[ Previous | Next | Contents | Glossary | Home | Search ]
AIX Version 4.3 Commands Reference, Volume 2

gentun Command

Purpose

Creates a tunnel definition in the tunnel database.

Syntax

gentun -s src_host_IP_address -d dst_host_IP_address -v 4|6 [-t tun_type] [-m pkt_mode] [-f fw_address] [-x dst_mask]] [-e [src_esp_algo]] [-a [src_ah_algo]] [-p src_policy] [-A [dst_ah_algo]] [-P dst_policy] [-k src_esp_key] [-h src_ah_key] [-K dst_esp_key] [-H dst_ah_key] [-r refresh] [-i y|n] [-n src_esp_spi] [-u src_ah_spi] [-N dst_esp_spi] [-U dst_ah_spi] [-b src_enc_mac_algo] [-c src_enc_mac_key] [-B dst_enc_mac_algo] [-C dst_enc_mac_key] [-g] [-z] [-E]

Description

The gentun command creates a definition of a tunnel between a local host and a tunnel partner host. The associated auto-generated filter rules for the tunnel can be optionally generated by this command.

Flags

-s Source Host IP address, IP address of the local host interface to be used by the tunnel. A host name is also valid and the first IP address returned by name server for the host name will be used.
-d Destination Host IP address. In host-host case, this is the IP address of the destination host interface to be used by the tunnel. In host-firewall-host case, this is the IP address of the destination host behind the firewall. A host name is also valid and the first IP address returned by name server for the host name will be used.
-v The IP version for which the tunnel is created. For IP version 4 tunnels, use the value of 4. For IP version 6 tunnels, use the value of 6.
-t Type of the tunnel. Must be specified as IBM or manual. The default value is IBM.

The IBM tunnel uses Session Key Refresh Method, which provides automatic key updates based on the -l, -r, and -i flags. The IBM tunnel is supported only on IP version 4. The key update protocol is an IBM unique implementation and cannot be used when establishing an IP security tunnel with a non-IBM tunnel end-point or any IP version 6 end-point.

The initial tunnel key and any subsequent key updates need to be performed manually when using the manual tunnel. Once a key is installed manually, that same key is used for all tunnel operations until it is changed manually.

The manual tunnel value should be selected when you want to construct a tunnel with a non-IBM IP Security host or any IP version 6 end-point, where the end-point either supports RFCs 1825-1829 or the IETF drafts for the new IP Security encapsulation formats for IP tunnels.

-m Secure Packet Mode. This value must be specified as tunnel or transport. The default value is tunnel. Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet. When generating a host-firewall-host tunnel (for host behind a firewall), the value of tunnel must be used for this flag.
-f IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host. A host name may also be used for this flag and the first IP address returned by the name server for that host name will be used.

The -m flag is forced to use default value (tunnel) if the -f flag is specified.

-x Network mask for the secure network behind a firewall. The Destination host is a member of the secure network. The combination of -d and -x allows the source host to communicate with multiple hosts in the secure network through the source-firewall tunnel, which must be in tunnel mode.

This flag is valid only when the -f flag is used.

-e Encryption algorithm, used by source for IP packet encryption. The valid values for -e depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command. CDMF, if it has been installed, is the default. For an IBM tunnel, this algorithm will be used for both inbound and outbound traffic through this tunnel.
-a Authentication algorithm, used by source for IP packet authentication. The valid values for -a depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. The default value is HMAC_MD5 for manual tunnels or KEYED_MD5 for IBM tunnels, if the algorithms are installed. For an IBM tunnel, this algorithm will be used for both inbound and outbound traffic through this tunnel.
-p Source policy, identifies how the IP packet authentication and/or encryption is to be used by this host. If specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e alone or a alone corresponds to the IP packet being encrypted only or authenticated only. The default value for this flag will depend on if the -e and -a flags are supplied. The default policy will be ea if either both or neither the -e and -a flags are supplied. Otherwise the policy will reflect which of the -e and -a flags were supplied. For an IBM tunnel, this policy will apply to both inbound and outbound traffic through this tunnel.
-E (manual tunnel only) Encryption algorithm, used by destination for IP packet encryption. The valid values for -E depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command. If this flag is not used, the value used by the -e flag is used. This flag does not apply to IBM tunnels.
-A (manual tunnel only) Authentication algorithm, used by destination for IP packet authentication. The valid values for -A depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. If this flag is not used, the value used by the -a flag is used. This flag does not apply to IBM tunnels.
-P (manual tunnel only) Destination policy, identifies how the IP packet authentication and/or encryption is to be used by destination. If specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a corresponds to the IP packet being encrypted only or authenticated only. The default policy will be ea if either both or neither the -E and -A flags are supplied. Otherwise, the policy will reflect which of the -E and -A flags were specified. This flag does not apply to IBM tunnels.
-l Key Lifetime, specified in minutes.

