Changes a tunnel definition.
-A
dst_ah_algo
| (manual tunnel only) Authentication algorithm, which is used
by the destination for IP packet authentication. The valid values for
-A depend on which authentication algorithms have been installed on
the host. The list of all the authentication algorithms can be
displayed by issuing the ipsecstat -A command.
|
-a
src_ah_algo
| Authentication algorithm, used by source host for IP packet
authentication. The valid values for -a depend on which
authentication algorithms have been installed on the host. The list of
all authentication algorithms can be displayed by issuing the ipsecstat
-A command.
|
-B
dst_enc_mac_algo
| (manual tunnel only) Destination ESP Authentication Algorithm
(New header format only). The valid values for -B depend on
which authentication algorithms have been installed on the host. The
list of all the authentication algorithms can be displayed by issuing the
ipsecstat -A command.
|
-b
src_enc_mac_algo
| (manual tunnel only) Source ESP Authentication Algorithm (New
header format only). The valid values for -b depend on which
authentication algorithms have been installed on the host. The list of
all the authentication algorithms can be displayed by issuing the
ipsecstat -A command.
|
-C
dst_enc_mac_key
| (manual tunnel only) Destination ESP Authentication Key (New
header format only). It must be a hexadecimal string starting with
"0x".
|
-c
src_enc_mac_key
| (manual tunnel only) Source ESP Authentication Key (New header
format only). It must be a hexadecimal string starting with "0x".
|
-d
dst_host_IP_address
| Destination Host IP address. For a host-host tunnel, this value is
the IP address of the destination host interface to be used by the
tunnel. For a host-firewall-host tunnel, this is the IP address of a
destination host behind the firewall. A host name is also valid and the
first IP address returned by the name server for the host name will be
used.
|
-E
dst_esp_algo
| (manual tunnel only) Encryption algorithm, which is used by
the destination for IP packet encryption. The valid values for
-E depend on which encryption algorithms have been installed on the
host. The list of all the encryption algorithms can be displayed by
issuing the ipsecstat -E command.
|
-e
src_esp_algo
| Encryption algorithm, used by source host for IP packet
encryption. The valid values for -e depend on which
encryption algorithms have been installed on the host. The list of all
encryption algorithms can be displayed by issuing the ipsecstat -E
command.
|
-f fw_address
| IP address of the firewall that is between source and destination
hosts. A tunnel will be established between the source and the
firewall. Therefore the corresponding tunnel definition must be made on
the firewall host. A host name can also be specified with this flag,
and the first IP address returned by the name server for the host name will be
used.
The -m flag is forced to its default value (tunnel)
when -f is specified.
|
-H
dst_ah_key
| The Key String for the destination AH. The input must be a hexadecimal
string starting with "0x".
|
-h src_ah_key
| The Key String for the source AH. The input must be a hexadecimal
string starting with "0x".
|
-K
dst_esp_key
| The Key String for the destination ESP. The input must be a hexadecimal
string starting with "0x".
|
-k src_esp_key
| The Key String for the source ESP. It is used by the source to
create the tunnel. The input must be a hexadecimal string starting with
"0x".
|
-l lifetime
| Key Lifetime, specified in minutes.
For manual tunnels, the value of this flag indicates the time of
operability before the tunnel expires.
The valid values for manual tunnels are 0 - 44640. Value
0 indicates that the manual tunnel will never expire.
|
-m pkt_mode
| Secure Packet Mode. This value must be specified as
tunnel or transport.
|
-N
dst_esp_spi
| (manual tunnel only) Security Parameter Index for the
destination ESP.
|
-n src_esp_spi
| (manual tunnel only) Security Parameter Index for the source
ESP. This SPI and the destination IP address are used to determine which
security association to use for ESP.
|
-P
dst_policy
| (manual tunnel only) Destination policy, identifies how the IP
packet authentication and/or encryption is to be used by destination.
If the value of this flag is specified as ea, the IP packet gets
encrypted before authentication. If specified as ae, it gets
encrypted after authentication, whereas specifying e or
a alone corresponds to the IP packet being encrypted only or
authenticated only.
|
-p
src_policy
| Source policy, identifies how the IP packet authentication and/or
encryption is to be used by the source. If the value of this flag is
specified as ea, the IP packet gets encrypted before
authentication. If specified as ae, it gets encrypted after
authentication, whereas specifying e or a alone
corresponds to the IP packet being encrypted only or authenticated
only. When both are applied, ea lets the receiver verify the
authentication data and discard a tampered packet before it spends any
work decrypting it, so it is the order to prefer.
|
-s
src_host_IP_address
| Source Host IP address, IP address of the local host interface to be used
by the tunnel. A host name is also valid and the first IP address
returned by name server for the host name will be used.
|
-t
tunnel_ID
| The tunnel identifier (ID), a locally unique, numeric identifier for a
particular tunnel definition. The value must match an existing tunnel
ID.
|
-U
dst_ah_spi
| (manual tunnel only) Security Parameter Index for the
destination AH.
|
-u
src_ah_spi
| (manual tunnel only) Security Parameter Index for the source
AH. This SPI and the destination IP address are used to determine which
security association to use for AH.
|
-v
| The IP version for which the tunnel is created. For IP version 4
tunnels, use the value of 4. For IP version 6 tunnels, use
the value of 6.
|
-x dst_mask
| This flag is used for host-firewall-host tunnels. The value is the
network mask for the secure network behind a firewall. The Destination
host specified with the -d flag is a member of the secure
network. The combination of the -d and -x flags
allows source host communications with multiple hosts in the secure network
through the source-firewall tunnel, which must be in tunnel mode.
This flag is valid only when -f is specified.
|
-y
| (manual tunnel only) Replay prevention flag. Replay
prevention is valid only when the ESP or AH header is using the new header
format (see the -z flag). The valid values for the
-y flag are Y (yes) and N (no).
|
-z
| (manual tunnel only) New header format flag. The new
header format reserves a field in ESP or AH header for replay prevention and
also allows ESP authentication. The replay field is used only when the
replay flag (-y) is set to Y. The valid values are Y (yes)
and N (no).
|
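The key flags (-k, -K, -h, -H, -c, -C) all require a "0x"-prefixed hexadecimal string, and the manual-tunnel SPI flags (-n, -N, -u, -U) each need a value the peer configures as the mirror image (this host's -K, -H, -N, -U are the peer's -k, -h, -n, -u). The script below is an added example and is not part of the chtun documentation or of AIX: it generates fresh keys, checks that every key has the form and byte length the flags expect and that every SPI is a plain decimal outside the reserved 0-255 range (a rule taken from RFC 4303, not from this page), and then prints, rather than runs, the chtun command that rotates the keys and SPIs of an existing manual tunnel. It assumes a POSIX sh with od(1) and /dev/urandom; the tunnel ID 3, the key lengths 16 and 20 bytes, the SPI values and the 1440-minute lifetime are constructed for illustration, and the real key lengths depend on the algorithms listed by ipsecstat -A and ipsecstat -E.

```shell
#!/bin/sh
# Added example, not part of the chtun documentation: sanity-check manual
# tunnel key and SPI values before handing them to chtun.
# Assumes POSIX sh, od(1) and /dev/urandom.  Key lengths, tunnel ID, SPIs and
# lifetime used in the demo at the bottom are constructed values.

# Succeed only if $1 is "0x" followed by exactly $2 bytes of hex digits,
# which is the form -k/-K/-h/-H/-c/-C require.
valid_hexkey() {
    _key=$1
    _bytes=$2
    case $_key in
        0x*) ;;
        *) return 1 ;;
    esac
    _hex=${_key#0x}
    case $_hex in
        "" | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#_hex}" -eq $((_bytes * 2)) ]
}

# Succeed only if $1 is a decimal SPI above 255.  SPIs 0-255 are reserved by
# RFC 4303 (an assumption added here; the chtun page does not state it).
valid_spi() {
    case $1 in
        "" | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 255 ]
}

# Print a fresh random key of $1 bytes in the "0x..." form chtun expects.
gen_hexkey() {
    printf '0x%s' "$(od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# Print (do not run) the chtun command that rotates the ESP and AH keys and
# SPIs of an existing manual tunnel.  Arguments:
#   tunnel_id esp_key_bytes ah_key_bytes src_esp_spi dst_esp_spi src_ah_spi dst_ah_spi
# The destination values (-K -H -N -U) printed here must be entered as the
# source values (-k -h -n -u) on the peer, and vice versa; printing first lets
# both sides be compared before anything is committed.
rotate_manual_tunnel_cmd() {
    tid=$1 esp_bytes=$2 ah_bytes=$3
    n_spi=$4 N_spi=$5 u_spi=$6 U_spi=$7

    for spi in "$n_spi" "$N_spi" "$u_spi" "$U_spi"; do
        valid_spi "$spi" || { echo "bad SPI: $spi" >&2; return 1; }
    done

    k=$(gen_hexkey "$esp_bytes"); K=$(gen_hexkey "$esp_bytes")
    h=$(gen_hexkey "$ah_bytes");  H=$(gen_hexkey "$ah_bytes")

    for key in "$k" "$K"; do
        valid_hexkey "$key" "$esp_bytes" || { echo "bad ESP key: $key" >&2; return 1; }
    done
    for key in "$h" "$H"; do
        valid_hexkey "$key" "$ah_bytes" || { echo "bad AH key: $key" >&2; return 1; }
    done

    # -y Y needs the new header format (-z Y); -l 1440 forces a re-key within
    # a day instead of the never-expiring 0.
    printf 'chtun -t %s -n %s -N %s -u %s -U %s -k %s -K %s -h %s -H %s -y Y -z Y -l 1440\n' \
        "$tid" "$n_spi" "$N_spi" "$u_spi" "$U_spi" "$k" "$K" "$h" "$H"
}

# Demo with constructed values: tunnel 3, 16-byte ESP keys, 20-byte AH keys.
rotate_manual_tunnel_cmd 3 16 20 1000 1001 2000 2001
```

Run it on the host that owns the tunnel, copy the -K/-H/-N/-U values into the peer's -k/-h/-n/-u and the -k/-h/-n/-u values into the peer's -K/-H/-N/-U, and only then execute the printed command on both sides; a mismatch in any one of the eight values leaves the security association unusable in that direction.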