Online Help for Cisco IOS Release 12.2(15)JA

Services: Proxy Mobile IP - Advanced
 

You must specify a security association for the mobile device in order to use proxy Mobile IP. The security association can be specified locally on the access point with this window or can be specified externally on the RADIUS server.

All potential mobile devices and their corresponding home agents must have security associations. The security association can be configured locally from this page or through an authentication, authorization, and accounting (AAA) server (configured on the Security/Server Manager window). Security associations are used to authenticate the mobile client in proxy Mobile IP messages to the home agent. If the AAA server is configured with the SA bindings, nothing needs to be configured on this page. If the SA bindings are configured locally, enter security association information for one IP address or a range of IP addresses on this page.

Tunneling

The access point uses the security association information, the visiting client's IP address, and the information that it learns from the foreign agent advertisements to form a Mobile IP registration request on behalf of the visiting client. It sends the registration request to the visiting client's home agent through the foreign agent. The foreign agent checks the validity of the registration request, which includes verifying that the requested lifetime does not exceed its limitations and that the requested tunnel encapsulation is available. If the registration request is valid, the foreign agent relays the request to the home agent.

During the agent discovery phase, the home agent and foreign agent advertise their services on the network by using the ICMP Router Discovery Protocol (IRDP). The access point reacts to these advertisements.

The IRDP advertisements carry Mobile IP extensions that specify whether an agent is a home agent, foreign agent, or both; its care-of address; the types of services it provides, such as reverse tunneling and generic routing encapsulation (GRE); and the allowed registration lifetime or roaming period for visiting client devices.

Enable GRE encapsulation in the Registration Request

The access point requests GRE encapsulation in all mobile node (MN) registration requests. This configuration ensures that the forward tunnel set up from the home agent to the foreign agent uses GRE encapsulation. By default, this configuration is not enabled on the access point; enabling it selects GRE encapsulation instead of IPinIP encapsulation.

Enable Reverse Tunnel in the Registration Request

The access point requests a reverse tunnel in all MN registration requests. If the foreign agent is configured for reverse tunnel, then a tunnel is also set up from the foreign agent to the home agent. All packets sent from the foreign network to anywhere on the network are first sent to the home agent on this reverse tunnel and then onward to their true destinations. By default, this configuration is not enabled on the access point.

Security Association Bindings

Current SA Bindings List

Displays the range of IP addresses in the security association bindings that are currently set.

New/Edit SA Binding

This section enables you to enter security association information for one IP address or a range of IP addresses.

IP Address Range

Enter the starting and ending IP addresses in the range. The starting IP address must be lower than the ending address.

Security Parameter Index

Supply an index that identifies a security context between a pair of nodes.

Key

Include the shared encryption key. Indicate whether it is represented in ASCII or Hexadecimal.
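
The Python example below is added here and is not part of the Cisco help text or of Cisco's code. It forms a registration request carrying the GRE and reverse-tunnel flags described under Tunneling and authenticates it with the SPI and key of an SA binding, assuming the RFC 3344 message layout and its default HMAC-MD5 authenticator (this page does not state which algorithm the access point uses); all function names and sample values are constructed.

```python
# Assumption: RFC 3344 message layout and default HMAC-MD5, not taken from this page.
import hashlib, hmac, ipaddress, struct

FLAG_G, FLAG_T = 0x08, 0x02   # GRE encapsulation; reverse tunnel (RFC 3024)
MH_AUTH = 32                  # Mobile-Home Authentication Extension type
FIXED = "!BBH4s4s4sQ"         # type, flags, lifetime, home, HA, care-of, identification

def parse_key(text, encoding):
    """Key bytes from the ASCII or hexadecimal form entered in the binding."""
    if encoding not in ("ascii", "hex"):
        raise ValueError("encoding must be 'ascii' or 'hex'")
    return bytes.fromhex(text) if encoding == "hex" else text.encode("ascii")

def check_binding(start, end, spi):
    """Reject a reversed address range or an SPI in RFC 3344's reserved 0-255."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        raise ValueError("starting address is higher than ending address")
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI outside 256..0xFFFFFFFF")
    return lo, hi

def build_request(home, agent, care_of, lifetime, ident, spi, key, gre, reverse):
    """Registration request formed on behalf of a visiting client."""
    flags = (FLAG_G if gre else 0) | (FLAG_T if reverse else 0)
    addrs = [ipaddress.IPv4Address(a).packed for a in (home, agent, care_of)]
    body = struct.pack(FIXED, 1, flags, lifetime, *addrs, ident)
    body += struct.pack("!BBI", MH_AUTH, 4 + 16, spi)  # MAC covers up to the SPI
    return body + hmac.new(key, body, hashlib.md5).digest()

def verify_request(msg, bindings):
    """Home-agent side: find the binding for the home address, check the MAC."""
    n = struct.calcsize(FIXED)
    if len(msg) != n + 22 or msg[n:n + 2] != bytes([MH_AUTH, 20]):
        return False
    home = ipaddress.IPv4Address(msg[4:8])
    spi = struct.unpack("!I", msg[n + 2:n + 6])[0]
    for lo, hi, b_spi, key in bindings:
        if lo <= home <= hi and b_spi == spi:
            want = hmac.new(key, msg[:n + 6], hashlib.md5).digest()
            return hmac.compare_digest(want, msg[n + 6:])
    return False

if __name__ == "__main__":  # constructed sample: documentation addresses, made-up key
    key = parse_key("00112233445566778899aabbccddeeff", "hex")
    lo, hi = check_binding("192.0.2.10", "192.0.2.20", 0x100)
    msg = build_request("192.0.2.15", "198.51.100.1", "203.0.113.1",
                        1800, 0x1122334455667788, 0x100, key, True, True)
    print(msg.hex(), verify_request(msg, [(lo, hi, 0x100, key)]))
```

Because the authenticator covers the flags byte, a request whose GRE or reverse-tunnel bit is altered in transit fails verification at the home agent.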

 

See Also: Services: Proxy Mobile IP - General Set-up, Services: Proxy Mobile IP - Subnet Table, Services: Proxy Mobile IP - Statistics