Security Guide

Configuring Internet Key Exchange Tunnels

This section provides information on how to configure Internet Key Exchange (IKE) tunnels using the Web-based System Manager interface, the System Management Interface Tool (SMIT), or the command line.

Using Web-based System Manager to Configure IKE Tunnels

The Using the Basic Configuration Wizard provides an easy way to define an IKE tunnel with preshared keys. For more advanced options, see Advanced IKE Tunnel Configuration.

Using the Basic Configuration Wizard

You can define an IKE tunnel through Web-based System Manager using preshared keys or certificates as the authentication method. The Web-based System Manager adds new key management and data management IKE tunnels to the IP Security subsystem, allows you to input minimal data and choose some options, and makes use of common default values for such parameters as tunnel lifetime.

When using the basic configuration wizard, keep the following in mind:

• The wizard can be used only for initial tunnel configuration. To modify, delete, or activate a tunnel, use the IKE Tunnel plug-in or task bar.
• The tunnel name must be unique on your system, but you can use the same name on the remote system. For example, on the local and remote systems, the tunnel name can be hostA_to_hostB, but the Local IP Address and the Remote IP Address fields (endpoints) are switched.
• Phase 1 and phase 2 tunnels are defined with the same encryption and authentication algorithms.
• The preshared key must be entered in hexadecimal form (without a leading 0x) or ASCII text.
• If digital certificates are chosen as the authentication method, you must use the Key Manager tool to create a digital certificate.
• The host ID type can only be IP Address.
• The transforms and proposals you create are assigned names that end with the user-defined tunnel name. You can view the transforms and proposals in Web-based System Manager through VPN and the IKE Tunnel plug-in.

Use the following procedure to configure a new tunnel using the wizard:

1. Open Web-based System Manager using the wsm command from the command line.
2. Select the Network plug-in.
3. Select Virtual Private Networks (IP Security).
4. From the Console area, select the Overview and Tasks folder.
5. Select Configure a Basic Tunnel Configuration wizard.
6. Click on Next on the Step 1 Introduction panel, then follow the steps to configure an IKE tunnel.

   Online help is available if you need it.

   After a tunnel is defined using the wizard, the tunnel definition displays in the Web-based System Manager IKE tunnels list and can be activated or modified.

Advanced IKE Tunnel Configuration

You can configure key management and data management tunnels separately, using the following procedures.

Configuring Key Management Tunnels

IKE tunnels are configured using Web-based System Manager. Use the following procedure to add a key management tunnel:

1. Open Web-based System Manager using the wsm command.
2. Select the Network plug-in.
3. Select Virtual Private Networks (IP Security).
4. From the Console area, select Overview and Tasks.
5. Select Start IP Security. This action loads the IP Security kernel extensions and starts the isakmpd, tmd, and cpsd daemons.

   A tunnel is created by defining the key management and data management endpoints and their associated security transforms and proposals.

   • Key management is the authentication phase. It sets up a secure channel between the negotiating parties needed before the final IP Security parameters and keys are computed.
   • Data management describes the type of traffic that will be using a particular tunnel. It can be configured for a single host or group of hosts (with the use of subnets or IP ranges) along with specified protocol and port numbers.

   The same key management tunnel can be used to protect multiple data management negotiations and key refreshes, as long as they take place between the same two endpoints; for example, between two gateways.

6. To define the key management tunnel endpoints, click Internet Key Exchange (IKE) Tunnels on the Identification tab.
7. Enter information to describe the identities of the systems taking part in the negotiations. In most cases, IP addresses are used, and a policy compatible with the remote side must be created.

   On the Transforms tab, use matching transforms on both sides, or contact the administrator on the remote end to define a matching transform. A transform containing several choices can be created to allow flexibility when proposing or matching on a transform.

8. If using preshared keys for authentication, enter the preshared key under the key tab. This value must match on both the remote and local machines.
9. Create a transform to be associated with this tunnel by using the Add button on the Transforms tab.

   To enable digital certificates and signature mode support, choose an authentication method of RSA Signature or RSA Signature with CRL Checking.

   For more information about digital certificates, see Working with Digital Certificates and the Key Manager.

Configuring Data Management Tunnels

To set up data management tunnel endpoints and proposals and to complete IKE tunnel setup, open Web-based System Manager, as described in Configuring Key Management Tunnels. A data management tunnel is created by doing the following:

1. Select a key management tunnel and define any unique options. Most data management options can remain as defined by the default.
2. Specify endpoint types (such as IP address, subnet, or IP address range) under the Endpoints tab. You can select a port number and protocol or accept the default.
3. On the Proposals panel, you can create a new proposal by clicking the Add button or clicking OK to create a proposal. If there are multiple proposals, you can use the Move Up or Move Down buttons to change the search order.

Group Support

Beginning with AIX 5.1, IP security supports grouping IKE IDs in a tunnel definition to associate multiple IDs with a single security policy without having to create separate tunnel definitions. Grouping is especially useful when setting up connections to several remote hosts, because you can avoid setting up or managing multiple tunnel definitions. Also, if changes must be made to a security policy, you do not need to change multiple tunnel definitions.

