-t |
The tunnel identifier (ID), a locally unique, numeric identifier for a particular
tunnel definition. The value must match an existing tunnel ID. |
-s |
Source Host IP address, IP address of the local host interface to be used by the
tunnel. A host name is also valid and the first IP address returned by name server for the host name will be
used. |
-d |
Destination Host IP address. For a host-host tunnel, this value is the IP address of
the destination host interface to be used by the tunnel. For a host-firewall-host tunnel, this is the IP
address of a destination host behind the firewall. A host name is also valid and the first IP address
returned by the name server for the host name will be used. |
-v |
The IP version for which the tunnel is created. For IP version 4 tunnels, use the value
of 4. For IP version 6 tunnels, use the value of 6. |
-m |
Secure Packet Mode. This value must be specified as tunnel or
transport. |
-f |
IP address of the firewall that is between source and destination hosts. A tunnel will
be established between the source and the firewall. Therefore the corresponding tunnel definition must be
made in the firewall host. A host name can also be specified with this flag, and the first IP address
returned by name server for the host name will be used.
The -m flag is forced to use default value (tunnel) if -f is specified. |
-x |
This flag is used for host-firewall-host tunnels. The value is the network mask for the
secure network behind a firewall. The Destination host specified with the -d flag is a member of the
secure network. The combination of the -d and -x flags allows source host communications with
multiple hosts in the secure network through the source-firewall tunnel, which must be in tunnel Mode.
This flag is valid only when -f is specified. |
-e |
Encryption algorithm, used by source host for IP packet encryption. The valid values
for -e depend on which encryption algorithms have been installed on the host. The list of all
encryption algorithms can be displayed by issuing the ipsescstat -E command. For IBM tunnels,
this will apply to both inbound and outbound traffic in the tunnel. |
-a |
Authentication algorithm, used by source host for IP packet authentication. The valid
values for -a depend on which authentication algorithms have been installed on the host. The list of
all authentication algorithms can be displayed by issuing the ipsecstat -A command. For IBM
tunnels, this will apply to both inbound and outbound traffic in the tunnel. |
-p |
Source policy, identifies how the IP packet authentication and/or encryption is to be
used by source. If the value of this flag is specified as ea, the IP packet gets encrypted before
authentication. If specified as ae, it gets encrypted after authentication, whereas specifying
e or a alone corresponds to the IP packet being encrypted only or authenticated only. For
IBM tunnels, this will apply to both inbound and outbound traffic in the tunnel. |
-E |
(manual tunnel only) Encryption algorithm, which is used by the destination for
IP packet encryption. The valid values for -E depend on which encryption algorithms have been
installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat
-E command. For IBM tunnels, this flag is invalid. |
-A |
(manual tunnel only) Authentication algorithm, which is used by the destination
for IP packet encryption. The valid values for -A depend on which authentication algorithms have been
installed on the host. The list of all the authentication algorithms can be displayed by issuing the
ipsecstat -A command. For IBM tunnels, this flag is invalid. |
-P |
(manual tunnel only) Destination policy, identifies how the IP packet
authentication and/or encryption is to be used by destination. If the value of this flag is specified as
ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted
after authentication, whereas specifying e or a alone corresponds to the IP packet being
encrypted only or authenticated only. For IBM tunnels, this flag is invalid. |
-l |
Key Lifetime, specified in minutes.
For IBM tunnels, this value indicates the time a session key may be used. The value specified
affects performance of the tunnel. For example, the smaller the value, the more often a new key is computed
and exchanged with the tunnel partner. Generally, values used for CDMF should be smaller than those used for
DES due to the strength of the encryption algorithms.
A new session key is automatically generated after every session key lifetime expires. The generated
session keys are used by the encryption and authentication algorithms. The old and new keys are valid for an
overlapped period of time determined by the Session Key Refresh Overlap Time. This is so that messages
generated with the old key, which are in-transit in the network, can be decrypted or validated on arrival
even after a new key computation. If the key lifetime is n minutes, both the old key and new key are valid
during the last Refresh Overlap Time minutes of the n minutes.
The valid values for IBM tunnels are 1 - 1440.
For manual tunnels, the value of this flag indicates the time of operability before the tunnel
expires.
The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel
will never expire. |
-k |
The Key String for the source ESP. It is used by the source to create the tunnel as
well as the session key if IBM tunnel is used. The input must be a hexdecimal string started with
"0x". |
-h |
The Key String for source AH. The input must be a hexdecimal string started with
"0x". |
-K |
The Key String for destination ESP. The input must be a hexdecimal string started with
"0x". |
-H |
The Key String for destination AH. The input must be a hexdecimal string started with
"0x". |
-r |
(IBM tunnel only) Session Key Refresh Overlap Time, determines the amount of
overlap time of the new key start and an old key expiration. The value specified will be the amount of time
in minutes that a previous session key will still be valid after a key refresh has been done. The value
specified can not be greater than the Key Lifetime. The valid values are 1 - 720. |
-i |
(IBM tunnel only) Initiator Flag, identifies which partner starts the session
negotiations. Specifying a value of y causes the local host to try to initiate a session with the
target host. That session is used to run the session key exchange protocol. A value of n causes the
local host to wait for the target host to initiate the session key exchange. If both partners are identified
as the tunnel initiator, a deadlock resolution algorithm resolves the conflict. At least one of the partners
must be set as the initiator in order for the tunnel to operate. |
-n |
(manual tunnel only) Security Parameter Index for source ESP. This SPI and the
destination IP address is used to determine which security association to use for ESP. |
-u |
(manual tunnel only) Security Parameter Index for source AH. This SPI and the
destination IP address is used to determine which security association to use for AH. |
-N |
(manual tunnel only) Security Parameter Index for the destination ESP. |
-U |
(manual tunnel only) Security Parameter Index for the destination AH. |
-y |
(manual tunnel only) Replay prevention flag. Replay prevention is valid only
when the ESP or AH header is using the new header format (see the -z flag). The valid values for the
-y flag are Y (yes) and N (no). |
-z |
(manual tunnel only) New header format flag. The new header format reserves a
field in ESP or AH header for replay prevention and also allows ESP authentication. The replay field is used
only when the replay flag (-y) is set to Y. The valid values are Y (yes) and N (no). |
-b |
(manual tunnel only) Source ESP Authentication Algorithm (New header format
only). The valid values for -b depend on which authentication algorithms have been installed on the host.
The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. |
-c |
(manual tunnel only) Source ESP Authentication Key (New header format only). It
must be a hexdecimal string started with "0x". |
-B |
(manual tunnel only) Destination ESP Authentication Algorithm (New header format
only). The valid values for -B depend on which authentication algorithms have been installed on the host.
The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A
command. |
-C |
(manual tunnel only) Destination ESP Authentication Key (New header format
only). It must be a hexdecimal string started with "0x". |