The following procedures configure IP Security to use manual tunnels.
To set up a manual tunnel, it is not necessary to separately configure the filter rules. As long as all traffic between two hosts goes through the tunnel, the necessary filter rules are automatically generated. The process of setting up a tunnel is to define the tunnel on one end, import the definition on the other end, and activate the tunnel and filter rules on both ends. Then the tunnel is ready to use.
Tunnel parameters that are not explicitly supplied for one side are made to match the other side.
For instance, the encryption and authentication algorithms specified for the source are also used for the destination if no destination values are specified. This makes creating the tunnel much simpler.
You can configure a tunnel using the Web-based System Manager Network application, the SMIT fast path ips4_basic (for IP Version 4) or ips6_basic (for IP Version 6), or you can use the following procedure.
The following is a sample of the gentun command used to create a manual tunnel:
gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
    -a HMAC_MD5 -e DES_CBC_8 -N 23567
You can use the lstun -v 4 command to list the characteristics of the manual tunnel created by the example above. The output looks similar to the following:
Tunnel ID         : 1
IP Version        : IP Version 4
Source            : 5.5.5.19
Destination       : 5.5.5.8
Policy            : auth/encr
Tunnel Mode       : Tunnel
Send AH Algo      : HMAC_MD5
Send ESP Algo     : DES_CBC_8
Receive AH Algo   : HMAC_MD5
Receive ESP Algo  : DES_CBC_8
Source AH SPI     : 300
Source ESP SPI    : 300
Dest AH SPI       : 23576
Dest ESP SPI      : 23576
Tunnel Life Time  : 480
Status            : Inactive
Target            : -
Target Mask       : -
Replay            : No
New Header        : Yes
Snd ENC-MAC Algo  : -
Rcv ENC-MAC Algo  : -
The tunnel is activated when the following command is used:
mktun -v 4 -t1
The filter rules associated with the tunnel are generated automatically, and the output of lsfilt -v 4 looks similar to the following:
Rule 4:
Rule action         : permit
Source Address      : 5.5.5.19
Source Mask         : 255.255.255.255
Destination Address : 5.5.5.8
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : outbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 1
Interface           : all
Auto-Generated      : yes

Rule 5:
Rule action         : permit
Source Address      : 5.5.5.8
Source Mask         : 255.255.255.255
Destination Address : 5.5.5.19
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 1
Interface           : all
Auto-Generated      : yes
These filter rules, in addition to the default filter rules, are activated by the mktun -v 4 -t 1 command.
To set up the other side (when it is another machine running this operating system), the tunnel definition can be exported on host A and then imported on host B. The command
exptun -v 4 -t 1 -f /tmp
exports the tunnel definition into a file named ipsec_tun_manu.exp and any associated filter rules to the file ipsec_fltr_rule.exp in the directory indicated by the -f flag.
To create the matching end of the tunnel, the export files are copied and imported into the remote machine by using the following command:
imptun -v 4 -t 1 -f /tmp
The tunnel number is system generated. You can obtain it from the output of the gentun command or by using the lstun command to list the tunnels and determine the correct tunnel number to import. If there is only one tunnel in the import file, or if all the tunnels are to be imported, then the -t option is not needed.
If the remote machine is not running this operating system, the export file can be used as a reference for setting up the algorithm, keys, and security parameters index (SPI) values for the other end of the tunnel.
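Whether the remote end was created with imptun or typed in by hand from the export file, the definitions on the two hosts must mirror each other: what host A sends (algorithm and SPI) is what host B must expect to receive, and the other way round. The following Python script is an added example, not part of this documentation or of the operating system's IP Security tools; it parses two constructed lstun -v 4 outputs (host A at 5.5.5.19 and host B at 5.5.5.8, mirroring the gentun example above) and reports every field that fails to cross-match, including a deliberately mistyped SPI on host B.

```python
"""Cross-check the two ends of a manual IP Security tunnel from lstun output.

Added example (not the operating system's own tooling). The two lstun -v 4
outputs below are constructed for the example: host A is 5.5.5.19 and host B
is 5.5.5.8, matching the gentun procedure in the text.
"""
import re
from typing import Dict, List

# Constructed: lstun -v 4 on host A (5.5.5.19) after mktun.
LSTUN_HOST_A = """\
Tunnel ID         : 1
IP Version        : IP Version 4
Source            : 5.5.5.19
Destination       : 5.5.5.8
Policy            : auth/encr
Tunnel Mode       : Tunnel
Send AH Algo      : HMAC_MD5
Send ESP Algo     : DES_CBC_8
Receive AH Algo   : HMAC_MD5
Receive ESP Algo  : DES_CBC_8
Source AH SPI     : 300
Source ESP SPI    : 300
Dest AH SPI       : 23576
Dest ESP SPI      : 23576
Tunnel Life Time  : 480
Status            : Active
"""

# Constructed: the mirror image on host B (5.5.5.8) after imptun and mktun.
LSTUN_HOST_B = """\
Tunnel ID         : 1
IP Version        : IP Version 4
Source            : 5.5.5.8
Destination       : 5.5.5.19
Policy            : auth/encr
Tunnel Mode       : Tunnel
Send AH Algo      : HMAC_MD5
Send ESP Algo     : DES_CBC_8
Receive AH Algo   : HMAC_MD5
Receive ESP Algo  : DES_CBC_8
Source AH SPI     : 23576
Source ESP SPI    : 23576
Dest AH SPI       : 300
Dest ESP SPI      : 300
Tunnel Life Time  : 480
Status            : Active
"""

# Constructed: host B configured by hand with two digits of the ESP SPI swapped.
LSTUN_HOST_B_MISTYPED = re.sub(r"Source ESP SPI\s*:\s*23576",
                               "Source ESP SPI : 23567", LSTUN_HOST_B)

# (field on the local host, field on the peer that must hold the same value)
PEER_FIELD_PAIRS = [
    ("Source", "Destination"),
    ("Destination", "Source"),
    ("Policy", "Policy"),
    ("Tunnel Mode", "Tunnel Mode"),
    ("Send AH Algo", "Receive AH Algo"),
    ("Send ESP Algo", "Receive ESP Algo"),
    ("Receive AH Algo", "Send AH Algo"),
    ("Receive ESP Algo", "Send ESP Algo"),
    ("Source AH SPI", "Dest AH SPI"),
    ("Source ESP SPI", "Dest ESP SPI"),
    ("Dest AH SPI", "Source AH SPI"),
    ("Dest ESP SPI", "Source ESP SPI"),
]


def parse_lstun(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict; lines without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_peer_match(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Return one message per field whose value does not cross-match on the peer."""
    problems = []
    for local_field, peer_field in PEER_FIELD_PAIRS:
        lv, rv = local.get(local_field), remote.get(peer_field)
        if lv != rv:
            problems.append(f"local '{local_field}' = {lv!r} but peer '{peer_field}' = {rv!r}")
    return problems


def both_active(local: Dict[str, str], remote: Dict[str, str]) -> bool:
    """True only when mktun has been run on both ends (Status is Active)."""
    return local.get("Status") == "Active" and remote.get("Status") == "Active"


if __name__ == "__main__":
    host_a = parse_lstun(LSTUN_HOST_A)
    for label, text in (("imported", LSTUN_HOST_B), ("mistyped", LSTUN_HOST_B_MISTYPED)):
        host_b = parse_lstun(text)
        issues = check_peer_match(host_a, host_b)
        print(f"host B ({label}): active on both={both_active(host_a, host_b)}, "
              f"{len(issues)} mismatch(es)")
        for issue in issues:
            print("  " + issue)
```

Run it on the real output by replacing the two constructed strings with the text of lstun -v 4 captured on each host; an empty mismatch list together with both ends reporting Active is the condition under which traffic between the two hosts will actually use the tunnel.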
Export files from an IBM firewall product can be imported to create tunnels. To do this, use the -n option when importing the file, as shown below:
imptun -v 4 -f /tmp -n