ike Command

Purpose

Starts, stops, and monitors IP Security dynamic tunnels which use the Internet Key Exchange Protocol (ISAKMP/Oakley).

Syntax

ike cmd=Subcommand [ parameter ... ]

Description

The ike command is used to start, stop, and monitor IP Security dynamic tunnels that use the Internet Key Exchange (IKE) protocol. IP Security tunnels protect IP traffic by authenticating and/or encrypting IP data. The ike command performs several functions: it can activate, remove, or list IKE and IP Security tunnels.
Note: You must have root access to use the ike command.

The IKE negotiation occurs in two phases. The first phase authenticates the two parties and sets up a Key Management (phase 1) Security Association that protects the data passed during the rest of the negotiation; the key management policy is used to secure the negotiation messages in this phase. The second phase negotiates a Data Management (phase 2) Security Association, which uses the data management policy to set up IP Security tunnels in the kernel for encapsulating and decapsulating data packets. The secure channel established in phase 1 can be used to protect multiple data management negotiations between two hosts.

The ike command activates tunnels using identification and policy information that has already been entered with the ikedb command. The parameters used during the negotiation are entered by the user and stored in a database. The ike command then allows the activation, removal, and listing of tunnels that have been started with the security parameters stored in that database.

In most uses of the ike command, activation and deletion occur for both phases; the command also allows these operations to be done separately.

Subcommands

activate

Purpose
Start the negotiation of an IKE tunnel. If phase is not specified, both a phase 1 and a phase 2 tunnel are started. If IP addresses are supplied, the tunnel is set up using those IP addresses. If the IDs used during the negotiation are not IP addresses, the local and remote host IDs must be entered using the ikedb command. A unique tunnel number is created; the tunnel can then be referenced by that number in later ike commands to indicate the particular tunnel to be started.

Syntax
ike cmd=activate [ phase=1|2 ] [ numlist=tunnel_num_list ] [ namelist=tunnel_name_list ] [ remid=remote_id ] [ ipaddr=src_addr,dst_addr ] [ autostart ]

Description
The activate subcommand works using a two-phase paradigm. A phase 1 tunnel must be established before a phase 2 tunnel can be started. If phase 1 is specified, only the phase 1 negotiation takes place. If phase 2 is specified, the system checks for the existence of the corresponding phase 1 tunnel before creating the phase 2 tunnel; if the phase 1 negotiation has not been started, it is started automatically.

Upon successful completion of a phase 2 tunnel, the tunnel definition and corresponding filter rules are inserted into the IP Security kernel, and the new tunnel is activated. Traffic described by the tunnel definition passing between the designated endpoints is protected by the encryption and authentication algorithms indicated by the associated IKE security policy.

Multiple phase 2 tunnels can be started under the same phase 1 tunnel. A situation where this may be desired is if different types of traffic between two endpoints need different levels of security protection. The Security Association used for the phase 1 tunnel can be shared by multiple phase 2 tunnels. The phase 2 tunnels would specify the type of traffic (by protocol and port, or subnet mask, for instance) and could have different security policies protecting them.

The ike command returns as soon as the negotiation has been initiated, an error is detected, or the tunnel already exists. Because the remote host must be contacted during the negotiation and the time needed to complete it is uncertain, use the list subcommand to determine whether the negotiation was successful.

Errors detected during the negotiation process are reported through syslog and can be captured there (see the log subcommand).

Flags
phase
Specifies the type of negotiation desired. If omitted, the activate subcommand activates both a phase 1 and a phase 2 tunnel. The phase flag is optional.
numlist
Specifies the tunnel number(s) of the phase 1 or phase 2 tunnel(s) to be started. The , (comma) and - (dash) characters delimit values and indicate ranges. The list subcommand with the db option can be used to determine the tunnel number for a particular tunnel. An example using tunnel numbers:
ike cmd=activate numlist=1,3,5-7

This would start tunnels 1, 3, 5, 6 and 7.

remid
Starts phase 1 or phase 2 tunnel(s) from the local ID to the specified remote ID. remid can be a phase 1 ID (such as an IP address, FQDN, user FQDN, or X.500 DN), a phase 2 ID (such as an IP address, subnet, or IP address range), or a group ID. The , (comma) delimits the subnet ID and subnet mask, or the starting and ending IP address of a range. If remid is a group name, a tunnel is initiated for each group member. remid is an optional flag and can only be used with the activate subcommand. It cannot be used in conjunction with the ipaddr, numlist, or namelist flags.
  1. To activate a phase 1 tunnel to remote IP address 9.3.97.100, type:
     ike cmd=activate phase=1 remid=9.3.97.100
  2. To activate a phase 2 tunnel to remote subnet ID 9.3.97.100,255.255.255.0, type:
     ike cmd=activate phase=2 remid=9.3.97.100,255.255.255.0
ipaddr
Starts a phase 1 or phase 2 tunnel between the specified source and destination IP addresses (src_addr,dst_addr).
autostart
Activates all phase 1 and phase 2 tunnel database entries that were created with the autostart parameter set. The autostart flag cannot be combined with any other flag of the activate subcommand.
namelist
Specifies a tunnel name or a comma-separated list of tunnel names to be activated. This flag requires the phase flag.
Examples
  1. To activate a phase 2 tunnel between source IP address x.x.x.x and destination IP address y.y.y.y, enter:
    ike cmd=activate phase=2 ipaddr=x.x.x.x,y.y.y.y

    The security policy indicated in the database for the IP addresses x.x.x.x and y.y.y.y is used for activating the tunnel.

  2. To activate phase 1 tunnels for tunnels 1 and 2, enter:
    ike cmd=activate phase=1 numlist=1,2
  3. To activate phase 2 tunnels for the inactive tunnels named AIXFW1_DM and remote_office in the database, enter:
    ike cmd=activate phase=2 namelist=AIXFW1_DM,remote_office
    Note: Because each phase 2 tunnel must have an associated phase 1 tunnel, a phase 1 tunnel is automatically activated before the phase 2 tunnel is activated.
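The following script is an added example and is not part of the AIX documentation or of the ike command itself. It illustrates the point made in the activate description: the command returns as soon as the negotiation is started, so a script has to poll the list subcommand to find out whether a tunnel actually came up. The script expands the comma and dash numlist syntax so that each tunnel can be checked individually, issues one activate call for the whole list, and then polls the tunnel manager with a timeout. Three things in it are assumptions rather than documented behavior: the text that ike cmd=list prints for an established tunnel (STATUS_PATTERN), the syslog file that /etc/syslog.conf routes isakmpd output to (IKE_LOG), and the IKE variable that lets the script be exercised against a stub instead of the real command. Check the first two against ike cmd=list verbose and /etc/syslog.conf on your system before relying on the result.

```shell
#!/bin/sh
# Added example, not part of the AIX ike documentation: activate IKE tunnels by
# number and confirm each one in the tunnel manager, because "ike cmd=activate"
# returns as soon as the negotiation is started, not when it succeeds.
#
# Assumptions not stated on the page (adjust for your system):
#   IKE             command to run; a variable so the script can be tested
#                   against a stub. The real command must be run as root.
#   STATUS_PATTERN  text that "ike cmd=list" prints for an established tunnel.
#                   The list output wording is version specific: run
#                   "ike cmd=list verbose" by hand and set the pattern from it.
#   IKE_LOG         syslog file that /etc/syslog.conf routes isakmpd output to.

IKE=${IKE:-/usr/sbin/ike}
STATUS_PATTERN=${STATUS_PATTERN:-'[Aa]ctive'}
IKE_LOG=${IKE_LOG:-/var/adm/ipsec.log}
TIMEOUT=${TIMEOUT:-60}      # seconds to wait for each tunnel
INTERVAL=${INTERVAL:-2}     # seconds between list polls

# expand_numlist "1,3,5-7" prints "1 3 5 6 7": the same comma and dash
# syntax the numlist flag accepts, expanded so tunnels can be checked one
# at a time. Returns 1 on malformed input.
expand_numlist() {
    case $1 in
        ''|*[!0-9,-]*) echo "bad numlist: $1" >&2; return 1 ;;
    esac
    out=""
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            -*|*-|*-*-*) echo "bad numlist item: $item" >&2; return 1 ;;
            *-*)
                lo=${item%-*}; hi=${item#*-}
                [ "$lo" -le "$hi" ] || { echo "bad range: $item" >&2; return 1; }
                i=$lo
                while [ "$i" -le "$hi" ]; do out="$out $i"; i=$((i + 1)); done ;;
            *) out="$out $item" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# tunnel_established PHASE NUM: true when the tunnel manager lists the tunnel
# in a state matching STATUS_PATTERN (assumed pattern, see above).
tunnel_established() {
    "$IKE" cmd=list phase="$1" numlist="$2" 2>/dev/null | grep -q "$STATUS_PATTERN"
}

# wait_for_tunnel PHASE NUM: poll until the tunnel is established or TIMEOUT
# seconds have passed. Returns 0 on success, 1 on timeout.
wait_for_tunnel() {
    waited=0
    while :; do
        tunnel_established "$1" "$2" && return 0
        [ "$waited" -ge "$TIMEOUT" ] && return 1
        sleep "$INTERVAL"
        waited=$((waited + INTERVAL))
    done
}

# activate_and_verify PHASE NUMLIST: one activate call for the whole list,
# then a per-tunnel check. Prints one line per tunnel; returns 1 if any
# tunnel did not come up, 2 if the list was malformed or activate failed.
activate_and_verify() {
    phase=$1
    nums=$(expand_numlist "$2") || return 2
    "$IKE" cmd=activate phase="$phase" numlist="$2" || return 2
    rc=0
    for n in $nums; do
        if wait_for_tunnel "$phase" "$n"; then
            echo "tunnel $n phase $phase: established"
        else
            echo "tunnel $n phase $phase: not established after ${TIMEOUT}s" >&2
            # Negotiation errors are reported through syslog; show the most
            # recent isakmpd lines if the assumed log file is readable.
            [ -r "$IKE_LOG" ] && grep -i isakmp "$IKE_LOG" | tail -n 5 >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh ike_up.sh 2 1,3,5-7
if [ "$#" -eq 2 ]; then
    activate_and_verify "$1" "$2"
fi
```

Run it as root, for example sh ike_up.sh 2 1,3,5-7. It exits non-zero if any tunnel in the list is not established within TIMEOUT seconds, which makes it usable from a boot script or a monitoring job; because activate is asynchronous, a plain ike cmd=activate exit status would not tell you that.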
list

Purpose
Monitors the status of IP Security tunnels by phase. It is also used to view tunnel entries defined in the IKE database.

Syntax
ike cmd=list [ phase=1|1+|2 ] [ numlist=tunnel_num_list ] [ db | role=i|r ] [ verbose ]

Description
The list subcommand queries the Tunnel Manager and lists phase 1 and phase 2 tunnel status and information according to the result of the query. It can also be used to view information in the tunnel definition database. The default behavior is to list the tunnels currently active; to list the tunnels in the database, the db option must be used.
Flags
phase
Indicates the type and order of the tunnel(s) to be listed. A phase value of 1 displays only the requested phase 1 tunnel information. A phase value of 2 displays the requested phase 2 tunnel(s), each preceded by its associated phase 1 tunnel. A phase value of 1+ displays the requested phase 1 tunnel(s) followed by all of their associated phase 2 tunnels. The default phase value is 1+.
numlist
Lists the tunnel numbers you would like to view. If omitted, the information for all tunnels is displayed. The , (comma) and - (dash) characters can be used to delimit values and indicate ranges. For example:
ike cmd=list numlist=1,3,5-7
When used in conjunction with db, tunnels from the IKE tunnel definition database are shown.
Note: Active tunnel numbers and tunnel numbers from the IKE Tunnel Definitions database do not necessarily match up. This is because a single tunnel entry in the database can correspond to multiple active tunnels.
db
Shows the entries in the database. If this flag is omitted, only active tunnels are displayed. It cannot be used in conjunction with role. Use numlist to restrict the output to the database entries you would like to view.
role
Allows the display of tunnels by the point of initiation. If i is specified, then the tunnels that were initiated by the local host are displayed. If r is specified, then the tunnels where the local host acted as a responder are displayed. If this flag is omitted, both initiator and responder tunnels are shown. This flag cannot be used in conjunction with db.
verbose
Shows extended information about the specified tunnels. If this flag is not specified, then only a concise entry for each tunnel is shown.
Examples
Note: Tunnel numbers from the database and tunnel numbers from the tunnel manager do not necessarily reflect the same tunnel.
  1. To perform a concise (short form) listing of phase 1 tunnels with entries in the tunnel manager, enter:
    ike cmd=list phase=1 numlist=1,2,3

    These tunnels are either being negotiated, in the active state, or have expired. Only tunnels 1, 2, and 3 are listed. The tunnels can be in either the initiator or the responder role.

  2. To perform a concise (short form) listing of the specified phase 2 tunnels in the database, each preceded by its associated phase 1 tunnel, enter:
    ike cmd=list phase=2 numlist=1-3 db

    These are tunnels defined in the database which may or may not be currently active in the tunnel manager. All tunnels in the database are used in the initiator role only.

  3. To perform a verbose (long form) listing of a phase 1 tunnel followed by all of its associated phase 2 tunnels from the tunnel manager, enter:
    ike cmd=list phase=1+ role=r verbose

    Only tunnels which were activated in the responder role are listed. All available tunnel numbers are listed since no numlist was specified.

remove

Purpose
Deactivates the specified phase 1 or phase 2 tunnel(s).

Syntax
ike cmd=remove [ phase=1|2 ] [ numlist=tunnel_num_list ] [ all ]

Description
The remove subcommand requests the deactivation of phase 1 or phase 2 tunnel(s). Because phase 2 tunnels are associated with a phase 1 tunnel, deactivating a phase 1 tunnel means that the phase 2 tunnels under it are not refreshed when their lifetimes expire.
Flags
phase
Indicates the phase of the tunnel(s) to be deactivated. A phase value of 1 refers to a phase 1 tunnel and a phase value of 2 refers to a phase 2 tunnel. The phase flag must be specified with numlist; when all is used without phase, tunnels of both phases are deactivated (see the examples).
numlist
Lists the tunnel numbers you would like to deactivate. The , (comma) and - (dash) characters can be used to delimit values and indicate ranges. For example:
ike cmd=remove phase=1 numlist=1,3,5-7

When numlist is omitted, all tunnels are deactivated.

all
Deactivates all active tunnels. This parameter does not work in conjunction with numlist.
Examples
  1. To deactivate phase 1 tunnels numbered 1, 2, and 3, enter:
    ike cmd=remove phase=1 numlist=1-3
  2. To deactivate all phase 1 and phase 2 tunnels, enter:
    ike cmd=remove all
  3. To deactivate all phase 2 tunnels but keep all phase 1 tunnels active, enter:
    ike cmd=remove phase=2 all
  4. To deactivate all phase 1 tunnels (corresponding phase 2 tunnels will not be refreshed), enter:
    ike cmd=remove phase=1 all
log

Purpose
Read the ISAKMP daemon log level from /etc/isakmpd.conf and start logging at that level.

Syntax
ike cmd=log

Description
The log subcommand causes the ISAKMP daemon to read the log level from /etc/isakmpd.conf and an output file name from /etc/syslog.conf. The specified logging level is set, and the log output, along with other syslog output, is placed in the file specified.
Note: If the log level in /etc/isakmpd.conf or the output file name in /etc/syslog.conf is changed, the refresh -s syslogd command must also be run.
Note: There are four valid logging levels for the ISAKMP daemon. They are none, errors, events, and information. none means no logging, errors means logging of only ISAKMP daemon errors will occur, events means errors and other ISAKMP daemon events will be logged, and information is the highest level of logging which is all inclusive.

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Files

/usr/sbin/ike    Location of the ike command.
/etc/isakmpd.conf    Configuration file for the isakmpd daemon.
/etc/syslog.conf    Provides configuration information for the syslogd daemon.