AIX Version 4.3 Commands Reference, Volume 3
Purpose: Starts IP Security dynamic tunnels using Internet Key Exchange.
Syntax: ike cmd=subcommand [ parameter ... ]
Description: The ike command is used to start IP Security dynamic tunnels using the Internet
Key Exchange (IKE) protocol. IP Security tunnels protect IP traffic by
authenticating and/or encrypting IP data. The ike command performs
several functions: it can activate, remove, or list IKE and IP Security
tunnels. For an overview of IP Security and IKE tunnels, see
IP Security in
the AIX Version 4.3 System Management Guide: Communications and Networks.
Note: You must have root access to use the ike command.
The IKE negotiation occurs in two phases. The first phase authenticates
the two parties and sets up a phase 1 Security Association for protecting
the data that is passed during the negotiation.
In this phase the key management policy is used to secure the negotiation
messages. The second phase negotiates
the phase 2 Security Association, which
uses the data management policy
to set up IP Security tunnels in the kernel for encapsulating
and decapsulating data packets.
The secure channel established in phase 1 can be used to protect
multiple data management negotiations between two hosts.
The ike command is used to activate tunnels
with identification and policy information that has
already been entered using the Web-based System Management
Graphical User Interface (GUI) under
Virtual Private Networks (IP Security) in the Network application.
The parameters to be used during the negotiation are entered by the
user and stored in a database. The ike command allows the activation,
removal and listing of tunnels that have been started using the security
parameters stored in the database.
In most uses of the ike command, activation and deletion
occur for both phases; however, the command allows these operations to be
activate subcommand
Purpose: Starts the negotiation of an IKE tunnel. If phase is not specified,
both a phase 1 and a phase 2 tunnel are started. If IP addresses are
supplied, the tunnel is set up using those IP addresses. If the IDs
used during the negotiation are not IP addresses, the local and remote
host IDs must be entered using the Virtual Private Networks
Web-based System Management
Graphical User Interface (GUI).
A unique tunnel number is created. The tunnel can then be referenced
by the tunnel number in the ike command to indicate the particular
tunnel to be started.
Syntax: ike cmd=activate [ phase=1|2 ] [numlist=tunnel_num_list]
Description: The activate subcommand works using a two-phase paradigm. A
phase 1 tunnel must be established before a phase 2 tunnel can be started.
If a phase 1 tunnel is specified, then only the phase 1 tunnel negotiation
takes place. If a phase 2 tunnel is specified, then the system
checks for the existence of the corresponding phase 1 tunnel before creating
the phase 2 tunnel. If the phase 1 negotiation has not been started, it
is started automatically.
Upon successful completion of a phase 2 tunnel, the tunnel definition
and corresponding filter rules are inserted into the kernel, and the
new tunnel is activated. Traffic described by the tunnel definition
passing between the designated endpoints is protected by the encryption
and authentication algorithms indicated by the associated IKE security
Multiple phase 2 tunnels can be started under the same phase 1 tunnel.
This may be desired if different types of traffic
between two endpoints need different levels of security protection. The
Security Association used for the phase 1 tunnel can be shared by multiple
phase 2 tunnels. The phase 2 tunnels would specify the type of traffic
(by protocol and port, or subnet mask, for instance) and could have different
security policies protecting them.
The ike command returns as soon as a negotiation has been
initiated, an error is detected, or the tunnel already exists. Since the remote
host must be contacted during the negotiation and the amount of time needed
to complete the negotiation is uncertain, the list subcommand should
be used to determine whether the negotiation was successful.
Errors that are detected during the negotiation process can be captured
by using syslog.
Flags:
phase - Specifies the type of negotiation desired. If
omitted, the activate subcommand activates both a phase 1 and a phase
2 tunnel. The
phase flag is an optional flag.
numlist - Initiates the ike tunnel number(s) which correspond to the desired
phase 1 or phase 2 tunnel(s) to be started. The , (comma) and
- (dash) characters can be used to delimit values and indicate
ranges. The list subcommand with the database option db can
be used to determine the tunnel number for a particular tunnel. An example
using tunnel numbers is shown below:
ike cmd=activate numlist=1,3,5-7
This would start tunnels 1, 3, 5, 6 and 7.
ipaddr - Starts a phase 1 or phase 2 tunnel between the specified IP addresses.
autostart - Causes the activation of all phase 1
and phase 2 tunnel database entries which were created
with the autostart parameter set.
The autostart flag cannot be used in conjunction with any other
flags pertaining to the activate subcommand.
Examples:
- To activate a phase 2 tunnel between source IP address x.x.x.x and destination
IP address y.y.y.y, enter:
ike cmd=activate phase=2 ipaddr=x.x.x.x,y.y.y.y
The security policy indicated in the database for the IP addresses x.x.x.x
and y.y.y.y is used for activating the tunnel.
- To activate phase 1 tunnels for tunnels 1 and 2, enter:
ike cmd=activate phase=1 numlist=1,2
- To activate phase 2 tunnels for inactive tunnels 3, 4, 5, and 8 from the
ike cmd=activate phase=2 numlist=3-5,8
Note: Because each phase 2 tunnel must have an associated phase 1 tunnel,
a phase 1 tunnel is automatically activated before the phase 2 tunnel
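The following POSIX sh script is an added example, not part of the AIX documentation: it expands a numlist the way the activate, list and remove subcommands read it (the "1,3,5-7" form described under the numlist flag), rejects malformed lists before they reach the command, and, because ike returns before the negotiation completes, follows each activation with a list query as the description above recommends. The IKE_CMD variable is an assumption of this script so it can be pointed at a stub where ike is not installed.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): expand an ike numlist the way the
# activate, list and remove subcommands read it ("1,3,5-7" -> "1 3 5 6 7"), then
# activate the tunnels and list each one, since ike returns before the negotiation
# finishes. IKE_CMD is an assumption of this script so the wrapper can be pointed
# at a stub where ike is not installed; it defaults to the real ike command.
IKE_CMD=${IKE_CMD:-ike}

# Succeed only if $1 is a non-empty string of digits.
is_number() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# expand_numlist LIST: print the tunnel numbers LIST denotes, space separated.
# Fails on an empty list, a non-numeric token or a descending range such as 7-5.
expand_numlist() {
    oldifs=$IFS; IFS=,
    set -- $1              # split on commas: "1,3,5-7" -> 1 3 5-7
    IFS=$oldifs
    out=""
    [ $# -gt 0 ] || return 1
    for tok in "$@"; do
        case $tok in
            *-*) lo=${tok%-*}; hi=${tok#*-} ;;   # range, e.g. 5-7
            *)   lo=$tok;      hi=$tok ;;        # single tunnel number
        esac
        is_number "$lo" && is_number "$hi" && [ "$lo" -le "$hi" ] || return 1
        n=$lo
        while [ "$n" -le "$hi" ]; do
            out="$out $n"; n=$((n + 1))
        done
    done
    printf '%s\n' "${out# }"
}

# activate_and_list PHASE LIST: reject a malformed LIST before calling ike
# (return 2), start the tunnels, then query the tunnel manager for each number
# so the outcome of the asynchronous negotiation can be checked.
activate_and_list() {
    nums=$(expand_numlist "$2") || { echo "invalid numlist: $2" >&2; return 2; }
    "$IKE_CMD" cmd=activate phase="$1" numlist="$2" || return $?
    for n in $nums; do
        "$IKE_CMD" cmd=list phase="$1" numlist="$n"
    done
}
```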
list subcommand
Purpose: Monitors the status of IP Security tunnels by phase.
Syntax: ike cmd=list [phase=1|1+|2] [numlist=tunnel_num_list] [db | role=i|r] [verbose]
Description: The list subcommand queries the Tunnel Manager and lists phase
1 and phase 2 tunnel status and information according to the result of
the query. This command can also be used to view information in the
Tunnel Definition database.
The default behavior is to list the tunnels currently
active. To list the tunnels in the database, the db option must
Flags:
phase - Indicates the type and order of the tunnel(s) to be listed. A phase value
of 1 results in only the requested phase 1 tunnel information being displayed.
A phase value of 2 results in the information for the requested phase 2
tunnel(s) and their associated phase 1 tunnel(s) being displayed. A
phase value of 1+ means that the requested phase 1 tunnel and all associated
phase 2 tunnels are displayed. The default phase value is 1+.
numlist - List of the tunnel numbers you would like to view. If omitted, the
information from all tunnels is displayed. The , (comma)
and - (dash) characters can be used to delimit values and indicate
ranges. For example:
ike cmd=list numlist=1,3,5-7
When used in conjunction with db, tunnels from the IKE Security
Policy database are shown.
Note: Active tunnel numbers and tunnel numbers from the IKE
Tunnel Definitions database do not necessarily
match up. This is because active tunnel numbers
must reflect tunnels from the initiator and responder
db - Shows the entries in the database. If this flag is omitted, only active
tunnels are displayed. This flag cannot be used in conjunction with role.
Supply the list of tunnel numbers which you would like to view.
role - Allows the display of tunnels by the point of initiation. If i is
specified, then the tunnels that were initiated by the local host are displayed.
If r is specified, then the tunnels where the local host acted as
a responder are displayed. If this flag is omitted, both initiator and
responder tunnels are shown. This flag cannot be used in conjunction with db.
verbose - Shows extended information about the specified tunnels. If this flag is
not specified, then only a concise entry for each tunnel is shown.
Note: Tunnel numbers from the database and tunnel numbers from
the tunnel manager do not necessarily reflect the same tunnel.
Examples:
- To perform a concise (short form) listing of phase 1 tunnels with entries
in the tunnel manager, enter:
ike cmd=list phase=1 numlist=1,2,3
These tunnels are either being negotiated, in the active state, or have
expired. Only tunnels 1, 2, and 3 are listed. Tunnels can be in either the
initiator or the responder role.
- To perform a concise (short form) listing of the specified phase 2 tunnels
in the database, each preceded by its associated phase 1 tunnel, enter:
ike cmd=list phase=2 numlist=1-3 db
These are tunnels defined in the database which may or may not be currently
active in the tunnel manager. All tunnels in the database are used in the
initiator role only.
- To perform a verbose (long form) listing of a phase 1 tunnel followed
by all of its associated phase 2 tunnels from the tunnel manager, enter:
ike cmd=list phase=1+ role=r verbose
Only tunnels which were activated in the responder role are listed.
All available tunnel numbers are listed since no numlist was
remove subcommand
Purpose: Deactivates specified phase 1 or phase 2 tunnel(s) and optionally removes
an entry from the IKE Tunnel Definition database.
Syntax: ike cmd=remove [phase=1|2] [numlist=tunnel_num_list]
Description: The remove subcommand requests the deactivation of phase 1 or
phase 2 tunnel(s). Because phase 2 tunnels are associated with a phase
1 tunnel, if a phase 1 tunnel is removed, the phase 2 tunnels under that
phase 1 tunnel are not refreshed when the phase 2 tunnel lifetime expires.
This subcommand can also be used to remove entries from the IKE
Tunnel Definition database. If a phase 1 tunnel entry is removed, then any associated
phase 2 tunnels are also removed.
Flags:
phase - Indicates the phase of the tunnel to be deactivated and must be specified.
A phase value of 1 refers to a phase 1 tunnel and a phase value of 2 refers
to a phase 2 tunnel.
numlist - Lists the tunnel numbers you would like to remove. The , (comma)
and - (dash) characters can be used to delimit values and indicate
ranges. For example:
ike cmd=remove numlist=1,3,5-7
When numlist is omitted, all tunnels are deactivated or removed
from the database.
db - Removes entries from the IKE Tunnel Definition database.
all - Removes all entries from the IKE Tunnel Definition database.
Examples:
- To deactivate phase 1 tunnels numbered 1, 2, and 3, enter:
ike cmd=remove phase=1 numlist=1-3
- To remove all phase 1 tunnels in the IKE Tunnel Definition database, enter:
ike cmd=remove phase=1 db all
Note: Use this command with extreme caution.
Since a phase 2 tunnel cannot exist in the database without an associated
phase 1 tunnel, whenever a phase 1 tunnel is removed, all phase 2 tunnels
associated with it are also removed from the database. Since
the all parameter was specified,
all phase 1 tunnels are removed from the database, along
with all associated phase 2 tunnels.
- To remove all phase 1 and phase 2 tunnels, enter:
ike cmd=remove all
- To remove all phase 2 tunnels but keep all phase 1 tunnels active, enter:
ike cmd=remove phase=2 all
- To deactivate all phase 1 tunnels (corresponding phase 2 tunnels will not be
ike cmd=remove phase=1 all
Files: Location of the ike admin commands.