

# $Id: dynmnd.conf,v 1.56 2001/10/20 13:36:07 jm Exp $
# Mobile Node configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE! 
#	This is an example configuration file designed to give
#	perspective to the system configuration AND to provide
#	a basis for a working simple test environment.
#	The values of some of the parameters may not be the
#	same as the daemon's defaults, so don't get confused.
#
#	To get a minimal test working, you will need to check the
#	following items:
#	  * MNHomeIPAddress
#	  * HAIPAddress
#	  * EnableFADecapsulation
#	  * HomeNetPrefix (if using FA decapsulation or
#	    dynamics HA address resolution)
#	  * SPI and SharedSecret
#	The rest of the items should work with their preset values in
#	most cases and they can be used to fine tune the operation
#	after the basic setup has been tested successfully. The SPI and
#	SharedSecret values in this example are test placeholders only.
#
#######################################################################
#
# The Mobile Node's IP address in the Home Network.
# If using AAA (see UseAAA below), the home address can be set to 0.0.0.0 in
# order to request a home address from the AAA infrastructure. This requires
# that the MN NAI (MNNetworkAccessIdentifier) is also configured.
MNHomeIPAddress 193.146.185.44 

# The Mobile Node's Network Access Identifier (NAI) [RFC2794]
# If configured, this NAI is used in registration requests to identify the
# mobile user for AAA services.
# Left commented in this example, consistent with UseAAA FALSE below; it is
# required when UseAAA is TRUE or when MNHomeIPAddress is 0.0.0.0.
#
#MNNetworkAccessIdentifier "soy_driza"

# UseAAA < TRUE | FALSE >. TRUE enables AAA extensions (key requests using
# material from AAA, HA and home address discovery using AAA, etc.). This
# requires that the MN NAI and the AAA related items below are configured.
# FALSE disables these extensions.
UseAAA FALSE

# The IP address of the Mobile Node's Home Agent. In case of a private HA
# address this is the address of the surrogate HA. If the HA address is
# unknown, set this to 0.0.0.0 and make sure that HomeNetPrefix is correct for
# dynamic HA address resolution, or use AAA to discover the HA address. If the
# HA has multiple interfaces, this should be the address of the "public"
# interface, i.e., the one toward the default gateway (it has to be reachable
# from the foreign networks).
HAIPAddress 193.146.185.42 

# If the HA has more than one interface, HAIPAddress should be configured to
# be the one reachable from the Internet (i.e., from the foreign networks the
# MN may visit). To allow the MN to detect the HA's other interfaces, their IP
# addresses may be configured here. The MN will use this list in addition to
# HAIPAddress when determining whether an agent advertisement is from its own
# HA (i.e., when the MN is at home). Multiple lines containing different
# addresses may be used to configure more than one alternative HA address.
# AlternativeHAIPAddress 10.1.2.3
# AlternativeHAIPAddress 10.2.3.4

# AllowHomeAddrFromForeignNet < TRUE | FALSE >. TRUE allows AAA to assign
# a home agent and home address from the foreign network (assuming they are
# set to 0.0.0.0 above). FALSE means that both the home agent and the home
# address must be from the home domain.
AllowHomeAddrFromForeignNet FALSE

# The following configuration options PrivateHAIPAddress, PrivateHAIdentifier,
# and HANetworkAccessIdentifier are only used with home networks that use
# private IP addresses and a surrogate HA. In other cases they should be left
# commented.

# The private IP address of the Mobile Node's Home Agent.
# Needed only if a surrogate HA is used.
# PrivateHAIPAddress 192.168.200.200

# The identifier for the private HA in the SHA (unique 32-bit number)
# PrivateHAIdentifier 1

# Home Agent Network Access Identifier (NAI)
# If configured, this NAI is used to match the HA agent advertisements when
# the MN is determining whether it is at home or not. This is mainly used with
# a private HA address that may not be globally unique.
# NOTE(review): the paragraph above says this item belongs to the private HA /
# surrogate HA case, but it is set here while PrivateHAIPAddress is commented
# out. Confirm that the HA actually advertises this NAI; if it does not, leave
# this item commented as the paragraph above recommends.
#
HANetworkAccessIdentifier "cancun_ha"

# EnableFADecapsulation < TRUE | FALSE >. TRUE enables a mode where
# the FA decapsulates the IP-within-IP encapsulated IP packets.
# FALSE disables this mode and sets the default mode where the
# MN decapsulates the IP-within-IP encapsulated IP packets.
# With FA decapsulation the MN uses its home address on the interface even in
# the foreign network, and with MN decapsulation the MN needs to acquire a
# co-located care-of address from the visited network (this needs an external
# program; see the man pages for more information).
# The two modes cannot be used simultaneously.
EnableFADecapsulation TRUE

# Network address of the home network (CIDR format: a.b.c.d/prefix_length)
# This is used with FA decapsulation and dynamics HA address resolution. If
# commented, the routing entry is neither removed nor added. The home net entry
# may optionally be used with MN decapsulation - see the MNDecapsRouteHandling
# option below.
# The /29 below covers 193.146.185.40-47, which contains the HomeNetGateway
# (.41), HAIPAddress (.42) and MNHomeIPAddress (.44) configured in this file.
#
# Example: 192.168.242.0/24
HomeNetPrefix 193.146.185.40/29

