This chapter provides procedures for modifying, adding, deleting, and displaying parameters in the Mobile IP configuration file. This chapter also shows you how to display mobility agent status.This chapter contains the following information:Creating the Mobile IP Configuration File (Task Map) Creating the Mobile IP Configuration File Modifying the Mobile IP Configuration File Modifying the Mobile IP Configuration File (Task Map) Displaying Mobility Agent Status Displaying Mobility Routes on a Foreign Agent For an introduction to Mobile IP, refer to Chapter 27, Mobile IP (Overview). For detailed information about Mobile IP, refer to Chapter 29, Mobile IP Files and Commands (Reference). Task Description For Instructions Create the Mobile IP configuration file. Involves creating the /etc/inet/mipagent.conf file or copying one of the sample files. How to Create the Mobile IP Configuration File Configure the General section. Involves typing the version number into the General section of the Mobile IP configuration file. How to Configure the General Section Configure the Advertisements section. Involves adding labels and values, or changing them, in the Advertisements section of the Mobile IP configuration file. How to Configure the Advertisements Section Configure the GlobalSecurityParameters section. Involves adding labels and values, or changing them, in the GlobalSecurityParameters section of the Mobile IP configuration file. How to Configure the GlobalSecurityParameters Section Configure the Pool section. Involves adding labels and values, or changing them, in the Pool section of the Mobile IP configuration file. How to Configure the Pool Section Configure the SPI section. Involves adding labels and values, or changing them, in the SPI section of the Mobile IP configuration file. How to Configure the SPI Section Configure the Address section. Involves adding labels and values, or changing them, in the Address section of the Mobile IP configuration file. How to Configure the Address Section This section explains how to plan for Mobile IP and create the /etc/inet/mipagent.conffile.When you configure the mipagent.conf file for the first time, you need to perform the following tasks: Depending on your organization's requirements for its hosts, determine what functionality your Mobile IP agent can provide:Foreign agent functionality only Home agent functionality only Both foreign agent and home agent functionality Create the /etc/inet/mipagent.conf file and specify the settings you require by using the procedures that are described in this section. You can also copy one of the following files to /etc/inet/mipagent.conf and modify it according to your requirements:For foreign agent functionality, copy /etc/inet/mipagent.conf.fa-sample. For home agent functionality, copy /etc/inet/mipagent.conf.ha-sample. For both foreign agent and home agent functionality, copy /etc/inet/mipagent.conf-sample. You can reboot your system to invoke the boot script that starts the mipagent daemon. Or, you can also start mipagent by typing the following command:# /etc/inet.d/mipagent start Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Create the /etc/inet/mipagent.conf file by using one of the following options:In the /etc/inet directory, create an empty file named mipagent.conf. From the following list, copy the sample file that provides the functionality you want for the /etc/inet/mipagent.conf file./etc/inet/mipagent.conf.fa-sample /etc/inet/mipagent.conf.ha-sample /etc/inet/mipagent.conf-sample Add or change configuration parameters in the /etc/inet/mipagent.conf file to conform to your configuration requirements.The remaining procedures in this section describe the steps to modify sections in /etc/inet/mipagent.conf. If you copied one of the sample files in the /etc/inet directory, you can omit this procedure because the sample file contains this entry. General Section provides descriptions of the labels and values that are used in this section. Edit the /etc/inet/mipagent.conf file and add the following lines:[General] Version = 1.0The /etc/inet/mipagent.conf file must contain this entry. Advertisements Section provides descriptions of the labels and values that are used in this section. Edit the /etc/inet/mipagent.conf file and add or change the following lines by using the values that are required for your configuration.