AIX

  • 1.  how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Sun July 26, 2020 02:41 PM
    Hi All,

    I am trying to set up an IPSEC tunnel between two AIX systems as a POC. The document I am following is https://www.ibm.com/developerworks/aix/library/au-aix-ipsec-tunnel-config-2/

    I used the exact same xml configuration file, just replaced ALL 1.1.1.1 and 2.2.2.2 with the IPs on the left/right side. So the left side has
    <IKELocalIdentity>
    <IPV4_Address Value="10.0.0.11"/>
    </IKELocalIdentity>
    <IKERemoteIdentity>
    <IPV4_Address Value="10.0.0.12"/>
    </IKERemoteIdentity>
    ...

    and the right side:
    <IKELocalIdentity>
    <IPV4_Address Value="10.0.0.12"/>
    </IKELocalIdentity>
    <IKERemoteIdentity>
    <IPV4_Address Value="10.0.0.11"/>
    </IKERemoteIdentity>
    ...
    "lsdev -Cc ipsec" shows ipsec_v4 and ipsec_v6 available.

    "lssrc -g ike" and "lssrc -s isakmpd" show all services active.

    The problem is when I run "ike cmd=remove phase=1; ike cmd=activate phase=1;ike cmd=list verbose", the result is always the same:
    Phase 1 Tunnel ID: 1
    Local ID Type: N/A
    Local ID: N/A
    Remote ID Type: IPv4_Address
    Remote ID: 10.0.0.12
    Security Policy:
    Role: Responder
    Encryption Alg: N/A
    Auth Method: N/A
    Hash Alg: N/A
    Key Lifetime: 0 Seconds
    Key Lifesize: 0 Kbytes
    Key Rem Lifetime: 0 Seconds
    Key Refresh Overlap: 100%
    Tunnel Lifetime: 0 Seconds
    Tunnel Lifesize: 0 Kbytes
    Tun Rem Lifetime: 0 Seconds
    Status: Negotiating

    1. For some reason, the "Local ID Type" and "Local ID" are always N/A.
    2. Role is Responder instead of Both or Initiator
    3. No security Policy.
    4. Stays in Negotiating status.
    5. Ran tcpdump on each side, don't see any tcp/udp traffic.
    6. Enabled /var/adm/ipsec.log in /etc/syslog.conf, the only things I see are something like:
    Jul 26 07:41:41 ic-aix08 local4:info Tunnel Manager: 1: Removed P1 tunnel from collection (tid)
    Jul 26 07:41:45 ic-aix08 local4:info Tunnel Manager: 0: TM is processing a Connection_request_msg
    Jul 26 07:41:45 ic-aix08 local4:info Tunnel Manager: 1: Creating new P1 tunnel object (tid)
    Jul 26 07:41:51 ic-aix08 local4:info Tunnel Manager: 0: TM is processing a List_tunnels_msg

    So Remote ID is working but Local ID isn't. I tried some different configurations, like using FQDN instead of IPV4_Address, switching from IKEv1 to IKEv2; all have the same issue. Tried it with 4 different AIX LPARs with AIX 6.1 and AIX 7.1 OS, all have the same issue.

    Looks like I missed some pieces, but I couldn't figure out where they are; googled it and didn't find any clue.

    I have tried to follow http://ps-2.kev009.com/basil.holloway/ALL%20PDF/sg246066.pdf chapter 2.8, but didn't find any issue.

    "smit ips4_advanced" shows active filters:

    0:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:any:0-0:eq:500-500:local:inbound:all packets:0
    1:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:eq:500-500:any:0-0:local:outbound:all packets:0
    2:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:any:0-0:eq:4500-4500:local:inbound:all packets:0
    3:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:eq:4500-4500:any:0-0:local:outbound:all packets:0
    4:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:ah:any:0-0:any:0-0:both:inbound:all packets:0
    5:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:esp:any:0-0:any:0-0:both:inbound:all packets:0

    Any suggestion what might be the issue?

    Thanks.

    ------------------------------
    Jack Chen
    ------------------------------


  • 2.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Mon July 27, 2020 11:58 AM

    Hello Jack

    Can you please try the following? I look at the below as having 3 parts: removing, activating and listing:

    "ike cmd=remove phase=2 ; ike cmd=remove phase=1; ike cmd=activate phase=2; sleep 1; ike cmd=list verbose"

    While removing tunnels, can you please remove Phase2 before Phase1 as shown above?
         "ike cmd=remove phase=2 ; ike cmd=remove phase=1"

    The next is activation. Using "phase=2" during activation will activate both Phase1 and Phase2.

    Followed by a sleep, to give the activation and listing enough delay to reflect the proper state.

    ----------------------------------------------------------------
    I see the following in my setup before activation:
    ----------------------------------------------------------------
    # lsfilt -aO -v4
    1|*** Dynamic filter placement rule for IKE tunnels ***|no
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

    *** Dynamic table ***

    0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|any|0-0|eq|500-500|both|both|all packets|0
    1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|ah|any|0-0|any|0-0|both|inbound|all packets|0
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|esp|any|0-0|any|0-0|both|inbound|all packets|0

    ----------------------------------------------------------------
    And the following after activation (changed IPs):
    ----------------------------------------------------------------
    # lsfilt -aO -v4
    1|*** Dynamic filter placement rule for IKE tunnels ***|no
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

    *** Dynamic table ***

    0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|any|0-0|eq|500-500|both|both|all packets|0
    1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|ah|any|0-0|any|0-0|both|inbound|all packets|0
    2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|esp|any|0-0|any|0-0|both|inbound|all packets|0
    3|permit|10.0.0.11|10.0.0.11|10.0.0.12|10.0.0.12|no|all|any|0-0|any|0-0|both|outbound|all packets|IKE1
    4|permit|10.0.0.12|10.0.0.12|10.0.0.11|10.0.0.11|no|all|any|0-0|any|0-0|both|inbound|all packets|IKE1


    I hope the above command helps!

    AIX Knowledge Center link for all things IPsec: https://www.ibm.com/support/knowledgecenter/ssw_aix_72/security/ipsec_overview.html



    ------------------------------
    SHAILAJA MALLYA
    ------------------------------
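An added example, not code from the thread or from IBM: a small POSIX shell check that reads the `lsfilt -aO -v4` listing and confirms the per-peer dynamic rules (the two lines tagged IKE1 in the "after activation" listing above) exist for a given local/remote pair, which is a quick way to tell whether `ike cmd=activate phase=2` actually installed the tunnel. The sample listings are constructed from the reply; the field positions used (3 = source address, 5 = destination address, 14 = direction, last = tunnel tag) are read off those sample lines and are an assumption to verify against your own lsfilt header.

```shell
#!/bin/sh
# Added example, not part of the thread: confirm that "ike cmd=activate phase=2"
# installed the per-peer dynamic filter rules that the "after activation"
# lsfilt listing shows (the two rules tagged IKE1).  The listings below are
# constructed from that reply; on a live system you would run
#   lsfilt -aO -v4 | check_ike_filters 10.0.0.11 10.0.0.12
# Field positions (3 = source address, 5 = destination address, 14 = direction,
# last = tunnel tag) are read off the sample lines: an assumption to check
# against your own lsfilt header if the layout differs.

# check_ike_filters LOCAL_IP REMOTE_IP   (lsfilt output on stdin)
# Exit 0 when both the outbound local->remote and the inbound remote->local
# dynamic rules carrying an IKE<n> tag are present, 1 otherwise.
check_ike_filters() {
    awk -F'|' -v l="$1" -v r="$2" '
        /\*\*\* Dynamic table \*\*\*/ { dyn = 1; next }   # static table ends here
        dyn && $2 == "permit" && $NF ~ /^IKE[0-9]+$/ {
            if ($3 == l && $5 == r && $14 == "outbound") out = 1
            if ($3 == r && $5 == l && $14 == "inbound")  inb = 1
        }
        END { if (out && inb) exit 0; exit 1 }
    '
}

# Constructed sample: before activation the dynamic table holds only the
# IKE (udp/500), AH and ESP bootstrap rules.
sample_before() {
cat <<'EOF'
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

*** Dynamic table ***

0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|any|0-0|eq|500-500|both|both|all packets|0
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|ah|any|0-0|any|0-0|both|inbound|all packets|0
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|esp|any|0-0|any|0-0|both|inbound|all packets|0
EOF
}

# Constructed sample: after activation the pair-specific IKE1 rules appear.
sample_after() {
sample_before
cat <<'EOF'
3|permit|10.0.0.11|10.0.0.11|10.0.0.12|10.0.0.12|no|all|any|0-0|any|0-0|both|outbound|all packets|IKE1
4|permit|10.0.0.12|10.0.0.12|10.0.0.11|10.0.0.11|no|all|any|0-0|any|0-0|both|inbound|all packets|IKE1
EOF
}

# Stand-alone demonstration over both samples.
for s in sample_before sample_after; do
    if $s | check_ike_filters 10.0.0.11 10.0.0.12; then
        echo "$s: IKE tunnel rules present for 10.0.0.11 <-> 10.0.0.12"
    else
        echo "$s: no IKE tunnel rules for that peer pair (tunnel not active?)"
    fi
done
```

The check deliberately requires both directions: a single IKE1 rule would mean only one side of the pair was installed, which is worth noticing before concluding the tunnel carries traffic.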



  • 3.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Mon July 27, 2020 03:45 PM
    Thanks SHAILAJA, I finally made it work :-)

    My problem was I started with IKEv2, and the phase 1 tunnel always shows
    Local ID Type: N/A
    Local ID: N/A

    and tcpdump didn't capture any traffic, so I thought something was wrong with my local ID configuration.

    I later switched to IKEv1, got the same "Local ID N/A" result, so I assumed it's a Local ID configuration issue and didn't run tcpdump to see if there is communication.

    Turned out in AIX, if the two sides' configuration doesn't match, phase 1 will get stuck and "Local ID" will show as "N/A". So it doesn't mean something is wrong with Local ID, just that phase 1 is stuck. But since ike shows "Remote ID" correctly but "Local ID" as "N/A", it misled me.

    Once I made both sides' configuration match, IKEv1 phase 1 and phase 2 are all up.

    I later also made IKEv2 work; I found my original IKEv2 configuration was missing a line:
    IKE_PRF="PRF_HMAC_SHA1"

    Without this line, the IKEv2 initiator won't send out any packets for phase 1, it just quietly goes into the broken mode.

    ------------------------------
    Jack Chen
    ------------------------------
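An added example, not code from the thread or from IBM: a POSIX shell classifier for the `ike cmd=list verbose` output that encodes the lesson in the reply above, namely that "Status: Negotiating" together with "Local ID: N/A" is a phase 1 that never completed (a mismatch between the two sides' configuration, or for IKEv2 the missing IKE_PRF line), not a broken Local ID. The "Negotiating" sample is constructed from the listing in the first post; the "Active" sample and the "Status: Active" string are an assumed shape for a tunnel that came up, and the file that carries IKE_PRF is assumed to be the IKEv2 tunnel definition you load.

```shell
#!/bin/sh
# Added example, not part of the thread: classify the phase 1 tunnel shown by
# "ike cmd=list verbose".  On AIX a tunnel that stays in "Negotiating" with
# "Local ID: N/A" is a phase 1 that never completed, which points at the two
# sides' configuration not matching (or, for IKEv2, at a missing IKE_PRF
# setting), not at a broken Local ID.  The "Negotiating" sample below is
# constructed from the first post; the "Active" sample is an assumed shape.
# Usage on a live system:  ike cmd=list verbose | phase1_state

# phase1_state: prints "stuck", "up" or "unknown" for the listing on stdin.
phase1_state() {
    awk -F': *' '
        $1 ~ /^ *Local ID$/ { local_id = $2 }
        $1 ~ /^ *Status$/   { status = $2 }
        END {
            if (status == "Negotiating" && local_id == "N/A") print "stuck"
            else if (status == "Active")                       print "up"
            else                                               print "unknown"
        }
    '
}

# ikev2_prf_present: exit 0 if the configuration text on stdin carries the
# IKE_PRF setting the reply found missing (assumed to live in the IKEv2
# tunnel definition; pass whichever file you load).
ikev2_prf_present() {
    grep -q 'IKE_PRF=' 
}

# Constructed from the first post: the stuck responder-side phase 1.
sample_stuck() {
cat <<'EOF'
Phase 1 Tunnel ID: 1
Local ID Type: N/A
Local ID: N/A
Remote ID Type: IPv4_Address
Remote ID: 10.0.0.12
Security Policy:
Role: Responder
Encryption Alg: N/A
Auth Method: N/A
Hash Alg: N/A
Key Lifetime: 0 Seconds
Key Lifesize: 0 Kbytes
Key Rem Lifetime: 0 Seconds
Key Refresh Overlap: 100%
Tunnel Lifetime: 0 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 0 Seconds
Status: Negotiating
EOF
}

# Assumed shape of a tunnel that came up (field names as in the stuck sample).
sample_up() {
cat <<'EOF'
Phase 1 Tunnel ID: 1
Local ID Type: IPv4_Address
Local ID: 10.0.0.11
Remote ID Type: IPv4_Address
Remote ID: 10.0.0.12
Role: Initiator
Status: Active
EOF
}

# Stand-alone demonstration.
for s in sample_stuck sample_up; do
    echo "$s: $($s | phase1_state)"
done
# Constructed IKEv2 fragments: the first carries the PRF line, the second does not.
printf 'IKE_PRF="PRF_HMAC_SHA1"\n' | ikev2_prf_present && echo "IKE_PRF set"
printf '# no PRF line here\n'      | ikev2_prf_present || echo "IKE_PRF missing"
```

When the result is "stuck", the next check from the thread applies: run tcpdump for UDP port 500 on both sides, because a stuck initiator may never send a packet at all, and compare the two sides' tunnel definitions field by field rather than looking for a Local ID fault.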



  • 4.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Mon July 27, 2020 04:34 PM
    Hi SHAILAJA,

    I am wondering if you have successfully connected AIX to other systems with IPSec? Now I successfully connected two AIX systems with IPSec, but my real goal is to connect an AIX to another VPN server.

    I have tried to connect an AIX instance to an IBM Cloud VPN Gateway (probably based on StrongSwan), but got the error "received INVALID_SYNTAX notify error" during IKE SA initiation. I suspect AIX's ipsec implementation might not be fully compatible with newer VPN servers, but there is very little information online.


    ------------------------------
    Jack Chen
    ------------------------------



  • 5.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Tue July 28, 2020 10:16 AM
    Hello Jack

    Nice Job on getting the tunnels to work between AIX - AIX :).

    We have been able to configure IKE tunnels with other operating systems like tunnels between AIX - Libreswan on Linux, AIX - Windows and AIX - Zos (System Z). I have also heard of people who established tunnels between AIX - StrongSwan on Linux.

    If you can please share the XML + /etc/isakmpd.conf file on AIX and the configuration on the remote system end point (Linux), I can have a quick look and double check your configurations. [Please change your IPs to dummy IPs before sharing :) ]

    If I can't help with your config, then this could be a bug and I would recommend you open a Salesforce ticket.

    Step-by-Step Guide to open a ticket:
    https://www.ibm.com/mysupport/s/article/User-Administration
    Please follow the site's recommendations and use the 'help' link for any specific assistance.

    ------------------------------
    SHAILAJA MALLYA
    ------------------------------



  • 6.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Fri July 31, 2020 10:52 AM
    Thanks SHAILAJA, just want to give you an update, I was able to connect an AIX instance to a StrongSwan instance with ikev2 IPSEC. The reason it failed for me at the beginning is I added "ENABLE_IPSEC_NAT_TRAVERSAL" in AIX's /etc/isakmpd.conf file. Both AIX and StrongSwan are behind NAT, so I thought I needed to add it, but somehow it won't work. Once I removed it, the tunnel is up.


    ------------------------------
    Jack Chen
    ------------------------------



  • 7.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Fri July 31, 2020 11:17 AM
    Thanks for the update Jack. Good to know the tunnels are up.

    ------------------------------
    SHAILAJA MALLYA
    ------------------------------



  • 8.  RE: how to configure IPSEC tunnel on AIX 6.1/7.1

    Posted Mon August 24, 2020 06:50 AM
    Thanks for the update Jack

    ------------------------------
    JAPANDUHOC COM
    Blogger
    JAPANDUHOC
    Hải Phòng
    0961005230
    ------------------------------