Use the IpManVpnAction statement to indicate how selected traffic between two security endpoints should be protected using manually established security associations. An IpTimeCondition statement can be used to identify when the manual tunnel is installed in the stack. Activation of the manual tunnel is controlled by the Active parameter and the activate/deactivate function of the ipsec command.
Syntax

>>-IpManVpnAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{-----------------------------+----------------------------|
   +-| IpManVpnAction Parameters |-+
   '-}-----------------------------'

IpManVpnAction Parameters

   .-Active Yes------.
|--+-----------------+------------------------------------------>
   '-Active--+-Yes-+-'
             '-No--'

>--+-LocalSecurityEndpointAddr -+-address-+-+------------------->
   |                            +-Any-----+ |
   |                            +-Any4----+ |
   |                            '-Any6----' |
   '-LocalSecurityEndpointAddrRef name------'

>--+-RemoteSecurityEndpointAddr-+-address-+-+------------------->
   |                            +-Any-----+ |
   |                            +-Any4----+ |
   |                            '-Any6----' |
   '-RemoteSecurityEndpointAddrRef name-----'

   .-PassthroughDF Yes----------------.
>--+----------------------------------+------------------------->
   |                      .-Clear-.   |
   '-PassthroughDF--+-No--+-------+-+-'
                    |     +-Set---+ |
                    |     '-Clear-' |
                    '-Yes-----------'

   .-PassthroughDSCP Yes------.
>--+--------------------------+--------------------------------->
   '-PassthroughDSCP--+-No--+-'
                      '-Yes-'

>--HowToAuth--+-AH--+--+-AES128_XCBC_96----+--| AuthOutboundSa |--| AuthInboundSa |-->
              '-ESP-'  +-HMAC_MD5----------+
                       +-HMAC_SHA----------+
                       +-HMAC_SHA1---------+
                       +-HMAC_SHA2_256_128-+
                       +-HMAC_SHA2_384_192-+
                       '-HMAC_SHA2_512_256-'

>--+-----------------------------------------------------------------------------------------+-->
   '-HowToEncrypt--+-DES----------------------+--| EncryptOutboundSa |--| EncryptInboundSa |-'
                   +-3DES---------------------+
                   +-AES----------------------+
                   '-AES_CBC KeyLength keylen-'

                                .---------------------------.
                                V                           |
>--HowToEncap--+-Tunnel----+----+-------------------------+-+---|
               '-Transport-'    +-IpTimeCondition---------+
                                '-IpTimeConditionRef name-'

AuthOutboundSa

|--AuthOutboundSa--spi--key-------------------------------------|

AuthInboundSa

|--AuthInboundSa--spi--key--------------------------------------|

EncryptOutboundSa

|--EncryptOutboundSa--spi--key----------------------------------|

EncryptInboundSa

|--EncryptInboundSa--spi--key-----------------------------------|
Parameters

- name
  A string 1 - 32 characters in length specifying the name of this
  IpManVpnAction statement. The name cannot start with a dash (-) or
  contain any commas (,).
- Active
  An indication of whether the tunnel state is set to active or inactive
  when the manual tunnel is installed in the stack. If an Active value of
  No is specified, then the ipsec command must be used to activate the
  manual tunnel.
  Results:
  - If Active Yes is specified (the default), the IpManVpnAction
    statement is activated automatically when the policy is installed.
    If an IpTimeCondition is present on the action, it controls when the
    policy is installed.
  - If Active No is specified, the IpManVpnAction statement must be
    manually activated using the ipsec command before it can be used to
    protect IP traffic. IP packets matching the associated IpFilterRule
    are dropped until the IpManVpnAction statement is activated.
- LocalSecurityEndpointAddr
  - address
    The IP address of the local security endpoint.
    Restriction: The IPv6 unspecified address (::0) and the IPv4
    unspecified address (0.0.0.0) are not allowed.
  - Any
    Indicates that any local IPv4 address can be used for the local
    security endpoint. Any and Any4 are interchangeable values.
    Restriction: This parameter is valid only for V1R10 and later
    releases. See General syntax rules for Policy Agent for details.
  - Any4
    Indicates that any local IPv4 address can be used for the local
    security endpoint.
    Restriction: This parameter is valid only for V1R10 and later
    releases. See General syntax rules for Policy Agent for details.
  - Any6
    Indicates that any local IPv6 address can be used for the local
    security endpoint.
- LocalSecurityEndpointAddrRef name
  The name of a globally defined IpAddr statement for the local security
  endpoint.
- RemoteSecurityEndpointAddr
  - address
    The IP address of the remote security endpoint.
    Restriction: The IPv6 unspecified address (::0) and the IPv4
    unspecified address (0.0.0.0) are not allowed.
  - Any
    Indicates that any remote IPv4 address can be used for the remote
    security endpoint. Any and Any4 are interchangeable values.
    Restriction: This parameter is valid only for V1R10 and later
    releases. See General syntax rules for Policy Agent for details.
  - Any4
    Indicates that any remote IPv4 address can be used for the remote
    security endpoint.
    Restriction: This parameter is valid only for V1R10 and later
    releases. See General syntax rules for Policy Agent for details.
  - Any6
    Indicates that any remote IPv6 address can be used for the remote
    security endpoint.
- RemoteSecurityEndpointAddrRef name
  The name of a globally defined IpAddr statement for the remote security
  endpoint.
- PassthroughDF
  When this value is set to No, the Do Not Fragment (DF) bit in the outer
  IP header of an IPv4 tunnel mode SA is set to 0 (if the value Clear is
  specified) or 1 (if the value Set is specified). When this value is
  set to Yes, the DF bit is copied from the inner IP header to the outer
  IP header for an IPv4 tunnel mode SA. This setting is ignored for IPv6
  or transport mode SAs.
  Restriction: This parameter is valid only for V1R10 and later
  releases. See General syntax rules for Policy Agent for details.
- PassthroughDSCP
  When this value is set to No, the Differentiated Services Code Point
  (DSCP) field in the outer IP header of a tunnel mode SA is set to 0.
  When this value is set to Yes, the DSCP field is copied from the inner
  IP header to the outer IP header for a tunnel mode SA. This setting is
  ignored for transport mode SAs.
  Restriction: This parameter is valid only for V1R10 and later
  releases. See General syntax rules for Policy Agent for details.
- HowToAuth
  The authentication protocol and algorithm used to provide data
  integrity. The following protocols can be specified:
  - AH
    Use AH headers to carry authentication data.
  - ESP
    Use ESP headers to carry authentication data.
  The following algorithms can be specified. The algorithms are ordered
  from least to most secure:
  - HMAC_MD5
    Computes the authentication checksum by combining a 128-bit key, the
    Hash-based Message Authentication Code (HMAC) authentication
    algorithm and the MD5 hash algorithm.
    Restriction: HMAC_MD5 is not accepted when the TCP/IP stack is
    configured for FIPS 140 mode on the IpFilterPolicy statement.
  - AES128_XCBC_96
    Computes the authentication checksum using the AES128_XCBC keyed hash
    algorithm with a 128-bit key and a 96-bit Integrity Check Value
    (ICV).
    Restriction: AES128_XCBC_96 is not accepted when the TCP/IP stack is
    configured for FIPS 140 mode on the IpFilterPolicy statement.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
  - HMAC_SHA
    Deprecated and treated as a synonym for HMAC_SHA1.
  - HMAC_SHA1
    Computes the authentication checksum by combining a 160-bit key, the
    HMAC authentication algorithm and the Secure Hash Algorithm (SHA)
    hash algorithm.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
  - HMAC_SHA2_256_128
    Computes the authentication checksum using the HMAC_SHA2_256 keyed
    hash algorithm with a 256-bit key and a 128-bit ICV.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
  - HMAC_SHA2_384_192
    Computes the authentication checksum using the HMAC_SHA2_384 keyed
    hash algorithm with a 384-bit key and a 192-bit ICV.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
  - HMAC_SHA2_512_256
    Computes the authentication checksum using the HMAC_SHA2_512 keyed
    hash algorithm with a 512-bit key and a 256-bit ICV.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
- AuthOutboundSa
  Specifies the SA parameters for authenticated traffic transmitted
  outbound to the remote security endpoint.
  - spi
    Specifies the remote Security Parameter Index. Valid values for spi
    are in the range 1 - 4294967294. The set of SPI values in the range
    1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA)
    for future use.
  - key
    Specifies the authentication key. The key must be specified in
    hexadecimal prefixed with '0x'. Each byte of the key represents a
    value in the range 00 - FF. The length of the key is determined by
    the associated algorithm. The key length (in bytes) for each
    algorithm type is:
    - HMAC_MD5 (16)
    - AES128_XCBC_96 (16)
    - HMAC_SHA1 (20)
    - HMAC_SHA2_256_128 (32)
    - HMAC_SHA2_384_192 (48)
    - HMAC_SHA2_512_256 (64)
- AuthInboundSa
  Specifies the SA parameters for authenticated traffic received inbound
  from the remote security endpoint.
  - spi
    Specifies the local Security Parameter Index. Valid values for spi
    are in the range 1 - 4294967294.
    Guidelines:
    - The set of SPI values in the range 1 - 255 is reserved to the
      Internet Assigned Numbers Authority (IANA) for future use.
    - Consider choosing an inbound SPI value in the range 256 - 4096.
      These values are reserved by TCP/IP for use by manual tunnels and
      do not conflict with any dynamic tunnels.
  - key
    Specifies the authentication key. The key must be specified in
    hexadecimal prefixed with '0x'. Each byte of the key represents a
    value in the range 00 - FF. The length of the key is determined by
    the associated algorithm. The key length (in bytes) for each
    algorithm type is:
    - HMAC_MD5 (16)
    - AES128_XCBC_96 (16)
    - HMAC_SHA1 (20)
    - HMAC_SHA2_256_128 (32)
    - HMAC_SHA2_384_192 (48)
    - HMAC_SHA2_512_256 (64)
- HowToEncrypt
  Encryption is done using the ESP protocol. Specify the encryption
  algorithm used to provide data confidentiality. The algorithms are
  ordered from least to most secure:
  - DES
    DES encryption is used with a 56-bit key and a 64-bit initialization
    vector.
    Restriction: DES is not accepted when the TCP/IP stack is configured
    for FIPS 140 mode on the IpFilterPolicy statement.
  - 3DES
    Triple DES runs the DES encryption algorithm three times and uses a
    192-bit key, including 24 parity bits.
    Rule: If 3DES is specified but is not supported by the system, then
    the Policy Agent fails the policy.
  - AES
    Deprecated and treated as a synonym for AES_CBC KeyLength 128.
    Rule: If AES is specified but AES encryption in CBC mode is not
    supported by TCP/IP, Policy Agent fails the policy.
  - AES_CBC KeyLength keylen
    The AES algorithm is used in Cipher Block Chaining (CBC) mode with a
    key length of keylen bits, either 128 or 256.
    Rule: If AES_CBC is specified but AES encryption in CBC mode is not
    supported by TCP/IP, Policy Agent fails the policy.
    Restriction: This value is valid only for V1R12 and later releases.
    See General syntax rules for Policy Agent for details.
- EncryptOutboundSa
  Specifies the SA parameters for encrypted traffic transmitted outbound
  to the remote security endpoint.
  - spi
    Specifies the remote Security Parameter Index. Valid values for spi
    are in the range 1 - 4294967294. The set of SPI values in the range
    1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA)
    for future use.
  - key
    Specifies the encryption key. The key must be specified in
    hexadecimal prefixed with '0x'. Each byte of the key represents a
    value in the range 00 - FF. The length of the key is determined by
    the associated algorithm. The key length (in bytes) for each
    algorithm type is:
    - DES (8)
    - 3DES_CBC (24)
    - AES_CBC KeyLength 128 (16)
    - AES_CBC KeyLength 256 (32)
- EncryptInboundSa
  Specifies the SA parameters for encrypted traffic received inbound
  from the remote security endpoint.
  - spi
    Specifies the local Security Parameter Index. Valid values for spi
    are in the range 1 - 4294967294.
    Guidelines:
    - The set of SPI values in the range 1 - 255 is reserved to the
      Internet Assigned Numbers Authority (IANA) for future use.
    - Consider choosing an inbound SPI value in the range 256 - 4096.
      These values are reserved by TCP/IP for use by manual tunnels and
      do not conflict with any dynamic tunnels.
  - key
    Specifies the encryption key. The key must be specified in
    hexadecimal prefixed with '0x'. Each byte of the key represents a
    value in the range 00 - FF. The length of the key is determined by
    the associated algorithm. The key length (in bytes) for each
    algorithm type is:
    - DES (8)
    - 3DES_CBC (24)
    - AES_CBC KeyLength 128 (16)
    - AES_CBC KeyLength 256 (32)
- HowToEncap
  An indication of whether IPSec-protected packets should be created
  using tunnel mode encapsulation or transport mode encapsulation.
  Transport mode provides protection for the transport-layer headers and
  data (for example, a TCP or UDP packet) inside an IP packet. This mode
  is used when the endpoints of the secure tunnel are the two
  communicating systems.
  Tunnel mode provides protection for the entire IP packet. This mode is
  usually used for a secure tunnel between two gateways or between a
  gateway and a remote system.
- IpTimeCondition
  An inline specification of an IpTimeCondition statement. There is a
  limit of 25 IpTimeCondition specifications and references on the
  IpManVpnAction statement.
- IpTimeConditionRef name
  The name of a globally defined IpTimeCondition statement. There is a
  limit of 25 IpTimeCondition specifications and references on the
  IpManVpnAction statement.
Rules:
- If ESP authentication is being used with encryption, the SPI values on
  the EncryptInboundSa and AuthInboundSa parameters must be the same
  value. Also, the SPI values on the EncryptOutboundSa and AuthOutboundSa
  parameters must be the same value.
- The combination of inbound SPI value, LocalSecurityEndpointAddr, and
  RemoteSecurityEndpointAddr that you specify for ESP encapsulation must
  be unique across the entire set of IpManVpnAction statements. The
  following values are ESP encapsulation SPI values:
  - SPI value specified on the EncryptInboundSa parameter
  - SPI value specified on the AuthInboundSa parameter, if HowToAuth ESP
    is specified
- The combination of inbound SPI value, LocalSecurityEndpointAddr, and
  RemoteSecurityEndpointAddr that you specify for AH encapsulation must
  be unique across the entire set of IpManVpnAction statements. The
  following value is the AH encapsulation SPI value:
  - SPI value specified on the AuthInboundSa parameter, if HowToAuth AH
    is specified
- If ESP authentication is being used without encryption, the ESP header
  is present, but the payload is not encrypted (ESP_NULL).
- Replay prevention is not supported for manual security associations.
- All IpManVpnAction addresses must be in the same address family (IPv4
  or IPv6).
- The addresses for the IpFilterRule statement associated with this
  action must be in the same address family as the addresses for this
  action.
Results:
- The setting of the Active parameter is applied each time the manual
  tunnel is installed in the stack. A change to any parameter on the
  IpManVpnAction statement (including the Active parameter) results in
  the manual tunnel being reinstalled in the stack and the Active
  parameter being applied. For example, if the Active parameter is set
  to No and the manual tunnel has been activated with the ipsec -m
  activate command, a change to the encryption key results in the tunnel
  being reinstalled and its state being set to inactive.
- If both HowToAuth and HowToEncrypt are specified, encryption is always
  applied to the payload before authentication.
- If you specify Any, Any4, or Any6 for the LocalSecurityEndpointAddr or
  RemoteSecurityEndpointAddr parameter and you set HowToEncap to
  Transport, then encapsulation preserves the original source or
  destination address in the IP header.
- If you specify Any, Any4, or Any6 for the LocalSecurityEndpointAddr or
  RemoteSecurityEndpointAddr parameter and you set HowToEncap to Tunnel,
  then encapsulation preserves the original source or destination
  address in the IP header, if possible. If necessary, the source
  address is changed to an appropriate source address on the local stack.
Tips:
- Use the ipsec command to activate and deactivate manual tunnels.
- Manual tunnels must be activated at both security endpoints. Unlike
  dynamic tunnels, there is no responder mode activation for manual
  tunnels.
- Because multicast traffic is one-to-many but can be used both for
  sending and receiving, using manual tunnels for multicast requires the
  same SPI and keys for inbound and outbound traffic.
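As an added example (not IBM's code, not part of this reference, and not a Policy Agent parser), the following Python script builds a constructed IpManVpnAction statement with placeholder keys and checks it against the key-length, SPI-range and ESP SPI-equality rules given above. The statement name, endpoint addresses and SPI values are assumed sample values.

```python
# Added example, not IBM's code: checks key-length and SPI rules this page states for IpManVpnAction.
# The parser reads only flat "Keyword value..." lines inside one statement (not a Policy Agent parser).
import re
# Key length in bytes per algorithm, from the AuthOutboundSa / EncryptOutboundSa key text
# (the page treats HMAC_SHA as HMAC_SHA1, AES as AES_CBC KeyLength 128 and lists 3DES as 3DES_CBC).
AUTH_KEY_BYTES = {"HMAC_MD5": 16, "AES128_XCBC_96": 16, "HMAC_SHA": 20, "HMAC_SHA1": 20,
                  "HMAC_SHA2_256_128": 32, "HMAC_SHA2_384_192": 48, "HMAC_SHA2_512_256": 64}
ENC_KEY_BYTES = {"DES": 8, "3DES": 24, "AES": 16,
                 "AES_CBC KeyLength 128": 16, "AES_CBC KeyLength 256": 32}
def sample_statement(auth_in_spi=300, enc_in_spi=300):
    """Constructed sample (assumed name, addresses, SPIs, placeholder keys); SPIs are parameters."""
    key = lambda b: "0x" + b * 32                 # 32-byte key written as hex prefixed with 0x
    return f"""IpManVpnAction ManTunnelToBranch
{{
  Active                     No
  LocalSecurityEndpointAddr  192.0.2.1
  RemoteSecurityEndpointAddr 198.51.100.7
  HowToEncap                 Tunnel
  HowToAuth                  ESP HMAC_SHA2_256_128
  AuthOutboundSa             5001 {key('11')}
  AuthInboundSa              {auth_in_spi} {key('22')}
  HowToEncrypt               AES_CBC KeyLength 256
  EncryptOutboundSa          5001 {key('33')}
  EncryptInboundSa           {enc_in_spi} {key('44')}
}}"""
def parse_action(text):
    """Return {"name": ..., keyword: [tokens]} for the first IpManVpnAction block in text."""
    m = re.search(r"IpManVpnAction\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no IpManVpnAction statement found")
    stmt = {"name": m.group(1)}
    for parts in filter(None, (line.split() for line in m.group(2).splitlines())):
        stmt[parts[0]] = parts[1:]                # e.g. "HowToEncrypt": ["AES_CBC", "KeyLength", "256"]
    return stmt
def check_action(stmt):
    """Return the rule violations found; an empty list means the statement passes."""
    problems, auth, enc = [], stmt.get("HowToAuth"), stmt.get("HowToEncrypt")
    def check_sa(keyword, key_bytes):             # one AuthXxxSa / EncryptXxxSa parameter
        spi, key = stmt[keyword]
        if not re.fullmatch(r"0x[0-9A-Fa-f]{%d}" % (key_bytes * 2), key):
            problems.append(f"{keyword}: key must be {key_bytes} bytes of hex prefixed with 0x")
        if not 1 <= int(spi) <= 4294967294:
            problems.append(f"{keyword}: SPI {spi} is outside the range 1 - 4294967294")
    for kw in ("AuthOutboundSa", "AuthInboundSa") if auth else ():
        check_sa(kw, AUTH_KEY_BYTES[auth[1]])
    for kw in ("EncryptOutboundSa", "EncryptInboundSa") if enc else ():
        check_sa(kw, ENC_KEY_BYTES[" ".join(enc)])
    if auth and enc and auth[0] == "ESP":         # Rule: ESP auth with encryption shares SPIs
        for d in ("Inbound", "Outbound"):
            if stmt[f"Auth{d}Sa"][0] != stmt[f"Encrypt{d}Sa"][0]:
                problems.append(f"Auth{d}Sa and Encrypt{d}Sa SPIs must be equal for ESP")
    return problems
```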