[Advertisements interface] HomeAgent = <yes/no> ForeignAgent = <yes/no> PrefixFlags = <yes/no> AdvertiseOnBcast = <yes/no> RegLifetime = n AdvLifetime = n AdvFrequency = n ReverseTunnel = <yes/no/FA/HA/both> ReverseTunnelRequired = <yes/no/FA/HA>You must include a different Advertisements section for each interface on the local host that provides Mobile IP services. GlobalSecurityParameters Section provides descriptions of the labels and values that are used in this section. Edit the /etc/inet/mipagent.conf file and add or change the following lines by using the values that are required for your configuration:[GlobalSecurityParameters] MaxClockSkew = n HA-FAauth = <yes/no> MN-FAauth = <yes/no> Challenge = <yes/no> KeyDistribution = files Pool Section provides descriptions of the labels and values that are used in this section: Edit the /etc/inet/mipagent.conf file Add or change the following lines by using the values that are required for your configuration:[Pool pool-identifier] BaseAddress = IP-address Size = size SPI Section provides descriptions of the labels and values that are used in this section. Edit the /etc/inet/mipagent.conf file. Add or change the following lines by using the values that are required for your configuration:[SPI SPI-identifier] ReplayMethod = <none/timestamps> Key = keyYou must include a different SPI section for each security context that is deployed. Address Section provides descriptions of the labels and values that are used in this section. Edit the /etc/inet/mipagent.conf file. Add or change the following lines by using the values that are required for your configuration:For a mobile node, use the following:[Address address] Type = node SPI = SPI-identifier For an agent, use the following:[Address address] Type = agent SPI = SPI-identifier IPsecRequest = action {properties} [: action {properties}] IPsecReply = action {properties} [: action {properties}] IPsecTunnel = action {properties} [: action {properties}]where action and {properties} are any action and associated properties that are defined in the ipsec7P man page.The SPI that is configured previously corresponds to the MD5 protection mechanism that is required by RFC 2002. The SPI that is configured previously does not correspond to the SPI that is used by IPsec. For more information about IPsec, see Chapter 19, IP Security Architecture (Overview) and Chapter 20, Configuring IPsec (Tasks). Also see the ipsec7P man page. For a mobile node that is identified by its NAI, use the following:[Address NAI] Type = Node SPI = SPI-identifier Pool = pool-identifier For a default mobile node, use the following:[Address Node-Default] Type = Node SPI = SPI-identifier Pool = pool-identifier Task Description For Instructions Modify the General section. Uses the mipagentconfig change command to change the value of a label in the General section of the Mobile IP configuration file. How to Modify the General Section Modify the Advertisements section. Uses the mipagentconfig change command to change the value of a label in the Advertisements section of the Mobile IP configuration file. How to Modify the Advertisements Section Modify the GlobalSecurityParameters section. Uses the mipagentconfig change command to change the value of a label in the GlobalSecurityParameters section of the Mobile IP configuration file. How to Modify the GlobalSecurityParameters Section Modify the Pool section. Uses the mipagentconfig change command to change the value of a label in the Pool section of the Mobile IP configuration file. How to Modify the Pool Section Modify the SPI section. Uses the mipagentconfig change command to change the value of a label in the SPI section of the Mobile IP configuration file. How to Modify the SPI Section Modify the Address section. Uses the mipagentconfig change command to change the value of a label in the Address section of the Mobile IP configuration file. How to Modify the Address Section Add or delete parameters. Uses the mipagentconfig add or delete commands to add new parameters, labels, and values or to delete existing ones in any section of the Mobile IP configuration file. How to Add or Delete Configuration File Parameters Display the current settings of parameter destinations. Uses the mipagentconfig get command to display current settings of any section of the Mobile IP configuration file. How to Display Current Parameter Values in the Configuration File This section shows you how to modify the Mobile IP configuration file by using the mipagentconfig command. This section also shows you how to display the current settings of parameter destinations.Configuring the Mobility IP Agent provides a conceptual description of the mipagentconfig command's usage. You can also review the mipagentconfig1M man page.Assume the Primary Administrator role, or become superuser on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. On a command line, type the following command for each label that you want to modify in the General section.