ipsec
NAME
ipsec – manipulates the ipsec SP/SA/certificate Databases and displays ipsec statistics
SYNOPSIS
ipsec policy add [-s src_ip/prefixlen[port]] [-t dst_ip/prefixlen[port]] -p {esp|ah|none} [-e {des|3des|null} | -a {sha1|md5|null}] -d {in|out} [-m] [-f ip_protocol] [-l {restrict|permit}]
ipsec policy delete all | -i index | [[-s src_ip|-t dst_ip] -d {in|out} [-m]]
ipsec policy show [-s src_ip] [-t dst_ip] [-f ip_protocol] [-d {in|out}] [-p {esp|ah}]
ipsec cert set [-c <file_name> -k <file_name>]
ipsec cert set [-r <file_name1> <file_name2> ..]
ipsec cert show
ipsec sa show [spi [-s src_ip -t dst_ip -p {esp|ah}]] [-v]
ipsec stats [-z]
DESCRIPTION
ipsec (Internet Protocol Security) is a security protocol in the Internet Protocol layer. ipsec is provided by two subprotocols, ESP (Encapsulating Security Payload) and AH (Authentication Header). ESP protects the IP payload from wire-tapping by encrypting it with a secret-key cryptographic algorithm. AH guarantees the integrity of an IP packet and protects it from alteration or impersonation in transit by attaching a cryptographic checksum computed with a one-way hash function. ipsec is controlled by a key management engine and a policy engine. The policy engine is controlled by the ipsec policy command, which adds, deletes and displays Security Policy Database (SPD) entries.
The key management engine is controlled by the key exchange protocol module IKE (Internet Key Exchange). Through key management, a Security Association (SA) is negotiated between two end stations. This SA is used for secure data exchanges between these two stations. The ipsec sa command displays the Security Association Database (SAD) entries.
IKE negotiation involves authentication. The supported IKE authentication methods are pre-shared keys, Kerberos authentication and certificate authentication. Currently Kerberos authentication works for the Windows environment only. When IKE negotiation takes place, the filer obeys the authentication policy configured on the partner. Thus, if the partner is set up for pre-shared keys, the filer expects to find the pre-shared key in the /etc/psk.txt file. For more information on psk.txt, refer to psk.txt . CIFS is an important dependency for Kerberos authentication and must be configured. Certificate authentication supports IKE Main mode with RSA signature authentication and supports X.509v3 (RFC 3280) certificates in PEM format.
The ipsec stats command displays a set of ipsec statistics.
OPTIONS
- -s source
- The source of the secure communication, specified as an IP address or an IP address range, optionally followed by a TCP/UDP port. It takes one of the following forms:
  address
  address/prefixlen
  address[port]
  address/prefixlen[port]
- -t destination
- The destination of the secure communication. This also takes the above form.
- -p protocol
- Specify a protocol: either esp (ESP, based on rfc2405) or ah (AH, based on rfc2402) is used.
- -e ealgo
- Specify an encryption algorithm if the protocol specified is esp. Choose 3des to enable the triple Data Encryption Standard (DES) algorithm, des to use the DES algorithm, or null to have no encryption. If this option is not specified, the best algorithm is selected based on the peer's capabilities.
- -a aalgo
- Specify an authentication algorithm: sha1 to use a 128-bit key or md5 to use a 160-bit key. Specify null to accept the best negotiated algorithm.
- -d direction
- Specify a direction: either in or out is used.
- -m
- Disable mirror policy creation. By default a mirror policy, that is, a policy in the opposite direction with the source and destination addresses reversed, is created.
- -f IP protocol
- Specify an upper-layer protocol as a numeric protocol number, for example 6 for TCP or 17 for UDP.
- -l level
- Specify a level: either restrict or permit is used. restrict means data traffic is enabled only if a valid Security Association (SA) is obtained. permit means that if an attempt to obtain an SA fails, the data traffic passes without any security processing.
- -i index
- Specify an index in the Security Policy Database. The index is obtained by the ipsec policy show command.
- -z
- Clears the statistics counters.
- -c user certificate
- Specify the file name of a user certificate. The certificate has been signed by a certification authority (CA).
- -k key
- Specify the file name of a private key. This is the private key the administrator generated in order to obtain the certificate.
- -r root certificate(s)
- Specify from 1 to a maximum of 15 file names of trusted root certificates. A root certificate is obtained from a certification authority (CA).
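The following Python script is an added example and is not part of this man page or of NetApp's software. It encodes the option grammar described above, renders an ipsec policy add command line, derives the mirror policy that the filer creates unless -m is given, and points out that -l permit is the setting under which traffic passes unprotected. The names Policy, validate, ipsec_policy_add, mirror_of and cleartext_fallback are the example's own.

```python
"""Build 'ipsec policy add' command lines from the option grammar above and
reject combinations the SYNOPSIS does not allow.  Added illustration, not
NetApp's code; Policy, validate(), ipsec_policy_add(), mirror_of() and
cleartext_fallback() are names chosen for this example."""

from dataclasses import dataclass, replace
from typing import Optional

PROTOS = {"esp", "ah", "none"}
EALGOS = {"des", "3des", "null"}      # -e, ESP only
AALGOS = {"sha1", "md5", "null"}      # -a
DIRECTIONS = {"in", "out"}
LEVELS = {"restrict", "permit"}


@dataclass(frozen=True)
class Policy:
    proto: str                        # -p
    direction: str                    # -d
    src: Optional[str] = None         # -s address[/prefixlen][port]
    dst: Optional[str] = None         # -t address[/prefixlen][port]
    ealgo: Optional[str] = None       # -e
    aalgo: Optional[str] = None       # -a
    ip_proto: Optional[int] = None    # -f upper-layer protocol number
    level: Optional[str] = None       # -l
    no_mirror: bool = False           # -m


def validate(p: Policy) -> None:
    """Raise ValueError for option combinations the man page rules out."""
    if p.proto not in PROTOS:
        raise ValueError("-p must be esp, ah or none")
    if p.direction not in DIRECTIONS:
        raise ValueError("-d must be in or out")
    if p.ealgo is not None:
        if p.proto != "esp":
            raise ValueError("-e only applies when -p is esp")
        if p.ealgo not in EALGOS:
            raise ValueError("-e must be des, 3des or null")
    if p.aalgo is not None and p.aalgo not in AALGOS:
        raise ValueError("-a must be sha1, md5 or null")
    if p.level is not None and p.level not in LEVELS:
        raise ValueError("-l must be restrict or permit")
    if p.ip_proto is not None and not 0 <= p.ip_proto <= 255:
        raise ValueError("-f takes a numeric IP protocol number (0-255)")


def ipsec_policy_add(p: Policy) -> str:
    """Render the command line in the order the SYNOPSIS lists the options."""
    validate(p)
    parts = ["ipsec", "policy", "add"]
    if p.src:
        parts += ["-s", p.src]
    if p.dst:
        parts += ["-t", p.dst]
    parts += ["-p", p.proto]
    if p.ealgo:
        parts += ["-e", p.ealgo]
    if p.aalgo:
        parts += ["-a", p.aalgo]
    parts += ["-d", p.direction]
    if p.no_mirror:
        parts.append("-m")
    if p.ip_proto is not None:
        parts += ["-f", str(p.ip_proto)]
    if p.level:
        parts += ["-l", p.level]
    return " ".join(parts)


def mirror_of(p: Policy) -> Optional[Policy]:
    """The mirror policy the filer adds implicitly unless -m is given:
    source and destination swapped, direction reversed."""
    if p.no_mirror:
        return None
    return replace(p, src=p.dst, dst=p.src,
                   direction="out" if p.direction == "in" else "in")


def cleartext_fallback(p: Policy) -> bool:
    """True when -l permit lets traffic pass unprotected after a failed SA
    negotiation; restrict is the level to prefer for anything sensitive."""
    return p.level == "permit"


if __name__ == "__main__":
    # Inbound ESP policy for CIFS (port 139) from a /16, as in DISPLAYS below.
    smb = Policy(proto="esp", direction="in", src="172.25.0.0/16[139]",
                 dst="172.25.102.47", ealgo="3des", aalgo="sha1", level="restrict")
    print(ipsec_policy_add(smb))
    print(ipsec_policy_add(mirror_of(smb)))
```

Running the script prints the inbound command line followed by the outbound mirror that the filer would have created on its own; passing no_mirror=True (the -m flag) makes mirror_of return None, which is the case to use when the reverse direction is meant to be governed by a separate, explicitly written policy.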
DISPLAYS
The output format for ipsec policy show is as follows:

    Index IPAddress/prefix/port/protocol   Dir/Policy Proto/SecLevel ealg/aalg
    ----- -------------------------------- ---------- -------------- ---------
    2     172.25.0.0 /16/[139 ]/any ->     in /IPSEC  esp/restrict   3des/sha1
          172.25.102.47 /[any ]/any
    1     172.25.102.47 /[any ]/any ->     out/IPSEC  esp/restrict   3des/sha1
          172.25.0.0 /16/[139 ]/any

Each policy occupies two lines: the source address on the first line and the destination address on the second.

The output format for ipsec sa show is as follows:

    Alg/State/Spi Current Bytes/CreatedTime SrcIPAddr->DstIPAddr
    ------------- ------------------------- --------------------
    esp/M/0001388 0/20 Aug 2002 17:28:19    10.56.19.172->10.56.19.173

The State field takes one of the following values:
    M  Mature and active.
    D  Dead.
    d  Dying.
    L  Larval.
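The following Python script is an added example, not part of this man page or of NetApp's software. It parses the ipsec policy show and ipsec sa show tables in the layout shown above and then flags the entries an administrator reviewing a filer would want to look at: policies with -l permit (cleartext fallback) or a single-DES/null ESP cipher, and SAs that are no longer mature. The sample tables are constructed for the example (the entries from DISPLAYS plus invented ones that trigger the checks), and the function names and the choice of what counts as weak are the example's own.

```python
"""Parse the 'ipsec policy show' and 'ipsec sa show' tables in the format
shown above and pick out entries worth a second look.  Added illustration,
not NetApp's code; the function names and the audit rules (which settings
count as weak) are this example's own choices."""

import re
from typing import Dict, List, Tuple

# Constructed sample input: the two policies shown in DISPLAYS plus a third,
# invented here, with the settings the audit is meant to flag.
POLICY_SHOW = """\
Index IPAddress/prefix/port/protocol   Dir/Policy Proto/SecLevel ealg/aalg
----- -------------------------------- ---------- -------------- ---------
2     172.25.0.0 /16/[139 ]/any ->     in /IPSEC  esp/restrict   3des/sha1
      172.25.102.47 /[any ]/any
1     172.25.102.47 /[any ]/any ->     out/IPSEC  esp/restrict   3des/sha1
      172.25.0.0 /16/[139 ]/any
3     10.1.0.0 /16/[any ]/6 ->         in /IPSEC  esp/permit     des/md5
      10.1.5.9 /[any ]/any
"""

# Constructed sample input: the SA shown in DISPLAYS plus an invented one
# that is no longer mature.
SA_SHOW = """\
Alg/State/Spi Current Bytes/CreatedTime SrcIPAddr->DstIPAddr
------------- ------------------------- --------------------
esp/M/0001388 0/20 Aug 2002 17:28:19    10.56.19.172->10.56.19.173
esp/d/0001389 4096/20 Aug 2002 17:30:02 10.56.19.173->10.56.19.172
"""

SA_STATES = {"M": "mature", "D": "dead", "d": "dying", "L": "larval"}
# address[/prefixlen]/[port]/ipproto, e.g. 172.25.0.0/16/[139]/any
ENDPOINT_RE = re.compile(
    r"^(?P<addr>[^/]+)(?:/(?P<prefix>\d+))?/\[(?P<port>[^\]]+)\]/(?P<ipproto>\S+)$")
# alg/state/spi  bytes/created-time  src->dst
SA_RE = re.compile(
    r"^(?P<alg>\S+)/(?P<state>[MDdL])/(?P<spi>\S+)\s+(?P<nbytes>\d+)/"
    r"(?P<created>.+?)\s+(?P<src>\S+)->(?P<dst>\S+)$")


def _squash(line: str) -> str:
    # Drop the padding the filer puts before '/' and ']' ("[139 ]", "in /IPSEC")
    # so that splitting on whitespace yields one token per column.
    return re.sub(r"\s+(?=[/\]])", "", line.strip())


def _endpoint(text: str) -> Dict[str, object]:
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unparseable endpoint: {text!r}")
    ep = m.groupdict()
    ep["prefix"] = int(ep["prefix"]) if ep["prefix"] else None  # None: host address
    return ep


def parse_policy_show(text: str) -> List[Dict[str, object]]:
    """Each policy spans two lines (source, then destination); header and
    separator lines are skipped because they do not start with an index."""
    lines = [_squash(l) for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        fields = lines[i].split()
        if not fields[0].isdigit():
            i += 1
            continue
        index, src, _arrow, dirpol, protolvl, algs = fields
        direction, policy = dirpol.split("/")
        proto, seclevel = protolvl.split("/")
        ealg, aalg = algs.split("/")
        entries.append({"index": int(index), "src": _endpoint(src),
                        "dst": _endpoint(lines[i + 1]), "direction": direction,
                        "policy": policy, "proto": proto, "seclevel": seclevel,
                        "ealg": ealg, "aalg": aalg})
        i += 2
    return entries


def parse_sa_show(text: str) -> List[Dict[str, object]]:
    sas = []
    for raw in text.splitlines():
        m = SA_RE.match(raw.strip())
        if m:                      # header and separator lines do not match
            sa = m.groupdict()
            sa["nbytes"] = int(sa["nbytes"])
            sas.append(sa)
    return sas


def audit_policies(policies) -> List[Tuple[int, str]]:
    """Flag -l permit (cleartext fallback when no SA is obtained) and ESP
    entries whose cipher is single DES or null."""
    findings = []
    for p in policies:
        if p["seclevel"] == "permit":
            findings.append((p["index"], "permit: traffic passes unprotected if no SA is obtained"))
        if p["proto"] == "esp" and p["ealg"] in ("des", "null"):
            findings.append((p["index"], "weak ESP cipher: " + p["ealg"]))
    return findings


def inactive_sas(sas) -> List[Tuple[str, str]]:
    """SAs not in state M (mature), with the state letter spelled out."""
    return [(sa["spi"], SA_STATES[sa["state"]]) for sa in sas if sa["state"] != "M"]
```

The parser's only real subtlety is the column padding: the filer prints "/16/[139 ]/any" and "in /IPSEC" with spaces inside the fields, so the script strips whitespace that precedes a "/" or "]" before splitting. On a real filer the same functions can be fed the captured output of ipsec policy show and ipsec sa show; a non-empty result from audit_policies is the list to review first, since a permit policy silently falls back to plaintext whenever IKE negotiation with the peer fails.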
CLUSTER CONSIDERATIONS
Each filer in a cluster maintains its own SPD and SAD. If the filer is in partner mode, the ipsec command manipulates the SPD/SAD of the partner. On takeover, all the existing Security Policies of the failed filer are taken over by the live filer; the SAs, however, must be re-negotiated.
EXAMPLES
ipsec policy add -s 10.56.19.172/24[139] -p esp -e des -a ah -d in
ipsec cert set -c my_cert -k my_key
SEE ALSO
psk.txt , keymgr
NOTES
The database entries are persistent across reboots: all Security Policies that exist at the time of a reboot are retained. If ipsec is to be used for a SnapMirror application, pre-shared keys are the only supported authentication mechanism.
Copyright © 1994-2008 NetApp, Inc.