Configuring the Mobile IP Home Agent
To configure the Mobile IP home agent on a virtual router:
- Configure a license for the Mobile IP home agent.
- Configure the Mobile IP home agent settings.
- Configure one or more mobile hosts.
- Configure the Mobile IP security associations for mobile hosts.
- Configure the Mobile IP security associations for foreign agents.
- Assign an interface profile to be referenced by the Mobile IP home agent.
- (Optional) Verify the Mobile IP configuration. See Monitoring the Mobile IP Home Agent.
The following example illustrates how you can configure a Mobile IP home agent on a virtual router named test:
- ! Configure the Mobile IP home agent license.
- host1:test(config)#license mobile-ip home-agent demo
- ! Configure the Mobile IP home agent settings.
- host1:test(config)#ip mobile home-agent care-of-access acl lifetime 2000 replay 255 reverse-tunnel-off
- ! Configure mobile hosts and their security associations.
- host1:test(config)#ip mobile host 200.1.1.1 lifetime 200
- host1:test(config)#ip mobile secure host 200.1.1.1 spi 0x398 key ascii w4ex algorithm keyed-md5 replay timestamp within 225
- ! Configure foreign agents and their security associations.
- host1:test(config)#ip mobile secure foreign-agent 100.1.1.3 spi 256 key ascii secret replay timestamp within 255 algorithm hmac-md5
- ! Assign an interface profile for the Mobile IP home agent.
- host1:test(config)#ip mobile profile testProfile
ip mobile home-agent
- Use to configure the Mobile IP home agent on a virtual router.
- To specify the access control list (ACL) applied to the care-of address (CoA) that restricts access for foreign agents or networks, include the care-of-access keyword followed by the ACL name.
- To specify the interval within which the registration requests are established, include the lifetime keyword followed by the number of seconds, in the range 5–65535; the default value is 36,000 seconds.
- To specify the interval within which a registration can exceed the home agent configured value, include the replay keyword followed by the number of seconds, in the range 1–255; the default value is 7 seconds.
- To disable reverse tunneling support on the home agent, so that registration requests with the T bit set are denied, include the reverse-tunnel-off keyword; reverse tunneling is enabled by default.
- Example
- host1(config)#ip mobile home-agent care-of-access acl lifetime 2000 replay 255 reverse-tunnel-off
- Use the no version to disable the home agent service on the virtual router.
Note: The values for lifetime, replay, and care-of-access configured per mobile host by using the ip mobile host command override the values configured by using the ip mobile home-agent command.
- See ip mobile home-agent.
ip mobile host
- Use to configure a mobile node on a virtual router with an optional host network access identifier (NAI) address or the home address (IP address of the home agent).
- To specify the mobile node, include the required nai keyword or the required address keyword, as follows:
  - To specify the NAI for the mobile node, include the nai keyword. You must choose one of the following formats, where user represents the user name and realm represents the domain name: user@realm, @realm, or @.
  - To specify a nonzero home address of the mobile node, include the address keyword followed by the IP address of the mobile node.
- To specify that the AAA server should validate registration requests and obtain configuration and security associations, include the aaa keyword.
- To specify the access control list applied to the care-of address that restricts access for foreign agents or networks, include the care-of-access keyword followed by the ACL name.
- To specify the interval within which the registration requests are established, include the lifetime keyword followed by the number of seconds, in the range 5–65535; the default value is 36,000 seconds.
- Example 1—This example illustrates local authentication of a mobile node; do not specify the aaa keyword for local authentication.
- host1(config)#ip mobile host 200.1.1.1 lifetime 200
or
- host1(config)#ip mobile host nai @amazon.net
- Example 2—This example illustrates AAA authentication of a mobile node; you must specify the aaa keyword for AAA authentication.
- host1(config)#ip mobile host nai @yahoo.com aaa care-of-access acl2
or
- host1(config)#ip mobile host nai bob@msn.net aaa lifetime 400
- Use the no version to delete the configuration of the mobile node on the virtual router.
- See ip mobile host.
ip mobile profile
- Use to configure or associate a preconfigured interface profile with the home agent in a virtual router.
- For information about configuring a virtual router, see the JUNOSe System Basics Configuration Guide.
- Example
- host1(config)#ip mobile profile virDefault
- Use the no version to remove the profile configuration from the virtual router.
- See ip mobile profile.
ip mobile secure foreign-agent
- Use to configure the security associations for a foreign agent.
- To specify a nonzero address for the foreign agent, include the IP address of the foreign agent.
- To specify the security parameter index (SPI) value to authenticate inbound requests and permit authentication for outbound registration requests, include the required spi keyword followed by a 4-octet hexadecimal number, in the range 0x100–0xFFFFFFFF.
- To specify the authentication key for this security association, include the required key keyword followed by either the hex keyword or the ascii keyword, as follows:
  - To specify a hexadecimal key, use the hex keyword followed by a 32-character (128-bit) hexadecimal value in the range 0x0–0xFFFFFFFE.
  - To specify an ASCII key, use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters (128 bits).
- To specify the number of seconds by which a registration request can exceed the time value configured on the home agent, include the optional replay timestamp within keywords followed by the number of seconds, in the range 1–255; the default value is 7 seconds.
- To specify the type of authentication algorithm for Mobile IP messages, include the optional algorithm keyword followed by either the hmac-md5 keyword or the keyed-md5 keyword.
- Example
- host1(config)#ip mobile secure foreign-agent 100.1.1.3 spi 256 key ascii secret replay timestamp within 255 algorithm hmac-md5
- Use the no version to delete the security associations for the specified foreign agent on the virtual router.
- See ip mobile secure foreign-agent.
ip mobile secure host
- Use to configure the security associations for a mobile node.
- You must configure security associations only for mobile nodes on which local authentication is configured.
Note: If you delete a mobile node host by using the no ip mobile host command, all security associations that you configured for this host are deleted.
- To specify the mobile node, include the required nai keyword or the required address keyword, as follows:
  - To specify the network access identifier (NAI) for the mobile node, include the nai keyword. You must choose one of the following formats, where user represents the user name and realm represents the domain name: user@realm, @realm, or @.
  - To specify a nonzero home address of the mobile node, include the address keyword followed by the IP address of the mobile node.
- To specify the security parameter index (SPI) value to authenticate inbound requests and permit authentication for outbound registration requests, include the required spi keyword followed by a 4-octet hexadecimal number, in the range 0x100–0xFFFFFFFF.
- To specify the authentication key for this security association, include the required key keyword followed by either the hex keyword or the ascii keyword, as follows:
  - To specify a hexadecimal key, use the hex keyword followed by a 32-character (128-bit) hexadecimal value in the range 0x0–0xFFFFFFFE.
  - To specify an ASCII key, use the ascii keyword followed by an alphanumeric value up to a maximum of 16 characters (128 bits).
- To specify the number of seconds by which a registration request can exceed the time value configured on the home agent, include the optional replay timestamp within keywords followed by the number of seconds, in the range 1–255; the default value is 7 seconds.
- To specify the type of authentication algorithm for Mobile IP messages, include the optional algorithm keyword followed by either the hmac-md5 keyword or the keyed-md5 keyword.
- Examples
- host1(config)#ip mobile secure host 200.1.1.1 spi 0x398 key ascii w4ex algorithm keyed-md5 replay timestamp within 225
or
- host1(config)#ip mobile secure host nai @amazon.net spi 0x100 key ascii pD4En algorithm keyed-md5 replay timestamp within 100
- Use the no version to delete the security associations for the specified host on the virtual router.
- See ip mobile secure host.
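How the spi, key, algorithm, and replay timestamp within parameters described for ip mobile secure foreign-agent and ip mobile secure host work together when a registration request is checked, as an added Python example that is not JUNOSe code and not part of the original page. It assumes the algorithm keywords correspond to the RFC 3344 HMAC-MD5 mode and the RFC 2002 prefix+suffix keyed-MD5 mode, and that replay protection uses the timestamp in the Identification field; the function names, the home agent address 192.0.2.1, the send time, and the request bytes are constructed.

```python
import hashlib
import hmac
import socket
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Security association taken from the page's "ip mobile secure host" example.
SA = {"spi": 0x398, "key": b"w4ex", "algorithm": "keyed-md5", "within": 225}

def build_request(home, home_agent, care_of, lifetime, sent_unix):
    """Constructed 24-byte Registration Request; Identification starts with NTP seconds."""
    ident = struct.pack("!II", sent_unix + NTP_UNIX_OFFSET, 0x1234ABCD)
    addrs = b"".join(socket.inet_aton(a) for a in (home, home_agent, care_of))
    return struct.pack("!BBH", 1, 0, lifetime) + addrs + ident

def authenticator(key, protected, algorithm):
    """128-bit authenticator over the protected bytes."""
    if algorithm == "hmac-md5":   # assumed to be the RFC 3344 default mode
        return hmac.new(key, protected, hashlib.md5).digest()
    if algorithm == "keyed-md5":  # assumed RFC 2002 prefix+suffix: MD5(key | data | key)
        return hashlib.md5(key + protected + key).digest()
    raise ValueError(f"unknown algorithm: {algorithm}")

def sign(request, sa):
    """Authenticator covers the request plus the extension's Type, Length and SPI."""
    header = struct.pack("!BBI", 32, 4 + 16, sa["spi"])  # 32 = Mobile-Home extension
    return authenticator(sa["key"], request + header, sa["algorithm"])

def timestamp_fresh(request, now_unix, within):
    """Replay check: sender's timestamp must be within `within` seconds of local time."""
    sent = struct.unpack("!I", request[16:20])[0] - NTP_UNIX_OFFSET
    return abs(now_unix - sent) <= within

def verify(request, spi, received, sa, now_unix):
    """Accept only a matching SPI, a valid authenticator and a fresh timestamp."""
    if spi != sa["spi"]:
        return False
    if not hmac.compare_digest(sign(request, sa), received):
        return False
    return timestamp_fresh(request, now_unix, sa["within"])

if __name__ == "__main__":
    sent = 1700000000  # constructed send time (Unix seconds)
    req = build_request("200.1.1.1", "192.0.2.1", "100.1.1.3", 200, sent)
    auth = sign(req, SA)
    print("on time:", verify(req, 0x398, auth, SA, sent + 100))
    print("replayed later:", verify(req, 0x398, auth, SA, sent + 300))
```

The same captured request and authenticator pass at 100 seconds and fail at 300 seconds because the configured window is 225 seconds; with the default of 7 seconds the acceptance window is correspondingly narrower.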
license mobile-ip home-agent
- Use to configure the license key to enable a home agent.
- Specify a name for the license key; up to a maximum of 16 alphanumeric characters.
- Example
- host1(config)#license mobile-ip home-agent demo
- Use the no version to delete the license key configuration.
- See license mobile-ip home-agent.