A group must be defined before using that group name in tunnel definition. The group's size is limited to 1 Kbyte. A group name can be used in both key management tunnel and data management tunnel definitions, but it can be used only as a remote ID.

A group is composed of a group name and a list of IKE IDs and ID types. The IDs can all be the same type or a mix of the following:

• IPv4 addresses
• IPv6 addresses
• FQDN
• user@FQDN
• X500 DN types.

During a Security Association negotiation, the IDs in a group are searched linearly for the first match.

Web-based System Manager can be used to define a group that is to be used for the remote endpoint of a Key Management tunnel. Refer to the Command Line Interface for IKE Tunnel Configuration section for information on defining groups from the command line. To define a group using Web-based System Manager, use the following procedure:

1. Selecting a Key Management tunnel in the IKE Tunnel container.
2. Open the properties dialog.
3. Select the Identification tab.
4. Select group ID definition for the remote host identity type.
5. Select the Configure Group Definition button and enter the group members in the window.

Using the SMIT Interface for IKE Tunnel Configuration

You can use the SMIT interface to configure IKE tunnels and perform basic IKE database functions. SMIT uses underlying XML command functions to perform additions, deletions, and modifications to the IKE tunnel definitions. IKE SMIT is used in configuring IKE tunnels quickly and provides examples of the XML syntax used to create IKE tunnel definitions. The IKE SMIT menus also allow you to back up, restore, and initialize the IKE database.

To configure an IPv4 IKE tunnel, use the smitty ike4 fast path. To configure an IPv6 IKE tunnel, use the smitty ike6 fast path. The IKE database functions can be found in the Advanced IP Security Configuration menu.

All IKE database entries added through SMIT can be viewed or modified through the Web-based System Manager tool.

Command Line Interface for IKE Tunnel Configuration

The ikedb command, available in AIX 5.1 and later, allows a user to retrieve, update, delete, import, and export information in the IKE database. using an XML interface. The ikedb command allows the user to write to (put) or read from (get) the IKE database. The input and output format is an Extensible Markup Language (XML) file. The format of an XML file is specified by its Document Type Definition (DTD). The ikedb command allows the user to see the DTD that is used to validate the XML file when doing a put. While entity declarations can be added to the DTD using the -e flag, this is the only modification to the DTD that can be made. Any external DOCTYPE declaration in the input XML file will be ignored and any internal DOCTYPE declaration might result in an error. The rules followed to parse the XML file using the DTD are specified in the XML standard. The /usr/samples/ipsec file has a sample of a typical XML file that defines common tunnel scenarios. See the ikedb command description in the AIX 5L Version 5.2 Commands Reference for syntax details.

You can use the ike command to start, stop, and monitor IKE tunnels. The ike command can also be used to activate, remove, or list IKE and IP Security tunnels. See the ike command description in the AIX 5L Version 5.2 Commands Reference for syntax details.

The following examples show how to use ike, ikedb, and several other commands to configure and check the status of your IKE tunnel:

1. To start a tunnel negotiation (activate a tunnel) or to allow the incoming system to act as a responder (depending on the role that is specified), use the ike command with a tunnel number, as follows:

   # ike cmd=activate numlist=1

   You can also use remote id or IP addresses, as shown in the following examples:

   # ike cmd=activate remid=9.3.97.256
   # ike cmd=activate ipaddr=9.3.97.100, 9.3.97.256

   Since it may take several seconds for the commands to complete, the command returns after the negotiation is started.

2. To display the tunnel status, use the ike command, as follows:

   # ike cmd=list

   The output looks similar to the following:

   Phase 1 Tunnel ID       [1]
   Phase 2 Tunnel ID       [1]

   The output shows phase 1 and phase 2 tunnels that are currently active.

3. To get a verbose listing of the tunnel, use the ike command, as follows:

   # ike cmd=list verbose

   The output looks similar to the following:

   Phase 1 Tunnel ID       1
   Local ID Type:          Fully_Qualified_Domain_Name
   Local ID:               bee.austin.ibm.com
   Remote ID Type:         Fully_Qualified_Domain_Name
   Remote ID:              ipsec.austin.ibm.com
   Mode:                   Aggressive
   Security Policy:        BOTH_AGGR_3DES_MD5
   Role:                   Initiator
   Encryption Alg:         3DES-CBC
   Auth Alg:               Preshared Key
   Hash Alg:               MD5
   Key Lifetime:           28800 Seconds
   Key Lifesize:           0 Kbytes
   Key Rem Lifetime:       28737 Seconds
   Key Rem Lifesize:       0 Kbytes
   Key Refresh Overlap:    5%
   Tunnel Lifetime:        2592000 Seconds
   Tunnel Lifesize:        0 Kbytes
   Tun Rem Lifetime:       2591937 Seconds
   Status:                 Active
   
