your configuration:


    [GlobalSecurityParameters]
         MaxClockSkew = n
         HA-FAauth = <yes/no>
         MN-FAauth = <yes/no>
         Challenge = <yes/no>
         KeyDistribution = files

Procedure: How to Configure the Pool Section

Pool Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file.

  2. Add or change the following lines by using the values that are required for your configuration:


    [Pool pool-identifier]
         BaseAddress = IP-address
         Size = size
    

Procedure: How to Configure the SPI Section

SPI Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file.

  2. Add or change the following lines by using the values that are required for your configuration:


    [SPI SPI-identifier]
         ReplayMethod = <none/timestamps>
         Key = key
    

    Note –

    You must include a different SPI section for each security context that is deployed.


Procedure: How to Configure the Address Section

Address Section provides descriptions of the labels and values that are used in this section.

  1. Edit the /etc/inet/mipagent.conf file.

  2. Add or change the following lines by using the values that are required for your configuration:

    • For a mobile node, use the following:


      [Address address]
           Type = node
           SPI = SPI-identifier

    • For an agent, use the following:


      [Address address]
           Type = agent
           SPI = SPI-identifier

    • For a mobile node that is identified by its NAI, use the following:


      [Address NAI]
           Type = Node
           SPI = SPI-identifier
           Pool = pool-identifier

    • For a default mobile node, use the following:


      [Address Node-Default]
           Type = Node
           SPI = SPI-identifier
           Pool = pool-identifier
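
The sections built in the preceding procedures refer to each other: an Address section names an SPI section and, for some node types, a Pool section. The following Python check is an added example, not part of the original guide or of the Solaris software; it parses a constructed mipagent.conf and reports a missing Version entry, sections defined more than once, Address entries that name an undefined SPI or Pool, authentication labels set to no, and SPI sections without replay protection. Case-insensitive label matching, the handling of '#' comment lines, and the key heuristic are assumptions of this example.

```python
import re
from collections import Counter
# Constructed sample in the section layout shown above; all values are illustrative.
SAMPLE_CONF = """\
[General]
     Version = 1.0
[GlobalSecurityParameters]
     HA-FAauth = no
[Pool 10]
     BaseAddress = 192.168.1.1
     Size = 100
[SPI 257]
     ReplayMethod = none
     Key = 11111111111111111111111111111111
[SPI 258]
     ReplayMethod = timestamps
     Key = 5af2aee39ff0b332
[Address mobilenode@abc.com]
     Type = node
     SPI = 259
     Pool = 10
[Address Node-Default]
     Type = node
     SPI = 258
     Pool = 3
[SPI 258]
     ReplayMethod = timestamps
     Key = 0f1e2d3c4b5a6978
"""

HEADER = re.compile(r"^\[(\w+)(?:\s+(.+?))?\]$")

def parse(text):
    # Returns [(section kind, identifier, {lowercased label: value})] in file order.
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        m = HEADER.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
        elif "=" in line and sections:
            label, value = (s.strip() for s in line.split("=", 1))
            sections[-1][2][label.lower()] = value
    return sections

def audit(text):
    # Returns findings as strings; an empty list means no check fired.
    secs, findings = parse(text), []
    defined = {k: {i for kind, i, _ in secs if kind == k} for k in ("SPI", "Pool")}
    if not any(k == "General" and "version" in v for k, _, v in secs):
        findings.append("General: missing Version entry")
    for (kind, ident), n in Counter((k, i.lower()) for k, i, _ in secs).items():
        if n > 1:
            findings.append(f"{kind} {ident}: section defined {n} times")
    for kind, ident, vals in secs:
        if kind == "GlobalSecurityParameters":
            for label in ("HA-FAauth", "MN-FAauth", "Challenge"):
                if vals.get(label.lower(), "").lower() == "no":
                    findings.append(f"{kind}: {label} = no")
        elif kind == "SPI":
            if vals.get("replaymethod", "").lower() == "none":
                findings.append(f"SPI {ident}: ReplayMethod = none (no replay protection)")
            if len(set(vals.get("key", ""))) <= 2:  # heuristic chosen for this example
                findings.append(f"SPI {ident}: Key is missing or nearly constant")
        elif kind == "Address":
            for ref in ("SPI", "Pool"):
                if ref.lower() in vals and vals[ref.lower()] not in defined[ref]:
                    findings.append(f"Address {ident}: {ref} {vals[ref.lower()]} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The parser also accepts the label=value form that mipagentconfig get prints, so the same check can be run over captured get output.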
      

Modifying the Mobile IP Configuration File (Task Map)

Task | Description | For Instructions
Modify the General section. | Uses the mipagentconfig change command to change the value of a label in the General section of the Mobile IP configuration file. | How to Modify the General Section
Modify the Advertisements section. | Uses the mipagentconfig change command to change the value of a label in the Advertisements section of the Mobile IP configuration file. | How to Modify the Advertisements Section
Modify the GlobalSecurityParameters section. | Uses the mipagentconfig change command to change the value of a label in the GlobalSecurityParameters section of the Mobile IP configuration file. | How to Modify the GlobalSecurityParameters Section
Modify the Pool section. | Uses the mipagentconfig change command to change the value of a label in the Pool section of the Mobile IP configuration file. | How to Modify the Pool Section
Modify the SPI section. | Uses the mipagentconfig change command to change the value of a label in the SPI section of the Mobile IP configuration file. | How to Modify the SPI Section
Modify the Address section. | Uses the mipagentconfig change command to change the value of a label in the Address section of the Mobile IP configuration file. | How to Modify the Address Section
Add or delete parameters. | Uses the mipagentconfig add or delete commands to add new parameters, labels, and values or to delete existing ones in any section of the Mobile IP configuration file. | How to Add or Delete Configuration File Parameters
Display the current settings of parameter destinations. | Uses the mipagentconfig get command to display current settings of any section of the Mobile IP configuration file. | How to Display Current Parameter Values in the Configuration File

Modifying the Mobile IP Configuration File

This section shows you how to modify the Mobile IP configuration file by using the mipagentconfig command. This section also shows you how to display the current settings of parameter destinations.

Configuring the Mobility IP Agent provides a conceptual description of the mipagentconfig command's usage. You can also review the mipagentconfig(1M) man page.

Procedure: How to Modify the General Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. On a command line, type the following command for each label that you want to modify in the General section.


    # mipagentconfig change <label> <value>

Example 28–1 Modifying a Parameter in the General Section

The following example shows how you might change the version number in the configuration file's General section.


# mipagentconfig change version 2

Procedure: How to Modify the Advertisements Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each label that you want to modify in the Advertisements section:


    # mipagentconfig change adv device-name <label> <value>

    For example, if you are changing the agent's advertised lifetime to 300 seconds for device hme0, use the following command.


    # mipagentconfig change adv hme0 AdvLifetime 300

Example 28–2 Modifying the Advertisements Section

The following example shows how you might change other parameters in the configuration file's Advertisements section.


# mipagentconfig change adv hme0 HomeAgent yes
# mipagentconfig change adv hme0 ForeignAgent no
# mipagentconfig change adv hme0 PrefixFlags no
# mipagentconfig change adv hme0 RegLifetime 300
# mipagentconfig change adv hme0 AdvFrequency 4
# mipagentconfig change adv hme0 ReverseTunnel yes

Procedure: How to Modify the GlobalSecurityParameters Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each label that you want to modify in the GlobalSecurityParameters section:


    # mipagentconfig change <label> <value>

    For example, if you are enabling home agent and foreign agent authentication, use the following command:


    # mipagentconfig change HA-FAauth yes

Example 28–3 Modifying the Global Security Parameters Section

The following example shows how you might change other parameters in the configuration file's GlobalSecurityParameters section.


# mipagentconfig change MaxClockSkew 200
# mipagentconfig change MN-FAauth yes
# mipagentconfig change Challenge yes
# mipagentconfig change KeyDistribution files

Procedure: How to Modify the Pool Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each label that you want to modify in the Pool section:


    # mipagentconfig change Pool pool-identifier <label> <value>

Example 28–4 Modifying the Pool Section

The following example shows the commands to use for changing the base address to 192.168.1.1 and the size of Pool 10 to 100.


# mipagentconfig change Pool 10 BaseAddress 192.168.1.1
# mipagentconfig change Pool 10 Size 100

Procedure: How to Modify the SPI Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each label that you want to modify in the SPI section:


    # mipagentconfig change SPI SPI-identifier <label> <value>

    For example, if you are changing the key for SPI 257 to 5af2aee39ff0b332, use the following command.


    # mipagentconfig change SPI 257 Key 5af2aee39ff0b332

Example 28–5 Modifying the SPI Section

The following example shows how to change the ReplayMethod label in the configuration file's SPI section.


# mipagentconfig change SPI 257 ReplayMethod timestamps

Procedure: How to Modify the Address Section

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each label that you want to modify in the Address section:


    # mipagentconfig change addr [NAI | IPaddr | node-default] <label> <value>

    See Address Section for a description of the three configuration methods (NAI, IP address, and node-default).

    For example, if you are changing the SPI of IP address 10.1.1.1 to 258, use the following command:


    # mipagentconfig change addr 10.1.1.1 SPI 258

Example 28–6 Modifying the Address Section

The following example shows how you can change other parameters that are provided in the sample configuration file's Address section.


# mipagentconfig change addr 10.1.1.1 Type agent
# mipagentconfig change addr 10.1.1.1 SPI 259
# mipagentconfig change addr mobilenode@abc.com Type node
# mipagentconfig change addr mobilenode@abc.com SPI 258
# mipagentconfig change addr mobilenode@abc.com Pool 2
# mipagentconfig change addr node-default SPI 259
# mipagentconfig change addr node-default Pool 3
# mipagentconfig change addr 10.68.30.36 Type agent
# mipagentconfig change addr 10.68.30.36 SPI 260

Procedure: How to Add or Delete Configuration File Parameters

  1. Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the appropriate command for each label that you want to add or delete for the designated section:

    • For the General section, use the following:


      # mipagentconfig [add | delete] <label> <value>

    • For the Advertisements section, use the following:


      # mipagentconfig [add | delete] adv device-name <label> <value>

      Note –

      You can add an interface by typing the following:


      # mipagentconfig add adv device-name

      In this instance, default values are assigned to the interface (for both the foreign agent and the home agent).


    • For the GlobalSecurityParameters section, use the following:


      # mipagentconfig [add | delete] <label> <value>

    • For the Pool section, use the following:


      # mipagentconfig [add | delete] Pool pool-identifier <label> <value>

    • For the SPI section, use the following:


      # mipagentconfig [add | delete] SPI SPI-identifier <label> <value>

    • For the Address section, use the following:


      # mipagentconfig [add | delete] addr [NAI | IP-address | node-default] \
      <label> <value>

    Note –

    Do not create identical Advertisements, Pool, SPI, and Address sections.



Example 28–7 Modifying File Parameters

For example, to create a new address pool, Pool 11, that has a base address of 192.167.1.1 and a size of 100, use the following commands.


# mipagentconfig add Pool 11 BaseAddress 192.167.1.1 
# mipagentconfig add Pool 11 size 100


Example 28–8 Deleting SPI

The following example shows how to delete the SPI security parameter SPI 257.


# mipagentconfig delete SPI 257

Procedure: How to Display Current Parameter Values in the Configuration File

You can use the mipagentconfig get command to display current settings that are associated with parameter destinations.

  1. Assume the Primary Administrator role, or become superuser, on the system where you are enabling Mobile IP.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Type the following command for each parameter for which you want to display settings:


    # mipagentconfig get [<parameter> | <label>] 

    For example, if you are displaying the advertisement settings for the hme0 device, use the following command:


    # mipagentconfig get adv hme0

    As a result, the following output might be displayed:


    [Advertisements hme0]
       HomeAgent = yes
       ForeignAgent = yes

Example 28–9 Using the mipagentconfig get Command to Display Parameter Values

The following example shows the results of using the mipagentconfig get command with other parameter destinations.


# mipagentconfig get MaxClockSkew
      [GlobalSecurityParameters]
         MaxClockSkew=300

# mipagentconfig get HA-FAauth
      [GlobalSecurityParameters]
         HA-FAauth=no

# mipagentconfig get MN-FAauth
      [GlobalSecurityParameters]
         MN-FAauth=no

# mipagentconfig get Challenge
      [GlobalSecurityParameters]
         Challenge=no

# mipagentconfig get Pool 10
      [Pool 10]
         BaseAddress=192.168.1.1
         Size=100

# mipagentconfig get SPI 257
      [SPI 257]
         Key=11111111111111111111111111111111
         ReplayMethod=none

# mipagentconfig get SPI 258
      [SPI 258]
         Key=15111111111111111111111111111111
         ReplayMethod=none

# mipagentconfig get addr 10.1.1.1
      [Address 10.1.1.1]
         SPI=258
         Type=agent

# mipagentconfig get addr 192.168.1.200
      [Address 192.168.1.200]
         SPI=257
         Type=node

Displaying Mobility Agent Status

You can use the mipagentstat command to display a foreign agent's visitors list and a home agent's binding table. Mobile IP Mobility Agent Status provides a conceptual description of the mipagentstat command. You can also review the mipagentstat(1M) man page.

Procedure: How to Display Mobility Agent Status

  1. Become superuser or assume an equivalent role on the system where you are enabling Mobile IP.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Display the mobility agent status.


    # mipagentstat options 
    
    -f

    Shows the list of active mobile nodes in the foreign agent's visitor list.

    -h

    Shows the list of active mobile nodes in the home agent's binding table.

    -p

    Shows the list of security associations with an agent's mobility agent peers.


Example 28–10 Displaying Mobility Agent Status

This example shows how to display the visitor list for all mobile nodes that are registered with a foreign agent.


# mipagentstat -f

As a result, output similar to the following is displayed:


Mobile Node     Home Agent     Time (s)     Time (s)  Flags
                               Granted      Remaining
--------------- -------------- ------------ --------- -----
foobar.xyz.com  ha1.xyz.com    600          125       .....T.
10.1.5.23       10.1.5.1       1000         10        .....T.

As a result, output similar to the following is displayed:


Foreign                  ..... Security Association(s).....
Agent                    Requests Replies  FTunnel  RTunnel
----------------------   -------- -------- -------- --------
forn-agent.eng.sun.com   AH       AH       ESP      ESP

This example shows how to display home agent security associations.


# mipagentstat -fp

As a result, output similar to the following is displayed:


Home                     ..... Security Association(s) .....
Agent                    Requests Replies  FTunnel  RTunnel
----------------------   -------- -------- -------- --------
home-agent.eng.sun.com   AH       AH       ESP      ESP
ha1.xyz.com              AH,ESP   AH       AH,ESP   AH,ESP

Displaying Mobility Routes on a Foreign Agent

You can use the netstat command to display additional information about source-specific routes that are created by forward tunnels and reverse tunnels. See the netstat(1M) man page for more information about this command.

Procedure: How to Display Mobility Routes on a Foreign Agent

  1. Become superuser or assume an equivalent role on the system where you are enabling Mobile IP.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Display the mobility routes.


    # netstat -rn 

Example 28–11 Displaying Mobility Routes on a Foreign Agent

The following example shows the routes for a foreign agent that uses a reverse tunnel.


Routing Table:   IPv4 Source-Specific     
Destination      In If     Source      Gateway Flags  Use  Out If
--------------  ------- ------------ --------- -----  ---- -------
10.6.32.11      ip.tun1      --      10.6.32.97  UH      0 hme1
    --          hme1    10.6.32.11       --      U       0 ip.tun1

The first line indicates that the destination IP address 10.6.32.11 and the incoming interface ip.tun1 select hme1 as the interface that forwards the packets. The next line indicates that any packet originating from interface hme1 and source address 10.6.32.11 must be forwarded to ip.tun1.