Commands Reference, Volume 3
ike Command
Purpose
Starts, stops, and monitors IP Security dynamic tunnels which use the Internet
Key Exchange Protocol (ISAKMP/Oakley).
Syntax
ike cmd=Subcommand [ parameter ... ]
Description
The ike command is used to start, stop, and monitor IP Security
dynamic tunnels using the Internet Key Exchange (IKE) protocol. IP Security
tunnels protect IP traffic by authenticating and/or encrypting IP data. The ike command performs several functions: it can activate,
remove, or list IKE and IP Security tunnels. For an overview of IP Security
and IKE tunnels, see IP Security in the AIX 5L Version 5.2 Security Guide.
Note: You must have root access to use the ike command.
The IKE negotiation occurs in two phases. The first phase authenticates
the two parties and sets up a Key Management (also known as phase 1)
Security Association for protecting the data that is passed during the
negotiation. In this phase the key management policy is used to secure the
negotiation messages. The second phase negotiates a Data Management (also
known as phase 2) Security Association, which uses the data management policy
to set up IP Security tunnels in the kernel for encapsulating and
decapsulating data packets. The secure channel established in phase 1 can be
used to protect multiple data management negotiations between two hosts.
The ike command is used to activate tunnels with
identification and policy information which has already been entered using
the Web-based System Manager Graphical User Interface (GUI) under Virtual
Private Networks (IP Security) in the Network application. The parameters
to be used during the negotiation are entered by the user and stored in a
database. The ike command allows the activation, removal
and listing of tunnels that have been started using the security parameters
stored in the database.
In most uses of the ike command, activation and deletion
occur for both phases; however, the command allows these operations to be
done separately.
Subcommands
- activate
Purpose
Start the negotiation of an IKE tunnel. If phase is not specified,
both a phase 1 and phase 2 tunnel are started. If IP addresses are supplied,
the tunnel is set up using those IP addresses. If the IDs used during the negotiation
are not IP addresses, the local and remote host IDs must be entered using
the Virtual Private Networks Web-based System Manager Graphical User Interface
(GUI) panels. A unique tunnel number is created. The tunnel can then be referenced
by the tunnel number in the ike command to indicate
the particular tunnel to be started.
Syntax
ike cmd=activate [ phase=1|2 ] [ numlist=tunnel_num_list ] [ remid=remote_id ] [ ipaddr=src_addr,dst_addr ] [ autostart ]
Description
The activate subcommand works using a two-phase
paradigm. A phase 1 tunnel must be established before a phase 2 tunnel can
be started. If a phase 1 tunnel is specified, then only the phase 1 tunnel
negotiation takes place. If a phase 2 tunnel is specified, then the system
checks for the existence of the corresponding phase 1 tunnel before creating
the phase 2 tunnel. If the phase 1 negotiation has not been started, it is
started automatically.
Upon successful completion of a phase 2 tunnel,
the tunnel definition and corresponding filter rules are inserted into the
IP Security kernel, and the new tunnel is activated. Traffic described by
the tunnel definition passing between the designated endpoints is protected
by the encryption and authentication algorithms indicated by the associated
IKE security policy.
Multiple phase 2 tunnels can be started under
the same phase 1 tunnel. This may be desired when different
types of traffic between two endpoints need different levels of security protection.
The Security Association used for the phase 1 tunnel can be shared by multiple
phase 2 tunnels. The phase 2 tunnels would specify the type of traffic (by
protocol and port, or subnet mask, for instance) and could have different
security policies protecting them.
The ike command
returns as soon as a negotiation has been initiated, an error occurs, or the
tunnel already exists. Since the remote host must be contacted during the
negotiation and the amount of time needed to complete the negotiation is uncertain,
the list subcommand should be used to determine whether the
negotiation was successful.
Errors that are detected during the negotiation
process can be captured by using syslog.
Flags
- phase
- Specifies the type of negotiation desired. If omitted, the activate subcommand activates both a phase 1 and phase 2 tunnel. The phase flag is optional.
- numlist
- Specifies the tunnel number(s) corresponding
to the phase 1 or phase 2 tunnel(s) to be started. The , (comma) and - (dash) characters can be used to
delimit values and indicate ranges. The list subcommand
with the database option db can be used to determine
the tunnel number for a particular tunnel. An example using tunnel numbers
is shown below:
ike cmd=activate numlist=1,3,5-7
This
would start tunnels 1, 3, 5, 6 and 7.
- remid
- Starts phase 1 or phase 2 tunnel(s) from the local ID to the specified remote
ID. remid can be a phase 1 ID (such as IP address, FQDN,
user FQDN or X500DN), a phase 2 ID (such as IP address, subnet or IP address
range) or a group ID. The , (comma) is used to delimit
a subnet ID from its subnet mask, and a starting IP address from an ending IP address. If remid is a group name, a tunnel is initiated for each group member. remid is an optional flag. It can only be used with the activate
subcommand, and it cannot be used in conjunction with the ipaddr or numlist flag.
- To activate a phase 1 tunnel to remote IP address 9.3.97.100, type:
ike cmd=activate phase=1 remid=9.3.97.100
- To activate a phase 2 tunnel to remote subnet ID 9.3.97.100,255.255.255.0,
type:
ike cmd=activate phase=2 remid=9.3.97.100,255.255.255.0
- ipaddr
- Starts a phase 1 or phase 2 tunnel between the specified IP addresses.
- autostart
- Causes the activation of all phase 1 and phase 2 tunnel database entries
which were created with the autostart parameter set.
The autostart flag does not work in conjunction with
any other flags pertaining to the activate subcommand.
- namelist
- Specifies a tunnel name or comma-separated list of tunnel names to be
activated. This flag requires the use of the phase flag.
Examples
- To activate a phase 2 tunnel between source IP address x.x.x.x and destination
IP address y.y.y.y, enter:
ike cmd=activate phase=2 ipaddr=x.x.x.x,y.y.y.y
The security policy indicated in the database for the IP addresses
x.x.x.x and y.y.y.y is used for activating the tunnel.
- To activate phase 1 tunnels for tunnels 1 and 2, enter:
ike cmd=activate phase=1 numlist=1,2
- To activate phase 2 tunnels for inactive tunnels 3, 4, 5, and 8 from the
database, enter:
ike cmd=activate phase=2 numlist=3-5,8
Note: Because each phase 2 tunnel must have an associated
phase 1 tunnel, a phase 1 tunnel is automatically activated before the phase
2 tunnel is activated.
- list
Purpose
Monitors the status of IP Security tunnels by phase. It is also used
to view tunnel entries defined in the IKE database.
Syntax
ike cmd=list [ phase=1|1+|2 ] [ numlist=tunnel_num_list ] [ db | role=i|r ] [ verbose ]
Description
The list subcommand queries the Tunnel Manager
and lists phase 1 and phase 2 tunnel status and information according to the
result of the query. This command can also be used to view information in
the Tunnel Definition database. The default behavior is to list the tunnels
currently active. To list the tunnels in the database, the db option must be used.
Flags
- phase
- Indicates the type and order of the tunnel(s) to be listed. A phase
value of 1 displays only the requested phase 1 tunnel information.
A phase value of 2 displays the information for the requested
phase 2 tunnel(s) and their associated phase 1 tunnel(s).
A phase value of 1+ displays the requested phase 1 tunnel and all associated
phase 2 tunnels. The default phase value is 1+.
- numlist
- Lists the tunnel numbers which you would like to view. If omitted,
the information from all tunnels is displayed. The , (comma)
and - (dash) characters can be used to delimit values
and indicate ranges. For example:
ike cmd=list numlist=1,3,5-7
When used in conjunction with db, tunnels from the IKE
Security Policy database are shown.
Note: Active
tunnel numbers and tunnel numbers from the IKE Tunnel Definitions database
do not necessarily match up. This is because active tunnel numbers
must reflect tunnels from both the initiator and responder modes.
- db
- Shows the entries in the database. If this flag is omitted, only active
tunnels are displayed. This flag cannot be used in conjunction with role. Use numlist to supply the tunnel numbers which you would like to view.
- role
- Allows the display of tunnels by the point of initiation. If i is specified, then the tunnels that were initiated by the local host
are displayed. If r is specified, then the tunnels where
the local host acted as a responder are displayed. If this flag is omitted,
both initiator and responder tunnels are shown. This flag cannot be used in
conjunction with db.
- verbose
- Shows extended information about the specified tunnels. If this flag
is not specified, then only a concise entry for each tunnel is shown.
Examples
Note: Tunnel numbers from the database and tunnel
numbers from the tunnel manager do not necessarily reflect the same tunnel.
- To perform a concise (short form) listing of phase 1 tunnels with entries
in the tunnel manager, enter:
ike cmd=list phase=1 numlist=1,2,3
These tunnels are either being negotiated, in the active state, or have expired.
Only tunnels 1, 2, and 3 are listed. Tunnels can be in either the initiator or the responder
role.
- To perform a concise (short form) listing of the specified phase 2
tunnels in the database, with each preceded by the associated phase 1 tunnel,
enter:
ike cmd=list phase=2 numlist=1-3 db
These are
tunnels defined in the database which may or may not be currently active in
the tunnel manager. All tunnels in the database are used in the initiator
role only.
- To perform a verbose (long form) listing of a phase 1 tunnel followed
by all of its associated phase 2 tunnels from the tunnel manager, enter:
ike cmd=list phase=1+ role=r verbose
Only tunnels which were
activated in the responder role are listed. All available tunnel numbers are
listed since no numlist was specified.
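Because ike cmd=activate returns as soon as the negotiation has been initiated, the activate description above tells you to confirm the result with ike cmd=list. The POSIX sh script below is an added example, not part of the AIX Commands Reference: it first expands a numlist expression of the form accepted by activate, list and remove (commas delimit values, a dash marks a range, e.g. 1,3,5-7) into individual tunnel numbers, rejecting malformed input before anything is activated, and then polls ike cmd=list for the requested phase until every tunnel in the list shows as active or a timeout expires. The column positions of the tunnel number and status in the concise listing, and the status word "Active", are assumptions (the page does not show the listing format) and are set in variables at the top so they can be adjusted to the output of your system.

```shell
#!/bin/sh
# Added example, not from the AIX Commands Reference. Requires root, like ike itself.

# ASSUMED layout of the concise "ike cmd=list" output: one tunnel per line,
# tunnel number in column 2, status in column 3, active tunnels marked "Active".
# Adjust these three values to match the listing on your system.
ID_COL=2
STATUS_COL=3
ACTIVE_WORD="Active"

# expand_numlist "1,3,5-7" prints "1 3 5 6 7" on one line.
# Returns 1 on an empty list, a non-numeric element, or a reversed range,
# so a typo in the list is caught before any tunnel is touched.
expand_numlist() {
    out=""
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item;       hi=$item ;;
        esac
        # both bounds must be plain decimal numbers
        case "$lo" in ''|*[!0-9]*) return 1 ;; esac
        case "$hi" in ''|*[!0-9]*) return 1 ;; esac
        [ "$lo" -le "$hi" ] || return 1
        i=$lo
        while [ "$i" -le "$hi" ]; do
            out="$out $i"
            i=$((i + 1))
        done
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "${out# }"
}

# tunnel_active LISTING TUNNEL_NUM: succeeds when LISTING has a line whose
# ID_COL equals TUNNEL_NUM and whose STATUS_COL equals ACTIVE_WORD.
tunnel_active() {
    printf '%s\n' "$1" | awk -v t="$2" -v ic="$ID_COL" -v sc="$STATUS_COL" -v w="$ACTIVE_WORD" \
        '$ic == t && $sc == w { found = 1 } END { exit !found }'
}

# wait_for_tunnels PHASE NUMLIST TIMEOUT_SECONDS
# Polls "ike cmd=list" once per second until every tunnel in NUMLIST is active.
# Returns 0 when all are active, 1 on timeout (listing the tunnels still
# missing), 2 on a malformed NUMLIST, 3 if "ike cmd=list" itself fails.
wait_for_tunnels() {
    phase=$1
    nums=$(expand_numlist "$2") || return 2
    timeout=$3
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        listing=$(ike cmd=list phase="$phase" numlist="$2") || return 3
        missing=""
        for n in $nums; do
            tunnel_active "$listing" "$n" || missing="$missing $n"
        done
        [ -z "$missing" ] && return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    printf 'phase %s tunnels not active after %ss:%s\n' "$phase" "$timeout" "$missing" >&2
    return 1
}

# Usage: sh ike_wait.sh PHASE NUMLIST TIMEOUT, e.g. "sh ike_wait.sh 2 3-5,8 60".
# Runs only when three arguments are given, so the functions can also be sourced.
if [ $# -eq 3 ]; then
    ike cmd=activate phase="$1" numlist="$2" && wait_for_tunnels "$1" "$2" "$3"
fi
```

A non-zero exit from the script is the signal to check syslog, where the page says negotiation errors are recorded; the script deliberately does not retry activation, since a second activate against a tunnel that already exists just returns.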
- remove
Purpose
Deactivates specified phase 1 or phase 2 tunnel(s) and optionally removes
an entry from the IKE Tunnel Definition database.
Syntax
ike cmd=remove [ phase=1|2 ] [ numlist=tunnel_num_list ] [ all ]
Description
The remove subcommand requests the deactivation
of phase 1 or phase 2 tunnel(s). Because phase 2 tunnels are associated with
a phase 1 tunnel, if a phase 1 tunnel is removed, all phase 2 tunnels under
the phase 1 tunnel are not refreshed when the phase 2 tunnel lifetime expires.
Flags
- phase
- Indicates the phase of the tunnel to be deactivated and must be specified.
A phase value of 1 refers to a phase 1 tunnel and a phase value of 2 refers
to a phase 2 tunnel.
- numlist
- List the tunnel numbers you would like to remove. The , (comma) and - (dash) characters can be used to
delimit values and indicate ranges. For example:
ike cmd=remove numlist=1,3,5-7
When numlist is omitted, all tunnels are
deactivated or removed from the database.
-
- Removes entries from the IKE Tunnel Definition database.
- all
- Removes all entries from the IKE Tunnel Definition database. This parameter
does not work in conjunction with numlist.
Examples
- To deactivate phase 1 tunnels numbered 1, 2, and 3, enter:
ike cmd=remove phase=1 numlist=1-3
- To remove all phase 1 and phase 2 tunnels, enter:
ike cmd=remove all
- To remove all phase 2 tunnels but keep all phase 1 tunnels active, enter:
ike cmd=remove phase=2 all
- To deactivate all phase 1 tunnels (corresponding phase 2 tunnels will
not be refreshed), enter:
ike cmd=remove phase=1 all
- log
Purpose
Read the ISAKMP daemon log level from
the /etc/syslog.conf file and start logging at that
level. The log output is sent to the file specified in the /etc/syslog.conf file.
Syntax
ike cmd=log
Note: If the log level or the output file name in /etc/syslog.conf are changed, the refresh -s syslogd command must
also be run.
Description
The log subcommand
reads the log level and a path and filename from the /etc/isakmpd.conf file.
The logging level specified is set and the log output is placed in the path
and filename specified.
Note: There are four valid logging levels for
the ISAKMP daemon. They are none, errors, events, and information. none means no logging, errors means logging of only ISAKMP daemon errors will occur, events means errors and other ISAKMP daemon events will be logged, and information is the highest level of logging, which is all
inclusive.
Files
/usr/sbin
Location of the ike admin commands.