IpManVpnAction statement

Use the IpManVpnAction statement to indicate how selected traffic between two security endpoints should be protected utilizing manually established security associations. An IpTimeCondition statement can be used to identify when the manual tunnel is installed in the stack. Activation of the manual tunnel is controlled by the Active parameter and the ipsec command activate/deactivate function.

Syntax

>>-IpManVpnAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{-----------------------------+----------------------------|
   +-| IpManVpnAction Parameters |-+   
   '-}-----------------------------'   

IpManVpnAction Parameters

   .-Active Yes------.   
|--+-----------------+------------------------------------------>
   '-Active--+-Yes-+-'   
             '-No--'     

>--+-LocalSecurityEndpointAddr -+-address-+-+------------------->
   |                            +-Any-----+ |   
   |                            +-Any4----+ |   
   |                            '-Any6----' |   
   '-LocalSecurityEndpointAddrRef name------'   

>--+-RemoteSecurityEndpointAddr-+-address-+-+------------------->
   |                            +-Any-----+ |   
   |                            +-Any4----+ |   
   |                            '-Any6----' |   
   '-RemoteSecurityEndpointAddrRef name-----'   

   .-PassthroughDF Yes----------------.   
>--+----------------------------------+------------------------->
   |                      .-Clear-.   |   
   '-PassthroughDF--+-No--+-------+-+-'   
                    |     +-Set---+ |     
                    |     '-Clear-' |     
                    '-Yes-----------'     

   .-PassthroughDSCP Yes------.   
>--+--------------------------+--------------------------------->
   '-PassthroughDSCP--+-No--+-'   
                      '-Yes-'     

>--HowToAuth--+-AH--+--+-AES128_XCBC_96----+--| AuthOutboundSa |--| AuthInboundSa |-->
              '-ESP-'  +-HMAC_MD5----------+                                          
                       +-HMAC_SHA----------+                                          
                       +-HMAC_SHA1---------+                                          
                       +-HMAC_SHA2_256_128-+                                          
                       +-HMAC_SHA2_384_192-+                                          
                       '-HMAC_SHA2_512_256-'                                          

>--+-----------------------------------------------------------------------------------------+-->
   '-HowToEncrypt--+-DES----------------------+--| EncryptOutboundSa |--| EncryptInboundSa |-'   
                   +-3DES---------------------+                                                  
                   +-AES----------------------+                                                  
                   '-AES_CBC KeyLength keylen '                                                  

                              .-----------------------------.   
                              V                             |   
>--HowToEncap--+-Tunnel----+----+-------------------------+-+---|
               '-Transport-'    +-IpTimeCondition---------+     
                                '-IpTimeConditionRef name-'     

AuthOutboundSa

|--AuthOutboundSa--spi--key-------------------------------------|

AuthInboundSa

|--AuthInboundSa--spi--key--------------------------------------|

EncryptOutboundSa

|--EncryptOutboundSa--spi--key----------------------------------|

EncryptInboundSa

|--EncryptInboundSa--spi--key-----------------------------------|

Parameters

name
A string 1 - 32 characters in length specifying the name of this IpManVpnAction statement. The name cannot start with a dash (-) or contain any commas (,).
Active
An indication of whether the tunnel state is set to active or inactive when the manual tunnel is installed in the stack. If an Active value of No is specified, the ipsec command must be used to activate the manual tunnel.
Results:
  • If Active Yes is specified (default), the IpManVpnAction statement is activated automatically when the policy is installed. If an IpTimeCondition is present on the action, that controls when the policy is installed.
  • If Active No is specified, the IpManVpnAction statement must be manually activated using the ipsec command before it can be used to protect IP traffic. IP packets matching on the associated IpFilterRule are dropped until the IpManVpnAction statement is activated.
LocalSecurityEndpointAddr
address
The IP address of the local security endpoint.

Restriction: The IPv6 unspecified address (::0) and IPv4 unspecified address (0.0.0.0) are not allowed.

Any
Indicates that any local IPv4 address can be used for the local security endpoint. Any and Any4 are interchangeable values.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Any4
Indicates that any local IPv4 address can be used for the local security endpoint.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Any6
Indicates that any local IPv6 address can be used for the local security endpoint.
LocalSecurityEndpointAddrRef name
The name of a globally defined IpAddr statement for the local security endpoint.
RemoteSecurityEndpointAddr
address
The IP address of the remote security endpoint.

Restriction: The IPv6 unspecified address (::0) and IPv4 unspecified address (0.0.0.0) are not allowed.

Any
Indicates that any remote IPv4 address can be used for the remote security endpoint. Any and Any4 are interchangeable values.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Any4
Indicates that any remote IPv4 address can be used for the remote security endpoint.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Any6
Indicates that any remote IPv6 address can be used for the remote security endpoint.
RemoteSecurityEndpointAddrRef name
The name of a globally defined IpAddr statement for the remote security endpoint.
PassthroughDF
When this value is set to No, the do not fragment bit is set to 0 (if the value Clear is specified) or 1 (if the value Set is specified) on the outer IP header for an IPv4 tunnel mode SA. When this value is set to Yes, the do not fragment bit is copied from the inner IP header to the outer IP header for an IPv4 tunnel mode SA. This setting is ignored for IPv6 or transport mode SAs.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

PassthroughDSCP
When this value is set to No, the Differentiated Services Code Point (DSCP) field is set to 0 on the outer IP header for a tunnel mode SA. When this value is set to Yes, the DSCP field is copied from the inner IP header to the outer IP header for a tunnel mode SA. This setting is ignored for transport mode SAs.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

HowToAuth
The authentication protocol and algorithm used to provide data integrity. The following protocols can be specified.
AH
Use AH headers to carry authentication data.
ESP
Use ESP headers to carry authentication data.
The following algorithms can be specified. The algorithms are ordered from least to most secure.
HMAC_MD5
Computes the authentication checksum by combining a 128-bit key, the Hash-based Message Authentication Code (HMAC) authentication algorithm and the MD5 hash algorithm.

Restriction: HMAC_MD5 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.

AES128_XCBC_96
Computes the authentication checksum using the AES128_XCBC keyed hash algorithm with a 128-bit key and a 96-bit Integrity Check Value (ICV).

Restriction: AES128_XCBC_96 is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

HMAC_SHA
Deprecated and treated as a synonym for HMAC_SHA1.
HMAC_SHA1
Computes the authentication checksum by combining a 160-bit key, the HMAC authentication algorithm and the Secure Hash Algorithm (SHA) hash algorithm.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

HMAC_SHA2_256_128
Computes the authentication checksum using the HMAC_SHA2_256 keyed hash algorithm with a 256-bit key and 128-bit ICV.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

HMAC_SHA2_384_192
Computes the authentication checksum using the HMAC_SHA2_384 keyed hash algorithm with a 384-bit key and a 192-bit ICV.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

HMAC_SHA2_512_256
Computes the authentication checksum using the HMAC_SHA2_512 keyed hash algorithm with a 512-bit key and a 256-bit ICV.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

AuthOutboundSa
Specifies the SA parameters for authentication traffic transmitted outbound to the remote security endpoint.
spi
Specifies the remote Security Parameter Index. Valid values for spi are in the range 1 - 4 294 967 294. The set of SPI values in the range 1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA) for future use.
key
Specifies the authentication key. The key must be specified in hexadecimal prefixed with '0x'. Each byte of the key represents a value in the range 00 - FF. The length of the key is determined by the associated algorithm. The key length (in bytes) for each algorithm type is:
  • HMAC_MD5 (16)
  • AES128_XCBC_96 (16)
  • HMAC_SHA1 (20)
  • HMAC_SHA2_256_128 (32)
  • HMAC_SHA2_384_192 (48)
  • HMAC_SHA2_512_256 (64)
AuthInboundSa
Specifies the SA parameters for authentication traffic received inbound from the remote security endpoint.
spi
Specifies the local Security Parameter Index. Valid values for spi are in the range 1 - 4 294 967 294.
Guidelines:
  • The set of SPI values in the range 1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA) for future use.
  • Consider choosing an inbound SPI value in the range 256 - 4096. These values are reserved by TCP/IP for use by manual tunnels and do not conflict with any dynamic tunnels.
key
Specifies the authentication key. The key must be specified in hexadecimal prefixed with '0x'. Each byte of the key represents a value in the range 00 - FF. The length of the key is determined by the associated algorithm. The key length (in bytes) for each algorithm type is:
  • HMAC_MD5 (16)
  • AES128_XCBC_96 (16)
  • HMAC_SHA1 (20)
  • HMAC_SHA2_256_128 (32)
  • HMAC_SHA2_384_192 (48)
  • HMAC_SHA2_512_256 (64)
HowToEncrypt
Encryption is done using the ESP protocol. Specify the encryption algorithm used to provide data confidentiality. The algorithms are ordered from least to most secure.
DES
DES encryption is used with a 56-bit key and a 64-bit initialization vector.

Restriction: DES is not accepted when the TCP/IP stack is configured for FIPS 140 mode on the IpFilterPolicy statement.

3DES
Triple DES runs the DES encryption algorithm three times and uses a 192-bit key (168 key bits plus 24 parity bits).

Rule: If 3DES is specified but is not supported by the system, then the Policy Agent fails the policy.

AES
Deprecated and treated as a synonym for AES_CBC KeyLength 128.

Rule: If AES is specified but AES encryption in CBC mode is not supported by TCP/IP, Policy Agent fails the policy.

AES_CBC KeyLength keylen
The AES algorithm is used in Cipher Block Chaining (CBC) mode with a key length of either 128 or 256 bits.

Rule: If AES_CBC is specified but AES encryption in CBC mode is not supported by TCP/IP, Policy Agent fails the policy.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

EncryptOutboundSa
Specifies the SA parameters for encryption traffic transmitted outbound to the remote security endpoint.
spi
Specifies the remote Security Parameter Index. Valid values for spi are in the range 1 - 4 294 967 294. The set of SPI values in the range 1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA) for future use.
key
Specifies the encryption key. The key must be specified in hexadecimal prefixed with '0x'. Each byte of the key represents a value in the range 00 - FF. The length of the key is determined by the associated algorithm. The key length (in bytes) for each algorithm type is:
  • DES (8)
  • 3DES (24)
  • AES_CBC KeyLength 128 (16)
  • AES_CBC KeyLength 256 (32)
EncryptInboundSa
Specifies the SA parameters for encryption traffic received inbound from the remote security endpoint.
spi
Specifies the local Security Parameter Index. Valid values for spi are in the range 1 - 4 294 967 294.
Guidelines:
  • The set of SPI values in the range 1 - 255 is reserved to the Internet Assigned Numbers Authority (IANA) for future use.
  • Consider choosing an inbound SPI value in the range 256 - 4096. These values are reserved by TCP/IP for use by manual tunnels and do not conflict with any dynamic tunnels.
key
Specifies the encryption key. The key must be specified in hexadecimal prefixed with '0x'. Each byte of the key represents a value in the range 00 - FF. The length of the key is determined by the associated algorithm. The key length (in bytes) for each algorithm type is:
  • DES (8)
  • 3DES (24)
  • AES_CBC KeyLength 128 (16)
  • AES_CBC KeyLength 256 (32)
HowToEncap
An indication of whether IPSec-protected packets should be created using tunnel mode encapsulation or transport mode encapsulation.

Transport mode provides protection for the transport-layer headers and data (for example, TCP or UDP packet) inside an IP packet. This mode is used when the endpoints of the secure tunnel are the two communicating systems.

Tunnel mode provides protection for the entire IP packet. This mode is usually used for a secure tunnel between two gateways or between a gateway and a remote system.

IpTimeCondition
An inline specification of an IpTimeCondition statement. There is a limit of 25 IpTimeCondition specifications and references on the IpManVpnAction statement.
IpTimeConditionRef
The name of a globally defined IpTimeCondition statement. There is a limit of 25 IpTimeCondition specifications and references on the IpManVpnAction statement.
Rules:
  • If ESP authentication is being used with encryption, the SPI values on the EncryptInboundSa and AuthInboundSa parameters must be the same value. Also, the SPI values on EncryptOutboundSa and AuthOutboundSa parameters must be the same value.
  • The combination of inbound SPI value, LocalSecurityEndpointAddr, and RemoteSecurityEndpointAddr that you specify for ESP encapsulation must be unique across the entire set of IpManVpnAction statements. The following values are ESP encapsulation SPI values:
    • SPI value specified on the EncryptInboundSa parameter
    • SPI value specified on the AuthInboundSa parameter, if HowToAuth ESP is specified
  • The combination of inbound SPI value, LocalSecurityEndpointAddr, and RemoteSecurityEndpointAddr that you specify for AH encapsulation must be unique across the entire set of IpManVpnAction statements. The following value is the AH encapsulation SPI value:
    • SPI value specified on the AuthInboundSa parameter, if HowToAuth AH is specified
  • If ESP authentication is being used without encryption, the ESP header is present, but the payload is not encrypted (ESP_NULL).
  • Replay prevention is not supported for manual security associations.
  • All IpManVpnAction addresses must be in the same address family (IPv4 or IPv6).
  • The addresses for the IpFilterRule statement associated with this action must be in the same address family as the addresses for this action.
Results:
  • The setting of the Active parameter is applied each time the manual tunnel is installed in the stack. A change to any parameter on the IpManVpnAction statement (including the Active parameter) results in the manual tunnel being reinstalled in the stack and the Active parameter being applied. For example, in the case where the Active parameter is set to No and the manual tunnel has been activated with the ipsec -m activate command, a change to the encryption key results in the tunnel being reinstalled and the state being set to inactive.
  • If both HowToAuth and HowToEncrypt are specified, the semantic is that encryption is always applied to the payload before authentication.
  • If you specify Any, Any4, or Any6 for the LocalSecurityEndpointAddr or RemoteSecurityEndpointAddr parameters, and you set HowToEncap to Transport, then encapsulation preserves the original source or destination address in the IP header.
  • If you specify Any, Any4, or Any6 for the LocalSecurityEndpointAddr or RemoteSecurityEndpointAddr parameters, and you set HowToEncap to Tunnel, then encapsulation preserves the original source or destination address in the IP header, if possible. If necessary, the source address is changed to an appropriate source address on the local stack.
Tips:
  • Use the ipsec command to activate and deactivate manual tunnels.
  • Manual tunnels must be activated at both security endpoints. Unlike dynamic tunnels, there is no responder mode activation for manual tunnels.
  • Because multicast traffic is one-to-many but can be used both for sending and receiving, using manual tunnels for multicast requires the same SPI and keys for inbound and outbound traffic.
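The key-length tables and the Rules list above are easy to get wrong by hand, and Policy Agent only reports the failure after the policy is read. The following linter is an added example, not IBM code or part of Policy Agent: it parses IpManVpnAction statements written in the one-parameter-per-line form shown in the syntax diagram and checks the hexadecimal key length for the chosen algorithm, the SPI range and the IANA-reserved range, the rule that ESP authentication and encryption SAs share an SPI, the uniqueness of the inbound SPI plus endpoint pair per encapsulation (AH and ESP tracked separately), and the address-family rules. The sample policy, its addresses and its placeholder keys are constructed for illustration; the linter does not evaluate Active, IpTimeCondition, PassthroughDF/DSCP or FIPS 140 restrictions.

```python
"""Linter for IpManVpnAction statements (added example, not IBM code)."""
import ipaddress
import re

# Key lengths in bytes, taken from the key parameter descriptions above.
AUTH_KEY_BYTES = {"HMAC_MD5": 16, "AES128_XCBC_96": 16, "HMAC_SHA1": 20,
                  "HMAC_SHA2_256_128": 32, "HMAC_SHA2_384_192": 48, "HMAC_SHA2_512_256": 64}
ENC_KEY_BYTES = {"DES": 8, "3DES": 24, "AES": 16,  # AES = AES_CBC KeyLength 128
                 "AES_CBC KeyLength 128": 16, "AES_CBC KeyLength 256": 32}
SPI_MAX = 4_294_967_294
STMT_RE = re.compile(r"IpManVpnAction\s+(\S+)\s*\{(.*?)\}", re.S)
# Constructed sample: manESP breaks the rule that ESP authentication and
# encryption SAs share an SPI (inbound 301 vs 302); manAH is valid. Keys are
# repeated placeholder bytes and must never be used in a real policy.
SAMPLE_POLICY = f"""IpManVpnAction manESP
{{
  LocalSecurityEndpointAddr  192.0.2.1
  RemoteSecurityEndpointAddr 198.51.100.7
  HowToAuth ESP HMAC_SHA2_256_128
  AuthOutboundSa 300 0x{'11' * 32}
  AuthInboundSa  301 0x{'22' * 32}
  HowToEncrypt AES_CBC KeyLength 256
  EncryptOutboundSa 300 0x{'33' * 32}
  EncryptInboundSa  302 0x{'44' * 32}
  HowToEncap Tunnel
}}
IpManVpnAction manAH
{{
  LocalSecurityEndpointAddr  192.0.2.1
  RemoteSecurityEndpointAddr 198.51.100.7
  HowToAuth AH HMAC_SHA1
  AuthOutboundSa 400 0x{'55' * 20}
  AuthInboundSa  401 0x{'66' * 20}
  HowToEncap Transport
}}"""

def parse(text):
    """Return {name: {parameter: [tokens]}}; one parameter per line."""
    actions = {}
    for m in STMT_RE.finditer(text):
        rows = (ln.split() for ln in m.group(2).splitlines())
        actions[m.group(1)] = {t[0]: t[1:] for t in rows if t}
    return actions

def _family(addr):
    """4 or 6 for an endpoint value; None if invalid or unspecified."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return {"Any": 4, "Any4": 4, "Any6": 6}.get(addr)
    return None if ip.is_unspecified else ip.version

def _check_sa(errors, name, p, param, nbytes):
    """Validate one '<Sa> spi key' parameter; return the SPI as int, or None."""
    spi, key = (p.get(param, []) + ["", ""])[:2]
    if not spi.isdigit() or not 1 <= int(spi) <= SPI_MAX:
        errors.append(f"{name}: {param} SPI '{spi}' outside 1-{SPI_MAX}")
    elif int(spi) <= 255:
        errors.append(f"{name}: {param} SPI {spi} is IANA-reserved (1-255)")
    if not re.fullmatch(r"0x(?:[0-9A-Fa-f]{2}){%d}" % nbytes, key):
        errors.append(f"{name}: {param} key must be 0x hex of {nbytes} bytes")
    return int(spi) if spi.isdigit() else None

def validate(actions):
    """Return rule violations across all statements (empty list if clean)."""
    errors, seen = [], {}  # (proto, inbound spi, local, remote) -> name
    for name, p in actions.items():
        local = p.get("LocalSecurityEndpointAddr", ["?"])[0]
        remote = p.get("RemoteSecurityEndpointAddr", ["?"])[0]
        if _family(local) is None or _family(local) != _family(remote):
            errors.append(f"{name}: endpoints {local}/{remote} invalid or mixed family")
        proto, alg = (p.get("HowToAuth", []) + [None, None])[:2]
        alg = "HMAC_SHA1" if alg == "HMAC_SHA" else alg  # deprecated synonym
        a_out = a_in = e_out = e_in = None
        if proto not in ("AH", "ESP") or alg not in AUTH_KEY_BYTES:
            errors.append(f"{name}: HowToAuth {proto} {alg} is not valid")
        else:
            a_out = _check_sa(errors, name, p, "AuthOutboundSa", AUTH_KEY_BYTES[alg])
            a_in = _check_sa(errors, name, p, "AuthInboundSa", AUTH_KEY_BYTES[alg])
        enc = " ".join(p.get("HowToEncrypt", []))
        if enc and enc not in ENC_KEY_BYTES:
            errors.append(f"{name}: HowToEncrypt {enc} is not valid")
        elif enc:
            e_out = _check_sa(errors, name, p, "EncryptOutboundSa", ENC_KEY_BYTES[enc])
            e_in = _check_sa(errors, name, p, "EncryptInboundSa", ENC_KEY_BYTES[enc])
            if proto == "ESP" and (a_in, a_out) != (e_in, e_out):
                errors.append(f"{name}: ESP auth and encrypt SAs must share SPIs "
                              f"(inbound {a_in}/{e_in}, outbound {a_out}/{e_out})")
        # Inbound SPI plus endpoints must be unique per encapsulation (AH/ESP).
        for key in {(proto, a_in), ("ESP", e_in)}:
            if key[1] is not None:
                full = key + (local, remote)
                if seen.setdefault(full, name) != name:
                    errors.append(f"{name}: inbound {key[0]} SPI {key[1]} already used by {seen[full]}")
    return errors

if __name__ == "__main__":
    print("\n".join(validate(parse(SAMPLE_POLICY)) or ["no violations"]))
```

Run against the sample, the linter reports only the manESP SPI mismatch; changing AuthInboundSa to 302 clears it. Because AH and ESP SPI spaces are tracked separately, manAH may legitimately reuse inbound SPI 302, but a second ESP statement to the same peer with inbound SPI 302 is rejected, matching the uniqueness rules above.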