Configuring secure IP tunnels between the mover service partitions on the source and destination servers

With Virtual I/O Server (VIOS) 2.1.2.0, or later, you can configure secure IP tunnels between the mover service partitions (MSPs) on the source and destination servers. However, when both the source and destination servers are using the Virtual I/O Server 2.2.2.0, or later, the tunnels are created automatically depending on the security profile applied on the source VIOS.

Before you begin

Consider enabling secure IP tunnels between the MSP on the source server and the MSP on the destination server. For example, you might want to enable secure IP tunnels when the source and destination servers are not on a trusted network. Secure IP tunnels encrypt the partition state data that the MSP on the source server sends to the MSP on the destination server during active partition mobility.
Note: If the source server and target server are at firmware level FW920, or later, the PowerVM Hypervisor automatically encrypts the data that is transmitted by the MSPs, so you might not need to enable secure IP tunnels.

Before you start, complete the following tasks:

  1. Verify that the MSPs on the source and destination servers are at version 2.1.2.0, or later, by using the ioslevel command.
  2. Obtain the IP address of the MSP on the source server.
  3. Obtain the IP address of the MSP on the destination server.
  4. Obtain the preshared authentication key for the source and destination MSPs.

About this task

To configure and enable secure IP tunnels, complete the following steps:

Procedure

  1. List the available secure tunnel agents by using the lssvc command.
    For example:
    $lssvc
    ipsec_tunnel
  2. List all the attributes that are associated with the secure tunnel agent by using the cfgsvc command.
    For example:
    $cfgsvc ipsec_tunnel -ls
    local_ip
    remote_ip
    key
  3. Configure a secure tunnel between the MSP on the source server and the MSP on the destination server by using the cfgsvc command:
    cfgsvc ipsec_tunnel -attr local_ip=src_msp_ip remote_ip=dest_msp_ip key=key
    where:
    • src_msp_ip is the IP address of the MSP on the source server.
    • dest_msp_ip is the IP address of the MSP on the destination server.
    • key is the preshared authentication key for the MSPs on the source and destination servers. For example, abcderadf31231adsf.
  4. Enable the secure tunnel by using the startsvc command.
    For example:
    startsvc ipsec_tunnel
    Note: When you apply the High, Payment Card Industry (PCI), or Department of Defense (DoD) security profiles, the secure tunnel is created and active partition mobility is performed over this secure channel. The secure channel that was created automatically is destroyed when the partition mobility operation is complete.
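A pre-flight helper for the steps above, added here as an example and not part of the VIOS documentation: it checks the reported ioslevel against 2.1.2.0, validates both MSP addresses and the preshared key, and prints the cfgsvc and startsvc commands rather than running them. The ioslevel string, addresses and key are supplied by the caller; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the secure IP tunnel procedure (added example, not
# VIOS code). Nothing here runs cfgsvc or startsvc; the commands are printed
# so an administrator can review them before typing them on the MSP.

# Return 0 if four-part level $1 (e.g. "2.2.2.0") is >= level $2 ("2.1.2.0").
vios_level_ge() {
    have=$1; need=$2; i=1
    while [ "$i" -le 4 ]; do
        h=$(echo "$have" | cut -d. -f"$i"); n=$(echo "$need" | cut -d. -f"$i")
        h=${h:-0}; n=${n:-0}
        [ "$h" -gt "$n" ] && return 0
        [ "$h" -lt "$n" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Usage: tunnel_cmds <ioslevel> <src_msp_ip> <dest_msp_ip> <key>
# Prints the two commands from steps 3 and 4 once the inputs pass the checks
# from "Before you begin"; returns 1 with a reason on stderr otherwise.
# Constructed sample: tunnel_cmds 2.2.2.0 192.0.2.10 198.51.100.20 abcderadf31231adsf
tunnel_cmds() {
    vios_level_ge "$1" "2.1.2.0" || { echo "ioslevel $1 is below 2.1.2.0" >&2; return 1; }
    is_ipv4 "$2" || { echo "bad source MSP address: $2" >&2; return 1; }
    is_ipv4 "$3" || { echo "bad destination MSP address: $3" >&2; return 1; }
    [ "$2" != "$3" ] || { echo "source and destination MSP address are identical" >&2; return 1; }
    [ -n "$4" ] || { echo "preshared key is empty" >&2; return 1; }
    printf 'cfgsvc ipsec_tunnel -attr local_ip=%s remote_ip=%s key=%s\n' "$2" "$3" "$4"
    printf 'startsvc ipsec_tunnel\n'
}
```

Run the same checks with the roles swapped before configuring the destination MSP, since each side names the other as remote_ip.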