This section provides information on how to configure Internet Key Exchange (IKE) tunnels using the Web-based System Manager interface, the System Management Interface Tool (SMIT), or the command line.
The basic configuration wizard provides an easy way to define an IKE tunnel with preshared keys. For more advanced options, see Advanced IKE Tunnel Configuration.
You can define an IKE tunnel through Web-based System Manager using preshared keys or certificates as the authentication method. The Web-based System Manager adds new key management and data management IKE tunnels to the IP Security subsystem, allows you to input minimal data and choose some options, and makes use of common default values for such parameters as tunnel lifetime.
When using the basic configuration wizard, keep the following in mind:
Use the following procedure to configure a new tunnel using the wizard:
Online help is available if you need it.
After a tunnel is defined using the wizard, the tunnel definition displays in the Web-based System Manager IKE tunnels list and can be activated or modified.
You can configure key management and data management tunnels separately, using the following procedures.
IKE tunnels are configured using Web-based System Manager. Use the following procedure to add a key management tunnel:
A tunnel is created by defining the key management and data management endpoints and their associated security transforms and proposals.
The same key management tunnel can be used to protect multiple data management negotiations and key refreshes, as long as they take place between the same two endpoints; for example, between two gateways.
On the Transforms tab, use matching transforms on both sides, or contact the administrator on the remote end to define a matching transform. A transform containing several choices can be created to allow flexibility when proposing or matching on a transform.
To enable digital certificates and signature mode support, choose an authentication method of RSA Signature or RSA Signature with CRL Checking.
For more information about digital certificates, see Working with Digital Certificates and the Key Manager.
To set up data management tunnel endpoints and proposals and to complete IKE tunnel setup, open Web-based System Manager, as described in Configuring Key Management Tunnels. A data management tunnel is created by doing the following:
Beginning with AIX 5.1, IP security supports grouping IKE IDs in a tunnel definition to associate multiple IDs with a single security policy without having to create separate tunnel definitions. Grouping is especially useful when setting up connections to several remote hosts, because you can avoid setting up or managing multiple tunnel definitions. Also, if changes must be made to a security policy, you do not need to change multiple tunnel definitions.
A group must be defined before its name is used in a tunnel definition. The group's size is limited to 1 Kbyte. A group name can be used in both key management tunnel and data management tunnel definitions, but only as a remote ID.
A group is composed of a group name and a list of IKE IDs and ID types. The IDs can all be the same type or a mix of the following:
During a Security Association negotiation, the IDs in a group are searched linearly for the first match.
Web-based System Manager can be used to define a group that is to be used for the remote endpoint of a Key Management tunnel. Refer to the Command Line Interface for IKE Tunnel Configuration section for information on defining groups from the command line. To define a group using Web-based System Manager, use the following procedure:
You can use the SMIT interface to configure IKE tunnels and perform basic IKE database functions. SMIT uses the underlying XML command functions to add, delete, and modify IKE tunnel definitions. IKE SMIT lets you configure IKE tunnels quickly and shows examples of the XML syntax used to create IKE tunnel definitions. The IKE SMIT menus also allow you to back up, restore, and initialize the IKE database.
To configure an IPv4 IKE tunnel, use the smitty ike4 fast path. To configure an IPv6 IKE tunnel, use the smitty ike6 fast path. The IKE database functions can be found in the Advanced IP Security Configuration menu.
All IKE database entries added through SMIT can be viewed or modified through the Web-based System Manager tool.
The ikedb command, available in AIX 5.1 and later, allows a user to retrieve, update, delete, import, and export information in the IKE database using an XML interface. The ikedb command allows the user to write to (put) or read from (get) the IKE database. The input and output format is an Extensible Markup Language (XML) file. The format of an XML file is specified by its Document Type Definition (DTD). The ikedb command allows the user to see the DTD that is used to validate the XML file when doing a put. Entity declarations can be added to the DTD using the -e flag; this is the only modification to the DTD that can be made. Any external DOCTYPE declaration in the input XML file is ignored, and any internal DOCTYPE declaration might result in an error. The rules followed to parse the XML file using the DTD are specified in the XML standard. The /usr/samples/ipsec file contains a sample of a typical XML file that defines common tunnel scenarios. See the ikedb command description in the AIX 5L Version 5.2 Commands Reference for syntax details.
You can use the ike command to start, stop, and monitor IKE tunnels. The ike command can also be used to activate, remove, or list IKE and IP Security tunnels. See the ike command description in the AIX 5L Version 5.2 Commands Reference for syntax details.
The following examples show how to use ike, ikedb, and several other commands to configure and check the status of your IKE tunnel:
To start the negotiation for tunnel 1 (the tunnel number assigned when the tunnel was defined):
# ike cmd=activate numlist=1
You can also select the tunnel by remote ID or by IP addresses, as shown in the following examples:
# ike cmd=activate remid=9.3.97.256
# ike cmd=activate ipaddr=9.3.97.100,9.3.97.256
Because a negotiation can take several seconds to complete, the command returns as soon as the negotiation is started rather than waiting for the tunnel to become active.
To list the tunnels that are currently active:
# ike cmd=list
The output looks similar to the following:
Phase 1 Tunnel ID [1]
Phase 2 Tunnel ID [1]
The output shows phase 1 and phase 2 tunnels that are currently active.
To see the negotiated parameters and remaining lifetimes of each active tunnel:
# ike cmd=list verbose
The output looks similar to the following:
Phase 1 Tunnel ID 1
Local ID Type: Fully_Qualified_Domain_Name
Local ID: bee.austin.ibm.com
Remote ID Type: Fully_Qualified_Domain_Name
Remote ID: ipsec.austin.ibm.com
Mode: Aggressive
Security Policy: BOTH_AGGR_3DES_MD5
Role: Initiator
Encryption Alg: 3DES-CBC
Auth Alg: Preshared Key
Hash Alg: MD5
Key Lifetime: 28800 Seconds
Key Lifesize: 0 Kbytes
Key Rem Lifetime: 28737 Seconds
Key Rem Lifesize: 0 Kbytes
Key Refresh Overlap: 5%
Tunnel Lifetime: 2592000 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 2591937 Seconds
Status: Active

Phase 2 Tunnel ID 1
Local ID Type: IPv4_Address
Local ID: 10.10.10.1
Local Subnet Mask: N/A
Local Port: any
Local Protocol: all
Remote ID Type: IPv4_Address
Remote ID: 10.10.10.4
Remote Subnet Mask: N/A
Remote Port: any
Remote Portocol: all
Mode: Oakley_quick
Security Policy: ESP_3DES_MD5_SHA_TUNNEL_NO_PFS
Role: Initiator
Encryption Alg: ESP_3DES
AH Transform: N/A
Auth Alg: HMAC-MD5
PFS: No
SA Lifetime: 600 Seconds
SA Lifesize: 0 Kbytes
SA Rem Lifetime: 562 Seconds
SA Rem Lifesize: 0 Kbytes
Key Refresh Overlap: 15%
Tunnel Lifetime: 2592000 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 2591962 Seconds
Assoc P1 Tunnel: 0
Encap Mode: ESP_tunnel
Status: Active
To list the filter rules, including the dynamic filter table built for the active tunnel:
# lsfilt -d
The output looks similar to the following:
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule *** no
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all
*** Dynamic table ***
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all packets 0
1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any 0 both outbound yes all packets 1
1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any 0 both inbound yes all packets 1
This example shows a machine that has one IKE tunnel and no other tunnels. The dynamic filter placement rule (rule 2 in the static table of this example output) can be moved by the user to control its placement relative to all other user-defined rules. The rules in the dynamic table are constructed automatically as tunnels are negotiated, and the corresponding rules are inserted into the filter table. These rules can be displayed, but not edited.
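The two outputs above, from ike cmd=list verbose and lsfilt -d, are what an administrator would check after activating a tunnel. The following script is an added example, not part of the AIX documentation or of the ike and lsfilt commands: it parses constructed, abridged copies of both outputs, reports phase 1 and phase 2 tunnels that are not active or that negotiated 3DES or MD5 (the list of algorithms it treats as weak is this script's own choice, not an AIX setting), flags phase 2 tunnels without PFS, and confirms that each active phase 2 tunnel has both an outbound and an inbound rule in the dynamic filter table. Column positions in the lsfilt output are taken from the sample rows above.

```python
import re

# Constructed sample (abridged) of the 'ike cmd=list verbose' output shown above.
IKE_LIST_VERBOSE = """\
Phase 1 Tunnel ID 1
Local ID Type: Fully_Qualified_Domain_Name
Local ID: bee.austin.ibm.com
Remote ID Type: Fully_Qualified_Domain_Name
Remote ID: ipsec.austin.ibm.com
Mode: Aggressive
Encryption Alg: 3DES-CBC
Auth Alg: Preshared Key
Hash Alg: MD5
Key Rem Lifetime: 28737 Seconds
Status: Active

Phase 2 Tunnel ID 1
Local ID Type: IPv4_Address
Local ID: 10.10.10.1
Remote ID Type: IPv4_Address
Remote ID: 10.10.10.4
Encryption Alg: ESP_3DES
Auth Alg: HMAC-MD5
PFS: No
SA Rem Lifetime: 562 Seconds
Status: Active
"""

# Constructed sample: the dynamic table portion of the 'lsfilt -d' output shown above.
LSFILT_D = """\
*** Dynamic table ***
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 500 eq 500 local both no all packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no ah any 0 any 0 both inbound no all packets 0
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no esp any 0 any 0 both inbound no all packets 0
1 permit 10.10.10.1 255.255.255.255 10.10.10.4 255.255.255.255 no all any 0 any 0 both outbound yes all packets 1
1 permit 10.10.10.4 255.255.255.255 10.10.10.1 255.255.255.255 no all any 0 any 0 both inbound yes all packets 1
"""

# Algorithms this script treats as weak; an editorial choice, not an AIX setting.
WEAK_ALGS = {"3DES-CBC", "ESP_3DES", "MD5", "HMAC-MD5"}


def parse_ike_list(text):
    """Split verbose 'ike cmd=list' output into one dict per tunnel block."""
    tunnels = []
    for line in text.splitlines():
        head = re.match(r"Phase (\d) Tunnel ID (\d+)", line)
        if head:
            tunnels.append({"phase": int(head.group(1)), "id": int(head.group(2))})
        elif ":" in line and tunnels:
            key, _, value = line.partition(":")
            tunnels[-1][key.strip()] = value.strip()
    return tunnels


def parse_dynamic_rules(text):
    """Return (src, dst, direction, tunnel_id) for each rule in the dynamic table.

    Column positions follow the sample rows: rule, action, src, src mask,
    dst, dst mask, source routing, protocol, two port operator/value pairs,
    scope, direction, logging, fragment control ('all packets'), tunnel ID.
    """
    rules = []
    in_dynamic = False
    for line in text.splitlines():
        if line.startswith("*** Dynamic table ***"):
            in_dynamic = True
            continue
        fields = line.split()
        if in_dynamic and len(fields) >= 14:
            rules.append((fields[2], fields[4], fields[13], int(fields[-1])))
    return rules


def check_tunnels(ike_text, filt_text):
    """Return findings for the listed tunnels; an empty list means all checks passed."""
    findings = []
    rules = parse_dynamic_rules(filt_text)
    for t in parse_ike_list(ike_text):
        tag = "phase %d tunnel %d" % (t["phase"], t["id"])
        if t.get("Status") != "Active":
            findings.append("%s: status is %s" % (tag, t.get("Status")))
        for key in ("Encryption Alg", "Auth Alg", "Hash Alg"):
            if t.get(key) in WEAK_ALGS:
                findings.append("%s: %s is %s" % (tag, key, t[key]))
        if t["phase"] != 2:
            continue
        if t.get("PFS") == "No":
            findings.append("%s: PFS disabled" % tag)
        local, remote = t["Local ID"], t["Remote ID"]
        # An active phase 2 tunnel should have an outbound rule local->remote
        # and an inbound rule remote->local, both tagged with its tunnel ID.
        expected = {"outbound": (local, remote), "inbound": (remote, local)}
        for direction, (src, dst) in expected.items():
            if (src, dst, direction, t["id"]) not in rules:
                findings.append("%s: no %s dynamic filter rule" % (tag, direction))
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(IKE_LIST_VERBOSE, LSFILT_D):
        print(finding)
```

On the sample output above the script reports the 3DES and MD5 choices in both phases and the missing PFS in phase 2, while the filter check passes because both dynamic rules for tunnel 1 are present. If the inbound rule were absent, the script would report that too, which is the symptom to look for when traffic leaves the host but replies are dropped.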
To turn on logging (-l y) for IPv4 filter rule 2, the dynamic filter placement rule in the example above:
# chfilt -v 4 -n 2 -l y
For more details on logging of IKE traffic, see Logging Facilities.
To remove tunnel 1:
# ike cmd=remove numlist=1
To retrieve the entire IKE database as XML:
# ikedb -g
# ikedb -pFs peer_tunnel_conf.xml
Here peer_tunnel_conf.xml is the XML file generated on the peer machine.
To retrieve the IKE tunnel definition named tunnel_sys1_and_sys2:
# ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2
To delete all preshared key entries from the IKE database:
# ikedb -d -t IKEPresharedKey
For general information on IKE tunnel group support, see the Group Support section. You can use the ikedb command to define groups from the command line.
To configure an AIX IKE tunnel using Linux configuration files (AIX 5.1 and later), use the ikedb command with the -c flag (conversion option), which lets you use the /etc/ipsec.conf and /etc/ipsec.secrets Linux configuration files as IKE tunnel definitions. The ikedb command parses the Linux configuration files, creates an XML file, and optionally adds the XML tunnel definitions to the IKE database. You can then view the tunnel definitions by using either the ikedb -g command or the Web-based System Manager.
The following scenarios describe the types of situations most customers encounter when setting up tunnels: the branch office, business partner, and remote access cases.
In the first phase of the IKE negotiation, the IKE security association is created between the two gateways. The traffic that passes in the IP Security tunnel is the traffic between the two subnets, and the subnet IDs are used in the phase 2 negotiation. After the security policy and tunnel parameters are entered for the tunnel, a tunnel number is created. Use the ike command to start the tunnel.