# Home net default gateway
# This entry can be used to force the gateway that the MN uses when it is
# at home. If this is left commented, the MN tries to use the default route
# that was in use when the program was started.
#
HomeNetGateway 193.146.185.41

#############################################################################
# MN-HA security association
#
# A SPI (Security Parameter Index) must be defined for every MN.
# It is used for indexing the security association at the Home Agent.
SPI 998
#
# The SharedSecret is provided as a HEX number string. The shared secret can
# also be given as a character string
# (e.g. character string "ABCDE" corresponds to HEX number string 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics supports also other key lengths.
# This shared secret is used with the HA. It must be commented out when using
# the AAA infrastructure for key generation; in that case the AAA related
# items below must be configured.
#
# NOTE(review): the value below is a placeholder for a bench test, not a
# usable key. Since each character of a string secret is one byte, an
# 8-character string is only 64 bits of key material (half the RFC 2002
# default), and a dictionary-like word is far weaker than that. For anything
# beyond a test, generate the secret randomly and give it as 32 hex digits.
# The secret is stored in clear text in this file, so keep the file readable
# by root only.
# SharedSecret < shared secret >
# SharedSecret 016A352B2F235E
SharedSecret "soydriza"


#
# Authentication algorithm
#    1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
#    4: HMAC-MD5 [RFC 2104]
#    5: SHA-1 [FIPS 180-1]
#    6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. The MD5/prefix+suffix algorithm is kept only for backwards
# compatibility with older versions that do not support the more secure
# HMAC-MD5. Of the listed options, the HMAC constructions (4 and 6) are the
# ones to use; HMAC-SHA1 (6) is preferable where the HA supports it.
AuthenticationAlgorithm 4
#
# Replay prevention method:
#   0: none
#   1: time stamps
#   2: nonces
# Use 1 or 2. Setting 0 disables replay prevention of registration requests
# entirely. NOTE(review): the time-stamp method presumably depends on the MN
# and HA clocks agreeing within the HA's tolerance - confirm against the HA
# configuration before relying on it.
ReplayMethod 1
#
# The Mobile Node may have optional security associations with Foreign
# Agents. If a security association exists, an additional Mobile Node -
# Foreign Agent Authentication Extension is added to the registration requests.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for key distribution (see the list above). The format of the shared
# secret field is identical to the one used with the MN-HA security
# association above, and the same key-strength advice applies.
#
FA_SECURITY_BEGIN
# SPI		FA IP		Alg.	Shared Secret
#2001		192.168.0.1	4	0123456789ABCDEF
#2002		192.168.0.2	4	"eslkfj89jr3hduh3R!as"
FA_SECURITY_END


# MN-AAA Authentication and Challenge/Response [RFC3012]

# If the MN does not have a security association with an FA, it may use the
# AAA infrastructure for authentication. If this is used, the MN NAI
# ('MNNetworkAccessIdentifier' above) should also be configured.
# Everything in this section is left commented in this example, consistent
# with UseAAA FALSE above.

# SPI to be used in MN-AAA authentication.
# Reserved SPI values:
#   2 = CHAP_SPI, CHAP style authentication using MD5 [RFC 3012]
#   3 = MD5/prefix+suffix [draft-ietf-mobileip-aaa-key-03.txt]
#   4 = HMAC MD5 [draft-ietf-mobileip-aaa-key-03.txt]
# MN-AAA-SPI 12345

# Shared secret for MN-AAA authentication (see 'SharedSecret' above for format
# instructions). The example value "test" is illustrative only; a real
# deployment needs a randomly generated secret of the RFC 2002 default length
# here as well.
# MN-AAA-SharedSecret "test"

# Algorithms to be used for MN-AAA authentication and key generation
#   1 = MD5/prefix+suffix (RFC 2002)
#   2 = RADIUS authentication (Sec. 8 of RFC 3012)
#   3 = MD5/prefix+suffix (RFC 2002)  (alias for 1 above)
#   4 = HMAC-MD5 (Sec. 6 of RFC 3012; RFC 2104)
#   5 = SHA-1 (FIPS 180-1)
#   6 = HMAC-SHA1 (RFC 2104)
# Note: with algorithm 2, 'MN-AAA-SPI' should be set to the reserved number
# CHAP_SPI (default: 2). As with the MN-HA association above, prefer the HMAC
# variants (4 or 6) over MD5/prefix+suffix.
# MN-AAA-AuthenticationAlgorithm 4
# MN-AAA-KeyGenerationAlgorithm 4


#############################################################################
# TunnelingMode < 1 | 2 | 3 | 4 >
# The packets between the MN and a Correspondent Node (CN) can be routed using
# different routes. This option selects which mode will be used.
# Possible values:
# 1 = automatic, prefer reverse tunnel (i.e. bi-directional tunnel)
# 2 = automatic, prefer triangle tunnel (i.e. tunnel only in CN->MN direction)
# 3 = accept only reverse tunnel
# 4 = accept only triangle tunnel
# With the triangle modes (2, 4) the MN->CN packets leave the visited network
# untunneled. NOTE(review): as general Mobile IP behaviour (not stated in this
# file), visited networks that filter on source address may drop such packets;
# 1 or 3 avoids that.
TunnelingMode 1

