Changes a tunnel definition.
chtun -t tunnel_ID -v {4|6} [ -s src_host_IP_address] [ -d dst_host_IP_address] [ -m pkt_mode] [ -f fw_address [ -x dst_mask]] [ -e src_esp_algo] [ -a src_ah_algo]] [ -p src_policy] [ -E dst_esp_algo] [ -A dst_ah_algo]] [ -P dst_policy] [ -l lifetime] [ -k src_esp_key] [ -h src_ah_key] [ -K dst_esp_key] [ -H dst_ah_key] [ -n src_esp_spi] [ -u src_ah_spi] [ -N dst_esp_spi] [ -U dst_ah_spi] [ -b src_enc_mac_algo] [ -c src_enc_mac_key] [ -B dst_enc_mac_algo] [ -C dst_enc_mac_key]
Use the chtun command to change a definition of a tunnel between a local host and a tunnel partner host. If a flag is not specified, then the value given for the gentun command should stay the value for that field. It may also change the auto-generated filter rules created for the tunnel by the gentun command.
| Item | Description |
|---|---|
| -A dst_ah_algo] | (manual tunnel only) Authentication algorithm, which is used by the destination for IP packet encryption. The valid values for -A depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. |
| -a src_ah_algo] | Authentication algorithm, used by source host for IP packet authentication. The valid values for -a depend on which authentication algorithms have been installed on the host. The list of all authentication algorithms can be displayed by issuing the ipsecstat -A command. |
| -B dst_enc_mac_algo | (manual tunnel only) Destination ESP Authentication Algorithm (New header format only). The valid values for -B depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. |
| -b src_enc_mac_algo | (manual tunnel only) Source ESP Authentication Algorithm (New header format only). The valid values for -b depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command. |
| -C dst_enc_mac_key | (manual tunnel only) Destination ESP Authentication Key (New header format only). It must be a hexadecimal string started with "0x". |
| -c src_enc_mac_key | (manual tunnel only) Source ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x". |
| -d dst_host_IP_address | Destination Host IP address. For a host-host tunnel, this value is the IP address of the destination host interface to be used by the tunnel. For a host-firewall-host tunnel, this is the IP address of a destination host behind the firewall. A host name is also valid and the first IP address returned by the name server for the host name will be used. |
| -E dst_esp_algo | (manual tunnel only) Encryption algorithm, which is used by the destination for IP packet encryption. The valid values for -E depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command. |
| -e src_esp_algo | Encryption algorithm, used by source host for IP packet encryption. The valid values for -e depend on which encryption algorithms have been installed on the host. The list of all encryption algorithms can be displayed by issuing the ipsescstat -E command. |
| -f fw_address | IP address of the firewall that is between source and destination
hosts. A tunnel will be established between the source and the firewall.
Therefore the corresponding tunnel definition must be made in the
firewall host. A host name can also be specified with this flag, and
the first IP address returned by name server for the host name will
be used. The -m flag is forced to use default value (tunnel) if -f is specified. |
| -H dst_ah_key | The Key String for destination AH. The input must be a hexdecimal string started with "0x". |
| -h src_ah_key | The Key String for source AH. The input must be a hexdecimal string started with "0x". |
| -K dst_esp_key | The Key String for destination ESP. The input must be a hexdecimal string started with "0x". |
| -k src_esp_key | The Key String for the source ESP. It is used by the source to create the tunnel. The input must be a hexdecimal string started with "0x". |
| -l lifetime | Key Lifetime, specified in minutes. For manual tunnels, the value of this flag indicates the time of operability before the tunnel expires. The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel will never expire. |
| -m pkt_mode | Secure Packet Mode. This value must be specified as tunnel or transport. |
| -N dst_esp_spi | (manual tunnel only) Security Parameter Index for the destination ESP. |
| -n src_esp_spi | (manual tunnel only) Security Parameter Index for source ESP. This SPI and the destination IP address is used to determine which security association to use for ESP. |
| -P dst_policy | (manual tunnel only) Destination policy, identifies how the IP packet authentication and/or encryption is to be used by destination. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only. |
| -p src_policy | Source policy, identifies how the IP packet authentication and/or encryption is to be used by source. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only. |
| -s src_host_IP_address | Source Host IP address, IP address of the local host interface to be used by the tunnel. A host name is also valid and the first IP address returned by name server for the host name will be used. |
| -t tunnel_ID | The tunnel identifier (ID), a locally unique, numeric identifier for a particular tunnel definition. The value must match an existing tunnel ID. |
| -U dst_ah_spi | (manual tunnel only) Security Parameter Index for the destination AH. |
| -u src_ah_spi | (manual tunnel only) Security Parameter Index for source AH. This SPI and the destination IP address is used to determine which security association to use for AH. |
| -v | The IP version for which the tunnel is created. For IP version 4 tunnels, use the value of 4. For IP version 6 tunnels, use the value of 6. |
| -x dst_mask | This flag is used for host-firewall-host tunnels. The value
is the network mask for the secure network behind a firewall. The
Destination host specified with the -d flag is a member of
the secure network. The combination of the -d and -x flags allows source host communications with multiple hosts in
the secure network through the source-firewall tunnel, which must
be in tunnel Mode. This flag is valid only when -f is specified. |
| -y | (manual tunnel only) Replay prevention flag. Replay prevention is valid only when the ESP or AH header is using the new header format (see the -z flag). The valid values for the -y flag are Y (yes) and N (no). |
| -z | (manual tunnel only) New header format flag. The new header format reserves a field in ESP or AH header for replay prevention and also allows ESP authentication. The replay field is used only when the replay flag (-y) is set to Y. The valid values are Y (yes) and N (no). |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.