
System Management Guide: Communications and Networks


Configuring Manual Tunnels

The following procedures configure IP Security to use manual tunnels.

Setting Up Tunnels and Filters

To set up a manual tunnel, it is not necessary to separately configure the filter rules. As long as all traffic between two hosts goes through the tunnel, the necessary filter rules are automatically generated. The process of setting up a tunnel is to define the tunnel on one end, import the definition on the other end, and activate the tunnel and filter rules on both ends. Then the tunnel is ready to use.

Tunnel parameters must match on both sides; any value that is not explicitly supplied for one end is derived from the other end.

For instance, the encryption and authentication algorithms specified for the source will be used for the destination if the destination values are not specified. This makes creating the tunnel much simpler.

Creating a Manual Tunnel on Host A

You can configure a tunnel using the Web-based System Manager Network application, the SMIT fast path ips4_basic (for IP Version 4) or ips6_basic (for IP Version 6), or you can use the following procedure.

The following is a sample of the gentun command used to create a manual tunnel:

gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
   -a HMAC_MD5 -e DES_CBC_8 -N 23567 

You can use the lstun -v 4 command to list the characteristics of the manual tunnel created by the example above. The output looks similar to the following:

Tunnel ID            : 1
IP Version           : IP Version 4
Source               : 5.5.5.19
Destination          : 5.5.5.8
Policy               : auth/encr
Tunnel Mode          : Tunnel
Send AH Algo         : HMAC_MD5
Send ESP Algo        : DES_CBC_8
Receive AH Algo      : HMAC_MD5
Receive ESP Algo     : DES_CBC_8
Source AH SPI        : 300
Source ESP SPI       : 300
Dest AH SPI          : 23576
Dest ESP SPI         : 23576
Tunnel Life Time     : 480
Status               : Inactive
Target               : -
Target Mask          : -
Replay               : No
New Header           : Yes
Snd ENC-MAC Algo     : -
Rcv ENC-MAC Algo     : -

The tunnel is activated when the following command is used:

mktun -v 4 -t 1

The filter rules associated with the tunnel are generated automatically; the output of lsfilt -v 4 looks similar to the following:

Rule 4:
Rule action           : permit
Source Address        : 5.5.5.19
Source Mask           : 255.255.255.255
Destination Address   : 5.5.5.8
Destination Mask      : 255.255.255.255
Source Routing        : yes
Protocol              : all
Source Port           : any 0
Destination Port      : any 0
Scope                 : both
Direction             : outbound
Logging control       : no
Fragment control      : all packets
Tunnel ID number      : 1
Interface             : all
Auto-Generated        : yes
 
Rule 5:
Rule action           : permit
Source Address        : 5.5.5.8
Source Mask           : 255.255.255.255
Destination Address   : 5.5.5.19
Destination Mask      : 255.255.255.255
Source Routing        : yes
Protocol              : all
Source Port           : any 0
Destination Port      : any 0
Scope                 : both
Direction             : inbound
Logging control       : no
Fragment control      : all packets
Tunnel ID number      : 1
Interface             : all
Auto-Generated        : yes 

These filter rules, in addition to the default filter rules, are activated by the mktun -v 4 -t 1 command.

To set up the other side (when it is another machine using this operating system), the tunnel definition can be exported on host A and then imported on host B.

The following command:

 exptun -v 4 -t 1 -f /tmp

exports the tunnel definition into a file named ipsec_tun_manu.exp and any associated filter rules to the file ipsec_fltr_rule.exp in the directory indicated by the -f flag.

Creating a Manual Tunnel on Host B

To create the matching end of the tunnel, the export files are copied and imported into the remote machine by using the following command:

 imptun -v 4 -t 1 -f /tmp

where

1       Is the tunnel to be imported
/tmp    Is the directory where the import files reside

The tunnel number is system generated. You can obtain it from the output of the gentun command or by using the lstun command to list the tunnels and determine the correct tunnel number to import. If there is only one tunnel in the import file, or if all the tunnels are to be imported, then the -t option is not needed.

If the remote machine is not running this operating system, the export file can be used as a reference for setting up the algorithm, keys, and security parameters index (SPI) values for the other end of the tunnel.
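As an added example (not from the guide, and not an AIX tool), the following POSIX shell script cross-checks two lstun -v 4 listings, one from each end, to confirm that the values the sections above say must match are in fact mirrored: each end's send algorithms and source SPIs must equal the other end's receive algorithms and destination SPIs. The host A listing is the guide's own (trimmed); the host B listing is constructed as its mirror, and the helper names field and check_pair are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that two 'lstun -v 4' listings mirror each other.
# LSTUN_A is the guide's listing (trimmed); LSTUN_B is a constructed mirror
# of it as the peer (host B) would show it. Both are embedded to run offline.

LSTUN_A='Source               : 5.5.5.19
Destination          : 5.5.5.8
Send AH Algo         : HMAC_MD5
Send ESP Algo        : DES_CBC_8
Receive AH Algo      : HMAC_MD5
Receive ESP Algo     : DES_CBC_8
Source AH SPI        : 300
Source ESP SPI       : 300
Dest AH SPI          : 23576
Dest ESP SPI         : 23576'

LSTUN_B='Source               : 5.5.5.8
Destination          : 5.5.5.19
Send AH Algo         : HMAC_MD5
Send ESP Algo        : DES_CBC_8
Receive AH Algo      : HMAC_MD5
Receive ESP Algo     : DES_CBC_8
Source AH SPI        : 23576
Source ESP SPI       : 23576
Dest AH SPI          : 300
Dest ESP SPI         : 300'

# field LISTING LABEL: print the value after the colon for LABEL (empty if absent)
field() {
    printf '%s\n' "$1" | awk -F' *: *' -v k="$2" '$1 == k { print $2; exit }'
}

# check_pair LISTING_A LISTING_B: return 0 if the ends mirror each other, 1 if not
check_pair() {
    rc=0
    # Each entry is "label on A=label on B"; the two labels must carry the same value.
    for pair in "Source=Destination" "Destination=Source" \
        "Send AH Algo=Receive AH Algo" "Send ESP Algo=Receive ESP Algo" \
        "Receive AH Algo=Send AH Algo" "Receive ESP Algo=Send ESP Algo" \
        "Source AH SPI=Dest AH SPI" "Source ESP SPI=Dest ESP SPI" \
        "Dest AH SPI=Source AH SPI" "Dest ESP SPI=Source ESP SPI"; do
        la=${pair%%=*}; lb=${pair#*=}
        va=$(field "$1" "$la"); vb=$(field "$2" "$lb")
        [ -n "$va" ] && [ "$va" = "$vb" ] || { echo "MISMATCH: A '$la'=$va B '$lb'=$vb"; rc=1; }
    done
    return $rc
}

check_pair "$LSTUN_A" "$LSTUN_B" && echo "tunnel ends are consistent"
```

On a real pair of hosts, replace the embedded listings with the captured output of lstun -v 4 from each end; any MISMATCH line points at the parameter to correct before running mktun.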

Export files from an IBM firewall product can be imported to create tunnels. To do this, use the -n option when importing the file, as shown below:

 imptun -v 4 -f /tmp -n
