The following procedures configure IP Security to use manual tunnels.
To set up a manual tunnel, it is not necessary to separately configure the filter rules. As long as all traffic between two hosts goes through the tunnel, the necessary filter rules are automatically generated. The process of setting up a tunnel is to define the tunnel on one end, import the definition on the other end, and activate the tunnel and filter rules on both ends. The tunnel is then ready to use.
Tunnel parameters that are not explicitly supplied for one side are taken from the other side, so the two ends stay consistent. For instance, the encryption and authentication algorithms specified for the source are used for the destination if no destination values are specified.
You can configure a tunnel using the Web-based System Manager Network application, the SMIT ips4_basic fast path (for IP Version 4) or the SMIT ips6_basic fast path (for IP Version 6). You can also create the tunnel manually using the following procedure.
The following is a sample of the gentun command used to create a manual tunnel:
gentun -v 4 -t manual -s 5.5.5.19 -d 5.5.5.8 \
       -a HMAC_MD5 -e DES_CBC_8 -N 23567
You can use the lstun -v 4 command to list the characteristics of the manual tunnel created by the previous example. The output looks similar to the following:
Tunnel ID : 1
IP Version : IP Version 4
Source : 5.5.5.19
Destination : 5.5.5.8
Policy : auth/encr
Tunnel Mode : Tunnel
Send AH Algo : HMAC_MD5
Send ESP Algo : DES_CBC_8
Receive AH Algo : HMAC_MD5
Receive ESP Algo : DES_CBC_8
Source AH SPI : 300
Source ESP SPI : 300
Dest AH SPI : 23576
Dest ESP SPI : 23576
Tunnel Life Time : 480
Status : Inactive
Target : -
Target Mask : -
Replay : No
New Header : Yes
Snd ENC-MAC Algo : -
Rcv ENC-MAC Algo : -
To activate the tunnel, type the following:
mktun -v 4 -t 1
The filter rules associated with the tunnel are automatically generated.
To view the filter rules, use the lsfilt -v 4 command. The output looks similar to the following:
Rule 4:
Rule action : permit
Source Address : 5.5.5.19
Source Mask : 255.255.255.255
Destination Address : 5.5.5.8
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : outbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 1
Interface : all
Auto-Generated : yes

Rule 5:
Rule action : permit
Source Address : 5.5.5.8
Source Mask : 255.255.255.255
Destination Address : 5.5.5.19
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : inbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 1
Interface : all
Auto-Generated : yes
To activate the filter rules, including the default filter rules, use the mktun -v 4 -t 1 command.
To set up the other side (when it is another machine using this operating system), the tunnel definition can be exported on host A and then imported to host B.
The following command exports the tunnel definition into a file named ipsec_tun_manu.exp and any associated filter rules to the file ipsec_fltr_rule.exp in the directory indicated by the -f flag:
exptun -v 4 -t 1 -f /tmp
To create the matching end of the tunnel, copy the export files to the remote machine and import them there with the following command:
imptun -v 4 -t 1 -f /tmp
where 1 is the number of the tunnel to import and /tmp is the directory that holds the export files. The tunnel number is generated by the system. You can obtain it from the output of the gentun command, or use the lstun command to list the tunnels and determine the correct tunnel number to import. If there is only one tunnel in the import file, or if all the tunnels are to be imported, the -t option is not needed.
If the remote machine is not running this operating system, the export file can be used as a reference for setting up the algorithm, keys, and security parameters index (SPI) values for the other end of the tunnel.
Export files from a firewall product can be imported to create tunnels. To do this, use the -n option when importing the file, as follows:
imptun -v 4 -f /tmp -n
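Because a manual tunnel only works when the two ends agree on addresses, algorithms and SPIs, it is worth comparing the lstun listings from both hosts after the import. The script below is an added example, not part of the AIX documentation: it parses two "lstun -v 4" listings (constructed samples built from the values on this page) and reports every field whose counterpart on the other end differs.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): verify that two manual
# tunnel definitions mirror each other in addresses, AH/ESP algorithms and
# SPIs. Listings are constructed samples in "lstun -v 4" format, cut down
# to the fields that must agree.

# Print the value of one "Label : value" line from an lstun listing.
field() {  # $1 = listing text, $2 = label
    printf '%s\n' "$1" | awk -v l="$2" '{
        i = index($0, " : "); if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 3)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == l) print v }'
}
# Compare the local listing ($1) with the remote one ($2): each local field
# must equal its counterpart on the other side. Returns 0 only if all match.
check_pair() {
    ok=0
    for spec in 'Source=Destination' 'Destination=Source' \
        'Send AH Algo=Receive AH Algo' 'Send ESP Algo=Receive ESP Algo' \
        'Receive AH Algo=Send AH Algo' 'Receive ESP Algo=Send ESP Algo' \
        'Source AH SPI=Dest AH SPI' 'Source ESP SPI=Dest ESP SPI' \
        'Dest AH SPI=Source AH SPI' 'Dest ESP SPI=Source ESP SPI'; do
        l=${spec%%=*}; r=${spec#*=}
        a=$(field "$1" "$l"); b=$(field "$2" "$r")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "MISMATCH: local '$l' = '$a' but remote '$r' = '$b'"; ok=1
        fi
    done
    return $ok
}

# Host A: the values shown in the lstun listing on this page.
HOST_A='Source : 5.5.5.19
Destination : 5.5.5.8
Send AH Algo : HMAC_MD5
Send ESP Algo : DES_CBC_8
Receive AH Algo : HMAC_MD5
Receive ESP Algo : DES_CBC_8
Source AH SPI : 300
Source ESP SPI : 300
Dest AH SPI : 23576
Dest ESP SPI : 23576'
# Host B: the mirror image imptun should produce (addresses and SPIs swapped).
HOST_B=$(printf '%s\n' "$HOST_A" | sed -e 's/^Source : /@ : /; s/^Destination : /Source : /; s/^@ : /Destination : /' \
    -e 's/^Source \(.*SPI\)/@ \1/; s/^Dest \(.*SPI\)/Source \1/; s/^@ /Dest /')
# A mis-keyed remote end: one SPI differs, which check_pair must report.
HOST_B_BAD=$(printf '%s\n' "$HOST_B" | sed 's/^Dest ESP SPI : 300$/Dest ESP SPI : 301/')
```

On real hosts, capture "lstun -v 4" output from each end into a file and pass the two files' contents to check_pair; any MISMATCH line points at the value to correct before activating the tunnel with mktun.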