"Note: The information contained in this article is structured as help information for the System Management Interface Tool (SMIT) and is not intended for use as a procedural or conceptual article."
Select when the IP Security software is to be started. Press F4 to get a list of choices. The possible choices are: now and after-reboot, after-reboot. Press Enter to select one from the list.
Select the default action for filtering. Press F4 to get a list of selections. The possible selections are: yes, no. Press Enter to select one from the list.
Selecting yes will result in the rejection of any IP network traffic that does not go through an active security tunnel or does not match any user defined filter rules. Selecting no will result in the acceptance of network traffic that does not apply to user defined filter rules or tunnels. If configuring this host remotely, remember to add filter rules for this host before IP Security is enabled.
This will also indicate how traffic will be handled when filtering is deactivated.
IP address of the local host interface to be used by the tunnel. Press F4 to see the local address. Press Enter to add the local address to the field.
IP address of the destination host interface to be used by the tunnel. Enter dotted IP address or host name.
Algorithm used for IP packet encryption. Press F4 to see a list of installed encryption algorithms. Press Enter to add the algorithm to the field.
Allows you to enter a combination of encryption and authentication values. Press F4 to select a particular policy. Press Enter to add your selection to the field.
Time in minutes. Put a value in the entry field. The valid values are from 1-1440.
When using the Session Key Refresh Method, this value indicates how long the current session key may be used. The value specified affects the performance of the tunnel: the smaller the value, the more often a new key is computed and exchanged with the tunnel partner. Generally, values used for CDMF will be smaller than those used for DES, because CDMF is the weaker of the two encryption algorithms.
A new session key is automatically generated after every Session Key Life expires. The generated session keys are used by the encryption and message authentication algorithms. The old and new keys are valid for an overlapped period of time determined by the Session Key Refresh Time. This is so that messages generated with the old key, which are in-transit in the network, can be decrypted or validated on arrival even after a new key computation. If the Session Key Life is n minutes, both the old key and new key are valid during the last Session Key Refresh Time minutes of the n minutes.
Time in minutes. This field is used only when you use the Session Key Refresh Method. If the Session Key Refresh Method is used, then this field must be specified. Put a value in the entry field. The valid values range from 1 to 720.
The Session Key Refresh Time determines the amount of overlap between the start of the new key and the expiration of the old key. The value specified is the time in minutes for which the previous session key remains valid after a key refresh has been done. The value specified cannot be greater than the Session Key Life.
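The overlap described above, modelled in code. This is an added example, not AIX or SMIT code: it follows the help text literally, so each session key is valid for `life` minutes (Session Key Life) and the next key is brought into use `refresh` minutes (Session Key Refresh Time) before the old one expires, which makes both keys valid during the last `refresh` minutes of the old key's life. Time is in minutes from tunnel start, key generations are numbered from 0, and the function names are this example's own. The model needs refresh strictly less than life, whereas SMIT only requires refresh not greater than life.

```python
"""Session key overlap for the IBM Session Key Refresh Method (added example)."""


def validate(life: int, refresh: int) -> None:
    # Ranges from the SMIT panels: life 1-1440, refresh 1-720, refresh not above life.
    if not 1 <= life <= 1440:
        raise ValueError("Session Key Life must be 1-1440 minutes")
    if not 1 <= refresh <= 720:
        raise ValueError("Session Key Refresh Time must be 1-720 minutes")
    if refresh >= life:
        raise ValueError("this model needs Session Key Refresh Time < Session Key Life")


def key_window(gen: int, life: int, refresh: int) -> tuple:
    """Half-open [start, end) validity interval of key generation `gen`."""
    start = gen * (life - refresh)      # consecutive keys start life-refresh apart
    return start, start + life


def sender_key(t: int, life: int, refresh: int) -> int:
    """Key generation the sender uses at minute t: the newest one already started."""
    validate(life, refresh)
    return t // (life - refresh)


def valid_keys(t: int, life: int, refresh: int) -> set:
    """Key generations a receiver must still accept at minute t."""
    validate(life, refresh)
    newest = sender_key(t, life, refresh)
    # No generation older than this can still have a window containing t.
    oldest = max(0, newest - life // (life - refresh))
    return {g for g in range(oldest, newest + 1)
            if key_window(g, life, refresh)[0] <= t < key_window(g, life, refresh)[1]}


def receiver_accepts(key_gen: int, arrival: int, life: int, refresh: int) -> bool:
    """A packet protected with key_gen and arriving at minute `arrival` can be
    decrypted or validated only while that generation is still inside its window."""
    return key_gen in valid_keys(arrival, life, refresh)


if __name__ == "__main__":
    LIFE, REFRESH = 60, 5
    # A packet sent at minute 54 under key 0 still validates at 57 but not at 61.
    print(receiver_accepts(sender_key(54, LIFE, REFRESH), 57, LIFE, REFRESH))
    print(receiver_accepts(sender_key(54, LIFE, REFRESH), 61, LIFE, REFRESH))
```

With a 60-minute life and a 5-minute refresh, a packet that left under key 0 at minute 54 and arrives at minute 57 is still accepted, because key 0 remains valid until minute 60; the same packet arriving at minute 61 is not.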
Initiator Flag, identifies which partner starts the session negotiations. This field is used only when the Session Key Refresh Method is used. Specifying a value of yes causes the local host to try to initiate a session with the target host. That session is used to run the session key exchange protocol. A value of no causes the local host to wait forever for the target host to initiate the session. If both partners are identified as the tunnel initiator, a deadlock resolution algorithm resolves the conflict. At least one of the partners must be set as the initiator in order for the tunnel to operate.
Press F4 to select either yes or no. Press Enter to add your selection to the field.
The identification number for the tunnel.
Network mask of the destination host. Specifying the mask lets the source host communicate with multiple hosts in the secure network behind the firewall through the Source-Firewall security tunnel. This is an optional field. An empty mask indicates that the source host communicates with the destination host only.
IP address of the firewall between source and destination hosts. The security tunnel will be established between the source host and the firewall.
This selection sets up a tunnel between two hosts. The parameters defining the tunnel will need to be exchanged and matching between the two hosts. For instance, the source IP address on one side must be the destination address on the other. The source AH SPI value on one side will need to match the destination SPI on the other system.
This selection sets up a tunnel between two hosts that have a firewall between the hosts. The information about the firewall must be specified so that the packets will be passed by the firewall to the final destination. A destination mask may be specified to allow packets to be sent to a group of hosts behind the firewall.
This selects the use of the header formats described by IETF RFC 1826 for AH and RFC 1829 for ESP. These standards were adopted in August 1995 and do not include some of the newest features such as anti-replay protection. The selection made must match the format used by the remote end of the tunnel. Use of this format type limits the authentication algorithm to Keyed MD5 and the encryption algorithms to DES_CBC_4, DES_CBC_8 and CDMF.
This selects the use of the header formats described by the IETF draft draft-ietf-ipsec-auth-04.txt for AH and draft-ietf-esp-03.txt for ESP. These new headers support the cryptographic algorithms HMAC MD5, HMAC SHA1 for authentication, and DES_CBC_8, CDMF and DES_ESP_CBC_MD5 for encryption. These new formats also allow the use of anti-replay service. If these algorithms are desired, the IETF Draft format must be selected. A selection must be made that matches the remote end of the tunnel.
This option is for users who only want network data to be authenticated. It will build the packet with the AH header. Using authentication by itself ensures packet integrity and verifies the sender of the packet. Selecting this menu will prompt the user for authentication parameters.
This option is for users who want network data authenticated and encrypted. It will build the packet using both the AH header and the ESP header. Selecting this menu will prompt the user for authentication and encryption parameters.
Authentication only, using the AH header.
Authentication is provided by a separate AH header. Encryption is provided by an ESP header; the optional ESP authentication is not used.
Encryption and authentication are provided by using the new ESP header format defined in 1997. DES_CBC_8 and HMAC_MD5 (also known as DES CBC MD5) are the only valid choices for the encryption and authentication algorithms, respectively.
Algorithm used for IP packet authentication. Press F4 to see a list of installed authentication algorithms. Press Enter to add the algorithm to the field. This must be consistent with the remote host. The default is HMAC_MD5.
The authentication key used by Destination. If you leave it blank, the system will automatically generate an authentication key for you.
The encryption key used by Destination. If you leave it blank, the system will automatically generate an encryption key for you. Encryption key must be at least 8 bytes.
Destination Security Parameter Index (SPI) for Destination AH. Use Destination SPI For AH and the destination IP address to determine which security association to use for the destination AH. The valid values are any 32-bit integer starting at 256. This field must match the remote system's value for the source SPI.
Destination Security Parameter Index (SPI) for Destination ESP. Use Destination SPI For ESP and the destination IP address to determine which security association to use for the destination ESP. The valid values are any 32-bit integer starting at 256. If you leave it empty, the system will use Destination SPI For AH as Destination SPI For ESP.
Replay prevention uses the sequence counter in the AH or ESP header to reject old packets that an attacker captures and replays. Choices are AH, ESP, both or neither. It is not recommended for manual tunnels: the counter cannot be reset without a key change and restarts after a reboot, so the remote end would then discard the repeated sequence numbers until the keys are replaced. The setting must match the remote end of the tunnel, and it is only available with HMAC MD5 or HMAC SHA authentication.
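The receiver-side check that the replay prevention setting enables, as an added example that is not AIX code. It keeps the highest sequence number accepted and a bitmap of the last 64 numbers below it, in the style of the RFC 2401 sliding window; a packet is accepted once, and only if it is not older than the window. The class and function names are this example's own. The check must run only after the HMAC has verified, otherwise forged sequence numbers could advance the window and shut out genuine traffic.

```python
"""Sliding-window anti-replay check (added example, not AIX code)."""

WINDOW = 64                      # bits of history kept below the highest sequence
SEQ_MAX = 0xFFFFFFFF             # 32-bit counter; must not wrap without a new key


class ReplayWindow:
    def __init__(self, window: int = WINDOW):
        self.window = window
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if not 1 <= seq <= SEQ_MAX:        # 0 is never sent; the counter starts at 1
            return False
        if seq > self.highest:             # new high-water mark: slide the window
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            else:
                self.bitmap = 0            # jumped past everything we tracked
            self.bitmap |= 1
            self.highest = seq
            return True
        age = self.highest - seq
        if age >= self.window:             # older than anything still tracked
            return False
        if self.bitmap & (1 << age):       # already accepted once: a replay
            return False
        self.bitmap |= 1 << age            # late but fresh
        return True


def filter_sequence(seqs, window: int = WINDOW):
    """Run received sequence numbers through one window; return the accept flags."""
    w = ReplayWindow(window)
    return [w.accept(s) for s in seqs]


def manual_tunnel_after_reboot(sent_before_reboot: int = 1000) -> bool:
    """Why replay prevention is not recommended for manual tunnels: after a reboot
    the sender's counter restarts at 1 while the receiver's window does not, so
    every packet is discarded until the keys, and with them the window, are replaced."""
    w = ReplayWindow()
    for s in range(1, sent_before_reboot + 1):
        w.accept(s)
    return w.accept(1)   # first packet after the sender rebooted


if __name__ == "__main__":
    print(filter_sequence([1, 2, 3, 2]))       # the second 2 is a replay
    print(manual_tunnel_after_reboot())        # False: genuine traffic is dropped
```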
The secure packet mode used to send out secure packets to the destination host. Press F4 to select from Tunnel Mode or Transport Mode. The default is tunnel mode. This must be consistent with the remote host.
Time in minutes. Put a value in the entry field. This value indicates the time of operability before the tunnel expires. Default is 0, meaning the tunnel will not expire. This is a 32 bit value.
The authentication key used by Source. If you leave it empty, the system will automatically generate an authentication key for you.
The encryption key used by Source. If you leave it empty, the system will automatically generate a master key for you.
Source Security Parameter Index (SPI) for source AH. Use Source SPI For AH and the source IP address to determine which security association to use for the source AH. The valid values are any 32-bit integer starting at 256. The default action will cause the system to generate an SPI value.
Source Security Parameter Index (SPI) for source ESP. Use Source SPI For ESP and the source IP address to determine which security association to use for the source ESP. The valid values are any 32-bit integer starting at 256. If you leave it empty, the system will use Source SPI For AH as Source SPI For ESP.
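A consistency check for the two ends of a manual Host-Host tunnel, added here as an example and not AIX code. Each end is described with the fields above: addresses, header format, algorithms, source and destination AH and ESP SPIs (an empty ESP SPI defaults to the AH SPI), keys, mode and replay setting. It checks only what the help text states: one end's source is the other's destination, each source SPI equals the partner's destination SPI, SPIs are 32-bit values of 256 or more, the algorithms are allowed by the chosen header format, encryption keys are at least 8 bytes long, and replay prevention needs HMAC authentication. Format and algorithm names are spelled as in the help text; the field and function names are this example's own, and the key material is a placeholder.

```python
"""Mirror check for a manual Host-Host tunnel pair (added example, not AIX code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Authentication and encryption algorithms each header format permits (from the help text).
FORMAT_ALGS = {
    "RFC1826/1829": ({"Keyed MD5"}, {"DES_CBC_4", "DES_CBC_8", "CDMF"}),
    "IETF Draft": ({"HMAC_MD5", "HMAC_SHA1"}, {"DES_CBC_8", "CDMF", "DES_ESP_CBC_MD5"}),
}


@dataclass
class TunnelEnd:
    src: str
    dst: str
    fmt: str
    auth_alg: str
    encr_alg: str
    src_ah_spi: int
    dst_ah_spi: int
    src_auth_key: bytes
    dst_auth_key: bytes
    src_encr_key: bytes
    dst_encr_key: bytes
    src_esp_spi: Optional[int] = None    # None = field left empty, use the AH SPI
    dst_esp_spi: Optional[int] = None
    mode: str = "tunnel"                 # "tunnel" | "transport"
    replay: str = "none"                 # "none" | "AH" | "ESP" | "both"

    def esp_spis(self) -> Tuple[int, int]:
        return (self.src_esp_spi or self.src_ah_spi, self.dst_esp_spi or self.dst_ah_spi)


def check_end(e: TunnelEnd) -> List[str]:
    """Problems visible from one end's definition alone."""
    problems = []
    spis = [("source AH", e.src_ah_spi), ("destination AH", e.dst_ah_spi)]
    spis += list(zip(("source ESP", "destination ESP"), e.esp_spis()))
    for name, spi in spis:
        if not 256 <= spi <= 0xFFFFFFFF:
            problems.append(f"{name} SPI {spi} must be a 32-bit value of 256 or more")
    if e.fmt not in FORMAT_ALGS:
        return problems + [f"unknown header format {e.fmt!r}"]
    auths, encrs = FORMAT_ALGS[e.fmt]
    if e.auth_alg not in auths:
        problems.append(f"{e.auth_alg} is not available with {e.fmt} headers")
    if e.encr_alg not in encrs:
        problems.append(f"{e.encr_alg} is not available with {e.fmt} headers")
    for name, key in (("source", e.src_encr_key), ("destination", e.dst_encr_key)):
        if len(key) < 8:
            problems.append(f"{name} encryption key is shorter than 8 bytes")
    if e.replay != "none" and not e.auth_alg.startswith("HMAC"):
        problems.append("replay prevention needs HMAC_MD5 or HMAC_SHA1 authentication")
    return problems


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Problems in either end, plus every mismatch between the two ends."""
    problems = [f"A: {p}" for p in check_end(a)] + [f"B: {p}" for p in check_end(b)]
    if (a.src, a.dst) != (b.dst, b.src):
        problems.append("source/destination addresses are not mirrored")
    if (a.src_ah_spi, a.dst_ah_spi) != (b.dst_ah_spi, b.src_ah_spi):
        problems.append("source AH SPI must equal the partner's destination AH SPI")
    if a.esp_spis() != tuple(reversed(b.esp_spis())):
        problems.append("source ESP SPI must equal the partner's destination ESP SPI")
    if (a.src_auth_key, a.dst_auth_key) != (b.dst_auth_key, b.src_auth_key):
        problems.append("authentication keys are not mirrored")
    if (a.src_encr_key, a.dst_encr_key) != (b.dst_encr_key, b.src_encr_key):
        problems.append("encryption keys are not mirrored")
    for attr in ("fmt", "auth_alg", "encr_alg", "mode", "replay"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs between the two ends")
    return problems


def example_pair(broken: bool = False) -> Tuple[TunnelEnd, TunnelEnd]:
    """Constructed definitions for hosts 10.0.0.1 (A) and 10.0.0.2 (B).
    Keys are placeholders, not real key material."""
    ka, kb = b"auth-key-A", b"auth-key-B"
    ea, eb = b"encrkeyA", b"encrkeyB"
    a = TunnelEnd("10.0.0.1", "10.0.0.2", "IETF Draft", "HMAC_MD5", "DES_CBC_8",
                  300, 301, ka, kb, ea, eb)
    # B's source SPI is A's destination SPI and vice versa; `broken` misconfigures one.
    b = TunnelEnd("10.0.0.2", "10.0.0.1", "IETF Draft", "HMAC_MD5", "DES_CBC_8",
                  301, 302 if broken else 300, kb, ka, eb, ea)
    return a, b


if __name__ == "__main__":
    print(check_pair(*example_pair()))              # []
    print(check_pair(*example_pair(broken=True)))   # AH and (defaulted) ESP SPI mismatches
```

Note that a mistyped AH SPI on one side shows up twice when the ESP SPI fields were left empty, because the ESP SPI is derived from the AH SPI on each end.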
The identification number for the tunnel. Press F4 on Tunnel ID to bring up a list of all the IBM tunnel definitions which have tunnel type of Host-Host. Move cursor to the desired tunnel definition and press Enter to pull up the definition to the screen.
The identification number for the tunnel. Press F4 on Tunnel ID to bring up a list of all the IBM tunnel definitions which have tunnel type of Host-Firewall-Host. Move cursor to the desired tunnel definition and press Enter to pull up the definition to the screen.
Press F4 to get a list of tunnel IDs.
Possible values are as follows:
This attribute will be compared with the source address of the IP packet. The IP Source Mask is used in the comparison.
This mask is used in comparing source addresses. The bits marked in this mask (set to one) will represent which bits of the source addresses will be compared.
This attribute will be compared with the destination address of the IP packet. The IP Destination Mask is used in the comparison.
This mask is used in comparing destination addresses. The bits marked in this mask (set to one) will represent which bits of the destination addresses will be compared.
For an incoming IP packet only, this rule will allow a source routed packet if this field is set to yes and all the other attributes match the IP packet.
This is the value that will be matched with the protocol field of the IP packet header.
For either the ICMP protocol or protocols that have ports, this is the operand used in the comparison of the source port (or ICMP type). The default value of any will match all values.
This is the value/type that will be used in the comparison of the Source Port (or ICMP type).
For either the ICMP protocol or protocols that have port identifications, this is the operand used in the comparison of the destination port (or ICMP code). The default value of any will match all values.
This is the value/code that will be used in the comparison of the destination port (or ICMP code).
This specifies whether the rule will apply to forwarded packets, local packets, or both.
This specifies whether the rule will apply to incoming packets, outgoing packets, or both.
This specifies whether a log entry in syslog will be created when an IP packet matches this rule.
Specifies how this rule will apply to whole packets, fragment headers, and fragments.
For incoming packets, this specifies the tunnel that the packet must have come in on for it to match the rule. For outgoing packets, this specifies which tunnel the packet must go out on if it matches this rule (and if the rule is a permit rule).
The name of the IP interface on which the filter rule applies. Example names are: any, tr0, lo0, pp0. The default value is any.
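The filter attributes above, evaluated top to bottom with first-match semantics as the help text describes. This is an added example, not AIX code: the rule fields mirror the SMIT attributes (address with mask, protocol, port operand and value with the source port field holding the ICMP type and the destination port field the ICMP code, scope, direction, interface, tunnel ID, source-routing and logging flags), a rule table and packets are constructed inline, and the default action when nothing matches follows the "Default action for filtering" setting (yes = deny). The `reverse_rule` function shows what the reverse-direction export option does when rules are exported for the partner machine. All names are this example's own.

```python
"""First-match IP Security filter evaluation (added example, not AIX code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    sport: int                  # ICMP type when proto == "icmp"
    dport: int                  # ICMP code when proto == "icmp"
    direction: str              # "inbound" | "outbound"
    interface: str = "tr0"
    source_routed: bool = False
    forwarded: bool = False     # True = routed through this host, not local traffic


@dataclass
class Rule:
    rid: int
    action: str                         # "permit" | "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # all-zero mask compares no bits: any source
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    proto: str = "all"
    sport: tuple = ("any", 0)           # (operand, value)
    dport: tuple = ("any", 0)
    scope: str = "both"                 # "local" | "forwarded" | "both"
    direction: str = "both"             # "inbound" | "outbound" | "both"
    interface: str = "any"
    tunnel: int = 0                     # 0 = no tunnel
    allow_source_routed: bool = False
    log: bool = False


_OPS = {
    "any": lambda v, x: True, "eq": lambda v, x: v == x, "neq": lambda v, x: v != x,
    "lt": lambda v, x: v < x, "gt": lambda v, x: v > x,
    "le": lambda v, x: v <= x, "ge": lambda v, x: v >= x,
}


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    # Only the bits set to one in the mask take part in the comparison.
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.direction != "both" and r.direction != p.direction:
        return False
    if r.scope != "both" and (r.scope == "forwarded") != p.forwarded:
        return False
    if r.interface != "any" and r.interface != p.interface:
        return False
    if r.proto != "all" and r.proto != p.proto:
        return False
    # An incoming source-routed packet only matches a rule that explicitly allows it.
    if p.source_routed and p.direction == "inbound" and not r.allow_source_routed:
        return False
    if not (_addr_match(p.src, r.src, r.src_mask) and _addr_match(p.dst, r.dst, r.dst_mask)):
        return False
    return _OPS[r.sport[0]](p.sport, r.sport[1]) and _OPS[r.dport[0]](p.dport, r.dport[1])


def filter_packet(rules, p: Packet, default_deny: bool = True):
    """Scan top to bottom; the first matching rule decides action, tunnel and logging.
    Returns (action, rule id or None, tunnel id, log flag)."""
    for r in rules:
        if rule_matches(r, p):
            return r.action, r.rid, (r.tunnel if r.action == "permit" else 0), r.log
    return ("deny" if default_deny else "permit"), None, 0, False


def reverse_rule(r: Rule) -> Rule:
    """The same traffic as seen from the partner host: swap the two ends and the
    direction. The interface name is left as is and must be adjusted on the partner."""
    flip = {"inbound": "outbound", "outbound": "inbound", "both": "both"}
    return Rule(rid=r.rid, action=r.action, src=r.dst, src_mask=r.dst_mask,
                dst=r.src, dst_mask=r.src_mask, proto=r.proto, sport=r.dport,
                dport=r.sport, scope=r.scope, direction=flip[r.direction],
                interface=r.interface, tunnel=r.tunnel,
                allow_source_routed=r.allow_source_routed, log=r.log)


# Constructed rule table: SSH from 10.1.1.0/24 to this host (192.168.5.7) is permitted
# and logged; anything to 10.2.0.0/16 must use tunnel 1; everything else falls through
# to the default action.
RULES = [
    Rule(1, "permit", src="10.1.1.0", src_mask="255.255.255.0",
         dst="192.168.5.7", dst_mask="255.255.255.255", proto="tcp",
         dport=("eq", 22), direction="inbound", interface="tr0", log=True),
    Rule(2, "permit", dst="10.2.0.0", dst_mask="255.255.0.0", tunnel=1),
]

if __name__ == "__main__":
    print(filter_packet(RULES, Packet("10.1.1.25", "192.168.5.7", "tcp", 40000, 22, "inbound")))
    print(filter_packet(RULES, Packet("10.1.1.25", "192.168.5.7", "tcp", 40000, 23, "inbound")))
```

Rule order matters exactly as the reorder panel warns: moving the tunnel rule above the SSH rule would not change these two results, but placing a broad deny above either rule would shadow it.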
The name of the directory to which the filter rules are to be exported. The directory will be created if it does not exist.
The IDs of the filter rules you want to export. Press F4 to list all the filter rules. Use F7 to select filter rules from the list and press Enter to bring the selections to this field.
The name of the directory from which the filter rules will be imported. The directory must contain the export files created by the expfilt command or the Export IP Security Filter Rules SMIT panel.
The IDs of the filter rules you want to import. Press F4 to list all the filter rules in the export files. Use F7 to select filter rules from the list and press Enter to bring the selections to this field.
The HMAC MD5 authentication key used by ESP. If you leave it blank, the system will automatically generate an authentication key for you. This value must match the remote system ESP Authentication Key.
The DES CBC 8 encryption key used by ESP. If you leave it blank, the system will automatically generate an encryption key for you. This value must match the remote system's ESP Encryption Key.
This selects the header formats to be used over this tunnel. Choices are:
Press F4 to select from a list of Trace Hooks.
Specifying the trace hooks control the level and amount of tracing. Tracing can be done on only IP Security errors, on a specific IP Security component, or on information messages for a component. Information messages do not indicate errors, but are used to give helpful information such as which filter rule was used to allow or deny a particular packet.
Press F4 for a list of selections. The possible selections are: yes, no. Select yes to save the formatted trace data to file.
Enter the path of the file to which formatted trace data is to be saved.
Press F4 for a list of selections. The possible selections are: yes, no. Select yes to stop IP Security but leave the definition for IP Security in the database. IP Security will reinitialize on the next system boot. Select no to stop IP security and remove its definition from the database.
Algorithm used for IP packet authentication. This is a read-only field.
Algorithm used for IP packet encryption. This is a read-only field.
Causes the filter rule table to be activated.
Activating the filters will turn on the IP Security filter and load the filter table from the filter database to the IP Security filter.
Loads the tunnel definition into the IP Security subsystem and activates it. The associated filter rules for that tunnel will also be activated.
Causes the filter rule table to be activated or deactivated.
Deactivating the filters will turn off the IP Security filter and alter the state of the filter rules in the filter database, but the filter rules will still exist and can be activated at a later time.
Activating the filters will turn on the IP Security filter and load the filter table from the filter database to the IP Security filter.
Creates a new filter rule definition for the filter rule database. Filter rules can be defined to permit or deny IP traffic based on certain criteria. The filter rule table stored in the database must be activated before any new rule will take effect.
Allows the manipulation of the IP Security Filter rules, lists the supported encryption algorithms, and allows the use of the IP Security Diagnostic facilities such as tracing and logging.
Allows the configuration of tunnels with a minimum of required parameters. Simple filter rules to control all traffic through the tunnel will be automatically generated. A tunnel definition must match the corresponding tunnel definition on the remote host.
Allows the user to change the filter fields for a particular filter rule. The filter rule table will need to be activated before any changes will take effect.
Allows the tunnel properties to be changed, such as encryption and authentication keys and algorithms, source and destination IP addresses and masks, SPI values, tunnel lifetimes, and so forth.
Allows the configuration of the IP Security tunnels and filter for Internet Protocol Version 4.
Allows the configuration of the IP Security tunnels and filter for Internet Protocol Version 6.
Allows the manipulation of the IP Security filter rules.
Causes the filter rule table to be deactivated.
Deactivating the filters will turn off the IP Security filter and alter the state of the filter rules in the filter database, but the filter rules will still exist and can be activated at a later time.
Deactivates the tunnel in the IP Security subsystem, but keeps the tunnel definition in the tunnel database. The tunnel may be activated at a later time. Deactivating the tunnel will prevent any network traffic from using that tunnel.
Deletes one or more filter rules from the filter rule database. This change will not take effect in the IP Security subsystem until the filter rule table is activated.
Export IP Security Filter Rules will export one or more filter rules from the filter rule database to a file. This file may be used for configuration backup purposes, or to import the rules to another machine.
Exports the desired tunnel definitions to a specified file. This file may be used to define similar tunnels on another machine by moving the file to the other host and importing it.
Appends the current filter rules to the bottom of the current filter rule table in the filter rule database. This change will not take effect in the IP Security subsystem until the filter rule table is activated.
Imports the tunnel definitions from a file that was created when exporting tunnel definitions.
Provides a summary of the current filter status, along with any active filter rules.
Lists all the currently installed cryptographic encapsulation modules.
Lists the filter rules currently active in the IP Security filter. Network traffic will be filtered through the list from top to bottom, and the first matching rule will determine what tunnel, if any, the network traffic will use. Filtering can also be used without tunnels, to deny or permit traffic on specific criteria such as IP address, protocol or interface.
Displays all the IP Security tunnel definitions and their status in the tunnel definitions database.
Allows users to reorder the filter rules in the filter rule database. The filtering function scans the rules from top to bottom, and searches for the first match. The reordering will not take effect until the filter rule table is activated.
Changing the order of the filter rules will alter the behavior of the IP Security filter and should be done with caution.
Allows deactivation of a tunnel if it is active, and the removal of the tunnel definition from the tunnel definitions database.
Turns on filter rule logging.
Logs are routed to the syslog output file specified in /etc/syslog.conf. The syslog daemon must be running for this function to work. Once logging is enabled, it stays enabled across a system reboot.
Allows the starting and stopping of the Internet Protocol Security software.
Allows filter rule logging to be turned on or off. Logs will be routed to the syslog output file specified in /etc/syslog.conf. The syslog daemon must be running for this function to work. Once logging is enabled, it stays enabled across a system reboot.
Turns off filter rule logging.
Disables the use of the IP Security filter and tunnels. All network traffic to and from this host will be in the clear (not encrypted or authenticated).
Activates the IP Security subsystem. The IP Security filter will control the flow of packets in and out of the machine according to criteria configured in the filter rules. The IP Security tunnels can control the use of authentication and encryption on IP network traffic to specific hosts.
Tunnels using the IBM Session Key Refresh Method will automatically refresh the session keys during the lifetime of the tunnel. The remote side must be either a host configured with IP Security or an IBM Secure Network Gateway (IBM Firewall), and it must have a matching IBM tunnel configured. IBM tunnels are available for IP Version 4 only.
Allows the definition of tunnels that use manual key exchanges. Keys must be manually distributed to each end of the tunnel. Tunnels that use the HMAC_MD5 or HMAC_SHA authentication algorithms, or the combined DES CBC HMAC MD5 transform, must be manual tunnels.
Allows the starting and stopping of specific IP Security subsystem traces using the operating system's trace facility.
Enables system trace of specified IP Security components.
Disables system trace of IP Security components.
Algorithm used for Source IP packet authentication. Press F4 to see a list of installed authentication algorithms. Press Enter to add the algorithm to the field. This must be consistent with the remote host. The default is HMAC_MD5.
Algorithm used for Destination IP packet authentication. Press F4 to see a list of installed authentication algorithms. Press Enter to add the algorithm to the field. This must be consistent with the remote host. The default is HMAC_MD5.
Algorithm used for Source IP packet encryption. Press F4 to see a list of installed encryption algorithms. Press Enter to add the algorithm to the field.
Algorithm used for Destination IP packet encryption. Press F4 to see a list of installed encryption algorithms. Press Enter to add the algorithm to the field.
Specifies how this rule will apply to whole packets, fragment headers, fragments only, or no fragments.
Select when the IP Security software is to be started. Press F4 to get a list of choices. The possible choices are: now and after-reboot, after-reboot. Press Enter to select one from the list.
Tunnels using the IBM Session Key Refresh Method will automatically refresh the session keys during the lifetime of the tunnel. The remote side must be either a host configured with IP Security or an IBM Secure Network Gateway (IBM Firewall) and have a matching IBM tunnel configured. IBM tunnels are available for IP Version 4 only.
Select yes to reverse the direction of the exported rules, or no to preserve it. Reverse the direction when the rules are to be applied on the partner machine, so that they describe the same traffic as seen from the partner's side. Do not reverse the direction when the rules are to be replicated as is to other machines, or kept for this machine's later use, such as for backup purposes.
Allows the definition of tunnels that use IKE key exchanges. Security parameters and keys will be renegotiated after the specified refresh period threshold is reached. Use Websm Virtual Private networking to configure IKE tunnels.
On the command line, type wsm to start the Web-based System Manager console. Select the Network plug-in, then Virtual Private Networking, to configure IKE tunnels.
Defines a new manual IP Security tunnel to a remote host. This is used to specify how network traffic between the local and remote hosts is to be authenticated and/or encrypted.
To use Internet Key Exchange tunnels, use the Web based system management tool, in the networking plugin under Virtual Private Networking.
Allows the user to enter a short description text for this filter.
Allows the definition of tunnels that use IKE key exchanges. Security parameters and keys will be renegotiated after the specified refresh threshold is reached. You also can use ikedb command or Websm Virtual Private Networking to configure IKE tunnels.
Displays everything stored in the IKE database, in XML format.
Allows user to edit an IKE XML template file for this specific tunnel setup. User needs to save the changes before exiting the editor. The defined tunnels will be stored in the IKE database after you exit the editor.
You can obtain the DTD for IKE XML database by running the 'ikedb -o' command.
Edit or remove an IKE XML template file for a specific tunnel setup. You need to save the changes before exiting the editor. The defined tunnels are stored in the IKE database after you exit the editor.
Allows user to change or remove tunnel definitions by editing the current values. User needs to save the changes before exiting the editor. The new values will be stored into IKE database after exiting editor.
You can obtain the DTD for IKE XML database by running the 'ikedb -o' command.
Converts Linux IPsec tunnel definitions (from ipsec.conf and ipsec.secrets) into the IKE database.
Activates the specified IKE tunnels. This tunnel should be already defined in the IKE database. The default is activating all defined tunnels.
Deactivates the specified IKE tunnels. Specify which of the currently active tunnels to remove. The default is to deactivate all active tunnels.
Extracts the IKE tunnel definitions into an XML file. You can transfer this file to a peer machine for importing.
Imports IKE tunnel definitions from a peer. The local and remote identities will be swapped automatically. You may need to modify the remote identity of the preshared key before importing.
The full path and name of Linux ipsec configuration file. The default is ipsec.conf in current directory.
The full path and name of Linux ipsec secret file. The default is ipsec.secrets in current directory.
The name of IKE tunnel. This tunnel should be already defined in IKE database. The default is all tunnel names.
The ID number of the active tunnel. You can also specify a list or range of tunnel numbers (for example, 1,2,3 or 1-3). The default is all active tunnels.
The full path and name of export file. The default is /tmp/ipsec_ike_tun.xml.
The full path and name of import file. The default is /tmp/ipsec_ike_tun.xml.
Allows user to write current IKE database entries to an XML file.
Allows user to restore IKE database entries from a previously backed up XML file.
Initializes or reinitializes the IKE database. This action removes all entries and reformats the database; all current data in the database will be lost.
Browse the XML DTD file of IKE database in a SMIT window.
The full path and name of database backup file. The default is /tmp/ipsec_ike_tun.xml.
The full path and name of database restore file. The default is /tmp/ipsec_ike_tun.xml.
Type an integer that indicates the number of seconds that must elapse before the action chosen in the Rules Action field is no longer attempted. The maximum value is 9999999 seconds.
Select one of the following:
Type the pattern, or the name of a file that contains the pattern. A pattern is a sequence of characters or of hex values that occurs in the packet data. The search starts at the beginning of the data.