chtun Command

Purpose

Changes a tunnel definition.

Syntax

chtun -t tunnel_ID -v {4|6} [ -s src_host_IP_address] [ -d dst_host_IP_address] [ -m pkt_mode] [ -f fw_address [ -x dst_mask]] [ -e src_esp_algo] [ -a src_ah_algo]] [ -p src_policy] [ -E dst_esp_algo] [ -A dst_ah_algo]] [ -P dst_policy] [ -l lifetime] [ -k src_esp_key] [ -h src_ah_key] [ -K dst_esp_key] [ -H dst_ah_key] [ -n src_esp_spi] [ -u src_ah_spi] [ -N dst_esp_spi] [ -U dst_ah_spi] [ -b src_enc_mac_algo] [ -c src_enc_mac_key] [ -B dst_enc_mac_algo] [ -C dst_enc_mac_key]

Description

Use the chtun command to change a definition of a tunnel between a local host and a tunnel partner host. If a flag is not specified, then the value given for the gentun command should stay the value for that field. It may also change the auto-generated filter rules created for the tunnel by the gentun command.

Flags

Item Description
-A dst_ah_algo] (manual tunnel only) Authentication algorithm, which is used by the destination for IP packet encryption. The valid values for -A depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-a src_ah_algo] Authentication algorithm, used by source host for IP packet authentication. The valid values for -a depend on which authentication algorithms have been installed on the host. The list of all authentication algorithms can be displayed by issuing the ipsecstat -A command.
-B dst_enc_mac_algo (manual tunnel only) Destination ESP Authentication Algorithm (New header format only). The valid values for -B depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-b src_enc_mac_algo (manual tunnel only) Source ESP Authentication Algorithm (New header format only). The valid values for -b depend on which authentication algorithms have been installed on the host. The list of all the authentication algorithms can be displayed by issuing the ipsecstat -A command.
-C dst_enc_mac_key (manual tunnel only) Destination ESP Authentication Key (New header format only). It must be a hexadecimal string started with "0x".
-c src_enc_mac_key (manual tunnel only) Source ESP Authentication Key (New header format only). It must be a hexdecimal string started with "0x".
-d dst_host_IP_address Destination Host IP address. For a host-host tunnel, this value is the IP address of the destination host interface to be used by the tunnel. For a host-firewall-host tunnel, this is the IP address of a destination host behind the firewall. A host name is also valid and the first IP address returned by the name server for the host name will be used.
-E dst_esp_algo (manual tunnel only) Encryption algorithm, which is used by the destination for IP packet encryption. The valid values for -E depend on which encryption algorithms have been installed on the host. The list of all the encryption algorithms can be displayed by issuing the ipsecstat -E command.
-e src_esp_algo Encryption algorithm, used by source host for IP packet encryption. The valid values for -e depend on which encryption algorithms have been installed on the host. The list of all encryption algorithms can be displayed by issuing the ipsescstat -E command.
-f fw_address IP address of the firewall that is between source and destination hosts. A tunnel will be established between the source and the firewall. Therefore the corresponding tunnel definition must be made in the firewall host. A host name can also be specified with this flag, and the first IP address returned by name server for the host name will be used.

The -m flag is forced to use default value (tunnel) if -f is specified.

-H dst_ah_key The Key String for destination AH. The input must be a hexdecimal string started with "0x".
-h src_ah_key The Key String for source AH. The input must be a hexdecimal string started with "0x".
-K dst_esp_key The Key String for destination ESP. The input must be a hexdecimal string started with "0x".
-k src_esp_key The Key String for the source ESP. It is used by the source to create the tunnel. The input must be a hexdecimal string started with "0x".
-l lifetime Key Lifetime, specified in minutes.

For manual tunnels, the value of this flag indicates the time of operability before the tunnel expires.

The valid values for manual tunnels are 0 - 44640. Value 0 indicates that the manual tunnel will never expire.

-m pkt_mode Secure Packet Mode. This value must be specified as tunnel or transport.
-N dst_esp_spi (manual tunnel only) Security Parameter Index for the destination ESP.
-n src_esp_spi (manual tunnel only) Security Parameter Index for source ESP. This SPI and the destination IP address is used to determine which security association to use for ESP.
-P dst_policy (manual tunnel only) Destination policy, identifies how the IP packet authentication and/or encryption is to be used by destination. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only.
-p src_policy Source policy, identifies how the IP packet authentication and/or encryption is to be used by source. If the value of this flag is specified as ea, the IP packet gets encrypted before authentication. If specified as ae, it gets encrypted after authentication, whereas specifying e or a alone corresponds to the IP packet being encrypted only or authenticated only.
-s src_host_IP_address Source Host IP address, IP address of the local host interface to be used by the tunnel. A host name is also valid and the first IP address returned by name server for the host name will be used.
-t tunnel_ID The tunnel identifier (ID), a locally unique, numeric identifier for a particular tunnel definition. The value must match an existing tunnel ID.
-U dst_ah_spi (manual tunnel only) Security Parameter Index for the destination AH.
-u src_ah_spi (manual tunnel only) Security Parameter Index for source AH. This SPI and the destination IP address is used to determine which security association to use for AH.
-v The IP version for which the tunnel is created. For IP version 4 tunnels, use the value of 4. For IP version 6 tunnels, use the value of 6.
-x dst_mask This flag is used for host-firewall-host tunnels. The value is the network mask for the secure network behind a firewall. The Destination host specified with the -d flag is a member of the secure network. The combination of the -d and -x flags allows source host communications with multiple hosts in the secure network through the source-firewall tunnel, which must be in tunnel Mode.

This flag is valid only when -f is specified.

-y (manual tunnel only) Replay prevention flag. Replay prevention is valid only when the ESP or AH header is using the new header format (see the -z flag). The valid values for the -y flag are Y (yes) and N (no).
-z (manual tunnel only) New header format flag. The new header format reserves a field in ESP or AH header for replay prevention and also allows ESP authentication. The replay field is used only when the replay flag (-y) is set to Y. The valid values are Y (yes) and N (no).

Security

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.