Internet Protocol Security (IPSec) commands
The storage system supports Internet Protocol Security (IPSec) connections. You specify a connection by using a connection file, which has the following format for the commands.
- conn conn_ID
- (Required) Specifies a connection definition with the name conn_ID. This line is immediately followed by the other parameters, one per line, without intervening blank lines. The connection definition ends with a blank line that follows all other parameters. The conn_ID is required by most IPSec commands except mkipsec, and is limited to the following characters: uppercase and lowercase alphabetic, numeric, dash (-), underscore (_), and period (.).
- authby = pubkey | rsasig | psk | secret
- pubkey | rsasig
- Specifies public key signature authentication, including rsasig (RSA digital signature). The default is pubkey if none of authby, leftauth, or rightauth is specified.
- psk | secret
- Specifies pre-shared key authentication.
Note: This parameter is deprecated, but still accepted, because two peers are not required to use the same authentication method. Use the leftauth and rightauth parameters to specify the individual authentication methods.
- auto = add | route | start
- add
- Specifies that the connection is loaded by the server, but disabled.
- route
- Specifies that the connection is loaded in such a way that if an attempt to connect is detected between the left and right peers, the connection is enabled.
- start
- Specifies that the connection is loaded by the server, and is enabled.
Note: This parameter is required in all connection definitions.
- esp = cipher_suites
- Specifies a list of ESP (Encapsulating Security Payload) encryption and integrity algorithm pairs that are used with a connection. cipher_suites is a comma-separated list of encryption and integrity algorithms, each with the following format:
- encryption-integrity[-dhgroup][-esnmode]
- encryption
- Specifies an encryption algorithm keyword.
- integrity
- Specifies an integrity algorithm keyword.
- dhgroup
- Specifies a Diffie-Hellman group keyword. If specified, a separate Diffie-Hellman exchange is used for CHILD_SA setup and rekeying.
- esnmode
- Specifies the extended sequence number support mode. The valid values are esn and noesn. The default is noesn if esnmode is not specified.
The following tables list the valid keywords for encryption, integrity, and dhgroup.

Table 1. Valid keywords for encryption, integrity, and dhgroup

| Keyword | Description | IANA | IKE | ESP |
|---|---|---|---|---|
| 3des | 168 bit 3DES-EDE-CBC | 3 | x o g a | k |
| cast128 | 128 bit CAST-CBC | 6 | o g a | k |
| blowfish128 or blowfish | 128 bit Blowfish-CBC | 7 | x o g a | k |
| blowfish192 | 192 bit Blowfish-CBC | 7 | x o g | k |
| blowfish256 | 256 bit Blowfish-CBC | 7 | x o g | k |
| null | Null encryption | 11 | - | k |
| aes128 or aes | 128 bit AES-CBC | 12 | x o g a | k |
| aes192 | 192 bit AES-CBC | 12 | x o g a | k |
| aes256 | 256 bit AES-CBC | 12 | x o g a | k |
| aes128ctr | 128 bit AES-COUNTER | 13 | x o g a | k |
| aes192ctr | 192 bit AES-COUNTER | 13 | x o g a | k |
| aes256ctr | 256 bit AES-COUNTER | 13 | x o g a | k |
| aes128ccm8 or aes128ccm64 | 128 bit AES-CCM with 64-bit ICV | 14 | x o g a | k |
| aes192ccm8 or aes192ccm64 | 192 bit AES-CCM with 64-bit ICV | 14 | x o g a | k |
| aes256ccm8 or aes256ccm64 | 256 bit AES-CCM with 64-bit ICV | 14 | x o g a | k |
| aes128ccm12 or aes128ccm96 | 128 bit AES-CCM with 96-bit ICV | 15 | x o g a | k |
| aes192ccm12 or aes192ccm96 | 192 bit AES-CCM with 96-bit ICV | 15 | x o g a | k |
| aes256ccm12 or aes256ccm96 | 256 bit AES-CCM with 96-bit ICV | 15 | x o g a | k |
| aes128ccm16 or aes128ccm128 | 128 bit AES-CCM with 128-bit ICV | 16 | x o g a | k |
| aes192ccm16 or aes192ccm128 | 192 bit AES-CCM with 128-bit ICV | 16 | x o g a | k |
| aes256ccm16 or aes256ccm128 | 256 bit AES-CCM with 128-bit ICV | 16 | x o g a | k |
| aes128gcm8 or aes128gcm64 | 128 bit AES-GCM with 64-bit ICV | 18 | x o g a | k |
| aes192gcm8 or aes192gcm64 | 192 bit AES-GCM with 64-bit ICV | 18 | x o g a | k |
| aes256gcm8 or aes256gcm64 | 256 bit AES-GCM with 64-bit ICV | 18 | x o g a | k |
| aes128gcm12 or aes128gcm96 | 128 bit AES-GCM with 96-bit ICV | 19 | x o g a | k |
| aes192gcm12 or aes192gcm96 | 192 bit AES-GCM with 96-bit ICV | 19 | x o g a | k |
| aes256gcm12 or aes256gcm96 | 256 bit AES-GCM with 96-bit ICV | 19 | x o g a | k |
| aes128gcm16 or aes128gcm128 | 128 bit AES-GCM with 128-bit ICV | 20 | x o g a | k |
| aes192gcm16 or aes192gcm128 | 192 bit AES-GCM with 128-bit ICV | 20 | x o g a | k |
| aes256gcm16 or aes256gcm128 | 256 bit AES-GCM with 128-bit ICV | 20 | x o g a | k |
| aes128gmac | Null encryption with 128-bit AES-GMAC | 21 | - | k |
| aes192gmac | Null encryption with 192-bit AES-GMAC | 21 | - | k |
| aes256gmac | Null encryption with 256-bit AES-GMAC | 21 | - | k |
| camellia128 or camellia | 128 bit Camellia-CBC | 23 | o g a | k |
| camellia192 | 192 bit Camellia-CBC | 23 | o g a | k |
| camellia256 | 256 bit Camellia-CBC | 23 | o g a | k |
| camellia128ctr | 128 bit Camellia-COUNTER | 24 | o g a | k |
| camellia192ctr | 192 bit Camellia-COUNTER | 24 | o g a | k |
| camellia256ctr | 256 bit Camellia-COUNTER | 24 | o g a | k |
| camellia128ccm8 or camellia128ccm64 | 128 bit Camellia-CCM with 64-bit ICV | 25 | o g a | |
| camellia192ccm8 or camellia192ccm64 | 192 bit Camellia-CCM with 64-bit ICV | 25 | o g a | |
| camellia256ccm8 or camellia256ccm64 | 256 bit Camellia-CCM with 64-bit ICV | 25 | o g a | |
| camellia128ccm12 or camellia128ccm96 | 128 bit Camellia-CCM with 96-bit ICV | 26 | o g a | |
| camellia192ccm12 or camellia192ccm96 | 192 bit Camellia-CCM with 96-bit ICV | 26 | o g a | |
| camellia256ccm12 or camellia256ccm96 | 256 bit Camellia-CCM with 96-bit ICV | 26 | o g a | |
| camellia128ccm16 or camellia128ccm128 | 128 bit Camellia-CCM with 128-bit ICV | 27 | o g a | |
| camellia192ccm16 or camellia192ccm128 | 192 bit Camellia-CCM with 128-bit ICV | 27 | o g a | |
| camellia256ccm16 or camellia256ccm128 | 256 bit Camellia-CCM with 128-bit ICV | 27 | o g a | |
Key:
- IANA
- IANA (Internet Assigned Numbers Authority) encryption number.
- x
- Default strongSwan built-in cryptographic library.
- o
- OpenSSL (Open SSL project) cryptographic library.
- g
- gcrypt (GNU cryptographic) cryptographic library.
- a
- AF_ALG user-space cryptographic API for the Linux 2.6.38 kernel or newer.
- k
- Linux 2.6 kernel.
| Keyword | Description | IANA | IKE | ESP | Info |
|---|---|---|---|---|---|
| md5 | MD5 HMAC | 1 | 96 bit | 96 bit | |
| md5_128 | MD5_128 HMAC | 6 | n/a | 128 bit | x |
| sha1 or sha | SHA1 HMAC | 2 | 96 bit | 96 bit | |
| sha1_160 | SHA1_160 HMAC | 7 | n/a | 160 bit | x |
| aesxcbc | AES XCBC | 5 | 96 bit | 96 bit | |
| sha2_256 or sha256 | SHA2_256_128 HMAC | 12 | 128 bit | 128 bit | t |
| sha2_384 or sha384 | SHA2_384_192 HMAC | 13 | 192 bit | 192 bit | |
| sha2_512 or sha512 | SHA2_512_256 HMAC | 14 | 256 bit | 256 bit | |
| sha2_256_96 or sha256_96 | SHA2_256_96 HMAC | p | 96 bit | 96 bit | t |
Key:
- IANA
- IANA (Internet Assigned Numbers Authority) integrity number.
- x
- Requires Linux 2.6.33 kernel or newer.
- t
- Before Linux 2.6.33, the Linux kernel incorrectly used 96-bit truncation for SHA-256.
- p
- strongSwan uses the value of 1026 from the IANA private use range.
| Keyword | DH Group | Modulus | IKE |
|---|---|---|---|
| modp768 | 1 | 768 bits | m o g |
| modp1024 | 2 | 1024 bits | m o g |
| modp1536 | 5 | 1536 bits | m o g |
| modp2048 | 14 | 2048 bits | m o g |
| modp3072 | 15 | 3072 bits | m o g |
| modp4096 | 16 | 4096 bits | m o g |
| modp6144 | 17 | 6144 bits | m o g |
| modp8192 | 18 | 8192 bits | m o g |
| Keyword | DH Group | Modulus | Subgroup | IKE |
|---|---|---|---|---|
| modp1024s160 | 22 | 1024 bits | 160 bits | m o g |
| modp2048s224 | 23 | 2048 bits | 224 bits | m o g |
| modp2048s256 | 24 | 2048 bits | 256 bits | m o g |
| Keyword | DH Group | Modulus | IKE |
|---|---|---|---|
| ecp192 | 25 | 192 bits | o |
| ecp224 | 26 | 224 bits | o |
| ecp256 | 19 | 256 bits | o |
| ecp384 | 20 | 384 bits | o |
| ecp521 | 21 | 521 bits | o |
Key:
- m
- GMP (GNU Multi-Precision) big number library.
- o
- OpenSSL (Open SSL project) cryptographic library.
- g
- gcrypt (GNU cryptographic) cryptographic library.
Note: The complete list of IANA transform type numbers can be found on the Internet Assigned Numbers Authority website.
- ike = cipher_suites
- Specifies a list of IKE/ISAKMP (Internet Key Exchange/Internet Security Association and Key Management Protocol) encryption, integrity, and Diffie-Hellman algorithms that are used with a connection. cipher_suites is a comma-separated list of entries with the following format:
- encryption-integrity-dhgroup
- encryption
- Specifies an encryption algorithm keyword.
- integrity
- Specifies an integrity algorithm keyword.
- dhgroup
- Specifies a Diffie-Hellman group keyword.
Note: The keywords for encryption, integrity, and dhgroup are listed in the tables under esp.
- keyexchange = ike | ikev2
- ike
- Specifies the protocol to be used to initialize a connection. The default is ike if keyexchange is not specified, and is equivalent to ikev2.
- ikev2
- Specifies that the IKE version 2 protocol is to be used to initialize the connection.
Note: The IKE version 1 protocol (ikev1) is not supported for customer-specified connections.
- type = tunnel | transport
- tunnel
- Specifies host-to-host, host-to-subnet, or subnet-to-subnet IPSec tunnel mode. The default is tunnel if type is not specified.
- transport
- Specifies a host-to-host IPSec transport mode.
The following keywords are defined in terms of the connection's left and right endpoints, or peers. The left connection endpoint is the local peer endpoint that is associated with the HMC, and the following documentation assumes this. The right connection endpoint is the remote peer endpoint.
- left/right = ip_address | fqdn | %any | %defaultroute
- ip_address
- Specifies the peer’s IP address in either IPv4 or IPv6 format.
- fqdn
- Specifies the peer’s IP address as a Fully Qualified Domain Name.
- %any
- When used with the right keyword, specifies that the remote peer’s IP address can be any IP address.
- %defaultroute
- When used with the left keyword, specifies the local peer’s IP address.
Note: The default value for the left keyword is %defaultroute, and the default for the right keyword is %any.
- leftauth/rightauth = pubkey | psk
- pubkey
- Specifies public key signature authentication, which includes RSA digital signature or Elliptic Curve DSA signature. The default is pubkey if none of authby, leftauth, or rightauth is specified.
- psk
- Specifies pre-shared key authentication.
- leftcert/rightcert = cert_name
- cert_name
- Specifies the file name of the peer’s X.509 certificate. The certificate file must be in PEM or DER format, and must be imported with the mkipseccert command.
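As an added example (not code from the original page or from the HMC or strongSwan tooling), the following Python script parses a connection file in the format described above and checks each definition against the rules stated here: the conn_ID character set, the required auto parameter, the deprecated authby parameter, and the esp (encryption-integrity[-dhgroup][-esnmode]) and ike (encryption-integrity-dhgroup) cipher_suites shapes. The sample file and the WEAK policy set are constructed assumptions, and the keyword sets are an abbreviated subset of the tables.

```python
import re

# Constructed sample in the connection-file format described above (not a real HMC configuration).
SAMPLE_CONF = """\
conn hmc-to-backup
auto=start
esp=aes256gcm16-sha2_256-modp2048-esn,aes128-sha256

conn legacy peer
authby=psk
esp=3des-md5
ike=aes128-sha1-modp1024
"""
# Keyword sets abbreviated from the page's tables; WEAK is an assumed local policy, not from the page.
ENCRYPTION = {"3des", "aes", "aes128", "aes192", "aes256", "aes128gcm16", "aes256gcm16", "null"}
INTEGRITY = {"md5", "sha1", "sha", "sha2_256", "sha256", "sha2_384", "sha384", "sha2_512", "sha512"}
DHGROUP = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521"}
WEAK = {"3des", "null", "md5", "sha1", "sha", "modp1024", "modp1536"}

def parse_conns(text):
    conns = {}
    for block in re.split(r"\n\s*\n", text.strip()):  # a blank line ends each conn definition
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].startswith("conn "):
            conns[lines[0][5:].strip()] = dict(map(str.strip, l.split("=", 1)) for l in lines[1:] if "=" in l)
    return conns

def check_suite(suite, kind):
    # esp suites are encryption-integrity[-dhgroup][-esnmode]; ike suites must be encryption-integrity-dhgroup.
    parts = suite.split("-")
    if kind == "esp" and parts[-1] in ("esn", "noesn"):
        parts.pop()
    n_ok = 2 <= len(parts) <= 3 if kind == "esp" else len(parts) == 3
    if not (n_ok and parts[0] in ENCRYPTION and parts[1] in INTEGRITY and (len(parts) == 2 or parts[2] in DHGROUP)):
        return [f"{kind}: malformed suite '{suite}'"]
    return [f"{kind}: weak algorithm '{p}'" for p in parts if p in WEAK]

def lint(text):
    # Returns {conn_ID: [findings]}; an empty list means the definition passed every check.
    report = {}
    for conn_id, params in parse_conns(text).items():
        checks = [(not re.fullmatch(r"[A-Za-z0-9._-]+", conn_id), "conn_ID has invalid characters"),
                  (params.get("auto") not in ("add", "route", "start"), "auto is required: add, route or start"),
                  ("authby" in params, "authby is deprecated; use leftauth/rightauth")]
        issues = [msg for bad, msg in checks if bad]
        for kind in ("esp", "ike"):
            for suite in filter(None, params.get(kind, "").split(",")):
                issues += check_suite(suite, kind)
        report[conn_id] = issues
    return report
```

Running `lint(SAMPLE_CONF)` reports no findings for the first definition and seven for the second, which makes it a convenient pre-check before a file is handed to mkipsec.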
The following Internet Protocol Security (IPSec) commands are available:
- chipsec
- The chipsec command modifies an existing Internet Protocol Security (IPSec) connection.
- lsipsec
- The lsipsec command displays a list of defined Internet Protocol Security (IPSec) connection configurations.
- lsipseccert
- The lsipseccert command displays a list of Internet Protocol Security (IPSec) certificates.
- mkipsec
- The mkipsec command creates an Internet Protocol Security (IPSec) connection by importing an Internet Protocol Security (IPSec) connection configuration file that contains a connection definition to the Hardware Management Console (HMC).
- mkipseccert
- The mkipseccert command imports an Internet Protocol Security (IPSec) certificate to the storage system.
- rmipsec
- The rmipsec command deletes an Internet Protocol Security (IPSec) connection from the IPSec server.
- rmipseccert
- The rmipseccert command deletes an Internet Protocol Security (IPSec) certificate from the Hardware Management Console (HMC).
- setipsec
- The setipsec command manages the Internet Protocol Security (IPSec) connections.