# mipagentconfig change <label> <value> The following example shows how you might change the version number in the configuration file's General section.# mipagentconfig change version 2 Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each label that you want to modify in the Advertisements section:# mipagentconfig change adv device-name <label> <value>For example, if you are changing the agent's advertised lifetime to 300 seconds for device hme0, use the following command.# mipagentconfig change adv hme0 AdvLifetime 300 The following example shows how you might change other parameters in the configuration file's Advertisements section.# mipagentconfig change adv hme0 HomeAgent yes # mipagentconfig change adv hme0 ForeignAgent no # mipagentconfig change adv hme0 PrefixFlags no # mipagentconfig change adv hme0 RegLifetime 300 # mipagentconfig change adv hme0 AdvFrequency 4 # mipagentconfig change adv hme0 ReverseTunnel yes Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each label that you want to modify in the GlobalSecurityParameters section:# mipagentconfig change <label> <value>For example, if you are enabling home agent and foreign agent authentication, use the following command:# mipagentconfig change HA-FAauth yes The following example shows how you might change other parameters in the configuration file's GlobalSecurityParameters section.# mipagentconfig change MaxClockSkew 200 # mipagentconfig change MN-FAauth yes # mipagentconfig change Challenge yes # mipagentconfig change KeyDistribution files Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each label that you want to modify in the Pool section:# mipagentconfig change Pool pool-identifier <label> <value> The following example shows the commands to use for changing the base address to 192.168.1.1 and the size of Pool 10 to 100.# mipagentconfig change Pool 10 BaseAddress 192.168.1.1 # mipagentconfig change Pool 10 Size 100 Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each label that you want to modify in the SPI section:# mipagentconfig change SPI SPI-identifier <label> <value>For example, if you are changing the key for SPI 257 to 5af2aee39ff0b332, use the following command.# mipagentconfig change SPI 257 Key 5af2aee39ff0b332 The following example shows how to change the ReplayMethod label in the configuration file's SPI section.# mipagentconfig change SPI 257 ReplayMethod timestamps Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each label that you want to modify in the Address section:# mipagentconfig change addr [NAI | IPaddr | node-default] <label> <value>See Address Section for a description of the three configuration methods (NAI, IP address, and node-default).For example, if you are changing the SPI of IP address 10.1.1.1 to 258, use the following command:# mipagentconfig change addr 10.1.1.1 SPI 258 The following example shows how you can change other parameters that are provided in the sample configuration file's Address section.# mipagentconfig change addr 10.1.1.1 Type agent # mipagentconfig change addr 10.1.1.1 SPI 259 # mipagentconfig change addr mobilenode@abc.com Type node # mipagentconfig change addr mobilenode@abc.com SPI 258 # mipagentconfig change addr mobilenode@abc.com Pool 2 # mipagentconfig change addr node-default SPI 259 # mipagentconfig change addr node-default Pool 3 # mipagentconfig change addr 10.68.30.36 Type agent # mipagentconfig change addr 10.68.30.36 SPI 260 # mipagentconfig change IPsecRequest apply {auth_algs md5 sa shared} Assume the Primary Administrator role, or become superuser, on the system where you want to enable Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the appropriate command for each label that you want to add or delete for the designated section:For the General section use the following:# mipagentconfig [add | delete] <label> <value> For the Advertisements section use the following:# mipagentconfig [add | delete] adv device-name <label> <value>You can add an interface by typing the following:# mipagentconfig add adv device-nameIn this instance, default values are assigned to the interface (for both the foreign agent and the home agent). For the GlobalSecurityParameters, section use the following:# mipagentconfig [add | delete] <label> <value> For the Pool section, use the following:# mipagentconfig [add | delete] Pool pool-identifier <label> <value> For the SPI section, use the following:# mipagentconfig [add | delete] SPI SPI-identifier <label> <value> For the Address section, use the following:# mipagentconfig [add | delete] addr [NAI | IP-address | node-default] \ <label> <value> Do not create identical Advertisements, Pool, SPI, and Address sections. For example, to create a new address pool, Pool 11, that has a base address of 192.167.1.1 and a size of 100, use the following commands.