IP Security Installation

The IP Security feature in AIX is separately installable and loadable. The filesets that need to be installed are:

• bos.net.ipsec.rte
• bos.msg.LANG.net.ipsec (where LANG is the desired language, such as en_US)

and either

• bos.crypto for CDMF support (40-bit key Commercial Data Masking Facility available on the World Trade Accessory Pack)

  OR

• bos.crypto-us for DES (56-bit Data Encryption Standard available on the U.S. Accessory Pack)
• bos.crypto-priv for Triple DES support (available in U.S. and Canada only)

Once installed, IP Security can be separately loaded for IP Version 4 and IP Version 6. This is accomplished by issuing mkdev commands or through the IP Security SMIT menus.

Loading IP Security

Note: Loading IP Security will enable the filtering function. Therefore, before loading, it is important to ensure the correct filter rules are created, or all outside communication may be blocked. Also, be sure to install the cryptographic modules before loading the IP Security kernel extension.

First, it is important to decide the desired default action for packets that are not secure: permit or deny.

1. To enable the default filter action, use the -z to indicate permit or deny. You can also use the SMIT fast path smit ipsec4 (for IP Version 4) or smit ipsec6 (for IP Version 6) to perform these actions.
   • To permit non-secure traffic:

     mkfilt -u -i -z p

   • To deny non-secure traffic:

     mkfilt -u -i -z d

2. Load IP Security with one of the following commands:
   • For IP V4:

     mkdev -c ipsec -t 4

   • For IP V6:

     mkdev -c ipsec -t 6

This procedure loads the IP Security devices. If the loading completed successfully, the lsdev command will show the IP Security devices as available. For example:

 > lsdev -C -c ipsec
   ipsec_v4 Available IP Version 4 Security Extension
   ipsec_v6 Available IP Version 6 Security Extension

Once the IP Security kernel extension has been loaded, tunnels and filters are ready to be configured.