For IBM tunnels, this value indicates the time in minutes each session key may be used. The value specified affects performance of the tunnel. For example, the smaller the value, the more often a new session key is computed and exchanged with the tunnel partner. Generally, values used for CDMF should be smaller than those used for DES due to the strength of the encryption algorithms.

In IBM tunnels, a new session key is automatically generated after every key life expires. The generated session keys are used by the encryption (ESP) and authentication (AH) algorithms. The old and new keys are valid for an overlapped period of time determined by the Session Key Refresh Overlap Time (specified in the -r flag). This is so that messages generated with the old key, which are in-transit in the network, can be decrypted or validated on arrival even after a new key computation. If the key lifetime is n minutes, both the old key and the new key are valid during the last Refresh Overlap Time minutes of the n minutes.

The valid values for IBM tunnels are 1 - 1440. The default value for IBM tunnels is 30.

For manual tunnels, this value indicates the time of operability before the tunnel expires.

The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel will never expire. The default value for manual tunnels is 480.

-k This is the ESP Key String for a manual tunnel or the pseudo random function key for an IBM tunnel. It is used by the source to create the tunnel as well as the session key if IBM tunnel is used. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-h This is the AH Key String for a manual tunnel or the MAC key string for an IBM tunnel. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-K (manual tunnel only) The Key String for destination ESP. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-H (manual tunnel only) The Key String for destination AH. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-r (IBM tunnel only) This is the Session Key Refresh Overlap Time that determines the amount of overlap time in minutes of the new session key start and the end of the lifetime of an old session key . The value specified will be the amount of time in minutes that a previous session key will still be valid after a key refresh has been done. The value specified cannot be greater than the Key Lifetime. The valid values are 1 - 720. The default value is 1.
-i (IBM tunnel only) Initiator Flag, identifies which partner starts the IBM session key negotiations. Specifying a value of y causes the local host to try to initiate a session with the target host. That session is used to run the session key exchange protocol. A value of n causes the local host to wait for the target host to initiate the session. If both partners are identified as the tunnel initiator, a deadlock resolution algorithm resolves the conflict. At least one of the partners must be set as the initiator in order for the tunnel to operate.
-n (manual tunnel only) Security Parameter Index for source ESP. This is a numeric value that, along with the destination IP address, identifies which security association to use for packets using ESP. If this flag is not used, the system will generate an SPI for you.
-u (manual tunnel only) Security Parameter Index for source AH. Use SPI and the destination IP address to determine which security association to use for AH. If this flag is not used, the value of the -n SPI will be used.
-N (manual tunnel only) Security Parameter Index for the destination ESP. It must be entered for a manual tunnel if the policy specified in the -P flag includes ESP. This flag does not apply to IBM tunnels.
-U (manual tunnel only) Security Parameter Index for the destination AH. If this flag is not used, the -N spi will be used.
-y (manual tunnel only) Replay prevention flag. Replay prevention is valid only when the ESP or AH header is using the new header format (see the -z flag). The valid values for the -y flag are Y (yes) and N (no). All encapsulations that are used in this tunnel (AH, ESP, sending, and receiving) will use the replay field if the value of this flag is Y. The default value is N.
-z (manual tunnel only) New header format flag. The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication. The replay field will only be used when the replay flag (-y) is set to Y. The valid values for the -z flag are Y (yes) and N (no). The default value when the -z flag is not used depends on the algorithms you've chosen for the tunnel. It will default to N unless either an algorithm other than KEYED_MD5 is used for either the -a or -A flags, or if the -b or -B flags are used.
-b (manual tunnel only) Source ESP Authentication Algorithm (New header format only). The valid values for -b depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-c (manual tunnel only) Source ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x". If this flag is not used, the system will generate one for you.
-B (manual tunnel only) Destination ESP Authentication Algorithm (New header format only). The valid values for -B depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. If this flag is not used, it is set to the same value as the -b flag.
-C (manual tunnel only) Destination ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x". If this flag is not used, it is set to the same value as the -c flag.
-g System auto-generated filter rule flag. If this flag is not used, the command will generate two filter rules for the tunnel automatically. The auto-generated filter rules will allow IP traffic between the two end points of the tunnel to go through the tunnel. If the -g flag is specified, the command will only create the tunnel definition, and the user will have to add user defined filter rules to let the tunnel work.

Related Information

The chtun command, rmtun command, exptun command, imptun command, mktun command, and lstun command.


[ Previous | Next | Contents | Glossary | Home | Search ]