IPsec Tunneling

Manual Tunneling

Check IPSec devices

[root@labo_1]/root# lsdev -Cc ipsec
[root@labo_1]/root#

Prepare IPSec logging

Add a line to /etc/syslog.conf and refresh the daemon:

[root@labo_1]/root# vi /etc/syslog.conf
[root@labo_1]/root# grep ipsec /etc/syslog.conf
local4.debug  /var/adm/syslog/ipsec.log 100k files 4 compress
[root@labo_1]/root# touch /var/adm/syslog/ipsec.log
[root@labo_1]/root# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
[root@labo_1]/root#

Activating IPSec Service

[root@labo_1]/root# /usr/sbin/mkdev -c ipsec -t 4
ipsec_v4 Available

[root@labo_1]/root# /usr/sbin/mkfilt -v 4 -u -z p
Default rule for IPv4 in ODM has been changed.
Successfully set default action to PERMIT

[root@labo_1]/root#

List filters

  • -d lists the defined rules
  • -a lists the active rules

[root@labo_1]/root# lsfilt -d -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

[root@labo_1]/root# lsfilt -a -v4 -O
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
[root@labo_1]/root#

Removing filters

[root@labo_1]/root# rmfilt -v4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.

Creating manual tunnel

The procedure for setting up a manual tunnel depends on whether you are configuring the first host of the tunnel or the second host, whose parameters must match those of the first. When setting up the first host, the keys can be auto-generated and the algorithms left at their defaults. When setting up the second host, import the tunnel definition exported from the remote end, if possible.

List the available encryption algorithms:

[root@labo_1]/root# ipsecstat -E
3DES_CBC
AES_CBC_128
AES_CBC_192
AES_CBC_256
DES_CBC_4
DES_CBC_8
NULL

List the available authentication algorithms:

[root@labo_1]/root# ipsecstat -A
CMAC_AES_XCBC
HMAC_MD5
HMAC_SHA
KEYED_MD5

On the first host

Define the tunnel

[root@labo_1]/root# gentun -v 4 -t manual -s 10.10.11.72 -d 10.10.11.98 -a HMAC_MD5 -e DES_CBC_8 -N 12345
Tunnel 1 for IPv4 has been added successfully.
Filter rule 5 automatically generated for this tunnel.
Filter rule 6 automatically generated for this tunnel.

[root@labo_1]/root# lstun -v4

Start list IBM tunnel for IPv4


No IBM tunnel found for IPv4

End of IBM tunnel for IPv4

Start list manual tunnel for IPv4

Tunnel ID        : 1
IP Version       : IPv4
Source           : 10.10.11.72
Destination      : 10.10.11.98
Policy           : eaea
Tunnel Mode      : Tunnel
Source AH Algo   : HMAC_MD5
Source ESP Algo  : DES_CBC_8
Dest AH Algo     : HMAC_MD5
Dest ESP Algo    : DES_CBC_8
Source AH SPI    : 257
Source ESP SPI   : 257
Dest AH SPI      : 12345
Dest ESP SPI     : 12345
Tunnel Life Time : 480
Status           : Inactive
Target           : -
Target Mask      : -
Replay           : No
New Header       : Yes
Snd ENC-MAC Algo : -
Dst ENC-MAC Algo : -

End of manual tunnel for IPv4

[root@labo_1]/root#

Note on the -g flag (system auto-generated filter rule flag): if this flag is not used, gentun automatically generates two filter rules for the tunnel, which allow IP traffic between the two end points of the tunnel to go through the tunnel. If -g is specified, the command only creates the tunnel definition, and the user has to add user-defined filter rules to let the tunnel work.

Activate the tunnel

[root@labo_1]/root# mktun -v4 -t1
Filter rules for IPv4 has been updated.
Tunnel 1 for IPv4 activated.
[root@labo_1]/root# lstun -v4

Start list IBM tunnel for IPv4


No IBM tunnel found for IPv4

End of IBM tunnel for IPv4

Start list manual tunnel for IPv4

Tunnel ID        : 1
IP Version       : IPv4
Source           : 10.10.11.72
Destination      : 10.10.11.98
Policy           : eaea
Tunnel Mode      : Tunnel
Source AH Algo   : HMAC_MD5
Source ESP Algo  : DES_CBC_8
Dest AH Algo     : HMAC_MD5
Dest ESP Algo    : DES_CBC_8
Source AH SPI    : 257
Source ESP SPI   : 257
Dest AH SPI      : 12345
Dest ESP SPI     : 12345
Tunnel Life Time : 480
Status           : Active
Target           : -
Target Mask      : -
Replay           : No
New Header       : Yes
Snd ENC-MAC Algo : -
Dst ENC-MAC Algo : -

End of manual tunnel for IPv4

At the same time, new filter rules have been defined and activated:

[root@labo_1]/root# lsfilt -v4 -d -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|ah|any|0|any|0|both|both|no|all packets|0|all|0|||
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|esp|any|0|any|0|both|both|no|all packets|0|all|0|||
5|permit|10.10.11.72|255.255.255.255|10.10.11.98|255.255.255.255|yes|all|any|0|any|0|both|outbound|no|all packets|1|all|0|||
6|permit|10.10.11.98|255.255.255.255|10.10.11.72|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|1|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

[root@labo_1]/root# lsfilt -v4 -a -O
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|ah|any|0|any|0|both|both|no|all packets|0|all|0|||
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|esp|any|0|any|0|both|both|no|all packets|0|all|0|||
4|permit|10.10.11.72|255.255.255.255|10.10.11.98|255.255.255.255|yes|all|any|0|any|0|both|outbound|no|all packets|1|all|0|||
5|permit|10.10.11.98|255.255.255.255|10.10.11.72|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|1|all|0|||
6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
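A quick way to confirm that the auto-generated rules bind both directions of 10.10.11.72 <-> 10.10.11.98 to tunnel 1, and to notice that the final rule still permits everything else (the default action set with mkfilt -z p above). This is an added example, not from the original page; the field positions it uses are read off the lsfilt -O sample above, and the table it parses is a constructed copy of that output.

```sh
#!/bin/sh
# Added example, not from the original page: audit "lsfilt -v4 -a -O" output for
# the two rules a manual tunnel needs. Field positions are read off the sample
# above: 1=id 2=action 3=src 5=dst 8=protocol 14=direction 17=tunnel id.

# Usage: check_tunnel_filters LOCAL REMOTE TUNNEL_ID < lsfilt_output
# Prints findings; returns 0 when both directions are bound to the tunnel.
check_tunnel_filters() {
    awk -F'|' -v local="$1" -v remote="$2" -v tid="$3" '
        NF < 17 { next }        # the placement-rule line has only three fields
        $17 == tid && $2 == "permit" {
            if ($14 == "outbound" && $3 == local  && $5 == remote) out = $1
            if ($14 == "inbound"  && $3 == remote && $5 == local)  in_ = $1
        }
        { lastact = $2; lastsrc = $3; lastproto = $8 }   # remember the final rule
        END {
            rc = 0
            if (out && in_) print "tunnel " tid ": outbound rule " out ", inbound rule " in_
            if (!out) { print "no outbound rule bound to tunnel " tid; rc = 1 }
            if (!in_) { print "no inbound rule bound to tunnel " tid; rc = 1 }
            # The last rule is the default action set with "mkfilt -z p": a permit
            # on 0.0.0.0/all means traffic to any other host bypasses IPsec entirely.
            if (lastact == "permit" && lastsrc == "0.0.0.0" && lastproto == "all")
                print "note: final rule permits all non-tunnel traffic (default action PERMIT)"
            exit rc
        }'
}

# Constructed copy of the active filter table shown above (lsfilt -v4 -a -O).
SAMPLE_FILTERS='1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|ah|any|0|any|0|both|both|no|all packets|0|all|0|||
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|esp|any|0|any|0|both|both|no|all packets|0|all|0|||
4|permit|10.10.11.72|255.255.255.255|10.10.11.98|255.255.255.255|yes|all|any|0|any|0|both|outbound|no|all packets|1|all|0|||
5|permit|10.10.11.98|255.255.255.255|10.10.11.72|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|1|all|0|||
6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||'

printf '%s\n' "$SAMPLE_FILTERS" | check_tunnel_filters 10.10.11.72 10.10.11.98 1
```

On a live host, replace the constructed table with `lsfilt -v4 -a -O | check_tunnel_filters 10.10.11.72 10.10.11.98 1`.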

From now until the other tunnel end-point is activated, no communication can be established with the other host:

[root@labo_1]/root# ping 10.10.11.98
PING 10.10.11.98: (10.10.11.98): 56 data bytes

----10.10.11.98 PING Statistics----
1 packets transmitted, 0 packets received, 100% packet loss
[root@labo_1]/root#

Export the tunnel definition

[root@labo_1]/root# exptun -v4 -t1 -f /tmp
Manual tunnel(s) has been exported to /tmp/ipsec_tun_manu.exp successfully.
[root@labo_1]/root# ls -l /tmp/ipsec_tun_manu.exp
-rw-r--r--    1 root     system          299 Jan 05 10:11 /tmp/ipsec_tun_manu.exp
[root@labo_1]/root# cat /tmp/ipsec_tun_manu.exp
#--------------------------------------
4
10.10.11.72
10.10.11.98
1
12345
12345
257
257
DES_CBC_8
8
0x000a697700094bf6
DES_CBC_8
8
0x0007473f0001d660
HMAC_MD5
16
0x000a7f710009e60d00025fb4000029a1
HMAC_MD5
16
0x000687c600070b540007ce320005a862
0
28800
tunnel
tunnel
eaea
0
1
NONE
0

NONE
0

0
-
-
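Before copying /tmp/ipsec_tun_manu.exp to the second host, it is worth checking what was just exported: the file holds the raw AH and ESP session keys, the ls -l output above shows it as world-readable, and the algorithms chosen here (DES_CBC_8, HMAC_MD5) are the weakest ones in the ipsecstat listing. The following script is an added example, not part of the original page; it assumes the export layout shown above (algorithm name, key length, hex key triples), and the sample it writes is a constructed copy of that file cut after the lifetime field.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check the file written by
# "exptun -v4 -t1 -f /tmp" before carrying it to the second host. Key triples
# (algorithm, byte length, hex key) are located by pattern, not by line number.

# ipsecstat above also lists AES_CBC_* and HMAC_SHA; treat the rest as legacy.
WEAK_ALGOS='DES_CBC_4 DES_CBC_8 HMAC_MD5 KEYED_MD5 NULL'
# Print one finding per line for export file $1; return the number of findings.
check_export_file() {
    f=$1 n=0
    # The export holds raw session keys, so group/other must have no access
    # (the ls -l above shows -rw-r--r--). ls is used since AIX lacks GNU stat.
    case $(ls -l "$f" | cut -c5-10) in
        ------) ;;
        *) echo "$f: readable by group or other, chmod 600 it"; n=$((n + 1)) ;;
    esac
    findings=$(awk -v weak="$WEAK_ALGOS" '
        BEGIN { split(weak, w, " "); for (i in w) isweak[w[i]] = 1 }
        /^0x/ {                   # a key; the two lines before it are len and algo
            key = substr($0, 3)
            if (length(key) != 2 * len)
                print algo ": key is " (length(key) / 2) " bytes, header says " len
            if (algo in isweak)
                print algo ": legacy algorithm, prefer AES_CBC_256 / HMAC_SHA"
            # Heuristic: a random key has about 1 zero nibble in 16; every 32-bit
            # word of the sample keys above starts with three zero nibbles.
            zeros = gsub(/0/, "0", key)
            if (zeros * 4 > length(key))
                print algo ": key looks structured (" zeros "/" length(key) " zero nibbles)"
        }
        { algo = len; len = $0 }  # slide the two-line window
    ' "$f")
    [ -n "$findings" ] && { echo "$findings"; n=$((n + $(echo "$findings" | wc -l))); }
    return "$n"
}

# Constructed copy of the export shown above, cut after the lifetime field and
# written with the same 0644 mode the ls -l output shows.
write_sample_export() {
    printf '%s\n' '#-----' 4 10.10.11.72 10.10.11.98 1 12345 12345 257 257 \
        DES_CBC_8 8 0x000a697700094bf6 DES_CBC_8 8 0x0007473f0001d660 \
        HMAC_MD5 16 0x000a7f710009e60d00025fb4000029a1 \
        HMAC_MD5 16 0x000687c600070b540007ce320005a862 0 28800 > "$1"
    chmod 644 "$1"
}

sample=$(mktemp) && write_sample_export "$sample"
check_export_file "$sample" || echo "$? finding(s); fix them before running imptun on the second host"
rm -f "$sample"
```

Against the real export, run `check_export_file /tmp/ipsec_tun_manu.exp`; the structured-key heuristic is only a hint, and a key it flags should be replaced by one from a strong random source rather than trusted.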

On the second host

Import the tunnel definition

[root@labo_2]/root# imptun -v4 -t1 -f /tmp
IBM tunnels not found.
IPv4 tunnel 1 imported as 1.
Filter rule 5 automatically generated for tunnel 1.
Filter rule 6 automatically generated for tunnel 1.
[root@labo_2]/root# lstun -v4

Start list IBM tunnel for IPv4


No IBM tunnel found for IPv4

End of IBM tunnel for IPv4

Start list manual tunnel for IPv4

Tunnel ID        : 1
IP Version       : IPv4
Source           : 10.10.11.98
Destination      : 10.10.11.72
Policy           : eaea
Tunnel Mode      : Tunnel
Source AH Algo   : HMAC_MD5
Source ESP Algo  : DES_CBC_8
Dest AH Algo     : HMAC_MD5
Dest ESP Algo    : DES_CBC_8
Source AH SPI    : 12345
Source ESP SPI   : 12345
Dest AH SPI      : 257
Dest ESP SPI     : 257
Tunnel Life Time : 480
Status           : Inactive
Target           : -
Target Mask      : -
Replay           : No
New Header       : Yes
Snd ENC-MAC Algo : -
Dst ENC-MAC Algo : -

End of manual tunnel for IPv4

Activate the tunnel

[root@labo_2]/root# cat > /tmp/ipsec_tun_manu.exp
#--------------------------------------
4
10.10.11.72
10.10.11.98
1
12345
12345
257
257
DES_CBC_8
8
0x000a697700094bf6
DES_CBC_8
8
0x0007473f0001d660
HMAC_MD5
16
0x000a7f710009e60d00025fb4000029a1
HMAC_MD5
16
0x000687c600070b540007ce320005a862
0
28800
tunnel
tunnel
eaea
0
1
NONE
0

NONE
0

0
-
-

[root@labo_2]/root# mktun -v4 -t1
Filter rules for IPv4 has been updated.
Tunnel 1 for IPv4 activated.

[root@labo_2]/root# lsfilt -v4 -d -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|ah|any|0|any|0|both|both|no|all packets|0|all|0|||
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|esp|any|0|any|0|both|both|no|all packets|0|all|0|||
5|permit|10.10.11.72|255.255.255.255|10.10.11.98|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|1|all|0|||
6|permit|10.10.11.98|255.255.255.255|10.10.11.72|255.255.255.255|yes|all|any|0|any|0|both|outbound|no|all packets|1|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

[root@labo_2]/root# lsfilt -v4 -a -O
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|ah|any|0|any|0|both|both|no|all packets|0|all|0|||
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|esp|any|0|any|0|both|both|no|all packets|0|all|0|||
4|permit|10.10.11.72|255.255.255.255|10.10.11.98|255.255.255.255|yes|all|any|0|any|0|both|inbound|no|all packets|1|all|0|||
5|permit|10.10.11.98|255.255.255.255|10.10.11.72|255.255.255.255|yes|all|any|0|any|0|both|outbound|no|all packets|1|all|0|||
6|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
[root@labo_2]/root# lstun -v4

Start list IBM tunnel for IPv4


No IBM tunnel found for IPv4

End of IBM tunnel for IPv4

Start list manual tunnel for IPv4

Tunnel ID        : 1
IP Version       : IPv4
Source           : 10.10.11.98
Destination      : 10.10.11.72
Policy           : eaea
Tunnel Mode      : Tunnel
Source AH Algo   : HMAC_MD5
Source ESP Algo  : DES_CBC_8
Dest AH Algo     : HMAC_MD5
Dest ESP Algo    : DES_CBC_8
Source AH SPI    : 12345
Source ESP SPI   : 12345
Dest AH SPI      : 257
Dest ESP SPI     : 257
Tunnel Life Time : 480
Status           : Active
Target           : -
Target Mask      : -
Replay           : No
New Header       : Yes
Snd ENC-MAC Algo : -
Dst ENC-MAC Algo : -

End of manual tunnel for IPv4

Now that both ends of the tunnel are active, communication between the two hosts can be established:

[root@labo_2]/root# ping labo_1
PING labo_1.dom.com: (10.10.11.72): 56 data bytes
64 bytes from 10.10.11.72: icmp_seq=0 ttl=255 time=0 ms
64 bytes from 10.10.11.72: icmp_seq=1 ttl=255 time=0 ms
64 bytes from 10.10.11.72: icmp_seq=2 ttl=255 time=0 ms

----labo_1.dom.com PING Statistics----
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0/0 ms

IPSec filter Logging

IKE Tunneling

aix/aix_vpn.txt · Last modified: 2021/01/01 21:21 (external edit)