Hi All,
I am trying to set up an IPsec tunnel between two AIX systems as a POC. The document I am following is
https://www.ibm.com/developerworks/aix/library/au-aix-ipsec-tunnel-config-2/
I used the exact same xml configuration file, just replaced ALL 1.1.1.1 and 2.2.2.2 with the IPs on the left/right side. So the left side has
<IKELocalIdentity>
<IPV4_Address Value="10.0.0.11"/>
</IKELocalIdentity>
<IKERemoteIdentity>
<IPV4_Address Value="10.0.0.12"/>
</IKERemoteIdentity>
...
and right side:
<IKELocalIdentity>
<IPV4_Address Value="10.0.0.12"/>
</IKELocalIdentity>
<IKERemoteIdentity>
<IPV4_Address Value="10.0.0.11"/>
</IKERemoteIdentity>
...
"lsdev -Cc ipsec" shows ipsec_v4 and ipsec_v6 available.
"lssrc -g ike" and "lssrc -s isakmpd" show all services active.
The problem is when I run "ike cmd=remove phase=1; ike cmd=activate phase=1; ike cmd=list verbose", the result is always the same:
Phase 1 Tunnel ID: 1
Local ID Type: N/A
Local ID: N/A
Remote ID Type: IPv4_Address
Remote ID: 10.0.0.12
Security Policy:
Role: Responder
Encryption Alg: N/A
Auth Method: N/A
Hash Alg: N/A
Key Lifetime: 0 Seconds
Key Lifesize: 0 Kbytes
Key Rem Lifetime: 0 Seconds
Key Refresh Overlap: 100%
Tunnel Lifetime: 0 Seconds
Tunnel Lifesize: 0 Kbytes
Tun Rem Lifetime: 0 Seconds
Status: Negotiating
1. For some reason, the "Local ID Type" and "Local ID" are always N/A.
2. Role is Responder instead of Both or Initiator.
3. No security policy.
4. Stays in Negotiating status.
5. Ran tcpdump on each side, don't see any tcp/udp traffic.
6. Enabled /var/adm/ipsec.log in /etc/syslog.conf; the only things I see are something like:
Jul 26 07:41:41 ic-aix08 local4:info Tunnel Manager: 1: Removed P1 tunnel from collection (tid)
Jul 26 07:41:45 ic-aix08 local4:info Tunnel Manager: 0: TM is processing a Connection_request_msg
Jul 26 07:41:45 ic-aix08 local4:info Tunnel Manager: 1: Creating new P1 tunnel object (tid)
Jul 26 07:41:51 ic-aix08 local4:info Tunnel Manager: 0: TM is processing a List_tunnels_msg
So Remote ID is working but Local ID doesn't. I tried some different configurations, like using FQDN instead of IPV4_Address, switching from IKEv1 to IKEv2; all have the same issue. Tried it with 4 different AIX LPARs with AIX 6.1 and AIX 7.1 OS, all have the same issue.
Looks like I missed some pieces, but I couldn't figure out where; googled it and didn't find any clue.
I have tried to follow
http://ps-2.kev009.com/basil.holloway/ALL%20PDF/sg246066.pdf chapter 2.8, but didn't find any issue.
"smit ips4_advanced" 3 (show active filters):
0:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:any:0-0:eq:500-500:local:inbound:all packets:0
1:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:eq:500-500:any:0-0:local:outbound:all packets:0
2:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:any:0-0:eq:4500-4500:local:inbound:all packets:0
3:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:udp:eq:4500-4500:any:0-0:local:outbound:all packets:0
4:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:ah:any:0-0:any:0-0:both:inbound:all packets:0
5:permit:0.0.0.0:0.0.0.0:0.0.0.0:0.0.0.0:no:esp:any:0-0:any:0-0:both:inbound:all packets:0
Any suggestion what might be the issue?
Thanks.
------------------------------
Jack Chen
------------------------------
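As an added example (not part of the post above, and not IBM's tooling), a small Python checker that reads the two quoted identity fragments, confirms the left and right sides are mirror images of each other, and parses the `ike cmd=list verbose` output to flag the symptoms listed in the post. The XML wrapper element `AIX_VPN` and the trimmed sample output are constructed here for the example; field names and values are taken from the post.

```python
import xml.etree.ElementTree as ET

# Constructed from the two fragments in the post, wrapped in a root so they parse.
LEFT_XML = """<AIX_VPN>
<IKELocalIdentity><IPV4_Address Value="10.0.0.11"/></IKELocalIdentity>
<IKERemoteIdentity><IPV4_Address Value="10.0.0.12"/></IKERemoteIdentity>
</AIX_VPN>"""
RIGHT_XML = """<AIX_VPN>
<IKELocalIdentity><IPV4_Address Value="10.0.0.12"/></IKELocalIdentity>
<IKERemoteIdentity><IPV4_Address Value="10.0.0.11"/></IKERemoteIdentity>
</AIX_VPN>"""

# Constructed sample: the relevant lines of the 'ike cmd=list verbose' output from the post.
IKE_LIST = """Phase 1 Tunnel ID: 1
Local ID Type: N/A
Local ID: N/A
Remote ID Type: IPv4_Address
Remote ID: 10.0.0.12
Security Policy:
Role: Responder
Encryption Alg: N/A
Auth Method: N/A
Hash Alg: N/A
Status: Negotiating"""

def identities(xml_text):
    """Return (local, remote) IPv4 identity values from one side's configuration."""
    root = ET.fromstring(xml_text)
    local = root.find("IKELocalIdentity/IPV4_Address").get("Value")
    remote = root.find("IKERemoteIdentity/IPV4_Address").get("Value")
    return local, remote

def sides_mirror(left_xml, right_xml):
    """True when each side's remote identity is the other side's local identity."""
    l_local, l_remote = identities(left_xml)
    r_local, r_remote = identities(right_xml)
    return l_local == r_remote and l_remote == r_local

def parse_ike_list(text):
    """Split 'Field: value' lines into a dict; the first colon separates field from value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def tunnel_findings(fields):
    """List the phase 1 symptoms seen in the post; an established tunnel yields none."""
    findings = []
    if fields.get("Local ID") == "N/A":
        findings.append("local identity not populated")
    if fields.get("Role") == "Responder":
        findings.append("tunnel is acting only as responder")
    if all(fields.get(k) == "N/A" for k in ("Encryption Alg", "Auth Method", "Hash Alg")):
        findings.append("no phase 1 security policy negotiated")
    if fields.get("Status") == "Negotiating":
        findings.append("phase 1 negotiation never completed")
    return findings
```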