IBM Books

Using and Configuring Features Version 3.4


Configuring and Monitoring IP Security

This chapter describes how to configure and monitor IP security and how to use the IP security monitoring commands. For IPv4, "Using the Policy Feature" and Configuring and Monitoring the Policy Feature provide additional information about configuring and monitoring IP security policies. This chapter contains the following sections:

Note:If you create an IPSec tunnel to transport TN3270, APPN(R)-ISR, or APPN-HPR traffic and you plan to prioritize that traffic using BRS, you need to use the IPv4 precedence bit setting feature of BRS. See "Using IP Version 4 Precedence Bit Processing for SNA Traffic in IP Secure Tunnels and Secondary Fragments" for more information.

Configuring Internet Key Exchange (IPv4)

This topic explains how to configure Internet Key Exchange (IKE).

Before establishing an IPSec tunnel, you must:

  1. Configure the attributes of packets that will use the tunnel and the resulting actions to be taken (the policy).
  2. Configure the encryption and authentication options that you want.

For details about doing these tasks, see "Using the Policy Feature", Configuring and Monitoring the Policy Feature and Configuring Public Key Infrastructure (IPv4).


Configuring Public Key Infrastructure (IPv4)

This topic explains how to configure the Public Key Infrastructure (PKI) with IPv4.

Before establishing an IPSec tunnel, you must:

  1. Create a public/private cryptographic key pair and obtain a digital certificate from a trusted Certificate Authority (CA). See Obtaining a Certificate for details.
  2. Decide which IPSec algorithms, SAs, and other options you want to use for the routers whose policies you are configuring. See Negotiating an IP Security Tunnel and the subsequent topics for details.
  3. Configure IKE and the policy database. See Configuring Internet Key Exchange (IPv4), "Using the Policy Feature", and Configuring and Monitoring the Policy Feature for details.

Obtaining a Certificate

Before establishing an IPSec tunnel, you must select and register with a trusted Certificate Authority (CA) as described at "Using Public Key Infrastructure". The CA returns a signed X.509 digital certificate, which allows you to identify and authenticate yourself to other parties in the network. The certificate binds your public key to your identity (the subject name) and carries the CA's signature over that binding; the matching private key is not part of the certificate and stays with the router (or with the administrator who generated it). Do the following:

  1. Identify a CA and obtain its server address.
  2. Configure the certificate repository retrieval options using the PKI Talk 6 add server command, choosing TFTP or LDAP as the transport type, as described at Public Key Infrastructure Configuration Commands.
  3. Create a public/private key pair using the PKI Talk 5 certificate request command as described at Public Key Infrastructure Monitoring Commands. You may do this either in the router or remotely, for example, acting as the Virtual Private Network (VPN) administrator, in which case you must encrypt and securely transfer the key pair into the router.
  4. Submit an initial certificate request to the CA using the PKI Talk 5 certificate request command as described at Public Key Infrastructure Monitoring Commands. The request is sent in a PKCS#10 message through either email or FTP. The CA binds the public key from the request to your identity in the certificate, signs it with the CA's private key, and either stores it in a central (LDAP or FTP) repository or returns it to you in a PKCS#7 message. Typically, a certificate is valid for several months or longer and is then renewed; the validity period bounds how long a party continues to be trusted without re-enrolling.
  5. Save the certificate into a router's SRAM using the PKI Talk 5 certificate save command as described at Public Key Infrastructure Monitoring Commands.

Notes:

  1. To display a list of certificate records in SRAM, use the PKI Talk 6 list certificate command as described at Public Key Infrastructure Configuration Commands.

  2. To delete certificate records from SRAM, use the PKI Talk 6 delete certificate command as described at Public Key Infrastructure Configuration Commands.

  3. To eliminate the need to resubmit a certificate request during future IPSec negotiations, use the PKI Talk 5 certificate load command as described at Public Key Infrastructure Monitoring Commands to load the received certificate in cache.

Public Key Infrastructure Configuration Commands

Add

Use the PKI Talk 6 add command to configure the certificate repository server and its location.

Syntax:

add
server

server
Specifies that the add operation is for a server.

Example 1: Adding a server

PKI config>add server
Name ? (max 65 chars) []? myldap
Enter server IP Address []? 8.8.8.9
Transport type (Choices: TFTP/LDAP)  [TFTP]? ldap
LDAP search timeout value [3]? 
LDAP retry interval (mins) [1]? 
LDAP server port number [389]? 
LDAP version [2]? 
Bind to the server anonymously? [No]: 
Enter your bind DN: []? c=us o=ibm
Enter your bind PW: []? testldap
 
 

Change

Use the PKI Talk 6 change command to change the certificate repository server and its location. The server's stored settings, including the LDAP bind password, are presented in clear text as the default values at each prompt, so treat console access to this command as access to that credential.

Syntax:

change
server

server
Specifies that the change operation is for a server.

Example 1: Changing a server

PKI config>change server
Name []? myldap
Enter server IP Address []? 8.8.8.7
Server type will continue to be LDAP
LDAP search timeout value [3]? 
LDAP retry interval (mins) [1]? 
LDAP server port number [389]? 
LDAP version [2]? 
Enter your bind DN: [c=us o=ibm]? 
Enter your bind PW: [testldap]? 
 
 

Delete

Use the PKI Talk 6 delete command to delete a certificate record or a private key record from a router's SRAM, or to delete a server.

Syntax:

delete
certificate
private-key
server

certificate
Specifies that the delete operation is for one or more certificate records.

all
Specifies that all certificate records are to be deleted.

id
Specifies the ID of the certificate record to be deleted.

private-key
Specifies that the delete operation is for one or more private key records. A router certificate and its private key are deleted together: deleting either one also deletes the other, as the examples show.

server
Specifies that the delete operation is for a server.

Example 1: Deleting a certificate

PKI config>delete certificate
Cert Name []? test
Enter the type of the certificate:
Choices:  1-Root CA Cert, 2-Router Cert
Enter (1-2): [2]? 
Box Certificate [TEST] deleted successfully
Corresponding private Key [TEST] deleted successfully
 
 

Example 2: Deleting private keys

PKI config>delete private-keys
Private Key Name []? test
Private Key [TEST] deleted successfully
Corresponding box certificate [TEST] deleted successfully
 
 

Example 3: Deleting server records

PKI config>delete server
Name []? myldap
Server MYLDAP deleted successfully
 
 

List

Use the PKI Talk 6 list command to list certificate or key records in a router's SRAM, or to display the certificate revocation list (CRL), the CA-signed list of certificates that the CA has revoked before their expiration date. To obtain the current CRL, use the PKI Talk 6 load command.

Syntax:

list
certificates
crl
private-keys
servers

certificates
Specifies that the list operation is for the certificate records.

crl
Specifies that the list operation is for the certificate revocation list.

private-keys
Specifies that the list operation is for the private key records.

servers
Specifies that the list operation is for the server records.

Example: Listing certificates

PKI config>list certificates
 
Root CA  certificate:
       SRAM    Name:   B
       Subject Name:   /c=US/o=ibm/ou=nhd
       Issuer  Name:   /c=US/o=ibm/ou=nhd
           Validity:   1998/12/19 2:2:21 -- 2018/12/19 2:32:21
  Default Root Cert:   Yes
 
 
 
Router   Certificate:
       SRAM    Name:   W
       Subject Name:   /c=US/o=ibm/ou=nhd/cn=testip
       Issuer  Name:   /c=US/o=ibm/ou=nhd
   Subject alt Name:   1.1.1.1
         Key Usuage:   Sign & Encipherment 
           Validity:   1999/1/19 23:24:27 -- 2002/1/19 23:54:27
       Default Cert:   No
 
 

Example: Listing crl

PKI config>list crl
 

Example: Listing private keys

PKI config>list private-keys
Private Keys In SRAM:
 
1) Name W
 
 

Example: Listing server records

PKI config>list servers
1)  Name: SERVER1
    Type: LDAP
    IP addr: 1.1.1.2
        LDAP search timeout (secs): 10
        LDAP retry interval (mins): 3
        LDAP server port number: 390
        LDAP version: 2
        Anonymous bind ?: y
 
 
2)  Name: TEST
    Type: TFTP
    IP addr: 8.8.8.8
 
 

Load

Use the PKI Talk 6 load command to retrieve the most current certificate revocation list (CRL) from the CA. Do this on a regular, frequent basis: during authentication, the IPSec feature validates the peer's certificate against the copy of the CRL held in the router, so a certificate that the CA has revoked continues to be accepted until a CRL that lists it has been loaded.

Syntax:

load
crl

Configuring Manual IP Security (IPv4)

This section describes the configuration options available for manual IPSec with IPv4. All IPSec functions apply to IPv4.

Do the following steps to configure an IPSec manual tunnel:

  1. Create the IPSec tunnel.
  2. Reset IPSec.
  3. Configure policy for the manual tunnel (profile, validity, policy)
  4. Reset Policy.

Configuring the Algorithms

You may configure tunnel policies with the algorithms shown in Table 42.

Table 42. Algorithms Configured with Various Tunnel Policies
Tunnel Policy Algorithms
AH, AH-ESP, or ESP-AH
  • Local AH Authentication Algorithm--Required
  • Remote AH Authentication Algorithm--Optional

ESP, AH-ESP, or ESP-AH
  • Local Encryption Algorithm--Required
  • Remote Encryption Algorithm--Optional
  • Local ESP Authentication Algorithm--Optional
  • Remote ESP Authentication Algorithm--Optional
Note:If your software load does not include encryption, you will not see encryption-related parameters.

A tunnel policy uses a local algorithm on outbound packets and a remote algorithm on inbound packets. The local algorithm for the router at the near end of a tunnel must match the remote algorithm for the router at the far end of the tunnel. The values for the remote algorithms are optional and they default to the value of the corresponding local algorithms. The local ESP authentication algorithm is optional because ESP authentication is optional.

Configuring Encryption Keys

For each local algorithm you configure, you must also configure a key that is identical to the key for the corresponding algorithm in the remote host. See the description of keys for the add tunnel command at Manual IP Security Configuration Commands.


Accessing the IP Security Configuration Environment

To access the IP Security configuration environment, enter t 6 at the OPCON prompt (*), then enter the following sequence of commands at the Config> prompt:

   Config> feature ipsec
   IP Security feature user configuration
   IPsec config>ipv4
   IPV4-IPsec config>
 
 

Manual IP Security Configuration Commands

This section describes the IP security configuration commands. Enter these commands at the IPV4-IPsec config> prompt.

Table 43. IP Security Configuration Commands Summary
Command          Function
? (Help)         Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
Add tunnel       Adds a secure tunnel.
Change tunnel    Changes the configuration parameter values of a secure tunnel.
Delete tunnel    Deletes a secure tunnel.
Disable          Disables all IP Security processing in a secure manner (packets that match the packet filters are dropped), disables all IP Security processing in a nonsecure manner (packets that match the packet filters are passed), or disables a secure tunnel.
Enable           Enables all IP Security processing, or enables a secure tunnel.
List             Lists global IP Security information, or information about defined tunnels.
Set              Sets various IPSec options.
Exit             Returns you to the previous command level. See "Exiting a Lower Level Environment".

Add Tunnel

Use the add tunnel command to add the parameters to define an IPSec tunnel.

Syntax:

add tunnel...

tunnel-name
Optional parameter to label the tunnel. It must be unique within the 2210.

Valid values: up to 15 characters; first character must be a letter; no blanks can be used.

Default value: none

lifetime
Time in minutes that the tunnel can be active. The value 0 indicates that the tunnel lifetime never expires.

Valid Values: 0 - 525600 (0 = no expiration; 525600 = 365 days)

Default Value: 46080 (32 days)

encapsulation-mode
The manner in which the IP packet is encapsulated. In tunnel mode, the entire IP packet is encapsulated and a new outer IP header is created; in transport mode, the original IP header is kept and only the payload that follows it is protected. If one end of the secure tunnel is a router acting as a security gateway for hosts behind it, tunnel mode must be used, according to the Internet Engineering Task Force (IETF) security architecture draft.

Valid Values: tunnel (TUNN) or transport (TRANS)

Default Value: tunnel (TUNN)

tunnel-policy
One of the four choices that define the tunnel policy: IP Authentication Header (AH), IP Encapsulating Security Payload (ESP), or combinations of these protocols (AH-ESP and ESP-AH). In AH-ESP, ESP encryption is run first on the outbound packets; in ESP-AH, AH authentication is run first on the outbound packets. Some parameters are unique either to ESP or AH. The encryption parameters are configured only if ESP, AH-ESP, or ESP-AH is selected; the authentication parameters are configured only if AH, AH-ESP, or ESP-AH is selected, or if ESP is selected with ESP authentication.

Valid Values: AH, ESP, AH-ESP, ESP-AH

Default Value: AH-ESP

local-IP-address
IP address for this end of the tunnel.

Valid Values: a valid IP address that has been configured either for an interface or as the internal address of the 2210.

Default Value: one of the IP addresses configured for the router

local-spi
A security association is a one-way security connection that uses AH or ESP to protect connection traffic. The security parameters index (SPI) is an arbitrary 32-bit value that uniquely identifies one of the two security associations (inbound or outbound) associated with this secure tunnel. This parameter, which is required, identifies the SPI expected in this tunnel for inbound packets received at the local end of the tunnel. This value cannot match the local SPI of another tunnel with the same local IP address. Regardless of the tunnel policy (ESP, AH, AH-ESP, or ESP-AH), only one local SPI is configured for inbound traffic for one IP secure tunnel.

Valid Values: any 32-bit value greater than 255

Default Value: 256

local-encryption-algorithm
The encryption algorithm used for ESP on outbound packets sent from the local router, which is required when configuring ESP. In some countries, some or all of these algorithms may be unavailable because of U.S. export rules. This encryption algorithm must match the remote encryption algorithm configured at the far end of the tunnel. Note that DES-CBC uses a 56-bit key and CDMF a 40-bit effective key; neither resists a determined modern attacker, so prefer 3DES wherever the software load provides it.

The ESP-NULL algorithm prevents ESP from performing encryption. This algorithm is available in all countries. If ESP-NULL is selected, ESP must be activated for authentication by selecting one of the authentication algorithms HMAC-MD5 or HMAC-SHA; otherwise the tunnel would provide neither confidentiality nor integrity.

Valid Values: DES-CBC, CDMF, 3DES, or ESP-NULL

Default Value: DES-CBC

local-encryption-key
The key or keys used with the local ESP encryption algorithm. They must match the corresponding keys that are configured in the opposite end of the secure tunnel. This key is not configured when the ESP-NULL encryption algorithm is selected.

Valid Values:

Default Value: none

padding-for-local-encryption
Size in bytes of additional padding that is added to outbound ESP packets. Additional padding may be used to disguise the size of the IP packets being encrypted when the encryption algorithm results in an encrypted packet that is the same size as the original packet. ESP padding values must be a multiple of 8. If a value that is not divisible by 8 is configured, that value is rounded up to the next value that is divisible by 8.

When the encryption algorithm is ESP-NULL, padding is not necessary because the ESP-NULL algorithm adds one byte to the original packet size. If padding for local encryption is configured, the value is ignored.

Valid Values: 0 - 120

Default Value: 0

local-ESP-authentication
Selects local ESP authentication, if desired. Authentication is required if the encryption algorithm is ESP-NULL. ESP encryption without authentication (and without AH) gives no integrity protection: a third party can alter the ciphertext in transit and the receiver does not detect the change. Leave ESP authentication enabled unless the tunnel policy also applies AH.

Valid Values: Yes or No

Default Value: Yes

local-authentication-algorithm
The authentication algorithm used on outbound packets. This is an optional parameter for ESP and will not be required unless you select ESP authentication. For AH , AH-ESP, or ESP-AH, this parameter is required. The authentication algorithm used must match the remote authentication algorithm used at the far end of the IPSec tunnel.

Valid Values: HMAC-MD5 or HMAC-SHA

Default Value: HMAC-MD5

local-authentication-key
The key used with the local authentication algorithm. It must match the equivalent key that is configured in the opposite end of the IPSec tunnel. It is required if the policy is AH, AH-ESP, or ESP-AH, or if the policy is ESP and the local ESP authentication algorithm has been configured.

Valid Values:

Default Value: none

remote-IP-address
IP address for the remote end of the tunnel. This is a required parameter.

Valid Values: a valid IP address

Default Value: none

remote-spi
A security association is a one-way security connection that uses AH or ESP to protect connection traffic. The security parameters index (SPI) is an arbitrary 32-bit value that uniquely identifies one of the two security associations (inbound or outbound) associated with this secure tunnel. This parameter, which is required, identifies the SPI placed in ESP or AH on outbound packets destined for the remote host, and must equal the local SPI configured for this tunnel at the far end. This value cannot match the remote SPI of another tunnel with the same remote IP address. Regardless of the tunnel policy (ESP, AH, AH-ESP, or ESP-AH), only one remote SPI is configured for outbound traffic for one IPSec tunnel.

Valid Values: any 32-bit value greater than 255

Default Value: 256

remote-encryption-algorithm
The decryption algorithm used on inbound packets received from the remote host. It must match the local encryption algorithm configured at the far end of the tunnel; when it is not specified it defaults to this router's own local encryption algorithm, which is correct whenever both ends use the same algorithm.

The ESP-NULL algorithm prevents ESP from performing encryption. If ESP-NULL is selected, ESP must be activated for authentication by selecting one of the authentication algorithms HMAC-MD5 or HMAC-SHA.

Valid Values: DES-CBC, CDMF, 3DES, or ESP-NULL

Default Value: value of the local encryption algorithm

remote-encryption-key
The key or keys used with the remote ESP encryption algorithm. They must match the equivalent keys that are configured in the opposite end of the secure tunnel. This key is not configured when the ESP-NULL encryption algorithm is selected.

Valid Values:

Default Value: none

verification-of-remote-encryption-padding
Determines whether the size of the encryption padding on received packets should be verified.

Valid Values: Yes or No

Default Value: No

padding-for-remote-encryption
Size in bytes of additional padding that is expected in received ESP packets. This parameter is required and valid only if the value of verification-of-remote-encryption-padding is Yes. ESP padding values must be a multiple of 8. If a value that is not divisible by 8 is configured, that value will be rounded up to the next value that is divisible by 8.

Valid Values: 0 - 120

Default Value: 0

remote-ESP-authentication
Selects remote ESP authentication for inbound packets, if desired.

Valid Values: Yes or No

Default Value: Yes

remote-authentication-algorithm
The authentication algorithm used for inbound packets. This is an optional parameter for ESP and will not be required unless you select ESP authentication. For AH or combinations of AH and ESP (AH-ESP or ESP-AH), this parameter is required. The authentication algorithm used must match the local authentication algorithm used at the far end of the IPSec tunnel.

Valid Values: HMAC-MD5 or HMAC-SHA

Default Value: HMAC-MD5

remote-authentication-key
The key used with the remote authentication algorithm. It must match the equivalent key that is configured in the opposite end of the secure tunnel. It is required in AH, AH-ESP and ESP-AH and in ESP if the remote ESP authentication algorithm has been configured.

Valid Values:

Default Value: none

enable-replay-prevention
Specifies whether replay prevention is enabled. If replay prevention is enabled, the sequence numbers in the IP security headers are monitored to prevent duplicate packets from being processed by the tunnel receiver. Without it, a packet captured on the path can be injected again later and will still pass authentication, because the sequence number is not checked. The use of replay prevention is not recommended on a manual tunnel because the tunnel security association must be deactivated when a sender's sequence number counter reaches its limit. When this happens, manual intervention is required to restart the existing security association or create a new one.

In addition, if replay prevention is enabled and you reset IPSec using the reset ipsec command, you must make sure that IPSec is also reset on the router at the other end of the IPSec tunnel. This is necessary to re-initialize the sequence number at both ends of the tunnel. If IPSec is reset on one end of the tunnel and not on the other, it is possible that routers at each end of the tunnel will drop packets due to sequence number mismatch.

Valid Values: Yes or No

Default Value: No
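
The local-spi and remote-spi, ESP-NULL-with-authentication and replay-prevention parameters above, worked through as one stand-alone example. This is added example code, not code from the 2210 or from this documentation: the packet layout follows RFC 2406 (ESP) and RFC 2403 (HMAC-MD5-96), the receive window of 64 sequence numbers is an assumption, and the key, SPI values and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-MD5-96: the 128-bit MAC is truncated to 96 bits (RFC 2403)
REPLAY_WINDOW = 64  # receive window size; an assumption for this example


class SecurityAssociation:
    """One direction of a manual tunnel: an SPI plus the HMAC-MD5 key for that direction.

    Router A's remote-spi / remote-authentication-key and router B's
    local-spi / local-authentication-key describe the same SA, so both ends
    are built from identical values.
    """

    def __init__(self, spi, auth_key_hex, replay_prevention=True):
        if not 256 <= spi <= 0xFFFFFFFF:
            raise ValueError("SPI must be a 32-bit value greater than 255")
        if len(auth_key_hex) != 32:
            raise ValueError("HMAC-MD5 key must be 32 hex characters (128 bits)")
        self.spi = spi
        self.key = bytes.fromhex(auth_key_hex)
        self.replay_prevention = replay_prevention
        self.seq = 0            # sender: last sequence number used
        self.highest_seen = 0   # receiver: right edge of the replay window
        self.window = 0         # receiver: bit k set means highest_seen - k was received

    def _icv(self, data):
        return hmac.new(self.key, data, hashlib.md5).digest()[:ICV_LEN]

    def protect(self, payload, next_header=4, extra_pad=0):
        """Outbound: SPI | seq | payload | pad | pad length | next header | ICV."""
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: a new SA (rekey) is required")
        self.seq += 1
        extra_pad = (extra_pad + 7) // 8 * 8              # rounded up to a multiple of 8, as the page says
        pad_len = (-(len(payload) + 2)) % 4 + extra_pad   # trailer ends on a 4-byte boundary
        if pad_len > 255:
            raise ValueError("ESP pad length field is a single byte")
        pad = bytes(range(1, pad_len + 1))                # RFC 2406 default pad content
        body = struct.pack("!II", self.spi, self.seq) + payload + pad + bytes([pad_len, next_header])
        return body + self._icv(body)

    def verify(self, packet):
        """Inbound: check SPI, ICV and replay window; return (next_header, payload)."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("runt ESP packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("SPI %d is not this SA's local SPI" % spi)
        if not hmac.compare_digest(icv, self._icv(body)):  # authenticate before trusting seq
            raise ValueError("ICV mismatch: wrong key or modified packet")
        if self.replay_prevention:
            self._check_replay(seq)
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:len(body) - 2 - pad_len]

    def _check_replay(self, seq):
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > self.highest_seen:                       # new right edge: slide the window
            shift = seq - self.highest_seen
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seen = seq
            return
        offset = self.highest_seen - seq
        if offset >= REPLAY_WINDOW:
            raise ValueError("sequence %d is too old for the replay window" % seq)
        if self.window & (1 << offset):
            raise ValueError("replayed packet: sequence %d already received" % seq)
        self.window |= 1 << offset


def demo(replay_prevention=True):
    """Router A sends router B one packet, then the same packet again, then a tampered copy.

    Returns (payload as seen by B, replay rejected?, tampering rejected?).
    """
    key = "1234567890abcdef1234567890abcdef"   # constructed; use secrets.token_hex(16) in practice
    a_out = SecurityAssociation(1234, key)                     # A's remote-spi / remote key
    b_in = SecurityAssociation(1234, key, replay_prevention)   # B's local-spi / local key
    packet = a_out.protect(b"inner IP packet (constructed)")
    _, payload = b_in.verify(packet)

    def rejected(p):
        try:
            b_in.verify(p)
            return False
        except ValueError:
            return True

    tampered = bytearray(packet)
    tampered[12] ^= 0x01                                        # flip one payload bit
    return payload, rejected(packet), rejected(bytes(tampered))
```

demo() returns the payload with both the replayed and the tampered copy rejected; demo(replay_prevention=False) accepts the replayed copy, which is the exposure the text above describes, while the tampered copy still fails the ICV check.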

DF-bit
Specifies the handling of the Don't Fragment (DF) bit in the outer header for tunnel mode secure tunnels. This bit can be set in IPv4 headers to specify that the packet cannot be fragmented. The DF-bit parameter tells the 2210 what to do with the DF bit when it encapsulates a packet entering the tunnel: whether to copy the value of the DF bit found in the inner header to the outer header, or whether to set or clear the bit in the outer header.

If the DF bit is set and the packet cannot be fragmented, IPSec uses the Path MTU (PMTU) Discovery function. See Path Maximum Transmission Unit Discovery for more information.

Valid Values: Copy, Set, Clear

Default Value: Copy
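
The COPY, SET and CLEAR choices and their PMTU consequence, as an added example in Python rather than 2210 code. The inner packet, the outer addresses and the link MTU are constructed; the IPv4 header layout and checksum are standard, and the ESP or AH header that would sit between the two IP headers is left out for clarity (an assumption made only to keep the example short).

```python
import socket
import struct

DF_FLAG = 0x4000   # Don't Fragment: bit 14 of the flags/fragment-offset field
ESP_PROTO = 50     # outer protocol number for ESP (51 would be AH)


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; zero for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, flags, payload, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def df_set(packet):
    return bool(struct.unpack("!H", packet[6:8])[0] & DF_FLAG)


def encapsulate(inner, outer_src, outer_dst, df_mode):
    """Tunnel mode: wrap the whole inner packet in a new header whose DF bit follows df_mode."""
    outer_df = {"COPY": DF_FLAG if df_set(inner) else 0,
                "SET": DF_FLAG,
                "CLEAR": 0}[df_mode.upper()]
    # The ESP/AH header between the two IP headers is omitted here (assumption).
    return build_ipv4(outer_src, outer_dst, ESP_PROTO, outer_df, inner)


def forward_decision(outer, link_mtu):
    """What the tunnel endpoint can do when the encapsulated packet meets the next link."""
    if len(outer) <= link_mtu:
        return "send"
    if df_set(outer):
        return "drop_and_report_pmtu"   # too big and DF set: PMTU discovery must shrink the source's packets
    return "fragment"                   # DF clear: the outer packet may be fragmented on the path


def demo(df_mode, link_mtu=1500):
    """A 1490-byte inner packet with DF set enters a tunnel whose outer header adds 20 bytes."""
    inner = build_ipv4("10.1.1.1", "10.2.2.2", 17, DF_FLAG, b"x" * 1470)   # constructed
    outer = encapsulate(inner, "223.252.252.216", "223.252.252.210", df_mode)
    return df_set(outer), forward_decision(outer, link_mtu)
```

With COPY or SET the 1510-byte outer packet cannot cross a 1500-byte link and must be dropped with PMTU feedback to the source; with CLEAR the outer packet is fragmented instead, at the cost of reassembly at the far tunnel endpoint.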

enable-tunnel
Specifies whether this tunnel is enabled. The enabled tunnel will not filter packets until a packet filter has been configured to define the interface over which this IPSec tunnel will operate and IP has been reset or restarted on the 2210. You can use the reset ip command to reset IP.

Valid Values: Yes or No

Default Value: Yes

Change Tunnel

Use the change tunnel command to change an IPSec tunnel parameter previously configured by the add tunnel command.

Syntax:

change tunnel...
See the add tunnel command for a list of the parameters that can be changed.

Delete Tunnel

Use the Talk 6 delete tunnel command to delete an IPSec tunnel.

Syntax:

delete tunnel
tunnel-id
tunnel-name
all

tunnel-id
Specifies the identifier of the IPSec tunnel to be deleted.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of the IPSec tunnel to be deleted.

Valid Values: any configured tunnel name

Default Value: none

all
Specifies that all IPSec tunnels on this interface are to be deleted.

Disable

Use the disable command to disable the IPSec tunnel or to disable all IPSec tunnels either in a secure manner (packets that match the IPSec filters are dropped) or an insecure manner (packets that match the IPSec filters are passed).

Syntax:

disable
ipsec drop
ipsec pass
tunnel ...

ipsec drop
Disables IP security on the router in a secure manner. All IPSec tunnels will be disabled, but the secure tunnel information in packet filter rules is used to identify packets that match IPSec tunnel packet filters. The matching packets are dropped.

ipsec pass
Disables IP security on the router in a non-secure manner. All IPSec tunnels will be disabled. Packets that match IPSec tunnel packet filters are forwarded as ordinary traffic.

tunnel tunnel-id tunnel-name all
Disables IP security on a specified tunnel or on all tunnels.

tunnel-id
Specifies the identifier of the secure tunnel to be disabled.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of the secure tunnel to be disabled.

Valid Values: any configured tunnel name

Default Value: none

all
All tunnels.

Enable

Use the enable command to enable the IP Security protocol on all interfaces or a single tunnel. You must enable IPSec globally on the router before the individually enabled IPSec tunnels become active.

Syntax:

enable
ipsec
tunnel ...

ipsec
Enables IP security throughout the router.

tunnel tunnel-id tunnel-name all
Enables IP security on a specified tunnel or on all tunnels.

tunnel-id
Specifies the identifier of the secure tunnel to be enabled.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of the secure tunnel to be enabled.

Valid Values: any configured tunnel name

Default Value: none

all
All tunnels.

List

Use the list command to display the current IP Security configuration. Global tunnels include all tunnels in the router, both active and defined. All tunnels include all tunnels configured on this interface, both active and defined. Active tunnels are those that are currently active; defined tunnels are defined but not active. For IPv4, the selected certificates in a router's SRAM are also listed.

Syntax:

list ...
all
status
tunnel
active tunnel-id tunnel-name all
defined tunnel-id tunnel-name all

Example 1: Listing all IPSec tunnels

IPsec config>list all
 
IPsec is ENABLED
 
IPsec Path MTU Aging Timer is 20 minutes
 
Defined Manual Tunnels:
 
   ID         Name         Local IP Addr   Remote IP Addr   Mode    State
 ------  ---------------  ---------------  ---------------  -----  --------
      1  test                     1.1.1.1          2.1.1.1  TUNN   Enabled
      2  test2                    1.1.1.1          1.1.1.3  TRANS  Enabled
 
Tunnel Cache:
 
 ID     Local IP Addr   Remote IP Addr   Mode   Policy  Tunnel Expiration
-----  ---------------  ---------------  -----  ------  ------------------
    2          1.1.1.1          1.1.1.3  TRANS  ESP     *****************
    1          1.1.1.1          2.1.1.1  TUNN   AH      *****************
 
 

Example 2: Listing an IPSec tunnel with the ESP policy and the ESP-NULL algorithm

IPsec config>li tun 1000
 
Tunnel  Name             Mode   Policy   Life   Replay  Rcv  IPsec  State  
ID                                              Prev    Win  Vers         
------  ---------------  -----  ------  ------  ------  ---  -----  --------
1000    t1000            TUNN   ESP      46080    No    ---   V2    Enabled 
 
Handling of DF bit in outer header:  COPY
 
Local Information:
 
      IP Address: 10.11.12.10    
  Authentication:  SPI: -----    Algorithm: ----------
      Encryption:  SPI:  1234    Encryption Algorithm: NULL    
                                 Extra Pad:   0
                                 ESP Authentication Algorithm: HMAC-MD5  
Remote Information:
 
      IP Address: 10.11.12.11    
  Authentication:  SPI: -----    Algorithm: ----------
      Encryption:  SPI:  1234    Encryption Algorithm: NULL    
                                 Verify Pad?:  No
                                 ESP Authentication Algorithm: HMAC-MD5
 
 

Set

Use the set command to control the tunnel PMTU value.

Syntax:

set
path-mtu-age-timer

path-mtu-age-timer
Specifies the time (in minutes) that will elapse before the 2210 restores the tunnel PMTU value to the maximum.

Default Value: 10 (0 means disabled)


Configuring a Manual Tunnel (IPv4)

This topic provides information about configuring a manual IPv4 tunnel for the network shown in Figure 27.

Configuring the Tunnel for Router A

The following example shows how to configure an IPSec manual tunnel for router A in the network shown in Figure 27 using IPv4.

Config> feature ipsec
IP Security feature user configuration
IPsec config>ipv4
IPV4-IPsec config>add tunnel
Adding tunnel 1
Tunnel Name (optional)? tunnelone
Tunnel Lifetime, in minutes (0-525600)[46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH, ESP, AH-ESP, ESP-AH) [AH-ESP]? AH
Local IP Address [1.1.1.1]? 223.252.252.216
Local Authentication SPI (256-65535)[256]?
Local Authentication Algorithm (HMAC-MD5, HMAC-SHA)[HMAC-MD5]?
Local Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Local Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Remote IP Address [0.0.0.0]? 223.252.252.210
Remote Authentication SPI (1-65535) [256]?
Remote Authentication Algorithm (HMAC-MD5, HMAC-SHA)[HMAC-MD5]?
Remote Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Remote Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Enable replay prevention? [No]:
Copy, set, or clear DF bit in outer header (COPY,SET,CLEAR) [COPY]?
Do you wish to enable this tunnel? [Yes]:
IPV4-Ipsec config>
 
 

As you can see from this example, you are prompted for the parameters that you need to provide. The configuration of an ESP, AH-ESP, or ESP-AH secure tunnel calls for similar parameters.
Note:The values of the keys are not displayed when they are entered. Therefore, they are not visible in this example. If the keys for HMAC-MD5 authentication were visible, you would see 32 hexadecimal characters. For example, a key could have the value: X'1234567890ABCDEF1234567890ABCDEF'. That value only illustrates the format; generate production keys from a cryptographically secure random source, because the security of a manual tunnel rests entirely on the secrecy of its keys.

Configuring the Tunnel for Router B

Within router B, you must configure the same IPSec manual tunnel that was configured for router A, IPSec tunnel 1. The local IP address of this tunnel in router B is 223.252.252.210 and the remote IP address is 223.252.252.216. All other IPSec tunnel parameters must match the parameters that were configured for router A.
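
A way to derive router B's answers from router A's and to catch, before either router is configured, the mismatches that would otherwise stop the tunnel from working. This is an added example, not 2210 code or output: the parameter names are this example's own, the HMAC-SHA key length of 40 hexadecimal characters (160 bits) is an assumption (the page gives only the HMAC-MD5 length), and the addresses and policy come from the Router A example above.

```python
import secrets

KEY_HEX_CHARS = {"HMAC-MD5": 32, "HMAC-SHA": 40}   # 32 per the page; 40 for HMAC-SHA is assumed
MIRRORED = ("ip_address", "spi", "auth_algorithm", "auth_key")   # swap local <-> remote at the peer
SHARED = ("policy", "mode", "lifetime", "replay_prevention", "df_bit")   # identical at both ends
HEX_DIGITS = set("0123456789abcdefABCDEF")


def new_auth_key(algorithm):
    """A fresh random key of the right size, as the hex string the prompt expects."""
    return secrets.token_hex(KEY_HEX_CHARS[algorithm] // 2)


def peer_tunnel(a):
    """Router B's parameters for the tunnel described from router A's point of view."""
    b = dict(a)
    for field in MIRRORED:
        b["local_" + field], b["remote_" + field] = a["remote_" + field], a["local_" + field]
    return b


def check_pair(a, b):
    """Return the problems that would stop the two ends from interoperating."""
    problems = []
    for field in SHARED:
        if a[field] != b[field]:
            problems.append("%s differs between the routers" % field)
    for field in MIRRORED:
        if a["local_" + field] != b["remote_" + field] or a["remote_" + field] != b["local_" + field]:
            problems.append("%s is not mirrored between the routers" % field)
    for name, end in (("A", a), ("B", b)):
        for side in ("local", "remote"):
            if not 256 <= end[side + "_spi"] <= 0xFFFFFFFF:
                problems.append("%s %s SPI out of range" % (name, side))
            expected = KEY_HEX_CHARS[end[side + "_auth_algorithm"]]
            key = end[side + "_auth_key"]
            if len(key) != expected or not set(key) <= HEX_DIGITS:
                problems.append("%s %s key is not %d hex characters" % (name, side, expected))
    # Same SPI and same key in both directions: a packet sent by A and reflected
    # back to A carries A's own local SPI and a valid ICV, so A would accept it.
    if a["local_spi"] == a["remote_spi"] and a["local_auth_key"] == a["remote_auth_key"]:
        problems.append("both directions share one SPI and key; a reflected packet would authenticate")
    return problems


def demo():
    """Router A from the example above, with fresh random keys instead of the placeholder."""
    router_a = {
        "policy": "AH", "mode": "TUNN", "lifetime": 46080,
        "replay_prevention": False, "df_bit": "COPY",
        "local_ip_address": "223.252.252.216", "local_spi": 256,
        "local_auth_algorithm": "HMAC-MD5", "local_auth_key": new_auth_key("HMAC-MD5"),
        "remote_ip_address": "223.252.252.210", "remote_spi": 256,
        "remote_auth_algorithm": "HMAC-MD5", "remote_auth_key": new_auth_key("HMAC-MD5"),
    }
    router_b = peer_tunnel(router_a)
    return router_a, router_b, check_pair(router_a, router_b)
```

Type router_a's values into router A and router_b's into router B in the order of the add tunnel prompts; an empty problem list means the two ends mirror each other and every key and SPI is in the range the prompts accept.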

Example: Manually Configuring an IP Security Tunnel with ESP

Note that you are prompted to set the DF bit when the tunnel is in tunnel mode and the tunnel policy is ESP. This example shows only the configuration of the IPSec tunnel, not of the packet filters.

IPV4-IPsec config>add tunnel
Adding tunnel 2
Tunnel Name (optional)? tunneltwo
Tunnel Lifetime, in minutes (0-525600) [46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH,ESP,AH-ESP,ESP-AH) [AH-ESP]? ESP
Local IP Address [1.1.1.1]?
Local Encryption SPI (256-65535) [256]?
Local Encryption Algorithm (DES-CBC,CDMF,3DES, NULL) [DES-CBC]?
Do you wish to change the Local Encryption Key? [No]:
Additional Padding for Local Encryption (0-120) [0]?
Do you wish to use local ESP authentication? [Yes]:
Remote IP Address [0.0.0.0]?
Remote Encryption SPI (1-65535) [256]?
Remote Encryption Algorithm (DES-CBC,CDMF) [DES-CBC]?
Do you wish to change the Remote Encryption Key? [No]:
Do you wish to perform verification of remote encryption padding? [No]:
Do you wish to use remote ESP authentication? [No]:
Copy, set or clear DF bit in outer header (COPY,SET,CLEAR) [COPY]?
Do you wish to enable this tunnel? [Yes]:
IPV4-IPsec config>
 

Example: Manually Configuring an IP Security Tunnel with ESP and ESP-NULL

Note that authentication is required.

IPV4-IPsec config>add tunnel
Adding tunnel 3
Tunnel Name (optional)? tunnel3
Tunnel Lifetime, in minutes (0-525600) [46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH,ESP,AH-ESP,ESP-AH) [AH-ESP]? ESP
Local IP Address [1.1.1.1]?
Local Encryption SPI (256-65535) [256]? 1234
Local Encryption Algorithm (DES-CBC,CDMF,3DES,NULL) [DES-CBC]? null
Additional Padding for Local Encryption (0-120) [0]?
Local ESP Authentication Algorithm (HMAC-MD5,HMAC-SHA) [HMAC-MD5]?
Local ESP Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Local ESP Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Remote IP Address [0.0.0.0]? 10.11.12.11
Remote Encryption SPI (1-65535) [1234]?
Remote Encryption Algorithm (DES-CBC,CDMF,3DES,NULL) [NULL]?
Do you wish to perform verification of remote encryption padding? [No]:
Remote ESP Authentication Algorithm (HMAC-MD5,HMAC-SHA) [HMAC-MD5]?
Remote ESP Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Remote ESP Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Enable replay prevention? [No]:
Copy, set or clear DF bit in outer header (COPY,SET,CLEAR) [COPY]?
Do you wish to enable this tunnel? [Yes]:
IPV4-IPsec config>
 
 

Configuring Manual IP Security (IPv6)

This section describes the configuration options available for manual IPSec with IPv6. All IPSec functions apply to IPv6. Observe the following changes to the IPSec configuration questions when you are configuring IPSec for IPv6:

Do the following steps to configure an IPSec manual tunnel:

  1. Create the IPSec tunnel.
  2. Reset IPSec.
  3. Configure filter rules.
  4. Reset IPV6.

Configuring the Algorithms

You may configure tunnel policies with the algorithms shown in Table 44.

Table 44. Algorithms Configured with Various Tunnel Policies

  Tunnel Policy            Algorithms
  AH, AH-ESP, or ESP-AH    • Local AH Authentication Algorithm--Required
                           • Remote AH Authentication Algorithm--Optional
  ESP, AH-ESP, or ESP-AH   • Local Encryption Algorithm--Required
                           • Remote Encryption Algorithm--Optional
                           • Local ESP Authentication Algorithm--Optional
                           • Remote ESP Authentication Algorithm--Optional

Note: If your software load does not include encryption, you will not see encryption-related parameters.

A tunnel policy uses a local algorithm on outbound packets and a remote algorithm on inbound packets. The local algorithm for the router at the near end of a tunnel must match the remote algorithm for the router at the far end of the tunnel. The values for the remote algorithms are optional and they default to the value of the corresponding local algorithms. The local ESP authentication algorithm is optional because ESP authentication is optional.

Configuring Encryption Keys

For each algorithm you configure, you must also configure a key that is identical to the key for the corresponding algorithm in the remote host. See the description of keys for the add tunnel command at Manual IP Security Configuration Commands.
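The matching rules in the two preceding topics (near-end local values equal far-end remote values, unset remote values default to the local ones, keys identical on both sides) can be checked before the tunnels are reset. The following Python script is an added example, not part of this manual or of the router software. It models each router's add tunnel answers as a dictionary; the field names, the two router dictionaries and the deliberately mistyped key in ROUTER_B_BAD are this example's own constructed data, and the key value is the illustrative one the manual shows for HMAC-MD5.

```python
import re

# HMAC-MD5 keys are entered as 32 hex characters (see the add tunnel prompts).
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Algorithm groups each tunnel policy needs (Table 44). ESP authentication is
# optional in general but required when the encryption algorithm is NULL.
POLICY_GROUPS = {
    "AH": ["ah"],
    "ESP": ["enc", "espauth"],
    "AH-ESP": ["ah", "enc", "espauth"],
    "ESP-AH": ["ah", "enc", "espauth"],
}
GROUP_FIELDS = {
    "ah": ["ah_alg", "ah_spi", "ah_key"],
    "enc": ["enc_alg", "enc_spi", "enc_key"],
    "espauth": ["espauth_alg", "espauth_key"],
}

# Constructed sample: the ESP-NULL tunnel from the manual's example as seen
# from router A (2000::A) and from router B (2000::B). Field names are this
# example's own; the key is the manual's illustrative value.
KEY = "1234567890ABCDEF1234567890ABCDEF"
ROUTER_A = {
    "policy": "ESP", "mode": "TUNN",
    "local": {"ip": "2000::A", "enc_alg": "NULL", "enc_spi": 1234,
              "espauth_alg": "HMAC-MD5", "espauth_key": KEY},
    "remote": {"ip": "2000::B"},   # algorithm, SPI and key default to local
}
ROUTER_B = {
    "policy": "ESP", "mode": "TUNN",
    "local": {"ip": "2000::B", "enc_alg": "NULL", "enc_spi": 1234,
              "espauth_alg": "HMAC-MD5", "espauth_key": KEY},
    "remote": {"ip": "2000::A"},
}
# Same as ROUTER_B but with a mistyped remote key, so B cannot authenticate A.
ROUTER_B_BAD = {
    "policy": "ESP", "mode": "TUNN",
    "local": dict(ROUTER_B["local"]),
    "remote": {"ip": "2000::A", "espauth_key": "0000000000000000000000000000000F"},
}


def effective_remote(tunnel):
    """Remote (inbound) settings with the manual's default applied: any remote
    algorithm, SPI or key left unset takes the corresponding local value."""
    remote = dict(tunnel.get("remote", {}))
    for field, value in tunnel["local"].items():
        if field != "ip":
            remote.setdefault(field, value)
    return remote


def check_one_way(sender, receiver, label):
    """The sender's local (outbound) values must equal the receiver's remote
    (inbound) values for every algorithm group the policy requires."""
    problems = []
    out, inn = sender["local"], effective_remote(receiver)
    for group in POLICY_GROUPS[sender["policy"]]:
        fields = GROUP_FIELDS[group]
        if group == "espauth" and not any(f in out for f in fields):
            if out.get("enc_alg", "").upper() == "NULL":
                problems.append(f"{label}: NULL encryption requires ESP authentication")
            continue
        for f in fields:
            if out.get(f) != inn.get(f):
                problems.append(f"{label}: {f} mismatch ({out.get(f)!r} vs {inn.get(f)!r})")
    for f in ("ah_key", "espauth_key"):
        if f in out and not HEX32.match(str(out[f])):
            problems.append(f"{label}: {f} must be 32 hex characters")
    return problems


def check_pair(router_a, router_b):
    """Return a list of mismatches between the two ends; empty means consistent."""
    problems = []
    if router_a["policy"] != router_b["policy"] or router_a["mode"] != router_b["mode"]:
        return ["tunnel policy or encapsulation mode differs between the two ends"]
    if (router_a["local"]["ip"] != router_b["remote"].get("ip")
            or router_b["local"]["ip"] != router_a["remote"].get("ip")):
        problems.append("local and remote IP addresses are not mirrored")
    problems += check_one_way(router_a, router_b, "A->B")
    problems += check_one_way(router_b, router_a, "B->A")
    return problems


if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B))      # []
    print(check_pair(ROUTER_A, ROUTER_B_BAD))  # one A->B espauth_key mismatch
```

Because the router never displays a key once it has been entered, a mismatch of this kind shows up on the box only as authentication failures after the reset; keeping the intended values in a checked record such as the dictionaries above is the practical way to compare the two ends.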


Accessing the IP Security Configuration Environment

To access the IP Security configuration environment, enter t 6 at the OPCON prompt (*), then enter the following sequence of commands at the Config> prompt:

   Config> feature ipsec
   IP Security feature user configuration
   IPsec config>ipv6
   IPV6-IPsec config>
 
 

Manual IP Security Configuration Commands

See Manual IP Security Configuration Commands for a description of the IP Security configuration commands available for IPv6. The commands for IPv6 are the same as those used for IPv4 unless indicated otherwise. Enter the commands at the IPV6-IPsec config> prompt.


Configuring a Manual Tunnel (IPv6)

Refer to the example network in Figure 27 while reading this topic. IPSec tunnel 1 has an endpoint on interface 1 in router A. Router A will be configured for IPSec. Do the following steps to configure router A manually:

  1. Create the IPSec tunnel.
  2. Create one outbound packet filter on the router interface that is the endpoint of the IPSec tunnel.
  3. Create access control rules for the packet filters.
  4. Reset IPSec.
  5. Reset IPv6.

Creating the IP Security Tunnel for Router A

The following example shows how to create IPSec tunnel 1 for router A.

Config> feature ipsec
IP Security feature user configuration
IPsec config> ipv6
IPV6-IPsec config> add tunnel
IPsec Tunnel ID (1 - 65535) [1]
Tunnel Name (optional)? tunnelone
Tunnel Lifetime, in minutes (0-525600)[46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH, ESP, AH-ESP, ESP-AH) [AH-ESP]? AH
Local IP Address [1000:1::1]? 2000::A
Local Authentication SPI (256-65535)[256]?
Local Authentication Algorithm (HMAC-MD5, HMAC-SHA)[HMAC-MD5]?
Local Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Local Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Remote IP Address [0::0]? 2000::B
Remote Authentication SPI (1-65535) [256]?
Remote Authentication Algorithm (HMAC-MD5, HMAC-SHA)[HMAC-MD5]?
Remote Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Remote Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Enable replay prevention? [No]:
Do you wish to enable this tunnel? [Yes]:
IPV6-IPsec config>
 
 

As you can see from this example, you are prompted for the parameters that you need to provide. The configuration of an ESP, AH-ESP, or ESP-AH secure tunnel calls for similar parameters.
Note: The values of the keys are not displayed when they are entered. Therefore, they are not visible in this example. If the keys for HMAC-MD5 authentication were visible, you would see 32 hex characters. For example, a key could have a value such as X'1234567890ABCDEF1234567890ABCDEF'.

Configuring Packet Filters for Router A

After you have created the IPSec tunnel for router A, you must set up one IP packet filter. The creation of the packet filter out-router-A is shown in the following example. Refer to the sections IPv6 Filtering and Access Control in the chapter Using IPv6 in Protocol Configuration and Monitoring Reference Volume 1 for more information about configuring IPv6 packet filters and access control rules.

*talk 6
Config> Protocol IPv6
Internet protocol user configuration
IPv6 Config> set access-control on
IPv6 Config> add packet-filter
Packet-filter name [ ]? out-router-A
Filter incoming or outgoing traffic? [IN]? OUT
Which interface is this filter for [0]? 1
IPv6 Config> update packet-filter
Packet-filter name [ ]? out-router-A
Packet-filter 'out-router-A' Config>
 

Configuring Packet Filter Access Control Rules for Router A

The next step is to configure the packet filter access control rules. Create two access control rules on the outbound packet filter out-router-A.

The access control rules on the outbound packet filter perform these functions:

Configure the first access control rule for packet filter out-router-A. This access control rule passes packets from network 1000:1:: to the destination network 3000:1:: attached to Router B.

IPv6 Config> update packet-filter
Packet-filter name [ ]? out-router-A
Packet-filter 'out-router-A' Config> add access
Enter type [E]? IS
Internet source [0::0]? 1000:1::
Prefix Length [64]? 64
Internet destination [0::0]? 3000:1::
Prefix Length [64]? 64
Enter IPsec Tunnel ID [1]? 2
Packet-filter 'out-router-A' Config>
 
 

The second access control rule for out-router-A allows secured packets to pass between the two ends of the IPSec tunnel.

Packet-filter 'out-router-A' Config> add access
Enter type [E]? I
Internet source [0::0]? 2000::A
Prefix Length [64]? 64
Internet destination [0::0]? 2000::B
Prefix Length [64]? 64
Packet-filter 'out-router-A' Config>
 
 

As with the other packet filters, you may want to configure a wildcard access control rule for out-router-A to pass traffic that does not match any access control rules.
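The effect of the two access control rules on out-router-A, and of an optional wildcard rule, can be traced for individual packets. The following Python script is an added example, not part of this manual or of the router software. The Rule class, the evaluate() function, the first-match-wins ordering and the sample packets are this example's own assumptions; the two rules are the ones added to out-router-A above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    kind: str                        # "IS" inclusive+secure, "I" inclusive, "E" exclusive
    src: str                         # source prefix as "address/prefix-length"
    dst: str                         # destination prefix
    tunnel_id: Optional[int] = None  # IPSec tunnel an IS rule hands the packet to


# The two rules the manual adds to out-router-A, in the order they were added.
OUT_ROUTER_A = [
    Rule("IS", "1000:1::/64", "3000:1::/64", tunnel_id=2),  # cleartext -> IPSec tunnel 2
    Rule("I", "2000::A/64", "2000::B/64"),                  # IPSec output -> interface
]

# Constructed sample packets (source, destination).
SAMPLE_PACKETS = [
    ("1000:1::5", "3000:1::9"),  # host behind A to host behind B
    ("2000::A", "2000::B"),      # encapsulated packet between the tunnel endpoints
    ("1000:1::5", "4000::1"),    # traffic that matches no rule
]


def matches(rule: Rule, src: str, dst: str) -> bool:
    # strict=False so a host address given with a prefix length (2000::A/64)
    # is treated as its containing prefix, as the router prompts imply.
    return (ip_address(src) in ip_network(rule.src, strict=False)
            and ip_address(dst) in ip_network(rule.dst, strict=False))


def evaluate(rules: List[Rule], src: str, dst: str,
             wildcard_pass: bool = False) -> Tuple[str, Optional[int]]:
    """Classify one outbound packet. The first matching rule wins (an
    assumption of this example). Returns ("tunnel", id) when an IS rule sends
    the packet to IPSec, ("pass", None) for an I match, and ("drop", None) for
    an E match or for no match at all, unless a wildcard pass rule exists."""
    for rule in rules:
        if not matches(rule, src, dst):
            continue
        if rule.kind == "IS":
            return ("tunnel", rule.tunnel_id)
        if rule.kind == "I":
            return ("pass", None)
        return ("drop", None)
    return ("pass", None) if wildcard_pass else ("drop", None)


if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(src, "->", dst, evaluate(OUT_ROUTER_A, src, dst))
```

Note what the prefix length 64 on the second rule does: with source 2000::A and destination 2000::B both taken at /64, the rule passes any packet between any two addresses in 2000::/64, not only the two tunnel endpoints. A practitioner who wants the rule to cover the endpoints alone would give a prefix length of 128 on both addresses.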

Resetting IP Security and IP on Router A

After you finish configuring the policy, use the Talk 5 reset ipsec command to reload SRAM with the new IPSec configuration. The reset ipsec command does not affect any IP configuration. Then, use the Talk 5 reset ipv6 command to dynamically reset IPv6 within the router. Alternatively, to reset each component, you can restart the router. You must either reset IPSec and IPv6 or restart the router to ensure that the filter rules are reloaded. Otherwise, your configuration may not be correctly supported on the interface. See "Configuring and Monitoring IP Security" and the reset ipv6 command in Protocol Configuration and Monitoring Reference Volume 2 for more information.

As shown in Figure 27, IPSec tunnel 2 has an endpoint on interface 1 in Router B. Do the following steps to configure router B manually.

  1. Create the IPSec tunnel.
  2. Create one outbound filter on the router interface that is the endpoint of the IPSec tunnel.
  3. Create access control rules for the packet filters.
  4. Reset IPSec.
  5. Reset IPv6.

Creating the IP Security Tunnel for Router B

Within router B, the same IPSec tunnel that was created for router A, IPSec tunnel 2, must be created. The local IP address of this tunnel in router B is 2000::B and the remote IP address is 2000::A. All other IPSec tunnel parameters must match the parameters that were specified for router A.

Configuring Packet Filters for Router B

As you did for router A, configure an outbound packet filter (out-router-B) on interface 1, which is the interface in router B that is the endpoint of IPSec tunnel 1.

Configuring Packet-Filter Access Control Rules for Router B

Configure an access control rule on out-router-B to pass outbound packets from network 3000:1:: to IPSec for processing and transmission through IPSec tunnel 2. This access control rule is type I and S.

Packet-filter name [ ]? out-router-B
Packet-filter 'out-router-B' Config> add access
Enter type [E]? IS
Internet source [0::0]? 3000:1::
Prefix Length [64]? 64
Internet destination [0::0]? 1000:1::
Prefix Length [64]? 64
Enter IPsec Tunnel ID [1]? 2
Packet-filter 'out-router-B' Config>
 
 

Now, for out-router-B, create an inclusive access control rule to let packets that have been processed by IPSec pass through IPSec tunnel 2.

Packet-filter 'out-router-B' Config> add access
Enter type [E]? I
Internet source [0::0]? 2000::B
Prefix Length [64]? 64
Internet destination [0::0]? 2000::A
Prefix Length [64]? 64
Packet-filter 'out-router-B' Config>
 
 

For out-router-B, create an inclusive wildcard access control rule if you wish to pass rather than drop packets that do not match either of the two access control rules, for example, traffic not destined for IPSec tunnel 2.

Resetting IP Security and IPv6 on Router B

Before the IPSec function will work and the filters are activated, you must reset IPSec and IPv6. Use the talk 5 reset ipsec command to reset IPSec. See Resetting IP Security and IP on Router A for information about resetting IPSec. After you reset IPSec, use the talk 5 reset ipv6 command to reset IPv6. Alternatively, to reset each component, you can restart the router.

Example: Configuring an IP Security Tunnel with ESP

Note that this example shows only the configuration of the IPSec tunnel, not of the packet filters.

IPV6-IPsec config>add tun
Tunnel ID or Tunnel Name [ ]? 2
Tunnel Lifetime, in minutes (0-525600) [46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH,ESP,AH-ESP,ESP-AH) [ESP]?
Local IP Address [0::0]? 2000::A
Local Encryption SPI (256-65535) [256]?
Local Encryption Algorithm (DES-CBC,CDMF,3DES, NULL) [DES-CBC]?
Do you wish to change the Local Encryption Key? (Yes or [No]):
Additional Padding for Local Encryption (0-120) [0]?
Do you wish to use local ESP authentication? [Yes]:
Remote IP Address [0::0]? 2000::B
Remote Encryption SPI (1-65535) [256]?
Remote Encryption Algorithm (DES-CBC,CDMF) [DES-CBC]?
Do you wish to change the Remote Encryption Key? (Yes or [No]):
Do you wish to perform verification of remote encryption padding? [No]:
Do you wish to use remote ESP authentication? [No]:
Do you wish to enable this tunnel? [Yes]:
IPV6-IPsec config>
 

Example: Configuring an IP Security Tunnel with ESP and ESP-NULL

Note that authentication is required.

IPV6-IPsec config>add tun
Tunnel ID or Tunnel Name [ ]? 2
Tunnel Lifetime, in minutes (0-525600) [46080]?
Tunnel Encapsulation Mode (TUNN or TRANS) [TUNN]?
Tunnel Policy (AH,ESP,AH-ESP,ESP-AH) [ESP]?
Local IP Address [0::0]? 2000::A
Local Encryption SPI (256-65535) [256]?
Local Encryption Algorithm (DES-CBC,CDMF,3DES,NULL) [DES-CBC]? null
Additional Padding for Local Encryption (0-120) [0]?
Local ESP Authentication Algorithm (HMAC-MD5,HMAC-SHA) [HMAC-MD5]?
Local ESP Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Local ESP Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Remote IP Address [0::0]? 2000::B
Remote Encryption SPI (1-65535) [1234]?
Remote Encryption Algorithm (DES-CBC,CDMF,3DES,NULL) [NULL]?
Do you wish to perform verification of remote encryption padding? [No]:
Remote ESP Authentication Algorithm (HMAC-MD5,HMAC-SHA) [HMAC-MD5]?
Remote ESP Authentication Key (32 characters) in Hex (0-9,a-f,A-F):
Enter Remote ESP Authentication Key again (32 characters) in Hex (0-9,a-f,A-F):
Enable replay prevention? [No]:
Do you wish to enable this tunnel? [Yes]:
IPV6-IPsec config>
 
 

Monitoring Manual IP Security (IPv4)

This section explains how to monitor manual IPSec with IPv4. It describes how to access the Internet Key Exchange environment and the available commands.

Accessing the Internet Key Exchange Environment

This section explains how to use Internet Key Exchange (IKE) with IPv4.

To access the IP Security IKE monitoring environment, enter the following sequence of commands at the + prompt:

   + feature ipsec
   IPSP>ike
   IKE>
 
 

Internet Key Exchange Monitoring Commands

This section describes the IKE monitoring commands.

Table 45. IKE Monitoring Commands Summary

  Command    Function
  ? (Help)   Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
  Delete     Dynamically deletes a specific tunnel's ISAKMP Phase 1 SAs, or all Phase 1 SAs.
  List       Lists information about a specific tunnel's Phase 1 SAs or all Phase 1 SAs.
  Stats      Displays statistics for a tunnel.
  Exit       Returns you to the previous command level. See "Exiting a Lower Level Environment".

Delete

Use the IKE delete command to dynamically delete a Phase 1 SA for a tunnel or all Phase 1 SAs.

Syntax:

delete
tunnel
all

tunnel
Specifies that a Phase 1 SA is to be deleted for a specific tunnel.

all
Specifies that all Phase 1 SAs are to be deleted.

Example: Deleting a Tunnel

PKI config>delete tunnel
Peer address [10.0.0.3]?
 
 

List

Use the IKE list command to display information about a specific tunnel's Phase 1 SAs, or all SAs.

Syntax:

list
tunnel
all

tunnel
Specifies that information is to be displayed for a specific tunnel's SAs.

all
Specifies that information is to be displayed for all SAs.

Example: Listing Information for all SAs

IKE>list all
 
Phase 1 ISAKMP Tunnels for IPv4:
----------------------------------------------------------
 Peer Address    I/R  Mode  Auto    State         Auth
---------------  ---  ----  ----  ----------  ------------
       10.0.0.3   R   Aggr   N    QM_IDLE       pre-shared
 
 
IKE>list tunnel 10.0.0.3
 
                     Peer IKE address: 10.0.0.3
                    Local IKE address: 10.0.0.1
                                 Role: Responder
                             Exchange: Aggr
                            Autostart: No
                         Oakley State: QM_IDLE
                Authentication Method: Pre-shared Key
                 Encryption algorithm: des3
                        Hash function: md5
                 Diffie-Hellman group: 1
                    Refresh threshold: 85
                      Lifetime (secs): 15000
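
The list tunnel output above is the place to review what a Phase 1 SA actually negotiated. The following Python script is an added example, not part of this manual or of the router software: it parses the label: value lines of that output (the sample string reproduces the manual's example) and reports the settings a reviewer would flag. The thresholds in the WEAK_* sets are this example's own choices.

```python
# Constructed sample: the manual's "list tunnel 10.0.0.3" output, verbatim.
SAMPLE_LIST_TUNNEL = """\
                     Peer IKE address: 10.0.0.3
                    Local IKE address: 10.0.0.1
                                 Role: Responder
                             Exchange: Aggr
                            Autostart: No
                         Oakley State: QM_IDLE
                Authentication Method: Pre-shared Key
                 Encryption algorithm: des3
                        Hash function: md5
                 Diffie-Hellman group: 1
                    Refresh threshold: 85
                      Lifetime (secs): 15000
"""


def parse_list_tunnel(text):
    """Turn the label: value lines into a dict keyed by the label text."""
    sa = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            sa[label.strip()] = value.strip()
    return sa


# Settings a defender would flag in a Phase 1 SA. Single DES and MD5 are
# obsolete; MODP groups 1 (768-bit) and 2 (1024-bit) are too small; aggressive
# mode with a pre-shared key sends the identity unencrypted and exposes the
# PSK-derived hash to anyone who can capture the exchange.
WEAK_ENCRYPTION = {"des"}
LEGACY_ENCRYPTION = {"des3"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}


def audit_phase1(sa):
    """Return a list of findings for one parsed Phase 1 SA; empty means clean."""
    findings = []
    enc = sa.get("Encryption algorithm", "").lower()
    if enc in WEAK_ENCRYPTION:
        findings.append(f"encryption {enc}: single DES is obsolete")
    elif enc in LEGACY_ENCRYPTION:
        findings.append(f"encryption {enc}: legacy 3DES (64-bit block cipher)")
    if sa.get("Hash function", "").lower() in WEAK_HASH:
        findings.append("hash md5: obsolete, prefer SHA")
    group = sa.get("Diffie-Hellman group", "")
    if group in WEAK_DH_GROUPS:
        findings.append(f"DH group {group}: MODP group too small")
    aggressive = sa.get("Exchange", "").lower().startswith("aggr")
    psk = sa.get("Authentication Method", "").lower().startswith("pre-shared")
    if aggressive and psk:
        findings.append("aggressive mode with pre-shared key: identity and PSK hash exposed on the wire")
    return findings


if __name__ == "__main__":
    sa = parse_list_tunnel(SAMPLE_LIST_TUNNEL)
    for finding in audit_phase1(sa):
        print(sa["Peer IKE address"], finding)
```

Run against several peers, the parsed dictionaries also give the Lifetime and Refresh threshold values, so the same pass can confirm that rekeying is configured consistently across tunnels.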
 
 

Stats

Use the IKE stats command to display tunnel statistics.

Syntax:

stats
tunnel

tunnel
Displays statistical information about a tunnel's SAs.

Valid Values: any configured tunnel-name or tunnel-id.

Example: Displaying a Tunnel's SA Statistics

IKE>stats
 
Peer address [10.0.0.3]? 
 
    Peer IP address......:        10.0.0.3       
    Active time (secs)...:             187
 
                                        In               Out
                                        ---              ---
    Octets...............:            1229              1248
    Packets..............:              14                16
    Drop pkts............:               0                 1
    Notifys..............:               6                 0
    Deletes..............:               0                 0
    Phase 2 Proposals....:              16                18
    Invalid Proposals....:               0
    Rejected Proposals...:               0                 0
 
 

Accessing the Public Key Infrastructure Environment (IPv4)

This section explains how to use the Public Key Infrastructure (PKI) with IPv4.

To access the IP Security PKI monitoring environment, enter the following sequence of commands at the + prompt:

   + feature ipsec
   IPSP>pki
   PKI>
 
 

Public Key Infrastructure Monitoring Commands

This section describes the Public Key Infrastructure (PKI) monitoring commands.

Table 46. PKI Monitoring Commands Summary

  Command                   Function
  ? (Help)                  Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
  Cert-load                 Loads a certificate into a router's SRAM.
  Cert-req                  Submits a certificate request to a CA.
  Cert-save                 Saves a certificate into cache for possible future use.
  List certificate          Lists information about a certificate.
  List configured-servers   Displays information about the configured servers.
  Load certificate          Loads a record containing the certificate from SRAM into the run time cache.
  Exit                      Returns you to the previous command level. See "Exiting a Lower Level Environment".

Cert-load

Use the PKI cert-load command to load a record containing the certificate and private key from SRAM into the run time certificate cache.

Syntax:

cert-load

Example: Loading a Certificate Record from SRAM into Cache

Enter type of certificate to be stored into SRAM:
     1)Root certificate; 
     2)Box  certificate with private key; 
Select the certificate type (1-2) [2]? 
Name []? test
mystr=1.1.1.1
Box certificate and private key saved into cache successfully
 
 

Cert-req

Use the PKI cert-req command to request a certificate from a CA.

Syntax:

cert-req

Example: Requesting a Certificate from a CA

Enter the following part for the subject name
   Country Name(Max 16 characters) []? us
   Organization Name(Max 32 characters) []? ibm
   Organization Unit Name(Max 32 characters) []? nhd
   Common Name(Max 32 characters) []? 
Key modulus size (512|768|1024)
 [512]? 
Certificate subject-alt-name type:
   1--IPv4 Address
   2--User FQDN
   3--FQDN
Select choice [1]? 
Enter an IPv4 addr) []? 1.1.1.1
Generating a key pair. This may take some time. Please wait ...
PKCS10 message successfully generated 
Enter tftp server IP Address []? test
Bad address, try again
Enter tftp server IP Address []? 8.8.8.8
Remote file name (max 63 chars) [/tmp/tftp_pkcs10_file]? 
Certificate request TFTP to remote host successfully.
 
 

Cert-save

Use the PKI cert-save command to save a record containing the certificate and private key into SRAM.

Syntax:

cert-save

Example: Saving a Certificate Record into SRAM

Enter type of certificate to be stored into SRAM:
     1)Root certificate; 
     2)Box  certificate with private key; 
Select the certificate type (1-2) [2]? 
SRAM Name for certificate and private key []? test
Load as default router certificate at initialization? [No]: 
Private key TEST written into SRAM 
Both Certificate and private key saved into SRAM successfully
 
 

List Certificate

Use the PKI list certificate command to display information about an X.509 digital certificate.

Syntax:

list certificate

Example: Listing certificate information

Router   certificate
      Serial Number:   914034877
      Subject  Name:   /c=US/o=ibm/ou=nhd/cn=testip
      Issuer   Name:   /c=US/o=ibm/ou=nhd
   Subject alt Name:   1.1.1.1
         Key Usuage:   Sign & Encipherment 
           Validity:   1999/1/19 23:24:27 -- 2002/1/19 23:54:27
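
The list certificate output above carries the two facts that decide whether IKE can use the router certificate: its validity window and the subject-alt-name that has to match the tunnel endpoint address given in cert-req. The following Python script is an added example, not part of this manual or of the router software. It parses that output (the sample reproduces the manual's example, including the router's own "Key Usuage" spelling) and checks it against a supplied clock and local IP address; the function names and the 30-day warning threshold are this example's own.

```python
from datetime import datetime

# Constructed sample: the manual's "list certificate" output, as the router prints it.
SAMPLE_LIST_CERT = """\
Router   certificate
      Serial Number:   914034877
      Subject  Name:   /c=US/o=ibm/ou=nhd/cn=testip
      Issuer   Name:   /c=US/o=ibm/ou=nhd
   Subject alt Name:   1.1.1.1
         Key Usuage:   Sign & Encipherment 
           Validity:   1999/1/19 23:24:27 -- 2002/1/19 23:54:27
"""
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_list_certificate(text):
    """Collapse the padded labels ("Subject  Name") and return a dict."""
    cert = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            cert[" ".join(label.split())] = value.strip()
    return cert


def parse_validity(value):
    """Split 'start -- end' into two datetimes."""
    start, end = (part.strip() for part in value.split("--"))
    return datetime.strptime(start, TIME_FORMAT), datetime.strptime(end, TIME_FORMAT)


def check_router_certificate(cert, now, local_ip, warn_days=30):
    """Report conditions that make the router certificate unusable, or soon
    unusable, for IKE: outside its validity window, close to expiry, or a
    subject-alt-name that does not match the tunnel's local IP address."""
    findings = []
    not_before, not_after = parse_validity(cert["Validity"])
    if now < not_before:
        findings.append(f"not yet valid until {not_before:%Y-%m-%d %H:%M:%S}")
    elif now > not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d %H:%M:%S}")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires in {(not_after - now).days} days")
    alt_name = cert.get("Subject alt Name")
    if alt_name != local_ip:
        findings.append(f"subject-alt-name {alt_name} does not match local IP {local_ip}")
    return findings


if __name__ == "__main__":
    cert = parse_list_certificate(SAMPLE_LIST_CERT)
    print(check_router_certificate(cert, datetime.now(), "1.1.1.1"))
```

The validity window is compared against the clock you pass in; on the router itself the relevant clock is the router's own, so a wrong router time is one of the first things to rule out when a certificate that looks valid here is rejected during IKE.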
 
 

List Configured-servers

Use the PKI list configured-servers command to display information about the configured servers.

Syntax:

list configured-servers

Example: Listing Information about Configured Servers

1)  Name: SERVER1
    Type: LDAP
    IP addr: 0.0.0.0
        LDAP search timeout (secs): 0
        LDAP retry interval (mins): 0
        LDAP server port number: 0
        LDAP version: 0
        LDAP version: 0
        Anonymous bind ?: y
 
 
2)  Name: TEST
    Type: TFTP
    IP addr: 9.9.9.9
 
 
3)  Name: TFTP
    Type: TFTP
    IP addr: 2.2.2.2
 
 

Load Certificate

Use the PKI load certificate command to load a certificate from SRAM into the run time cache.

Syntax:

load certificate

Example: Loading a Certificate into Cache

Enter the type of the certificate:
Choices:  1-Root CA Cert, 2-Router Cert
Enter (1-2): [2]? 
Encoding format:
Choices: 1-DER 2-PEM
Enter (1-2): [1]? 
Server info name []? test
Remote file name on tftp server (max 63 chars) [/tmp/default_file]? /tmp/test.cert
 
Attempting to load certificate file. Please wait ...
Router Certificate  loaded into run-time cache
 
 

Accessing the IP Security Monitoring Environment (IPv4)

To access the IPv4 IP Security monitoring environment type t 5 at the OPCON prompt (*):

   * t 5

Then, enter the following sequence of commands at the + prompt:

   + feature ipsec
   IPSP>ipv4
   IPV4-IPsec>
 

IP Security Monitoring Commands (IPv4)

This section describes the IP Security monitoring commands.

Table 47. IP Security Monitoring Commands Summary

  Command         Function
  ? (Help)        Displays all the commands available for this command level or lists the options for specific commands (if available). See "Getting Help".
  Change tunnel   Dynamically changes a secure tunnel's configuration parameter values.
  Delete tunnel   Dynamically deletes a secure tunnel.
  Disable         Dynamically disables all IP Security processing in a secure manner (matching packets are dropped), disables all IP Security processing in a nonsecure manner (matching packets are forwarded), or disables a particular secure tunnel.
  Enable          Dynamically enables all IP Security processing, or enables a secure tunnel.
  Itp             IP Security tunnel ping. Determines whether the party at the far end of an IPSec tunnel can be contacted.
  List            Lists global information about IP Security, about active and defined tunnels.
  Reset           Resets IP Security or resets a secure tunnel. This command reloads the configuration that was created in Talk 6. Resetting will override the values of parameters configured using Talk 5 with those that were configured using Talk 6.
  Set             Dynamically sets the Path MTU (PMTU) aging timer.
  Stats           Displays statistics for all tunnels or for an active tunnel.
  Exit            Returns you to the previous command level. See "Exiting a Lower Level Environment".

Change Tunnel

Dynamically changes a secure tunnel.

Syntax:

change tunnel ...

See the description of the add tunnel command under Manual IP Security Configuration Commands for a description of the parameters.

Delete Tunnel

Use the delete command to dynamically delete a secure tunnel or all secure tunnels.

Syntax:

delete tunnel
tunnel-id
tunnel-name
all

tunnel-id
Specifies the identifier of the IPSec tunnel to be deleted.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of the IPSec tunnel to be deleted.

Valid Values: any configured tunnel name

Default Value: none

all
Specifies that all IPSec tunnels on this interface are to be deleted.

Disable

Use the disable command to dynamically disable the IP Security protocol on all interfaces or a single tunnel.

Syntax:

disable
ipsec drop
ipsec pass
tunnel ...

ipsec drop
Disables IP security on the router in a secure manner. All IPSec tunnels will be disabled, but the secure tunnel information in packet filter rules is used to identify packets that match IPSec tunnel packet filters. The matching packets are dropped.

ipsec pass
Disables IP security on the router in a non-secure manner. All IPSec tunnels will be disabled. Packets that match IPSec tunnel packet filters are forwarded as ordinary traffic.

tunnel tunnel-id | all
Disables IP security on a specified tunnel or on all tunnels.

tunnel-id
Specifies the identifier of the secure tunnel to be disabled.

Valid Values: 1 - 65535

Default Value: 1

all
All tunnels.

Enable

Use the enable command to dynamically enable the IP Security protocol on all interfaces or a single tunnel. You must enable IPSec globally on the router before the individually enabled IPSec tunnels become active.
Note: IPSec cannot be dynamically enabled if the router was restarted with IPSec disabled.

Syntax:

enable
ipsec
tunnel ...

ipsec
Enables IP security throughout the router.

tunnel tunnel-id | all

tunnel-id
Specifies the identifier of the secure tunnel to be enabled.

Valid Values: 1 - 65535

Default Value: 1

all
All tunnels.

Itp

Use the itp command (IPSec tunnel ping) to create and send a special IP packet over an IPSec tunnel, which verifies that the router at the far end of the tunnel can respond by returning the packet. The packet is sent repeatedly at the frequency specified by the rate argument until you terminate the command by pressing Enter. When you press Enter, itp prints its status for all packets that it has sent.
Note: The itp command works only for tunnels that are operating in tunnel mode. Also, the other router must have IP forwarding capability and be enabled.

Syntax:

itp
tunnel-id
size
rate

tunnel-id
Required. A 2-byte integer value assigned to a specific tunnel.

size
Optional. The size of the ping packet's data payload. This value must be greater than the minimum size created by itp, and less than the tunnel's MTU value.

rate
Optional. The frequency (in seconds) at which the ping data packet is transmitted.

Default Value: 1

List

Use the list command to display the current IP Security configuration. Global tunnels include all tunnels in the router, both active and defined. All tunnels include all tunnels configured on this interface, both active and defined. Active tunnels are those that are currently active; defined tunnels are defined but not active.

Syntax:

list
all
global
tunnel active tunnel-id | tunnel-name | all
tunnel defined tunnel-id | tunnel-name | all

Example: Listing all defined tunnels

IPV4-IPsec>LIST TUNNEL DEFINED 
Enter the Tunnel ID, Tunnel Name, or 'ALL' [ALL]?
 
Defined Tunnels for IPv4:
----------------------------------------------------------------------------
   ID     Type    Local IP Addr   Remote IP Addr   Mode    State
 ------  ------  ---------------  ---------------  -----  --------
      3  ISAKMP       211.0.1.17        211.0.5.2  TUNN   Enabled
      4  ISAKMP       211.0.1.17        211.0.5.3  TUNN   Enabled
      5  ISAKMP       211.0.1.17        211.0.5.4  TUNN   Enabled
 
 
Defined Manual Tunnels for IPv6:
----------------------------------------------------------------------------
IPV4-IPsec>

Example: Listing one defined tunnel

IPV4-IPsec>LIST TUNNEL DEFINED 
Enter the Tunnel ID, Tunnel Name, or 'ALL' [ALL]? 1
 
Tunnel    Type     Mode   Policy    Life    Replay     State
  ID                                                                        Prev
------    ------  -----   ------   -----   -------     ---------     -----------
     1    ISAKMP   TUNN      ESP       0        No     Enabled 
 
 
Tunnel Name: ---------------
 
Local (Outbound) Information:
      IP Address: 211.0.1.17     
  Authentication:  SPI: ----------          Algorithm: --------  
      Encryption:  SPI: 2305164930    Encryption Algorithm: DES-CBC 
                                                 Extra Pad:   0
                              ESP Authentication Algorithm: HMAC-MD5  
 
Remote (Inbound) Information:
      IP Address: 211.0.5.3      
  Authentication:  SPI: ----------          Algorithm: --------  
      Encryption:  SPI: 2661613010    Encryption Algorithm: DES-CBC 
                                               Verify Pad?:  No
                              ESP Authentication Algorithm: HMAC-MD5  
IPV4-IPsec>

Example: Listing all active tunnels

IPV4-IPsec>LIST TUNNEL ACTIVE
Enter the Tunnel ID, Tunnel Name, or 'ALL' [ALL]?
 
Tunnel Cache for IPv4:
-----------------------------------------------------------------------------
 ID    Local IP Addr   Remote IP Addr   Mode     Policy     Tunnel Expiration
----   -------------   --------------   ----   --------    ------------------
  1       211.0.1.17      211.0.5.214   TUNN        ESP                  none
  2       211.0.1.17      211.0.5.215   TUNN        ESP                  none
  3       211.0.1.17       211.0.5.41   TUNN        ESP                  none
 
 
Tunnel Cache for IPv6:
-------------------------------------------------------------------------------
IPV4-IPsec>

Example: Listing one active tunnel

IPV4-IPsec>LIST TUNNEL ACTIVE 1
                                 Tunnel ID: 1
                          Tunnel Name: ---------------
                                       Type: ISAKMP
                                       Mode: TUNN
                                     Policy: ESP
                          Replay Prevention: No
                            Tunnel LifeTime: 0 secs
                          Tunnel Expiration: None
                                       PMTU: n/a
                               Tunnel State: Enabled
                            DF bit handling: COPY
                                   SA State: Working
                                SA LifeTime: 360 secs
                                SA LifeSize: 50000 KBytes
                               SA Threshold: 85 percent
Local (Outbound) Information:
        IP Address: 211.0.1.17     
    Authentication:  SPI: ----------              Algorithm: --------  
        Encryption:  SPI: 2861614221   Encryption Algorithm: DES-CBC 
                                                  Extra Pad:   0
                               ESP Authentication Algorithm: HMAC-MD5  
 
Remote (Inbound) Information:
        IP Address: 211.0.5.41     
    Authentication:  SPI: ----------              Algorithm: --------  
        Encryption:  SPI: 2266666369   Encryption Algorithm: DES-CBC 
                                                Verify Pad?:  No
                               ESP Authentication Algorithm: HMAC-MD5  
IPV4-IPsec>

(2) This is an IPv6 address. If the IP version is IPv4, a message is displayed that defines the handling of the DF bit: COPY, SET, or CLEAR.

Reset

Use the reset command to dynamically reset IP security on the router or on a single tunnel. After you reset IPSec or the tunnels, be sure to use the reset IP command to reset the IP configuration. This is necessary to reload the access control information, such as packet filters and their access control rules. If you do not reset IP, the packet filters and access control rules may not support your new IPSec configuration.

Rebooting the router is an alternative to using the reset commands. However, rebooting the router takes it off the network for a time, whereas the reset commands interrupt only IP functions.

Syntax:

reset
ipsec
tunnel tunnel-id | tunnel-name | all

ipsec
Resets IP security on the 2210. IP security is temporarily disabled and then restarted. While IP security is disabled, any packets that are normally handled by IPSec tunnels are dropped until the reset is complete. Resetting IP security does not affect other functions on the 2210. This command activates the IP security configuration that was created using Talk 6. The Talk 6 IP security configuration overwrites the Talk 5 configuration.

tunnel
Resets IP security on a specified tunnel. If the tunnel is disabled at the time of reset, the tunnel configuration is rebuilt from the SRAM configuration, but the tunnel remains disabled after the reset.

tunnel-id
Specifies the identifier of the secure tunnel to be reset.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of the secure tunnel to be reset.

Valid Values: any configured tunnel name

Default Value: none

all
All tunnels.

Set

Dynamically sets the Path MTU (PMTU) aging timer.

Syntax:

set
path

path
This parameter defines the time in minutes that will elapse before the 2210 sets the tunnel MTU back to the maximum.

Default Value: 10 (0 means disabled)

Stats

Use the stats command to display statistics about a specific tunnel or all tunnels. For example, the stats command shows packets sent and received.

Syntax:

stats
tunnel-id
tunnel-name
all

tunnel-id
Specifies the identifier of the secure tunnel.

Valid Values: 1 - 65535

Default Value: 1

tunnel-name
Specifies the name of a secure tunnel that has been configured.

Valid Values: any configured tunnel name

Default Value: none

all
Displays statistics about all tunnels configured on the 2210.

Example:

IPV6-IPsec>stats
Enter the Tunnel ID, Tunnel Name, or 'ALL' [ALL]? all
 
                            Global IPSec Statistics
Received:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
           0            0             0             0            0            0
 
Sent:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
           0            0             0             0            0            0
 
Receive Packet Errors:
  total errs    AH errors   AH bad seq   ESP errors   ESP bad seq
  ----------   ----------   ----------   ----------   -----------
           0            0            0            0             0
 
Send Packet Errors:
  total errs    AH errors   ESP errors
  ----------   ----------   ----------
           0            0            0
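The counters in this display are cumulative, so a single snapshot says little; what a defender wants is the change between two polls, with attention to the AH bad seq and ESP bad seq columns (packets rejected by the anti-replay sequence check) and to the case where every counter goes down because someone issued reset ipsec in between. The following parser and poll comparison is an added example written for this manual's output layout; it is not part of the 2210 software, and the sample snapshots and the alert threshold of 10 are constructed values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the "stats all" display shown above; the numbers are
# made up for this example (a first poll and a later poll of the same router).
SNAPSHOT_T0 = """\
                            Global IPSec Statistics
Received:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
        1200          400           800        960000       320000       640000

Sent:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
        1100          350           750        880000       280000       600000

Receive Packet Errors:
  total errs    AH errors   AH bad seq   ESP errors   ESP bad seq
  ----------   ----------   ----------   ----------   -----------
           2            1            0            1             0

Send Packet Errors:
  total errs    AH errors   ESP errors
  ----------   ----------   ----------
           0            0            0
"""

SNAPSHOT_T1 = """\
                            Global IPSec Statistics
Received:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
        1500          450          1050       1200000       360000       840000

Sent:
  total pkts   AH packets   ESP packets   total bytes    AH bytes     ESP bytes
  ----------   ----------   -----------   -----------   ----------   ----------
        1300          400           900       1040000       320000       720000

Receive Packet Errors:
  total errs    AH errors   AH bad seq   ESP errors   ESP bad seq
  ----------   ----------   ----------   ----------   -----------
         152            1            0            1           150

Send Packet Errors:
  total errs    AH errors   ESP errors
  ----------   ----------   ----------
           0            0            0
"""

Stats = Dict[str, Dict[str, int]]
Key = Tuple[str, str]

# Counters that grow when a received packet fails the anti-replay sequence check.
REPLAY_COUNTERS: Tuple[Key, ...] = (
    ("Receive Packet Errors", "AH bad seq"),
    ("Receive Packet Errors", "ESP bad seq"),
)


def parse_stats(text: str) -> Stats:
    """Turn the stats display into {section: {column name: value}}."""
    stats: Stats = {}
    section = None
    headers: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.endswith(":") and not line.startswith(" "):
            section, headers = line[:-1], []      # e.g. "Received:"
            continue
        if section is None or set(line.strip()) <= {"-", " "}:
            continue                              # title line or dashed underline
        if not headers:
            headers = re.split(r"\s{2,}", line.strip())   # names contain single spaces
            continue
        values = line.split()
        if len(values) != len(headers):
            raise ValueError(f"{section}: {len(headers)} columns but {len(values)} values")
        stats[section] = dict(zip(headers, map(int, values)))
        headers = []
    return stats


def counter_deltas(before: Stats, after: Stats) -> Dict[Key, int]:
    """Per-counter change between two polls (negative means the counter went down)."""
    return {(sec, col): val - before.get(sec, {}).get(col, 0)
            for sec, cols in after.items() for col, val in cols.items()}


def counters_reset(before: Stats, after: Stats) -> bool:
    """True when any counter decreased, i.e. IPSec was reset between the polls."""
    return any(d < 0 for d in counter_deltas(before, after).values())


def replay_alerts(before: Stats, after: Stats, threshold: int = 10) -> List[str]:
    """Report replay-check rejections that grew by at least `threshold` since the last poll."""
    if counters_reset(before, after):
        return ["counters were reset between polls; skipping delta check"]
    deltas = counter_deltas(before, after)
    return [f"{col} grew by {deltas[(sec, col)]} since last poll (threshold {threshold})"
            for sec, col in REPLAY_COUNTERS if deltas.get((sec, col), 0) >= threshold]


if __name__ == "__main__":
    for msg in replay_alerts(parse_stats(SNAPSHOT_T0), parse_stats(SNAPSHOT_T1)):
        print(msg)
```

A burst of bad seq errors with otherwise healthy packet counts usually points at packets arriving far outside the replay window (severe reordering, duplicated delivery, or replayed traffic) and is worth correlating with the peer's own statistics before treating it as an attack; the reset check keeps a routine reset ipsec from being misread as counters going backwards.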
 
 

Monitoring Manual IP Security (IPv6)

This section explains how to monitor manual IPSec with IPv6. It describes how to access the IP security environment and the available commands.

Accessing the IP Security Monitoring Environment

To access the IP Security monitoring environment, type t 5 at the OPCON prompt (*):

   * t 5

Then, enter the following sequence of commands at the + prompt:

   + feature ipsec
   IPSP>ipv6
   IPV6-IPsec>
 
 

IP Security Monitoring Commands (IPv6)

The IP Security monitoring commands for IPv6 are the same as those used for IPv4 unless indicated otherwise. See IP Security Monitoring Commands (IPv4) for a description of the commands. Enter the commands at the IPV6-IPsec> prompt.


IP Security Dynamic Reconfiguration Support

This section describes dynamic reconfiguration (DR) as it affects Talk 6 and Talk 5 commands.

CONFIG (Talk 6) Delete Interface

IP Security (IPSec) does not support the CONFIG (Talk 6) delete interface command.

GWCON (Talk 5) Activate Interface

The GWCON (Talk 5) activate interface command is not applicable for IPSec. IPSec is independent from a particular interface.

GWCON (Talk 5) Reset Interface

The GWCON (Talk 5) reset interface command is not applicable for IPSec. IPSec is independent from a particular interface.

GWCON (Talk 5) Component Reset Commands

IPSec supports the following IPSec-specific GWCON (Talk 5) reset commands:

GWCON, Feature IPSec, Ipv4, Reset IPSec Command

Description:
IPSec will be reinitialized.

Network Effect:
When IPSec is reset, all tunnels are torn down. Manual tunnels are rebuilt from SRAM. Negotiated tunnels disappear. Traffic that uses these tunnels stops momentarily.

Limitations:
None.

The following table summarizes the IP Security Feature configuration changes that are activated when the GWCON, feature IPSec, ipv4, reset IPSec command is invoked:

Commands whose changes are activated by the GWCON, feature ipsec, ipv4, reset ipsec command:

   CONFIG, feature ipsec, ipv4, enable tunnel
   CONFIG, feature ipsec, ipv4, disable tunnel
   CONFIG, feature ipsec, ipv4, disable ipsec
   CONFIG, feature ipsec, ipv4, add tunnel
   CONFIG, feature ipsec, ipv4, delete tunnel
   CONFIG, feature ipsec, ipv4, change tunnel

GWCON, Feature IPSec, Ipv4, Reset Tunnel Command

Description:
Tunnel or all tunnels will be reinitialized.

Network Effect:
A tunnel or all tunnels can be reset. Manual tunnels are rebuilt from SRAM. Negotiated tunnels disappear. Traffic that uses these tunnels stops momentarily.

Limitations:
None.

The following table summarizes the IP Security Feature configuration changes that are activated when the GWCON, feature IPSec, ipv4, reset tunnel command is invoked:

Commands whose changes are activated by the GWCON, feature ipsec, ipv4, reset tunnel command:

   CONFIG, feature ipsec, ipv4, add tunnel
   CONFIG, feature ipsec, ipv4, delete tunnel
   CONFIG, feature ipsec, ipv4, change tunnel
   CONFIG, feature ipsec, ipv4, disable tunnel

GWCON (Talk 5) Temporary Change Commands

IPSec supports the following GWCON commands that temporarily change the operational state of the device. These changes are lost whenever the device is reloaded or restarted, or when you execute any dynamically reconfigurable command.

Commands:

   GWCON, feature ipsec, ipv4, change tunnel
      Note: A tunnel's parameters can be changed in memory.
   GWCON, feature ipsec, ipv4, disable tunnel
      Note: A tunnel or all tunnels can be disabled. Traffic for these tunnels will be stopped.
   GWCON, feature ipsec, ipv4, disable IPSec pass
      Note: IPSec is disabled and traffic is forwarded without security.
   GWCON, feature ipsec, ipv4, disable IPSec stop
      Note: IPSec is disabled and traffic is discarded.
   GWCON, feature ipsec, ipv4, delete tunnel
      Note: Deletes one or all tunnels. Traffic for these tunnels will be dropped.
   GWCON, feature ipsec, ipv4, enable tunnel
      Note: Enables one or all tunnels. Traffic for these tunnels will be allowed.
   GWCON, feature ipsec, ipv4, enable IPSec
      Note: Enables IPSec. IPSec can process traffic.
   GWCON, feature ipsec, ipv4, set path-MTU-age-timer
      Note: Changes the path MTU aging timer.

Non-Dynamically Reconfigurable Commands

The following table describes the IP Security Feature configuration commands that cannot be dynamically changed. To activate these commands, you need to reload or restart the device.

Commands:

   CONFIG, enable ipsec
      Note: When IPSec is enabled for the first time after the device has been initialized, the device needs to be reloaded or restarted.

