[ Previous | Next | Contents | Glossary | Home | Search ]
AIX Version 4.3 Commands Reference, Volume 1

chtun Command

Purpose

Changes a tunnel definition.

Syntax

chtun -t tunnel_ID -v {4|6} [-s src_host_IP_address] [-d dst_host_IP_address] [-m pkt_mode] [-f fw_address [-x dst_mask]] [-e src_esp_algo] [-a src_ah_algo]] [-p src_policy] [-E dst_esp_algo] [-A dst_ah_algo]] [-P dst_policy] [-l lifetime] [-k src_esp_key] [-h src_ah_key] [-K dst_esp_key] [-H dst_ah_key] [-r refresh] [-i {y|n}] [-n src_esp_spi] [-u src_ah_spi] [-N dst_esp_spi] [-U dst_ah_spi] [-b src_enc_mac_algo] [-c src_enc_mac_key] [-B dst_enc_mac_algo] [-C dst_enc_mac_key]

Description

Use the chtun command to change a definition of a tunnel between a local host and a tunnel partner host. If a flag is not specified, then the value given for the gentun command should stay the value for that field. It may also change the auto-generated filter rules created for the tunnel by the gentun command.

Flags

-t The tunnel identifier (ID), a locally unique, numeric identifier for a particular tunnel definition. The value must match an existing tunnel ID.
-s Source Host IP address, IP address of the local host interface to be used by the tunnel. A host name is also valid and the first IP address returned by name server for the host name will be used.
-d Destination Host IP address. For a host-host tunnel, this value is the IP address of the destination host interface to be used by the tunnel. For a host-firewall-host tunnel, this is the IP address of a destination host behind the firewall. A host name is also valid and the first IP address returned by the name server for the host name will be used.
-v The IP version for which the tunnel is created. For IP version 4 tunnels, use the value of 4. For IP version 6 tunnels, use the value of 6.
-m Secure Packet Mode. This value must be specified as tunnel or transport.
-f IP address of the firewall that is between source and destination hosts. A tunnel will be established between the source and the firewall. Therefore the corresponding tunnel definition must be made in the firewall host. A host name can also be specified with this flag, and the first IP address returned by name server for the host name will be used.

The -m flag is forced to use default value (tunnel) if -f is specified.

-x This flag is used for host-firewall-host tunnels. The value is the network mask for the secure network behind a firewall. The Destination host specified with the -d flag is a member of the secure network. The combination of the -d and -x flags allows source host communications with multiple hosts in the secure network through the source-firewall tunnel, which must be in tunnel Mode.

This flag is valid only when -f is specified.

-e Encryption algorithm, used by source host for IP packet encryption. The valid values for -e depend on which encryption algorithms have been installed on the host. The list of all encryption algorithms can be displayed by issuing the ipsescstat -E command. For IBM tunnels, this will apply to both inbound and outbound traffic in the tunnel.
-a Authentication algorithm, used by source host for IP packet authentication. The valid values for -a depend on which authentication algorithms have been installed on the host. The list of all authentication algorithms can be displayed by issuing the ipsecstat -A command. For IBM tunnels, this will apply to both inbound and outbound traffic in the tunnel.
-p Source policy, identifies how the IP packet authentication and/or encryption is to be used by source. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only. For IBM tunnels, this will apply to both inbound and outbound traffic in the tunnel.
-E (manual tunnel only) Encryption algorithm, which is used by the destination for IP packet encryption. The valid values for -E depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command. For IBM tunnels, this flag is invalid.
-A (manual tunnel only) Authentication algorithm, which is used by the destination for IP packet encryption. The valid values for -A depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. For IBM tunnels, this flag is invalid.
-P (manual tunnel only) Destination policy, identifies how the IP packet authentication and/or encryption is to be used by destination. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only. For IBM tunnels, this flag is invalid.
-l Key Lifetime, specified in minutes.

For IBM tunnels, this value indicates the time a session key may be used. The value specified affects performance of the tunnel. For example, the smaller the value, the more often a new key is computed and exchanged with the tunnel partner. Generally, values used for CDMF should be smaller than those used for DES due to the strength of the encryption algorithms.

A new session key is automatically generated after every session key lifetime expires. The generated session keys are used by the encryption and authentication algorithms. The old and new keys are valid for an overlapped period of time determined by the Session Key Refresh Overlap Time. This is so that messages generated with the old key, which are in-transit in the network, can be decrypted or validated on arrival even after a new key computation. If the key lifetime is n minutes, both the old key and new key are valid during the last Refresh Overlap Time minutes of the n minutes.

The valid values for IBM tunnels are 1 - 1440.

For manual tunnels, the value of this flag indicates the time of operability before the tunnel expires.

The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel will never expire.

-k The Key String for the source ESP. It is used by the source to create the tunnel as well as the session key if IBM tunnel is used. The input must be a hexdecimal string started with "0x".
-h The Key String for source AH. The input must be a hexdecimal string started with "0x".
-K The Key String for destination ESP. The input must be a hexdecimal string started with "0x".
-H The Key String for destination AH. The input must be a hexdecimal string started with "0x".
-r (IBM tunnel only) Session Key Refresh Overlap Time, determines the amount of overlap time of the new key start and an old key expiration. The value specified will be the amount of time in minutes that a previous session key will still be valid after a key refresh has been done. The value specified can not be greater than the Key Lifetime. The valid values are 1 - 720.
-i (IBM tunnel only) Initiator Flag, identifies which partner starts the session negotiations. Specifying a value of y causes the local host to try to initiate a session with the target host. That session is used to run the session key exchange protocol. A value of n causes the local host to wait for the target host to initiate the session key exchange. If both partners are identified as the tunnel initiator, a deadlock resolution algorithm resolves the conflict. At least one of the partners must be set as the initiator in order for the tunnel to operate.
-n (manual tunnel only) Security Parameter Index for source ESP. This SPI and the destination IP address is used to determine which security association to use for ESP.
-u (manual tunnel only) Security Parameter Index for source AH. This SPI and the destination IP address is used to determine which security association to use for AH.
-N (manual tunnel only) Security Parameter Index for the destination ESP.
-U (manual tunnel only) Security Parameter Index for the destination AH.
-y (manual tunnel only) Replay prevention flag. Replay prevention is valid only when the ESP or AH header is using the new header format (see the -z flag). The valid values for the -y flag are Y (yes) and N (no).
-z (manual tunnel only) New header format flag. The new header format reserves a field in ESP or AH header for replay prevention and also allows ESP authentication. The replay field is used only when the replay flag (-y) is set to Y. The valid values are Y (yes) and N (no).
-b (manual tunnel only) Source ESP Authentication Algorithm (New header format only). The valid values for -b depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-c (manual tunnel only) Source ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x".
-B (manual tunnel only) Destination ESP Authentication Algorithm (New header format only). The valid values for -B depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-C (manual tunnel only) Destination ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x".

Related Information

The gentun command, exptun command, imptun command, mktun command, rmtun command, and lstun command.


[ Previous | Next | Contents | Glossary | Home | Search ]