Mobile IP with VTUN

This page describes how to set up mobile IP for a mobile host running RedHat Linux 9 using the VTUN package.

Mobile IP in the context of this page refers to the ability of a mobile host to retain the same IP address regardless of its location in the network. This has nothing to do with the protocols being developed by the IETF Mobile IP working group. On this page, mobile IP is implemented by using a home agent to forward packets to and from the mobile host. One of the benefits of using mobile IP is that your TCP connections do not die if your DHCP server gives you a different IP address, or you move between different networks (such as wired and wireless).

Note that this setup has only been tested with DHCP-configured interfaces; it's unknown what other changes may be required (if any) to run mobile IP over a statically-configured interface.

Here is a picture of the network configuration that the instructions below try to achieve. You should change all the configuration files to reflect your own IP addresses.

The dummy0 interface on the mobile host keeps the mobile IP address configured (and reachable locally) on the mobile host even when the tunnel is down. There is also a low-precedence default route pointing to dummy0, which ensures that applications do not get host unreachable errors while the tunnel is being reconfigured: packets that fall through to that route are silently discarded rather than rejected, so existing TCP connections simply retransmit once the tunnel is back up.

Here are the steps to set up this mobile IP configuration under RedHat Linux 9:

  1. First, you need to install VTUN software. You don't need to install the init script on the mobile host (client), but you do need to install it on the home agent (server).

  2. Download the client VTUN config file and the server VTUN config file, and install them on the client and server, respectively, as /usr/local/etc/vtund.conf. You need to edit both configuration files and change clientname, your-password, and the mobile IP address, which should be in the same subnet as the home agent (server). The password is the shared secret that authenticates the mobile host to the home agent, so pick a strong one and keep vtund.conf readable by root only. You can leave the other IP address (10.231.11.1) as-is.

  3. If you are running iptables or some other firewall on the home agent (server), you will need to allow access to TCP and UDP port 5000 (vtund's default port; the client connects to it over TCP, and with proto udp the tunnel data then flows over UDP). For instance, these rules in /etc/sysconfig/iptables (iptables-save format; block is the chain name used here, so adapt it to your own ruleset) might help:
    # new TCP connections to vtund's listening port
    -A block -p tcp -m tcp --dport 5000 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    # UDP tunnel traffic
    -A block -p udp --dport 5000 -j ACCEPT
    -A block -p udp --sport 5000 -j ACCEPT
    Note that the last rule accepts any inbound UDP datagram whose source port is 5000, and a remote sender can choose its source port freely. Keep it only if your tunnel actually needs it, and if your kernel has connection tracking, prefer restricting it to established flows (-m state --state ESTABLISHED) or to the networks your mobile host roams in.
    
  4. Start the VTUN daemon on the home agent (server), e.g. by running /etc/init.d/vtund start as root. At this point, you should be done with the home agent (server) configuration.

  5. Install two scripts on the client machine, /sbin/ifup-local and /sbin/ifdown-local. Also, download and install /etc/sysconfig/network-scripts/ifcfg-dummy0. You need to edit /etc/sysconfig/network-scripts/ifcfg-dummy0 to specify your mobile IP address.

  6. Apply this patch to /sbin/ifup to prevent an innocuous error message (or download the full patched version of /sbin/ifup).

  7. Apply this patch to /sbin/dhclient-script so that DHCP installs only a host route to the home agent rather than a default route (or download the full patched version of /sbin/dhclient-script). That way only the tunnel's own packets leave directly over the physical interface, and everything else goes through the tunnel. You need to edit /sbin/dhclient-script and change the DEFAULTROUTE variable to the address of your home agent (server).

  8. Lastly, install /sbin/vtun-client. Edit this file to specify the name of your tunnel (from the vtund.conf file) and the address of your home agent (server).

At this point, you can try bringing down the interfaces on your mobile host and bringing them back up (e.g. ifdown eth0 followed by ifup eth0). The modified dhclient-script should install a host route for your home agent (server) in the routing table, and run vtund to set up the tunnel. If vtund succeeds in setting up the tunnel, it will install a default route going over the tunnel device.
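The mobile-host side of steps 5 through 8 as one script, added here as an example; it is not the page's own ifup-local, dhclient-script patch or vtun-client, which are downloads that are not reproduced on this page. It assumes 10.0.0.1 for the home agent and 10.0.0.99 for the mobile IP, the session name clientname, iproute2's ip command in place of the route/ifconfig calls RedHat's scripts use, and that the client's vtund.conf up block does what tun_up_block does. Set DRY_RUN=1 to print the commands instead of running them (everything else needs root).

```shell
#!/bin/sh
# Added example, not the page's own scripts: the mobile-host side of the setup
# in one place. Assumed (not from the page): the addresses below, the session
# name "clientname", iproute2 "ip" instead of route/ifconfig, and that the
# client's vtund.conf "up" block does what tun_up_block does.
# DRY_RUN=1 prints the commands instead of executing them.

HOME_AGENT="${HOME_AGENT:-10.0.0.1}"   # home agent (server) address, assumed
MOBILE_IP="${MOBILE_IP:-10.0.0.99}"    # mobile IP in the home agent's subnet, assumed
TUN_PEER="10.231.11.1"                 # server end of the tunnel (from the page)
TUNNEL="${TUNNEL:-clientname}"         # session name in vtund.conf, assumed
TUN_METRIC=10                          # default route over the tunnel wins ...
DUMMY_METRIC=100                       # ... over the low-precedence dummy0 fallback

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Step 5: dummy0 keeps the mobile IP configured while the tunnel is down and
# supplies the fallback default route. Packets routed to dummy0 are silently
# dropped, so applications see a stall, not "host unreachable", while vtund
# reconnects.
dummy_up() {
    run ip link set dummy0 up
    run ip addr replace "$MOBILE_IP/32" dev dummy0
    run ip route replace default dev dummy0 metric "$DUMMY_METRIC"
}

# Step 7: what the patched dhclient-script installs when DHCP hands out a
# router: a host route to the home agent only, never a default route, so only
# the tunnel's own packets use the visited network. This route must exist
# before vtund starts; otherwise packets for the home agent would follow the
# default route into the tunnel and try to reach the home agent through itself.
dhcp_up() {
    router="$1"; iface="$2"
    run ip route replace "$HOME_AGENT/32" via "$router" dev "$iface"
}

dhcp_down() {
    run ip route del "$HOME_AGENT/32"
}

# Step 8: vtun-client. -p makes vtund reconnect when the connection drops.
tunnel_up() {
    run vtund -p "$TUNNEL" "$HOME_AGENT"
}

# What the client's vtund.conf "up" block has to do once the tun device exists:
# put the mobile IP on it, point it at the server end, and add a default route
# whose metric beats dummy0's.
tun_up_block() {
    dev="$1"
    run ip addr replace "$MOBILE_IP" peer "$TUN_PEER/32" dev "$dev"
    run ip link set "$dev" up mtu 1450
    run ip route replace default dev "$dev" metric "$TUN_METRIC"
}

# Usage: "up ROUTER IFACE" from the DHCP hook (dhclient-script's $new_routers
# and $interface), "down" from the ifdown hook.
case "${1:-}" in
    up)
        [ $# -eq 3 ] || { echo "usage: $0 up ROUTER IFACE" >&2; exit 2; }
        dummy_up; dhcp_up "$2" "$3"; tunnel_up ;;
    down)
        dhcp_down ;;
esac
```

The home-agent side is left out: for hosts on the home network to reach the mobile IP, the home agent needs a host route for it over its end of the tunnel and has to answer ARP for it on the LAN (proxy ARP), which is what the page's server vtund.conf is for. Running with DRY_RUN=1 up 192.168.1.1 eth0 is a quick way to check the route commands before trusting them with a live tunnel.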

If something goes wrong with vtund setting up the tunnel, check your syslog (e.g. /var/log/messages); vtund is usually pretty good at logging useful error information there, on both the home agent (server) and the mobile host (client).

You may want to double-check that your /etc/sysconfig/network-scripts/ifcfg-XXX files have PEERDNS set to no, so that DHCP does not rewrite /etc/resolv.conf; there is no good reason to use the DNS servers supplied by the visited network's DHCP server if your traffic is going through the tunnel, and doing so hands your name resolution to whatever network you happen to be on.

If you have multiple interfaces up at the same time, the Linux routing code appears to choose the most recently added route. As a result, your mobile IP traffic will use the most recently activated interface.