# mipagentconfig add Pool 11 BaseAddress 192.167.1.1 # mipagentconfig add Pool 11 size 100 The following example shows how to delete the SPI security parameter SPI 257.# mipagentconfig delete SPI 257 You can use the mipagentconfig get command to display current settings that are associated with parameter destinations. Assume the Primary Administrator role, or become superuser, on the system where you are enabling Mobile IP.The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration. Type the following command for each parameter for which you want to display settings:# mipagentconfig get [<parameter> | <label>] For example, if you are displaying the advertisement settings for the hme0 device, use the following command:# mipagentconfig get adv hme0As a result, the following output might be displayed:[Advertisements hme0] HomeAgent = yes ForeignAgent = yes The following example shows the results of using the mipagentconfig get command with other parameter destinations.# mipagentconfig get MaxClockSkew [GlobalSecurityParameters] MaxClockSkew=300 # mipagentconfig get HA-FAauth [GlobalSecurityParameters] HA-FAauth=no # mipagentconfig get MN-FAauth [GlobalSecurityParameters] MN-FAauth=no # mipagentconfig get Challenge [GlobalSecurityParameters] Challenge=no # mipagentconfig get Pool 10 [Pool 10] BaseAddress=192.168.1.1 Size=100 # mipagentconfig get SPI 257 [SPI 257] Key=11111111111111111111111111111111 ReplayMethod=none # mipagentconfig get SPI 258 [SPI 258] Key=15111111111111111111111111111111 ReplayMethod=none # mipagentconfig get addr 10.1.1.1 [Address 10.1.1.1] SPI=258 Type=agent # mipagentconfig get addr 192.168.1.200 [Address 192.168.1.200] SPI=257 Type=node# mipagentconfig get addr 10.1.1.1 [Address 10.1.1.1] Type=agent SPI=258 IPsecRequest = apply {auth_algs md5 sa shared} IPsecReply = permit {auth_algs md5} IPsecTunnel = apply {encr_algs 3des sa shared} You can use the mipagentstat command to display a foreign agent's visitors list and a home agent's binding table. Mobile IP Mobility Agent Status provides a conceptual description of the mipagentstat command. You can also review the mipagentstat1M man page.Become superuser or assume an equivalent role on the system where you are enabling Mobile IP.Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Display the mobility agent status.# mipagentstat options -fShows the list of active mobile nodes in the foreign agent's visitor list. -hShows the list of active mobile nodes in the home agent's binding table. -pShows the list of security associations with an agent's mobility agent peers. This example shows how to display the visitor list for all mobile nodes that are registered with a foreign agent.# mipagentstat -fAs a result, output similar to the following is displayed:Mobile Node Home Agent Time (s) Time (s) Flags Granted Remaining --------------- -------------- ------------ --------- ----- foobar.xyz.com ha1.xyz.com 600 125 .....T. 10.1.5.23 10.1.5.1 1000 10 .....T.This example shows how to display foreign agent security associations.# mipagentstat -pAs a result, output similar to the following is displayed:Foreign ..... Security Association(s)..... Agent Requests Replies FTunnel RTunnel ---------------------- -------- -------- -------- -------- forn-agent.eng.sun.com AH AH ESP ESPThis example shows how to display home agent security associations.# mipagentstat -fpAs a result, output similar to the following is displayed:Home ..... Security Association(s) ..... Agent Requests Replies FTunnel RTunnel ---------------------- -------- -------- -------- -------- home-agent.eng.sun.com AH AH ESP ESP ha1.xyz.com AH,ESP AH AH,ESP AH,ESP You can use the netstat command to display additional information about source-specific routes that are created by forward tunnels and reverse tunnels. See the netstat(1M) man page for more information about this command.Become superuser or assume an equivalent role on the system where you are enabling Mobile IP.Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. Display the mobility routes.# netstat -rn The following example shows the routes for a foreign agent that uses a reverse tunnel.Routing Table: IPv4 Source-Specific Destination In If Source Gateway Flags Use Out If -------------- ------- ------------ --------- ----- ---- ------- 10.6.32.11 ip.tun1 -- 10.6.32.97 UH 0 hme1 -- hme1 10.6.32.11 -- U 0 ip.tun1The first line indicates that the destination IP address 10.6.32.11 and the incoming interface ip.tun1 select hme1 as the interface that forwards the packets. The next line indicates that any packet originating from interface hme1 and source address 10.6.32.11 must be forwarded to ip.tun1.