Last, but by no means least, is integration of IPSec into the mobile router solution. In Chapter 6, you learned that Mobile IP and IPSec complement each other and you saw some of the specific considerations for their deployment. Now it is time to address the piece that was previously not covered: the Mobile Node. In many mobile router deployments, the mobile network is treated like a mobile branch office. In this case, all nodes attached to the mobile network are expected to communicate with an enterprise-based application without each node establishing its own VPN session. In a branch office scenario, the edge router establishes a single VPN tunnel across the public network to the corporate network, and the same can be done with a mobile router. Figure 7-19 shows how the mobile router runs IPSec over Mobile IP. The Home Agent is outside the private network, and the IPSec tunnel is terminated by a VPN device that straddles the internal and external networks. This is a simplified example. In reality, this solution is easily integrated into standard DMZ architectures by placing the Home Agent on the Demilitarized Zone (DMZ) and using existing VPN concentrators.
Figure 7-19. Mobile Router with IPSec
Configuration of IPSec on the mobile router is different from standard IPSec configuration. IOS IPSec encapsulation happens on the egress interface of the router. However, because the mobile router changes the interface on which packets are sent out, and those interfaces might not have stable or even valid addresses, you cannot apply the crypto map to the roaming interfaces directly. The trick is to use the loopback interface on which the Home Address is configured. Because the Home Address is constant and always reachable, it is the ideal address to use for the IPSec endpoint. To make this work, however, every packet that is to be encrypted must egress that interface. Fortunately, loopback interfaces do just that; they loop traffic back. That is, traffic sent out a loopback interface comes back in and is passed through standard routing again. To take advantage of this behavior, the "set interface" target of policy routing takes the traffic arriving from the mobile network that matches the policy access list and "loops it back" through the loopback interface. With the crypto map applied to the loopback interface, that traffic is encrypted and then re-enters the router for standard forwarding. At this point, the encrypted traffic is forwarded through the FA or, more likely, through a reverse tunnel. Two details deserve attention. First, the access list referenced by the route map and the access list referenced by the crypto map must select the same traffic: anything the route map loops back but the crypto map does not match is forwarded in the clear after the loop, and anything the crypto map would match but the route map does not loop back never reaches the loopback interface and is also sent in the clear. Second, only traffic from the mobile network to the corporate destinations should be policy routed; the rest is forwarded normally. From an inbound perspective, the encrypted packets are addressed to the Home Address, so they are delivered to the loopback interface and decrypted automatically by the same crypto map when they reach the mobile router.
Example 7-3 shows the configuration for a mobile router running IPSec. It is beyond the scope of this book to cover the configuration of IPSec in general; the points to note are that the crypto map is applied to the loopback interface carrying the Home Address, that the route map used for policy routing sets that loopback as its target interface, and that the route map and the crypto map both reference access list 101. The ISAKMP policy, transform set (DES, MD5, SHA), and the sample pre-shared and Mobile IP keys shown are for illustration only; a production deployment should use the strongest algorithms and properly managed keys supported by the platform.
Example 7-3. Mobile Router Running IPSec
hostname MobileRouter
!
crypto isakmp policy 15
 hash md5
 group 2
 lifetime 5000
!
crypto isakmp policy 20
 authentication pre-share
 lifetime 10000
crypto isakmp key 1234567890 address 192.168.101.1
!
!
crypto ipsec transform-set ts1 esp-des esp-sha-hmac
!
! Crypto map: peer is the corporate VPN device, traffic selected by ACL 101
crypto map tocorp 10 ipsec-isakmp
 set peer 192.168.101.1
 set transform-set ts1
 match address 101
!
! The Home Address lives on the loopback; the crypto map is applied here
interface Loopback0
 description Home Address
 ip address 192.168.50.1 255.255.255.255
 no ip mroute-cache
 crypto map tocorp
!
! Mobile network: policy routing loops matching traffic through Loopback0
interface FastEthernet0/1
 description Mobile Network
 ip address 192.168.30.1 255.255.255.0
 ip policy route-map cryptotraffic
 duplex auto
 speed auto
!
interface FastEthernet1/0
 description Roaming Interface
 ip address 188.8.131.52 255.255.255.0
 ip mobile router-service roam
 ip mobile router-service solicit
 duplex half
!
interface FastEthernet2/0
 description Roaming Interface
 no ip address
 ip mobile router-service roam priority 10
 ip mobile router-service solicit
 duplex half
!
router mobile
!
ip mobile secure home-agent 192.168.101.2 spi 100 key ascii cisco
ip mobile router
 address 192.168.50.1 255.255.255.0
 home-agent 192.168.101.2
!
!
! Same ACL is used by the crypto map and by the policy route map
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map cryptotraffic permit 10
 match ip address 101
 set interface Loopback0
!
end
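The loopback trick described above works only if the policy route map, the crypto map, and the Home Address are wired together consistently. The following check is an added example and is not part of the book or of Cisco IOS: it reads the relevant statements of an IOS-style configuration with a small, hypothetical parser (the regular expressions understand only the statements this check needs) and reports the mismatches that would leak mobile-network traffic in the clear. The sample configurations are constructed from Example 7-3; the second one deliberately widens the crypto ACL to a second destination network (192.168.110.0/24) without updating the route map.

```python
"""Consistency check for the loopback-based IPSec-over-Mobile-IP pattern.

Added example, not from the book. Verifies that (1) the policy route map
sends traffic to the interface carrying the crypto map, (2) the route-map
ACL and the crypto-map ACL select the same traffic, and (3) that interface
carries the Home Address configured under 'ip mobile router'.
"""
import re

TOP = {  # statement that opens an IOS sub-mode -> section kind (hypothetical parser)
    r"interface (\S+)$": "if",
    r"route-map (\S+) permit \d+$": "rm",
    r"crypto map (\S+) \d+ ipsec-isakmp$": "cm",
    r"(ip mobile router)$": "mr",
}
SUB = {  # sub-mode statement -> attribute recorded on the open section
    "if": {r"ip address (\S+) \S+$": "address", r"crypto map (\S+)$": "crypto_map",
           r"ip policy route-map (\S+)$": "policy"},
    "rm": {r"match ip address (\S+)$": "match_acl", r"set interface (\S+)$": "set_interface"},
    "cm": {r"match address (\S+)$": "match_acl"},
    "mr": {r"address (\S+) \S+$": "address"},
}


def parse_config(text):
    """Return ({(kind, name): {attr: value}}, {acl: set(entries)}) for the statements we need."""
    sections, acls, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"access-list (\S+) ((?:permit|deny) .+)$", line):
            acls.setdefault(m.group(1), set()).add(m.group(2))
            continue
        for pat, kind in TOP.items():          # does this line open a new section?
            if m := re.match(pat, line):
                ctx = (kind, m.group(1))
                sections.setdefault(ctx, {})
                break
        else:                                  # otherwise interpret it inside the open section
            for pat, key in (SUB[ctx[0]] if ctx else {}).items():
                if m := re.match(pat, line):
                    sections[ctx][key] = m.group(1)
    return sections, acls


def check(sections, acls):
    """Return a list of findings; an empty list means the pattern is wired up consistently."""
    findings = []
    ifaces = {n: p for (k, n), p in sections.items() if k == "if"}
    home = sections.get(("mr", "ip mobile router"), {}).get("address")
    for ifname, props in ifaces.items():
        if "policy" not in props:
            continue  # not a policy-routed (mobile network) interface
        rm = sections.get(("rm", props["policy"]), {})
        target = rm.get("set_interface")
        tprops = ifaces.get(target, {})
        if "crypto_map" not in tprops:
            findings.append(f"{ifname}: route-map {props['policy']} loops traffic to {target}, which has no crypto map")
            continue
        if tprops.get("address") != home:
            findings.append(f"{target}: address {tprops.get('address')} differs from the Home Address {home}")
        cm = sections.get(("cm", tprops["crypto_map"]), {})
        pol, cry = acls.get(rm.get("match_acl"), set()), acls.get(cm.get("match_acl"), set())
        for e in sorted(pol - cry):
            findings.append(f"'{e}' is policy-routed to {target} but not in the crypto ACL: looped, then forwarded unencrypted")
        for e in sorted(cry - pol):
            findings.append(f"'{e}' is in the crypto ACL but not policy-routed: never reaches {target}, sent in the clear")
    return findings


# Constructed sample: the statements of Example 7-3 that matter for the check.
BOOK_CONFIG = """\
crypto map tocorp 10 ipsec-isakmp
 set peer 192.168.101.1
 match address 101
!
interface Loopback0
 ip address 192.168.50.1 255.255.255.255
 crypto map tocorp
!
interface FastEthernet0/1
 ip address 192.168.30.1 255.255.255.0
 ip policy route-map cryptotraffic
!
interface FastEthernet1/0
 ip address 188.8.131.52 255.255.255.0
 ip mobile router-service roam
!
ip mobile router
 address 192.168.50.1 255.255.255.0
 home-agent 192.168.101.2
!
access-list 101 permit ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map cryptotraffic permit 10
 match ip address 101
 set interface Loopback0
"""

# Constructed failure case: crypto map widened to ACL 102, route map still on ACL 101.
BROKEN_CONFIG = BOOK_CONFIG.replace("match address 101", "match address 102") + """\
access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.30.0 0.0.0.255 192.168.110.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, cfg in (("Example 7-3", BOOK_CONFIG), ("widened crypto ACL", BROKEN_CONFIG)):
        print(name, check(*parse_config(cfg)) or ["consistent"])
```

Run as a script, the first configuration reports "consistent" and the second reports the 192.168.110.0/24 entry as matched by the crypto map but never policy routed, which is exactly the case where the mobile router would forward that traffic unencrypted through the reverse tunnel. The comparison is entry-by-entry on the ACL text, so it catches the common mistake of editing one access list and forgetting the other; it does not attempt to reason about overlapping prefixes.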