Example of a commented configuration file for a mobile node that uses DHCP
From DIT-CDC
Revision as of 20:08, 27 Feb 2007; Gabi (Talk | contributions)
# $Id: dynmnd.conf,v 1.56 2001/10/20 13:36:07 jm Exp $
# Mobile Node configuration file
#
# Dynamic hierarchical IP tunnel
# Copyright (C) 1998-2001, Dynamics group
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation. See README and COPYING for
# more details.
#
#######################################################################
#
# NOTE!
# This is an example configuration file designed to give
# perspective to the system configuration AND to provide
# a basis for a working simple test environment.
# The values of some of the parameters may not be the
# same as the daemon's defaults, so don't get confused.
#
# To get a minimal test working, you will need to check the
# following items:
#   * MNHomeIPAddress
#   * HAIPAddress
#   * EnableFADecapsulation
#   * HomeNetPrefix (if using FA decapsulation or
#                    dynamics HA address resolution)
#   * SPI and SharedSecret
# The rest of the items should work with their preset values in
# most cases and they can be used to fine tune the operations
# after the basic operation has been tested successfully.
#
#######################################################################
#
# The Mobile Node's IP address in the Home Network.
# If using AAA (see UseAAA below), home address can be set to 0.0.0.0 in order
# to request a home address from the AAA infrastructure. This requires that
# also MN NAI is configured.
MNHomeIPAddress 193.146.185.44

# The Mobile Node's Network Access Identifier (NAI) [RFC2794]
# If configured, this NAI is used in registration requests to identify the
# mobile user for AAA services.
#
#MNNetworkAccessIdentifier "soy_driza"

# UseAAA < TRUE | FALSE >. TRUE enables AAA extensions (key requests using
# material from AAA, HA and home address discovery using AAA, etc.). This
# requires that MN NAI and AAA related items below are configured.
# FALSE disables these extensions.
UseAAA FALSE

# The IP address of Mobile Node's Home Agent. In case of a private HA address
# this is the address of the surrogate HA. If the HA address is unknown, set
# this to 0.0.0.0 and make sure that HomeNetPrefix is correct for dynamic
# HA address resolution or use AAA to discover HA address. If the HA has
# multiple interfaces, this should be the address of the "public" interface,
# i.e., the one toward default gateway (it has to be reachable from the foreign
# networks).
HAIPAddress 193.146.185.42

# If the HA has more than one interface, HAIPAddress should be configured to
# be the one reachable from the Internet (i.e., from the foreign networks the
# MN may visit). To allow MN to detect other HA's interfaces, their IP
# addresses may be configured here. MN will use this list in addition to
# HAIPAddress when determining whether an agent advertisement is from its own
# HA (i.e., when MN is at home). Multiple lines containing different addresses
# may be used to configure more than one alternative HA address.
# AlternativeHAIPAddress 10.1.2.3
# AlternativeHAIPAddress 10.2.3.4

# AllowHomeAddrFromForeignNet < TRUE | FALSE >. TRUE allows AAA to assign
# a home agent and home address from the foreign network (assuming they are
# set to 0.0.0.0 above). FALSE means that both the home agent and the home
# address must be from the home domain.
AllowHomeAddrFromForeignNet FALSE

# The following configuration options PrivateHAIPAddress, PrivateHAIdentifier,
# and HANetworkAccessIdentifier are only used with home networks that use
# private IP addresses and a surrogate HA. In other cases they should be left
# commented.

# The private IP address of Mobile Node's Home Agent.
# Needed only if a surrogate HA is used.
# PrivateHAIPAddress 192.168.200.200

# The identifier for the private HA in SHA (unique 32-bit number)
# PrivateHAIdentifier 1

# Home Agent Network Access Identifier (NAI)
# If configured, this NAI is used to match the HA agent advertisements when
# a MN is determining whether it is at home or not. This is mainly used with
# a private HA address that may not be globally unique.
# HANetworkAccessIdentifier "cancun_ha"

# EnableFADecapsulation < TRUE | FALSE >. TRUE enables a mode where
# the FA decapsulates the IP-within-IP encapsulated IP packets.
# FALSE disables this mode and sets the default mode where the
# MN decapsulates the IP-within-IP encapsulated IP packets.
# With FA decapsulation the MN uses its home address in the interface even in
# the foreign network and with MN decapsulation MN needs to acquire a
# co-located care-of address from the visited network (this needs an external
# program; see man pages for more information).
# The two modes cannot be used simultaneously.
EnableFADecapsulation FALSE

# Network address of home network (CIDR format: a.b.c.d/prefix_length)
# This is used with FA decapsulation and dynamics HA address resolution. If
# commented, the routing entry is not removed nor added. The home net entry
# may optionally be used with MN decapsulation - see MNDecapsRouteHandling
# option below.
#
# Example: 192.168.242.0/24
HomeNetPrefix 193.146.185.40/29

# Home net default gateway
# This entry can be used to force a gateway that the MN uses when it is
# at home. If this is left commented, the MN tries to use the default route
# that was in use when the program was started.
# HomeNetGateway 193.146.185.41

#############################################################################

# An SPI (Security Parameter Index) must be defined for every MN.
# It is used for indexing the security association at the Home Agent.
SPI 998
#
# The SharedSecret is provided as a HEX number string. The shared secret can
# also be given as a character string
# (e.g. character string "ABCDE" corresponds to HEX number string 4142434445).
# Note: RFC 2002 specifies that the default key size is 128 bits (i.e.
# 16 bytes or 32 hex 'characters'). Dynamics also supports other key lengths.
# This shared secret is used with the HA. This must be commented out when using
# AAA infrastructure for key generation. In this case, the AAA related items
# below must be configured.
# SharedSecret < shared secret >
# SharedSecret 016A352B2F235E
SharedSecret "soydriza"
#
# Authentication algorithm
# 1: MD5/prefix+suffix (a.k.a. keyed-MD5) [RFC 2002]
# 4: HMAC-MD5 [RFC 2104]
# 5: SHA-1 [FIPS 180-1]
# 6: HMAC-SHA1 [RFC 2104]
# Note! MD5/prefix+suffix has known weaknesses and use of HMAC-MD5 is
# recommended. MD5/prefix+suffix algorithm is for backwards compatibility with
# older versions that do not support the more secure HMAC-MD5.
AuthenticationAlgorithm 4
#
# Replay prevention method:
# 0: none
# 1: time stamps
# 2: nonces
ReplayMethod 1
#
# Mobile Node may have optional security associations with Foreign
# Agents. If the security association exists an additional Mobile Node -
# Foreign Agent Authentication Extension is added to the registration requests.
#
# The following list contains the shared secrets indexed by SPI (and
# Foreign Agent IP address). The algorithm field specifies the method
# used for key distribution (see the list above). The format of the shared
# secret field is identical to the one used with the MN-HA security
# association list above.
#
FA_SECURITY_BEGIN
# SPI   FA IP         Alg.  Shared Secret
#2001   192.168.0.1   4     0123456789ABCDEF
#2002   192.168.0.2   4     "eslkfj89jr3hduh3R!as"
FA_SECURITY_END

# MN-AAA Authentication and Challenge/Response [RFC3012]
# If the MN does not have a security association with an FA, it may use AAA
# infrastructure for authentication. If this is used, also MN NAI
# ('MNNetworkAccessIdentifier' above) should be configured.

# SPI to be used in MN-AAA authentication.
# Reserved SPI values:
# 2 = CHAP_SPI, CHAP style authentication using MD5 [RFC 3012]
# 3 = MD5/prefix+suffix [draft-ietf-mobileip-aaa-key-03.txt]
# 4 = HMAC MD5 [draft-ietf-mobileip-aaa-key-03.txt]
# MN-AAA-SPI 12345

# Shared secret for MN-AAA authentication (see 'SharedSecret' above for format
# instructions)
# MN-AAA-SharedSecret "test"

# Algorithms to be used for MN-AAA authentication and key generation
# 1 = MD5/prefix+suffix (RFC 2002)
# 2 = RADIUS authentication (Sec. 8 of RFC 3012)
# 3 = MD5/prefix+suffix (RFC 2002) (alias for 1 above)
# 4 = HMAC-MD5 (Sec. 6 of RFC 3012; RFC 2104)
# 5 = SHA-1 (FIPS 180-1)
# 6 = HMAC-SHA1 (RFC 2104)
# Note: with algorithm 2, 'MN-AAA-SPI' should be set to reserved number
# CHAP_SPI (default: 2).
# MN-AAA-AuthenticationAlgorithm 4
# MN-AAA-KeyGenerationAlgorithm 4

#############################################################################

# TunnelingMode < 1 | 2 | 3 | 4 >
# The packets between the MN and a Correspondent Node (CN) can be routed using
# different routes. This option selects which mode will be used.
# Possible values:
# 1 = automatic, prefer reverse tunnel (i.e. bi-directional tunnel)
# 2 = automatic, prefer triangle tunnel (i.e. tunnel only in CN->MN direction)
# 3 = accept only reverse tunnel
# 4 = accept only triangle tunnel
TunnelingMode 1

# When MN can get its own co-located care-of address and use reverse tunneling,
# the normal method is to set the default route to the tunnel. This means that
# all the packets destined to other networks than the current subnet in the
# visited network are sent via the HA. If the co-located COA is public, it can
# be used for sessions that do not need a constant IP address (e.g. most
# web browsing). The following configuration option specifies the routing
# operation that is used with the co-located COA.
# Possible values:
# 0 = set default route to the tunnel
# 1 = set only the home net route to the tunnel (the above HomeNetPrefix
#     option must be set)
# 2 = do not change the routing entries (i.e. some external means must be
#     used to direct traffic to the tunnel, e.g. manually adding a host route
#     to a specific host)
MNDecapsRouteHandling 0

# DefaultTunnelLifetime is the lifetime suggested in registration.
# The lifetime is defined in seconds, default value is 300.
# The request timer will be set according to this value. If the FA's agent
# advertisement has a smaller time, it is used instead.
# Special case: 65535 (or more) seconds means unlimited time (the binding will
# not expire)
# MNDefaultTunnelLifetime [ seconds ]
MNDefaultTunnelLifetime 1

# UDP port to be used for sending registration requests
# Port 434 is allocated for Mobile IP signaling and this should not be changed
# unless the network is known to use some other port (i.e. all the FAs and HAs
# must have the same port configured).
UDPPort 434

# Socket priority for signaling sockets (UDP) can be set with SO_PRIORITY to
# allow easier QoS configuration. If this argument is set, the given value is
# used as a priority for the signaling socket. E.g. a CBQ class can be used to
# make sure that signaling is not disturbed by other traffic on a congested
# link.
# This feature is still undocumented and can be left commented.
#
# SocketPriority 1

# The log messages are written through the syslog service. The facility to be
# used defaults to LOG_LOCAL0, but it can be set with this parameter
# to any of the possible facilities (LOG_AUTHPRIV, LOG_DAEMON, and so on).
# The processing of log messages is defined in the /etc/syslog.conf file.
SyslogFacility LOG_DAEMON

# Ignore these interfaces. No agent advertisements are received nor
# agent solicitations sent for these interfaces.
IGNORE_INTERFACES_BEGIN
lo
dummy0
tunl0
gre0
IGNORE_INTERFACES_END

# Other programs may set routing entries so that the data connection may
# fail. The MN can try to enforce the routes that it believes should be used.
# This operation should currently be used only with FA decapsulation. If the
# route enforcement is activated the MN daemon prevents certain route changes.
EnforceRoutes FALSE

# MN can be instructed to poll for the current AP address when using a wireless
# LAN driver that supports wireless extensions. This can be used to speed up
# handoffs when using managed mode (BSS).
# Polling interval is configured in microseconds
# (i.e., 1000000 equals 1 second)
# -1 = AP polling disabled
APPollingInterval -1

# MN can be instructed to send periodic agent solicitations to find new FAs.
# Normally, MN uses agent solicitations when it does not have a valid agent
# advertisement. Periodic solicitation occurs even if the connection seems to
# be up. This will cause more broadcast messages and is thus disabled in the
# default configuration, but it can speed up handoffs in some environments.
# Solicitation interval is configured in microseconds (usec)
# (i.e., 1000000 usec equals 1 second). A random time between 0 and 0.5
# second will be added to solicitation intervals to prevent unwanted
# synchronization of broadcast messages. In addition, solicitations will not be
# sent more often than once per second, so this interval should not be
# configured to be less than 1000000 usec.
# -1 = Periodic agent solicitation disabled
SolicitationInterval 1000000

#############################################################################

# Mobile Nodes use unix domain sockets to communicate through their API
# interfaces.
# The group and owner must be names as strings, no groupIDs or userIDs are
# allowed. The file permissions are set in octal values like in chmod(1).
# The configuration parameters of the two API sockets are as follows:
MNAPIReadSocketPath "/var/run/dynamics_mn_read"
MNAPIReadSocketGroup "root"
MNAPIReadSocketOwner "root"
MNAPIReadSocketPermissions 0666
#
MNAPIAdminSocketPath "/var/run/dynamics_mn_admin"
MNAPIAdminSocketGroup "root"
MNAPIAdminSocketOwner "root"
MNAPIAdminSocketPermissions 0700
#
# Every configuration file must end with the keyword 'END'.
END
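The SharedSecret format rule (HEX number string or double-quoted character string) and the AuthenticationAlgorithm table in the file above, turned into a small verifier as an added example; this is not Dynamics code. The registration request body is constructed, and the extension layout the authenticator covers (type 32 for Mobile-Home, a length value of 20, then the SPI) is assumed from RFC 2002 rather than taken from the page.

```python
import hashlib
import hmac

# Added example, not Dynamics code: parses a SharedSecret value as the file's
# comments describe it and computes/verifies the MN-HA authenticator for the
# algorithm ids 1, 4 and 6 listed under AuthenticationAlgorithm.

def parse_shared_secret(value: str) -> bytes:
    """'"ABCDE"' and '4142434445' both yield b'ABCDE', as the file's comment states."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode("ascii")            # character string form
    if len(value) % 2:
        raise ValueError("hex shared secret needs an even number of hex digits")
    return bytes.fromhex(value)                         # HEX number string form

def authenticator(algorithm: int, key: bytes, protected: bytes) -> bytes:
    """Authenticator of the MN-HA authentication extension for one algorithm id."""
    if algorithm == 1:
        # keyed-MD5 "prefix+suffix" (RFC 2002): MD5(secret || data || secret).
        # Kept for old peers only; the file itself recommends HMAC instead.
        return hashlib.md5(key + protected + key).digest()
    if algorithm == 4:
        return hmac.new(key, protected, hashlib.md5).digest()    # HMAC-MD5, RFC 2104
    if algorithm == 6:
        return hmac.new(key, protected, hashlib.sha1).digest()   # HMAC-SHA1, RFC 2104
    raise ValueError(f"unsupported AuthenticationAlgorithm {algorithm}")

def verify(algorithm: int, key: bytes, protected: bytes, received: bytes) -> bool:
    """HA-side check; constant-time compare so timing does not leak how much matched."""
    return hmac.compare_digest(authenticator(algorithm, key, protected), received)

def demo() -> tuple:
    """Constructed sample using SPI 998 and SharedSecret "soydriza" from the file."""
    key = parse_shared_secret('"soydriza"')
    spi = 998
    # Constructed 16-byte registration request body, not a real Mobile IP packet.
    request = b"\x01" + b"\x00" * 15
    # Per RFC 2002 the authenticator covers the message plus this extension's
    # type (32 = Mobile-Home), length and SPI; the length value 20 is assumed.
    protected = request + bytes([32, 20]) + spi.to_bytes(4, "big")
    tag = authenticator(4, key, protected)
    genuine = verify(4, key, protected, tag)
    tampered = verify(4, key, protected[:-1] + b"\xff", tag)    # last SPI byte altered
    return genuine, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```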