[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 2


gentun Command

Purpose

Creates a tunnel definition in the tunnel database.

Syntax

gentun -s src_host_IP_address -d dst_host_IP_address -v 4|6 [-t tun_type] [-m pkt_mode] [-t IBM] [-t manual] [-m tunnel] [-m transport] [-f fw_address] [-x dst_mask]] [-e [src_esp_algo]] [-a [src_ah_algo]] [-p src_policy] [-A [dst_ah_algo]] [-P dst_policy] [-k src_esp_key] [-h src_ah_key] [-K dst_esp_key] [-H dst_ah_key] [-n src_esp_spi] [-u src_ah_spi] [-N dst_esp_spi] [-U dst_ah_spi] [-b src_enc_mac_algo] [-c src_enc_mac_key] [-B dst_enc_mac_algo] [-C dst_enc_mac_key] [-g] [-z] [-E]

Description

The gentun command creates a definition of a tunnel between a local host and a tunnel partner host. The associated auto-generated filter rules for the tunnel can be optionally generated by this command.

Flags


-a Authentication algorithm, used by source for IP packet authentication. The valid values for -a depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. The default value is HMAC_MD5 for manual tunnels.
-A (manual tunnel only) Authentication algorithm, used by destination for IP packet authentication. The valid values for -A depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. If this flag is not used, the value used by the -a flag is used.
-b (manual tunnel only) Source ESP Authentication Algorithm (New header format only). The valid values for -b depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-B (manual tunnel only) Destination ESP Authentication Algorithm (New header format only). The valid values for -B depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. If this flag is not used, it is set to the same value as the -b flag.
-c (manual tunnel only) Source ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x". If this flag is not used, the system will generate one for you.
-C (manual tunnel only) Destination ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x". If this flag is not used, it is set to the same value as the -c flag.
-d Destination Host IP address. In host-host case, this is the IP address of the destination host interface to be used by the tunnel. In host-firewall-host case, this is the IP address of the destination host behind the firewall. A host name is also valid and the first IP address returned by name server for the host name will be used.
-e Encryption algorithm, used by source for IP packet encryption. The valid values for -e depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command.
-E (manual tunnel only) Encryption algorithm, used by destination for IP packet encryption. The valid values for -E depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command. If this flag is not used, the value used by the -e flag is used.
-f IP address of the firewall that is between the source and destination hosts. A tunnel will be established between this host and the firewall. Therefore the corresponding tunnel definition must be made on the firewall host. A host name may also be used for this flag and the first IP address returned by the name server for that host name will be used.
-g System auto-generated filter rule flag. If this flag is not used, the command will generate two filter rules for the tunnel automatically. The auto-generated filter rules will allow IP traffic between the two end points of the tunnel to go through the tunnel. If the -g flag is specified, the command will only create the tunnel definition, and the user will have to add user defined filter rules to let the tunnel work.
-h This is the AH Key String for a manual tunnel. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-H (manual tunnel only) The Key String for destination AH. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-k This is the ESP Key String for a manual tunnel. It is used by the source to create the tunnel. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-K (manual tunnel only) The Key String for destination ESP. The input must be a hexdecimal string started with "0x". If this flag is not used, the system will generate a key using a random number generator.
-l Key Lifetime, specified in minutes.

For manual tunnels, this value indicates the time of operability before the tunnel expires.

The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel will never expire. The default value for manual tunnels is 480.

-m Secure Packet Mode. This value must be specified as tunnel or transport. The default value is tunnel. Tunnel mode will encapsulate the entire IP packet, while the transport mode only encapsulates the data portion of the IP packet. When generating a host-firewall-host tunnel (for host behind a firewall), the value of tunnel must be used for this flag.

The -m flag is forced to use default value (tunnel) if the -f flag is specified.

-n (manual tunnel only) Security Parameter Index for source ESP. This is a numeric value that, along with the destination IP address, identifies which security association to use for packets using ESP. If this flag is not used, the system will generate an SPI for you.
-N (manual tunnel only) Security Parameter Index for the destination ESP. It must be entered for a manual tunnel if the policy specified in the -P flag includes ESP. This flag does not apply to IBM tunnels.
-p Source policy, identifies how the IP packet authentication and/or encryption is to be used by this host. If specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e alone or a alone corresponds to the IP packet being encrypted only or authenticated only. The default value for this flag will depend on if the -e and -a flags are supplied. The default policy will be ea if either both or neither the -e and -a flags are supplied. Otherwise the policy will reflect which of the -e and -a flags were supplied.
-P (manual tunnel only) Destination policy, identifies how the IP packet authentication and/or encryption is to be used by destination. If specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a corresponds to the IP packet being encrypted only or authenticated only. The default policy will be ea if either both or neither the -E and -A flags are supplied. Otherwise, the policy will reflect which of the -E and -A flags were specified.
-s Source Host IP address, IP address of the local host interface to be used by the tunnel. A host name is also valid and the first IP address returned by name server for the host name will be used.
-t Type of the tunnel. Must be specified as manual.

The initial tunnel key and any subsequent key updates need to be performed manually when using the manual tunnel. Once a key is installed manually, that same key is used for all tunnel operations until it is changed manually.

The manual tunnel value should be selected when you want to construct a tunnel with a non-IBM IP Security host or any IP version 6 end-point, where the end-point either supports RFCs 1825-1829 or the IETF drafts for the new IP Security encapsulation formats for IP tunnels.

-u (manual tunnel only) Security Parameter Index for source AH. Use SPI and the destination IP address to determine which security association to use for AH. If this flag is not used, the value of the -n SPI will be used.
-U (manual tunnel only) Security Parameter Index for the destination AH. If this flag is not used, the -N spi will be used.
-v The IP version for which the tunnel is created. For IP version 4 tunnels, use the value of 4. For IP version 6 tunnels, use the value of 6.
-x Network mask for the secure network behind a firewall. The Destination host is a member of the secure network. The combination of -d and -x allows the source host to communicate with multiple hosts in the secure network through the source-firewall tunnel, which must be in tunnel mode.

This flag is valid only when the -f flag is used.

-y (manual tunnel only) Replay prevention flag. Replay prevention is valid only when the ESP or AH header is using the new header format (see the -z flag). The valid values for the -y flag are Y (yes) and N (no). All encapsulations that are used in this tunnel (AH, ESP, sending, and receiving) will use the replay field if the value of this flag is Y. The default value is N.
-z (manual tunnel only) New header format flag. The new header format preserves a field in the ESP and AH headers for replay prevention and also allows ESP authentication. The replay field will only be used when the replay flag (-y) is set to Y. The valid values for the -z flag are Y (yes) and N (no). The default value when the -z flag is not used depends on the algorithms you've chosen for the tunnel. It will default to N unless either an algorithm other than KEYED_MD5 is used for either the -a or -A flags, or if the -b or -B flags are used.

Related Information

The chtun command, exptun command, imptun command, lstun command, mktun command, and rmtun command.


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]