IPSec and the Mobile Router

Last, but by no means least, is integration of IPSec into the mobile router solution. In Chapter 6, you learned that Mobile IP and IPSec complement each other and you saw some of the specific considerations for their deployment. Now it is time to address the piece that was previously not covered: the Mobile Node. In many mobile router deployments, the mobile network is treated like a mobile branch office. In this case, all nodes attached to the mobile network are expected to reach enterprise applications without each node establishing its own VPN session. In a branch office, the edge router establishes a single VPN tunnel back to the corporate network on behalf of every host behind it; the mobile router can do the same. Figure 7-19 shows how the mobile router runs IPSec over Mobile IP. The Home Agent sits outside the private network, and the IPSec tunnel terminates on a VPN device that straddles the internal and external networks. This is a simplified example. In practice, the solution fits standard DMZ architectures: the Home Agent is placed on the Demilitarized Zone (DMZ) and the existing VPN concentrators terminate the tunnels.

Figure 7-19. Mobile Router with IPSec

Configuration of IPSec on the mobile router differs from a standard IPSec configuration. In IOS, IPSec encapsulation is performed by the crypto map on the interface a packet egresses. A mobile router, however, changes the interface on which packets are sent out as it roams, and those roaming interfaces might have no usable address of their own, so you cannot apply the crypto map to them directly. The trick is to use the loopback interface on which the Home Address is configured. Because the Home Address is constant and always available, it is the ideal address for the IPSec endpoint. For this to work, though, all traffic to be protected must egress that interface. Fortunately, loopback interfaces do exactly that: traffic sent out a loopback interface comes back in and is passed through standard routing again. To take advantage of this behavior, policy routing with a "set interface" target takes traffic arriving from the mobile network and loops it through the loopback interface. With the crypto map applied to the loopback, that traffic is encrypted and then re-enters the forwarding path as ESP packets sourced from the Home Address. From there it is forwarded through the FA or, more likely, through a reverse tunnel to the Home Agent, since a packet whose source is the Home Address would otherwise fail ingress filtering on the visited network. Inbound, traffic addressed to the Home Address is decrypted automatically when it reaches the mobile router.

Example 7-3 shows the configuration for a mobile router running IPSec. A full treatment of IPSec configuration is beyond the scope of this book; the two parts to note are the crypto map applied to Loopback0 and the route map, applied to the mobile network interface, that policy-routes matching traffic into that loopback. The ISAKMP policy, transform set, and keys in the example (MD5, single DES, group 2, and trivially guessable pre-shared keys) are illustrative only and should not be carried into a production deployment, which would use AES, SHA-2, a stronger Diffie-Hellman group, and strong keys for both IKE and the Mobile IP security association.

Example 7-3. Mobile Router Running IPSec
 hostname MobileRouter
 !
 crypto isakmp policy 15
  hash md5
  group 2
  lifetime 5000
 !
 crypto isakmp policy 20
  authentication pre-share
  lifetime 10000
 crypto isakmp key 1234567890 address
 !
 crypto ipsec transform-set ts1 esp-des esp-sha-hmac
 !
 crypto map tocorp 10 ipsec-isakmp
  set peer
  set transform-set ts1
  match address 101
 !
 interface Loopback0
  description Home Address
  ip address
  no ip mroute-cache
  crypto map tocorp
 !
 interface FastEthernet0/1
  description Mobile Network
  ip address
  ip policy route-map cryptotraffic
  duplex auto
  speed auto
 !
 interface FastEthernet1/0
  description Roaming Interface
  ip address
  ip mobile router-service roam
  ip mobile router-service solicit
  duplex half
 !
 interface FastEthernet2/0
  description Roaming Interface
  no ip address
  ip mobile router-service roam priority 10
  ip mobile router-service solicit
  duplex half
 !
 router mobile
 !
 ip mobile secure home-agent spi 100 key ascii cisco
 ip mobile router
  address
  home-agent
 !
 access-list 101 permit ip
 !
 route-map cryptotraffic permit 10
  match ip address 101
  set interface Loopback0
 !
 end
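The pattern in Example 7-3 has three pieces that must agree: the crypto map on the loopback holding the Home Address, the route map on the mobile network interface that sets that loopback as its target, and an ACL that is the same in both places. The following Python lint, added here as an example and not taken from the book or from Cisco, checks a mobile-router configuration for exactly those relationships and also flags the weak algorithms and short keys discussed above. The embedded sample configuration is constructed: it follows the shape of Example 7-3 with RFC 5737 addresses in place of the values the book leaves blank, and the weak-algorithm list is an assumed policy rather than anything the book states.

```python
"""Lint a Cisco IOS mobile-router config for the IPSec-over-loopback pattern on this
page and flag weak crypto. Added example, not from the book or Cisco; addresses constructed."""
import re

# Constructed sample shaped like Example 7-3; RFC 5737 addresses fill the blanks.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
 hash md5
 group 2
crypto isakmp key 1234567890 address 203.0.113.1
crypto ipsec transform-set ts1 esp-des esp-sha-hmac
crypto map tocorp 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ts1
 match address 101
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 crypto map tocorp
interface FastEthernet0/1
 ip policy route-map cryptotraffic
ip mobile secure home-agent 203.0.113.2 spi 100 key ascii cisco
ip mobile router
 address 192.0.2.1 255.255.255.255
 home-agent 203.0.113.2
access-list 101 permit ip 198.51.100.0 0.0.0.255 10.0.0.0 0.255.255.255
route-map cryptotraffic permit 10
 match ip address 101
 set interface Loopback0
"""

# Algorithms a current deployment should not negotiate (assumed policy, not the book's).
WEAK = {"esp-des": "single DES", "hash md5": "MD5 for IKE", "group 2": "1024-bit DH"}

def parse_blocks(text):
    """Split IOS config into (command, [indented sub-commands]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint(text):
    """Return (structural_findings, crypto_findings) for one config text."""
    structural, crypto = [], []
    cmap_acl, iface_cmap, iface_policy, iface_addr, rmaps = {}, {}, {}, {}, {}
    home_addr = None
    for header, sub in parse_blocks(text):
        words = header.split()
        if words[:2] == ["crypto", "map"] and "ipsec-isakmp" in words:
            for line in sub:
                if line.startswith("match address "):
                    cmap_acl[words[2]] = line.split()[2]
        elif words[0] == "interface":
            for line in sub:
                if line.startswith("crypto map "):
                    iface_cmap[words[1]] = line.split()[2]
                elif line.startswith("ip policy route-map "):
                    iface_policy[words[1]] = line.split()[3]
                elif line.startswith("ip address "):
                    iface_addr[words[1]] = line.split()[2]
        elif words[0] == "route-map":
            rm = rmaps.setdefault(words[1], {})
            for line in sub:
                if line.startswith("match ip address "):
                    rm["acl"] = line.split()[3]
                elif line.startswith("set interface "):
                    rm["iface"] = line.split()[2]
        elif header == "ip mobile router":
            for line in sub:
                if line.startswith("address "):
                    home_addr = line.split()[1]
        # Weak algorithms anywhere, and short or numeric cleartext keys (IKE PSK, Mobile IP SA).
        for line in [header] + sub:
            for token, why in WEAK.items():
                if re.search(rf"\b{re.escape(token)}\b", line):
                    crypto.append(f"weak algorithm, {why}: '{line}'")
        key = re.search(r"(?:isakmp key|key ascii) (\S+)", header)
        if key and (key.group(1).isdigit() or len(key.group(1)) < 16):
            crypto.append(f"short or numeric key: '{header}'")
    # The crypto map belongs on the loopback that carries the Home Address.
    for iface, cmap in iface_cmap.items():
        if not iface.lower().startswith("loopback"):
            structural.append(f"crypto map {cmap} is on {iface}, not on the Home Address loopback")
        elif home_addr and iface_addr.get(iface) != home_addr:
            structural.append(f"{iface} carries crypto map {cmap} but not the Home Address {home_addr}")
    # Policy routing must land on that loopback, and the route-map ACL must equal the
    # crypto-map ACL, or traffic looped through the loopback can leave in the clear.
    for iface, name in iface_policy.items():
        rm = rmaps.get(name, {})
        cmap = iface_cmap.get(rm.get("iface"))
        if cmap is None:
            structural.append(f"{iface}: route-map {name} sets interface {rm.get('iface')}, which has no crypto map")
        elif cmap_acl.get(cmap) != rm.get("acl"):
            structural.append(f"route-map {name} matches ACL {rm.get('acl')} but crypto map {cmap} matches ACL {cmap_acl.get(cmap)}")
    return structural, crypto
```

Running lint(SAMPLE_CONFIG) returns no structural findings, because the sample wires the three pieces together correctly, but five crypto findings: single DES, MD5, group 2, the numeric IKE pre-shared key, and the five-character Mobile IP key. Pointing the route map at a physical interface, or using a different ACL in the route map than in the crypto map, produces a structural finding, which is the misconfiguration that would silently send mobile network traffic out unencrypted.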

    Mobile IP Technology and Applications
    ISBN: 158705132X
    Year: 2005
    Pages: 124