# When the MN can get its own co-located care-of address and use reverse
# tunneling, the normal method is to set the default route to the tunnel. This
# means that all the packets destined to other networks than the current subnet
# in the visited network are sent via the HA. If the co-located COA is public,
# it can be used for sessions that do not need a constant IP address (e.g. most
# web browsing). The following configuration option specifies the routing
# operation that is used with the co-located COA.
# Possible values:
#   0 = set default route to the tunnel
#   1 = set only the home net route to the tunnel (the HomeNetPrefix option
#       above must be set)
#   2 = do not change the routing entries (i.e. some external means must be
#       used to direct traffic to the tunnel, e.g. manually adding a host route
#       to a specific host)
# A co-located COA belongs to MN decapsulation; since EnableFADecapsulation is
# TRUE in this file, this setting should not be in effect here.
MNDecapsRouteHandling 0

# DefaultTunnelLifetime is the lifetime suggested in the registration.
# The lifetime is defined in seconds; the default value is 300.
# The request timer will be set according to this value. If the FA's agent
# advertisement has a smaller time, it is used instead.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
# The value 1 below is a test setting: the binding expires after one second,
# so the MN must re-register roughly once per second. Use something closer to
# the 300 s default in normal operation. Avoid the 65535 "never expire" special
# case in real deployments: a binding that never expires is never cleaned up
# at the HA if the MN goes away.
# MNDefaultTunnelLifetime [ seconds ]
MNDefaultTunnelLifetime 1

# UDP port to be used for sending registration requests
# Port 434 is allocated for Mobile IP signaling and this should not be changed
# unless the network is known to use some other port (i.e. all the FAs and HAs
# must have the same port configured).
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as the priority for the signaling socket. E.g. a CBQ class can be used
# to make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# The log messages are written through the syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in the /etc/syslog.conf file.
# Whatever the daemon logs therefore lands wherever syslog.conf routes
# LOG_DAEMON; LOG_AUTHPRIV is the listed alternative if the messages should
# go to the (typically more restricted) auth log instead.
SyslogFacility LOG_DAEMON

# Ignore these interfaces. No agent advertisements are received nor
# agent solicitations sent on these interfaces.
# Loopback and the kernel's dummy/tunnel devices are listed here, presumably so
# that the MN only looks for agents on real network interfaces.
IGNORE_INTERFACES_BEGIN
lo
dummy0
tunl0 
gre0
IGNORE_INTERFACES_END

# Other programs may set routing entries so that the data connection may
# fail. The MN can try to enforce the routes that it believes should be used.
# This operation should currently be used only with FA decapsulation. If
# route enforcement is activated, the MN daemon prevents certain route changes.
EnforceRoutes FALSE

# The MN can be instructed to poll for the current AP address when using a
# wireless LAN driver that supports wireless extensions. This can be used to
# speed up handoffs when using managed mode (BSS).
# The polling interval is configured in microseconds
# (i.e., 1000000 equals 1 second)
# -1 = AP polling disabled
APPollingInterval -1

# The MN can be instructed to send periodic agent solicitations to find new
# FAs. Normally, the MN uses agent solicitations when it does not have a valid
# agent advertisement. Periodic solicitation occurs even if the connection
# seems to be up. This will cause more broadcast messages and is thus disabled
# in the default configuration, but it can speed up handoffs in some
# environments.
# The solicitation interval is configured in microseconds (usec)
# (i.e., 1000000 usec equals 1 second). A random time between 0 and 0.5
# seconds will be added to solicitation intervals to prevent unwanted
# synchronization of broadcast messages. In addition, solicitations will not be
# sent more often than once per second, so this interval should not be
# configured to be less than 1000000 usec.
# -1 = Periodic agent solicitation disabled
# Note that this example enables periodic solicitation at the minimum allowed
# interval (1 s), unlike the default configuration described above.
SolicitationInterval 1000000 

#############################################################################
# API sockets
# Mobile Nodes use unix domain sockets to communicate through their API
# interfaces.
# The group and owner must be names as strings; no group IDs or user IDs are
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
#
# Read socket. 0666 makes it connectable by every local user, not only root
# and the configured group; if the host has untrusted local users, prefer a
# dedicated group with 0660. NOTE(review): what the read API exposes is not
# described in this file - check the daemon's API documentation before
# deciding how wide this needs to be.
MNAPIReadSocketPath "/var/run/dynamics_mn_read"
MNAPIReadSocketGroup "root"
MNAPIReadSocketOwner "root"
MNAPIReadSocketPermissions 0666
#
# Admin socket. 0700 restricts it to the owner (root), which is appropriate
# for an administrative interface; do not widen it.
MNAPIAdminSocketPath "/var/run/dynamics_mn_admin"
MNAPIAdminSocketGroup "root"
MNAPIAdminSocketOwner "root"
MNAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END


