Optimize IPSec in AIX with SA IDLE TIMEOUT

By RAJYA LAKSHMI MARATHU posted Tue January 04, 2022 01:52 AM


AIX is the leading enterprise-class operating system, providing secure, scalable, and robust infrastructure solutions for enterprises. AIX uses Internet Protocol Security (IPSec), an open-standard security technology developed by the Internet Engineering Task Force (IETF) to enable secure communications over the Internet.

IPSec in AIX provides a set of security services for traffic at the IP layer, for both IPv4 and IPv6, without requiring any changes to applications. The building block on which secure communication is built is the Security Association (SA); tunnels are defined to manage SAs between two hosts.

Once the IPSec Phase 1 and Phase 2 tunnels are created and move to the active state, they remain active even when there is no data traffic between the end points or when an end point goes down unexpectedly. The SA bundle remains in the "ACTIVE" state until its lifetime expires naturally or the user tears the tunnels down manually. This wastes system resources, which can in turn cause the creation of new SAs for other peers to fail.

This tutorial describes the "SA Idle Timeout" feature introduced in AIX 7.2 TL5, which addresses this problem by deleting SAs that have been idle for a specified time, reclaiming their resources and thus optimizing IPSec tunnels.

An Introduction
When IPsec is enabled in AIX, resources must be allocated to maintain each security association (SA) created between two peer nodes. An SA requires both memory and several timers that monitor its health or drive key exchange. If the peer associated with an SA is idle for a long time and no real data traffic flows through it, those resources are wasted.

The objective of SA Idle Timeout is to identify the SAs that are idle and tear down the corresponding inactive tunnels. With the introduction of the "IPSec SA Idle Timeout" feature in AIX, an SA idle timer can be configured to monitor the data traffic through an SA. When you set an SA idle timeout interval, in seconds, by using the SA_IDLE_TIMEOUT option, a timer is created to monitor the data traffic sent or received through the SA. If there is no traffic during the specified interval, the SA is deleted and an informational message (delete payload) is sent to the remote peer node, requesting it to delete the corresponding SA.

Configuration
AIX provides a configurable option for SA Idle Timeout. Setting the SA_IDLE_TIMEOUT attribute in the configuration file /etc/isakmpd.conf enables it. This is a global setting and applies to all phase-2 tunnels.

  • SA_IDLE_TIMEOUT is specified in seconds
  • The default value of SA_IDLE_TIMEOUT is zero
  • SA_IDLE_TIMEOUT is disabled by default
  • If /etc/isakmpd.conf has no SA_IDLE_TIMEOUT entry, the value is treated as zero and SA Idle Timeout is not enabled
  • SA_IDLE_TIMEOUT can be applied on the initiator, the responder, or both
  • SA_IDLE_TIMEOUT applies only to IKEv2

Example Configuration
# cat /etc/isakmpd.conf
SOCKS4_SERVER=
SOCKS4_PORTNUM=1080
SOCKS4_USERID=
LDAP_SERVER=
LDAP_VERSION=2
LDAP_SERVERPORT=389
LDAP_SEARCHTIME=10
CRL_FETCH_ORDER=HTTP,LDAP
MAIN_MODE_REQUIRES_IP=NO
IKE_FRAGMENTATION=NO
SA_IDLE_TIMEOUT=120
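The rules above (missing or empty entry means zero, zero means disabled, IKEv2 only) are easy to get wrong when the setting is rolled out across many hosts. The following is an added example, not code from the original post or from AIX: a small pre-flight checker that reads an isakmpd.conf-style file, computes the effective SA_IDLE_TIMEOUT, and cross-checks the IKE_Version attribute of each IKEProtection in the tunnel XML, warning when the timeout is set but a tunnel negotiates IKEv1 and so will never be idle-timed out. The sample configuration and the trimmed AIX_VPN fragments are constructed inline; treating lines beginning with "#" as comments is an assumption of this checker, not a documented isakmpd.conf rule.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/isakmpd.conf with the timeout enabled (same keys as the page).
CONF_ENABLED = """\
SOCKS4_SERVER=
SOCKS4_PORTNUM=1080
SOCKS4_USERID=
LDAP_SERVER=
LDAP_VERSION=2
LDAP_SERVERPORT=389
LDAP_SEARCHTIME=10
CRL_FETCH_ORDER=HTTP,LDAP
MAIN_MODE_REQUIRES_IP=NO
IKE_FRAGMENTATION=NO
SA_IDLE_TIMEOUT=120
"""

# Constructed sample with no SA_IDLE_TIMEOUT entry at all (must be treated as zero).
CONF_DISABLED = "\n".join(
    line for line in CONF_ENABLED.splitlines() if not line.startswith("SA_IDLE_TIMEOUT")
) + "\n"

# Constructed, trimmed AIX_VPN fragments carrying only the attributes this check reads.
XML_IKEV2 = """\
<AIX_VPN Version="2.0">
   <IKEProtection IKE_Role="Both" IKE_Version="2" IKE_ProtectionName="tun1P1Pol"/>
</AIX_VPN>
"""
XML_IKEV1 = XML_IKEV2.replace('IKE_Version="2"', 'IKE_Version="1"')


def parse_isakmpd_conf(text: str) -> dict:
    """Parse KEY=VALUE lines into a dict. Blank lines and '#' lines are skipped (assumption)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed isakmpd.conf line: {line!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_sa_idle_timeout(conf: dict) -> int:
    """Seconds of idle time before an SA is torn down; 0 means the feature is disabled.
    A missing or empty entry is treated as zero, matching the rules listed above."""
    raw = conf.get("SA_IDLE_TIMEOUT", "")
    if raw == "":
        return 0
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"SA_IDLE_TIMEOUT must be a non-negative integer (seconds), got {raw!r}")
    return int(raw)


def ike_versions(xml_text: str) -> dict:
    """Map each IKEProtection name in an AIX_VPN document to its IKE_Version attribute."""
    root = ET.fromstring(xml_text.strip())
    return {p.get("IKE_ProtectionName"): p.get("IKE_Version") for p in root.iter("IKEProtection")}


def check_idle_timeout(conf_text: str, xml_text: str):
    """Return (timeout_seconds, warnings) for one endpoint's isakmpd.conf and tunnel XML."""
    timeout = effective_sa_idle_timeout(parse_isakmpd_conf(conf_text))
    warnings = []
    if timeout == 0:
        warnings.append("SA_IDLE_TIMEOUT is 0 or absent: SA Idle Timeout is disabled on this endpoint")
        return timeout, warnings
    for name, version in ike_versions(xml_text).items():
        if version != "2":
            warnings.append(
                f"IKEProtection {name!r} has IKE_Version={version!r}; "
                "SA_IDLE_TIMEOUT applies only to IKEv2 tunnels, so it will not take effect here"
            )
    return timeout, warnings


if __name__ == "__main__":
    for label, conf, xml in [("enabled/IKEv2", CONF_ENABLED, XML_IKEV2),
                             ("absent/IKEv2", CONF_DISABLED, XML_IKEV2),
                             ("enabled/IKEv1", CONF_ENABLED, XML_IKEV1)]:
        timeout, warnings = check_idle_timeout(conf, xml)
        print(f"{label}: SA_IDLE_TIMEOUT={timeout}s", *warnings, sep="\n  ")
```

On a real host you would feed it the contents of /etc/isakmpd.conf and the XML file you loaded with ikedb -p; the checker only reads attributes that appear in the sample files at the end of this post.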

How It Works
The peer identified as the initiator begins the IKE negotiation. The agreement of this IKE security association (SA) is known as phase 1. The phase-1 parameters identify the remote peer, called the responder, and both end points agree on authentication and encryption mechanisms using a pre-shared key (PSK) or digital certificates. In short, phase 1 authenticates the remote peer and sets up a secure channel between the end points over which phase 2 is then established.

Phase-2 parameters define the algorithms used to encrypt and transfer data. Once the phase-2 tunnel is established, the IPsec tunnel is fully negotiated and traffic between the end points is allowed until the SA terminates.

Assume the initiator is configured with SA_IDLE_TIMEOUT=120 in /etc/isakmpd.conf. If there is no traffic between the two end points for more than 120 seconds, the initiator treats the tunnel as inactive, deletes the phase-2 tunnel, and sends a delete payload to the responder requesting that it delete its own SA.
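To make the timing concrete, here is an added simulation of the behaviour just described; it is a model written for this page, not AIX code. Each end point carries its own SA_IDLE_TIMEOUT (0 = disabled) and a last-traffic timestamp; the simulation ticks once per second, resets both end points' timers whenever data flows, and, on the end point where the timeout is set, deletes the phase-2 SA once the idle time exceeds the timeout and delivers a delete payload to the peer. The one-second tick, the strict "more than" comparison, and the immediate, loss-free delivery of the delete payload are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SaEndpoint:
    """One end of a phase-2 SA. sa_idle_timeout mirrors SA_IDLE_TIMEOUT (0 = disabled)."""
    name: str
    sa_idle_timeout: int
    state: str = "ACTIVE"
    last_traffic: int = 0
    deleted_at: Optional[int] = None
    reason: str = ""
    peer: Optional["SaEndpoint"] = field(default=None, repr=False)

    def note_traffic(self, now: int) -> None:
        # Data sent or received through the SA resets the idle timer.
        if self.state == "ACTIVE":
            self.last_traffic = now

    def tick(self, now: int) -> None:
        """Idle-timer check; it only fires on an end point with SA_IDLE_TIMEOUT > 0."""
        if self.state != "ACTIVE" or self.sa_idle_timeout == 0:
            return  # an end point without the timeout never tears down on its own
        idle = now - self.last_traffic
        if idle > self.sa_idle_timeout:
            self.state = "DELETED"
            self.deleted_at = now
            self.reason = f"idle {idle}s > SA_IDLE_TIMEOUT {self.sa_idle_timeout}s"
            # Informational exchange carrying a delete payload to the peer.
            self.peer.receive_delete_payload(now, self.name)

    def receive_delete_payload(self, now: int, sender: str) -> None:
        """The peer honours the request by deleting its own copy of the SA."""
        if self.state == "ACTIVE":
            self.state = "DELETED"
            self.deleted_at = now
            self.reason = f"delete payload from {sender}"


def simulate(initiator_timeout: int, responder_timeout: int, traffic_times, horizon: int):
    """Run the clock from 1..horizon seconds; traffic_times are seconds at which data flows."""
    ini = SaEndpoint("initiator", initiator_timeout)
    rsp = SaEndpoint("responder", responder_timeout)
    ini.peer, rsp.peer = rsp, ini
    traffic = set(traffic_times)
    for now in range(1, horizon + 1):
        if now in traffic:
            ini.note_traffic(now)
            rsp.note_traffic(now)
        ini.tick(now)
        rsp.tick(now)
    return ini, rsp


if __name__ == "__main__":
    # Constructed scenario from the text: timeout only on the initiator, last data at t=50s.
    ini, rsp = simulate(initiator_timeout=120, responder_timeout=0, traffic_times=[10, 50], horizon=300)
    for ep in (ini, rsp):
        print(f"{ep.name}: {ep.state} at t={ep.deleted_at} ({ep.reason})")
```

With the timeout only on the initiator, the responder's SA is removed because of the delete payload, not because of any timer of its own; with SA_IDLE_TIMEOUT=0 on both ends the SA stays ACTIVE for the whole run, which is the resource leak the feature addresses.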

SA Idle Timeout in Action
This section walks through an end-to-end scenario using IPSec with PSK and IKEv2 together with SA Idle Timeout. The SA Idle Timeout feature is specific to an end point: you can enable it on the initiator, the responder, or both.

To enable SA Idle Timeout on the initiator, add the SA_IDLE_TIMEOUT attribute to /etc/isakmpd.conf on the initiator:

# cat /etc/isakmpd.conf
SOCKS4_SERVER=
SOCKS4_PORTNUM=1080
SOCKS4_USERID=
LDAP_SERVER=
LDAP_VERSION=2
LDAP_SERVERPORT=389
LDAP_SEARCHTIME=10
CRL_FETCH_ORDER=HTTP,LDAP
MAIN_MODE_REQUIRES_IP=NO
IKE_FRAGMENTATION=NO
SA_IDLE_TIMEOUT=120

The configuration files used to create IPSec tunnels in AIX are in XML format. All the configurable parameters, including the IP addresses of both end points (initiator and responder), are set in the XML file.

Prepare the XML files for both end points and load them on each end point with the command ikedb -p <xml file>.
Verify that the XML files were loaded into the database successfully with the command ikedb -g.

The sample XML files used in this tutorial (1.local.xml and 1.remote.xml) are included for reference at the end.

To create the IPSec tunnels between the end points, run ike cmd=activate on the initiator.

To verify the tunnels, run ike cmd=list on both the initiator and the responder.

To see detailed tunnel information, run lstun -aO on both the initiator and the responder.
Because SA Idle Timeout is set only on the initiator, lstun -aO shows a timeout of 120 seconds (2 minutes) on the initiator, while on the responder it is not enabled (refer to the screenshot below).

With SA Idle Timeout set to 120 seconds on the initiator, if there is no data traffic between the end points for 120 seconds the tunnel becomes inactive. The initiator deletes the inactive phase-2 tunnel and sends a delete payload to the responder requesting it to delete its SA. This reclaims the system resources and thus optimises IPSec in AIX.

The phase-2 tunnel is deleted on the initiator and the phase-2 tunnel on the responder expires, as shown in the screenshot below.

Conclusion
The SA Idle Timeout feature introduced in AIX optimises IPSec tunnels and reclaims idle system resources, providing the following advantages:
  • Increased availability of resources
  • Improved scalability of IPSec deployments, because resources are no longer wasted
  • Deleting open inactive tunnels reduces the risk of security attacks
  • Recommended by the IKE specification, making AIX IPSec compliant with the standard

XML Config
# cat 1.local.xml
<?xml version="1.0"?>
<AIX_VPN
      Version="2.0">
   <IKEProtection
         IKE_Role="Both"
         IKE_XCHGMode="Main"
         IKE_Version="2"
         IKE_KeyOverlap="10"
         IKE_Flags_UseCRL="No"
         IKE_ProtectionName="tun1P1Pol"
         IKE_ResponderKeyRefreshMaxKB="200"
         IKE_ResponderKeyRefreshMinKB="1"
         IKE_ResponderKeyRefreshMaxMinutes="1440"
         IKE_ResponderKeyRefreshMinMinutes="1">
      <IKETransform
            IKE_Hash="SHA"
            IKE_DHGroup="2"
            IKE_KeyRefreshMinutes="60"
            IKE_Encryption="3DES-CBC"
            IKE_PRF="PRF_HMAC_SHA1"
            IKE_AuthenticationMethod="Preshared_key"/>
   </IKEProtection>
   <IKETunnel
         IKE_TunnelName="tun1P1"
         IKE_ProtectionRef="tun1P1Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="No">
      <IKELocalIdentity>
         <IPV4_Address
               Value="53.53.53.1"/>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <IPV4_Address
               Value="53.53.53.2"/>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKEPresharedKey
         Value="abcdefghabcdefgh"
         Format="ASCII">
      <IKEPresharedRemoteID>
         <PK_IPV4_Address
               Value="53.53.53.2"/>
      </IKEPresharedRemoteID>
   </IKEPresharedKey>
   <IPSecProposal
         IPSec_ProposalName="IPsec_3des_sha">
      <IPSecESPProtocol
            ESP_Encryption="ESP_3DES"
            ESP_Authentication="HMAC-MD5"
            ESP_KeyRefreshMinutes="30"
            ESP_EncapsulationMode="Transport"
            ESP_KeyRefreshKB="20000"
            ESP_ExtendedSeqNum="0"/>
   </IPSecProposal>
   <IPSecProposal
         IPSec_ProposalName="tun1P2Prop">
      <IPSecESPProtocol
            ESP_Encryption="ESP_3DES"
            ESP_Authentication="HMAC-SHA"
            ESP_KeyRefreshMinutes="3600"
            ESP_EncapsulationMode="Transport"
            ESP_KeyRefreshKB="20000"
            ESP_ExtendedSeqNum="0"/>
   </IPSecProposal>
   <IPSecProtection
         IPSec_Role="Both"
         IPSec_KeyOverlap="5"
         IPSec_ProposalRefs="IPsec_3des_sha"
         IPSec_ProtectionName="IPsec_no_pfs"
         IPSec_InitiatorDHGroup="0"
         IPSec_ResponderDHGroup="NO_PFS GROUP_1 GROUP_2 GROUP_5"
         IPSec_Flags_UseLifeSize="No"
         IPSec_Flags_UseCommitBit="No"
         IPSec_ResponderKeyRefreshMaxKB="0"
         IPSec_ResponderKeyRefreshMinKB="0"
         IPSec_ResponderKeyRefreshMaxMinutes="120"
         IPSec_ResponderKeyRefreshMinMinutes="1"/>
   <IPSecProtection
         IPSec_Role="Both"
         IPSec_KeyOverlap="10"
         IPSec_ProposalRefs="tun1P2Prop"
         IPSec_ProtectionName="tun1P2Pol"
         IPSec_InitiatorDHGroup="0"
         IPSec_ResponderDHGroup="NO_PFS GROUP_1 GROUP_2"
         IPSec_Flags_UseLifeSize="No"
         IPSec_Flags_UseCommitBit="No"
         IPSec_ResponderKeyRefreshMaxKB="200"
         IPSec_ResponderKeyRefreshMinKB="1"
         IPSec_ResponderKeyRefreshMaxMinutes="43200"
         IPSec_ResponderKeyRefreshMinMinutes="1"/>
   <IPSecTunnel
         IKE_TunnelName="tun1P1"
         IPSec_TunnelName="tun1P2"
         IPSec_ProtectionRef="tun1P2Pol"
         IPSec_Flags_OnDemand="No"
         IPSec_Flags_AutoStart="No">
      <IPSecLocalIdentity>
         <IPV4_Address_Range
               From_IPAddr="53.53.53.1"
               To_IPAddr="53.53.53.1"/>
      </IPSecLocalIdentity>
      <IPSecRemoteIdentity>
         <IPV4_Address_Range
               From_IPAddr="53.53.53.2"
               To_IPAddr="53.53.53.2"/>
      </IPSecRemoteIdentity>
   </IPSecTunnel>
</AIX_VPN>
 
# cat 1.remote.xml
<?xml version="1.0"?>
<AIX_VPN
      Version="2.0">
   <IKEProtection
         IKE_Role="Both"
         IKE_XCHGMode="Main"
         IKE_Version="2"
         IKE_KeyOverlap="10"
         IKE_Flags_UseCRL="No"
         IKE_ProtectionName="tun1P10Pol"
         IKE_ResponderKeyRefreshMaxKB="200"
         IKE_ResponderKeyRefreshMinKB="1"
         IKE_ResponderKeyRefreshMaxMinutes="1440"
         IKE_ResponderKeyRefreshMinMinutes="1">
      <IKETransform
            IKE_Hash="SHA"
            IKE_DHGroup="2"
            IKE_KeyRefreshMinutes="60"
            IKE_Encryption="3DES-CBC"
            IKE_PRF="PRF_HMAC_SHA1"
            IKE_AuthenticationMethod="Preshared_key"/>
   </IKEProtection>
   <IKETunnel
         IKE_TunnelName="tun1P1"
         IKE_ProtectionRef="tun1P10Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="No">
      <IKELocalIdentity>
         <IPV4_Address
               Value="53.53.53.2"/>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <IPV4_Address
               Value="53.53.53.1"/>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKEPresharedKey
         Value="abcdefghabcdefgh"
         Format="ASCII">
      <IKEPresharedRemoteID>
         <PK_IPV4_Address
               Value="53.53.53.1"/>
      </IKEPresharedRemoteID>
   </IKEPresharedKey>
   <IPSecProposal
         IPSec_ProposalName="IPsec_3des_sha">
      <IPSecESPProtocol
            ESP_Encryption="ESP_3DES"
            ESP_Authentication="HMAC-MD5"
            ESP_KeyRefreshMinutes="30"
            ESP_EncapsulationMode="Transport"
            ESP_KeyRefreshKB="20000"
            ESP_ExtendedSeqNum="0"/>
   </IPSecProposal>
   <IPSecProposal
         IPSec_ProposalName="tun1P2Prop">
      <IPSecESPProtocol
            ESP_Encryption="ESP_3DES"
            ESP_KeyRefreshMinutes="3600"
            ESP_EncapsulationMode="Transport"
            ESP_KeyRefreshKB="20000"
            ESP_Authentication="HMAC-SHA"
            ESP_ExtendedSeqNum="0"/>
   </IPSecProposal>
   <IPSecProtection
         IPSec_Role="Both"
         IPSec_KeyOverlap="5"
         IPSec_ProposalRefs="IPsec_3des_sha"
         IPSec_ProtectionName="IPsec_no_pfs"
         IPSec_InitiatorDHGroup="0"
         IPSec_ResponderDHGroup="NO_PFS GROUP_1 GROUP_2 GROUP_5"
         IPSec_Flags_UseLifeSize="No"
         IPSec_Flags_UseCommitBit="No"
         IPSec_ResponderKeyRefreshMaxKB="0"
         IPSec_ResponderKeyRefreshMinKB="0"
         IPSec_ResponderKeyRefreshMaxMinutes="120"
         IPSec_ResponderKeyRefreshMinMinutes="1"/>
   <IPSecProtection
         IPSec_Role="Both"
         IPSec_KeyOverlap="10"
         IPSec_ProposalRefs="tun1P2Prop"
         IPSec_ProtectionName="tun1P2Pol"
         IPSec_InitiatorDHGroup="0"
         IPSec_ResponderDHGroup="NO_PFS GROUP_1 GROUP_2"
         IPSec_Flags_UseLifeSize="No"
         IPSec_Flags_UseCommitBit="No"
         IPSec_ResponderKeyRefreshMaxKB="200"
         IPSec_ResponderKeyRefreshMinKB="1"
         IPSec_ResponderKeyRefreshMaxMinutes="43200"
         IPSec_ResponderKeyRefreshMinMinutes="1"/>
   <IPSecTunnel
         IKE_TunnelName="tun1P1"
         IPSec_TunnelName="tun1P2"
         IPSec_ProtectionRef="tun1P2Pol"
         IPSec_Flags_OnDemand="No"
         IPSec_Flags_AutoStart="No">
      <IPSecLocalIdentity>
         <IPV4_Address_Range
               From_IPAddr="53.53.53.2"
               To_IPAddr="53.53.53.2"/>
      </IPSecLocalIdentity>
      <IPSecRemoteIdentity>
         <IPV4_Address_Range
               From_IPAddr="53.53.53.1"
               To_IPAddr="53.53.53.1"/>
      </IPSecRemoteIdentity>
   </IPSecTunnel>
</AIX_VPN>