   Phase 2 Tunnel ID       1
   Local ID Type:          IPv4_Address
   Local ID:               10.10.10.1
   Local Subnet Mask:      N/A
   Local Port:             any
   Local Protocol:         all
   Remote ID Type:         IPv4_Address
   Remote ID:              10.10.10.4
   Remote Subnet Mask:     N/A
   Remote Port:            any
   Remote Portocol:        all
   Mode:                   Oakley_quick
   Security Policy:        ESP_3DES_MD5_SHA_TUNNEL_NO_PFS
   Role:                   Initiator
   Encryption Alg:         ESP_3DES
   AH Transform:           N/A
   Auth Alg:               HMAC-MD5
   PFS:                    No
   SA Lifetime:            600 Seconds
   SA Lifesize:            0 Kbytes
   SA Rem Lifetime:        562 Seconds
   SA Rem Lifesize:        0 Kbytes
   Key Refresh Overlap:    15%
   Tunnel Lifetime:        2592000 Seconds
   Tunnel Lifesize:        0 Kbytes
   Tun Rem Lifetime:       2591962 Seconds
   Assoc P1 Tunnel:        0
   Encap Mode:             ESP_tunnel
   Status:                 Active

4. To display the filter rules in the dynamic filter table for the newly activated IKE tunnel, use the lsfilt command, as follows:

   # lsfilt -d

   The output looks similiar to the following:

   1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all
     packets 0 all
   2 *** Dynamic filter placement rule *** no
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all
     packets 0 all
   
   *** Dynamic table ***
   
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all
     packets 0
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all
     packets 0
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all
     packets 0
   1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any
     0 both outbound yes all packets 1
   1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any
     0 both inbound yes all packets 1

   This example shows a machine that has one IKE tunnel and no other tunnels. The dynamic filter placement rule (rule #2 in this example output of the static table) can be moved by the user to control placement relative to all other user-defined rules. The rules in the dynamic table are constructed automatically as tunnels are negotiated and corresponding rules are inserted into the filter table. These rules can be displayed, but not edited.

5. To turn on logging of the dynamic filter rules, set the logging option for rule #2 to yes, use the chfilt command, as shown in the following example:

   # chfilt -v 4 -n 2 -l y

   For more details on logging of IKE traffic, see Logging Facilities.

6. To deactivate the tunnel, use the ike command, as follows:

   # ike cmd=remove numlist=1

7. To view tunnel definitions, use the ikedb command, as follows:

   # ikedb -g

8. To put definitions to the IKE database from an XML file that has been generated on a peer machine and overwrite any existing objects in the database with the same name, use the ikedb command, as follows:

   # ikedb -pFs peer_tunnel_conf.xml

   The peer_tunnel_conf.xml is the XML file generated on a peer machine.

9. To get the definition of the phase 1 tunnel named tunnel_sys1_and_sys2 and all dependent phase 2 tunnels with respective proposals and protections, use the ikedb command, as follows:

   # ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2

10. To delete all preshared keys from the database, use the ikedb command, as follows:

    # ikedb -d -t IKEPresharedKey

For general information on IKE tunnel group support, see the Group Support section. You can use the ikedb command to define groups from the command line.

AIX IKE and Linux Affinity

To configure an AIX IKE tunnel using Linux configuration files (AIX 5.1 and later), use the ikedb command with the -c flag (conversion option), which lets you use the /etc/ipsec.conf and /etc/ipsec.secrets Linux configuration files as IKE tunnel definitions. The ikedb command parses the Linux configuration files, creates an XML file, and optionally adds the XML tunnel definitions to the IKE database. You can then view the tunnel definitions by using either the ikedb -g command or the Web-based System Manager.

IKE Tunnel Configuration Scenarios

The following scenarios describe the type of situations most customers encounter when trying to set up tunnels. These scenarios can be described as the branch office, business partner, and remote access cases.

• In the branch office case, the customer has two trusted networks that they want to connect together--the engineering group of one location to the engineering group of another. In this example, there are gateways that connect to each other and all the traffic passing between the gateways use the same tunnel. The traffic at either end of the tunnel is decapsulated and passes in the clear within the company intranet.

  In the first phase of the IKE negotiation, the IKE security association is created between the two gateways. The traffic that passes in the IP Security tunnel is the traffic between the two subnets, and the subnet IDs are used in the phase 2 negotiation. After the security policy and tunnel parameters are entered for the tunnel, a tunnel number is created. Use the ike command to start the tunnel.

• In the business partner scenario, the networks are not trusted, and the network administrator may want to restrict access to a smaller number of hosts behind the security gateway. In this case, the tunnel between the hosts carries traffic protected by IP Security for use between two particular hosts. The protocol of the phase 2 tunnel is AH or ESP. This host-to-host tunnel is secured within a gateway-to-gateway tunnel.
• In the remote access case, the tunnels are set up on demand and a high level of security is applied. The IP addresses may not be meaningful, therefore, fully qualified domain names or user@ fully qualified domain names are preferred. Optionally, you can use KEYID to relate a key to a host ID.