How To
Summary
This document explains how to use basic IPSec configuration to filter network traffic originating from or destined to the underlying AIX host.
Steps
# smitty ipsec4
Move cursor to desired item and press Enter.
Start/Stop IP Security
Basic IP Security Configuration
Advanced IP Security Configuration <----
Configure IP Security Filter Rules <----
List Active IP Security Filter Rules
Activate/Update/Deactivate IP Security Filter Rule
...
View IKE XML DTD
List IP Security Filter Rules
Add an IP Security Filter Rule <----
Change IP Security Filter Rules
Move IP Security Filter Rules
Export IP Security Filter Rules
Import IP Security Filter Rules
Delete IP Security Filter Rules
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Rule Action [permit] +
* IP Source Address []
* IP Source Mask []
IP Destination Address []
IP Destination Mask []
* Apply to Source Routing? (PERMIT/inbound only) [yes] +
* Protocol [all] +
* Source Port / ICMP Type Operation [any] +
* Source Port Number / ICMP Type [0] #
* Destination Port / ICMP Code Operation [any] +
* Destination Port Number / ICMP Type [0] #
* Routing [both] +
* Direction [both] +
* Log Control [no] +
* Fragmentation Control [0] +
* Interface [] +
Expiration Time (sec) [] #
Pattern Type [none] +
Pattern / Pattern File []
Description []
- Rule Action: Sets the action the rule takes, permit or deny, on packets that meet the criteria below. Default is "permit".
- IP Source Address: The IP source address of the TCP or UDP packet undergoing the filtering process.
- IP Source Mask: The netmask for the IP source address.
- IP Destination Address: The IP destination address of the TCP or UDP packet undergoing the filtering process.
- IP Destination Mask: The netmask for the IP destination address.
- Apply to Source Routing? (PERMIT/inbound only): Applies the current rule to the inbound traffic that meets the rule criteria. Default value is "yes".
- Protocol: Restricts the filter to a specific protocol within the TCP/IP protocol stack. Routing protocols such as OSPF can be specified as well. Default is "all".
- Source Port / ICMP Type Operation: The logical operation that defines the port (or range of ports) targeted by the current rule. The options are "eq", "neq", "lt", "gt", "le" and "ge", meaning "equal", "not equal", "less than", "greater than", "less than or equal" and "greater than or equal" respectively. The default option is "any".
- Source Port Number / ICMP Type: Filter based on the TCP or UDP source port of the packet undergoing the IPSec filtering process.
- Destination Port / ICMP Code Operation: The same operations as for the source port.
- Destination Port Number / ICMP Type: Filter based on the TCP or UDP destination port of the packet undergoing the IPSec filtering process.
- Direction: Filter based on the packet direction. The options are "inbound", "outbound" or "both", with "both" being the default.
- Interface: Specifies which network interface the current rule applies to. It can be specific to a single network interface or general for all interfaces.
Rule Action [deny] +
IP Source Address [0.0.0.0]
IP Source Mask [255.255.255.255]
IP Destination Address [9.40.205.53]
IP Destination Mask [255.255.255.0]
Apply to Source Routing? (PERMIT/inbound only) [yes] +
Protocol [icmp] +
Source Port / ICMP Type Operation [any] +
Source Port Number / ICMP Type [0] #
Destination Port / ICMP Code Operation [any] +
Destination Port Number / ICMP Type [0] #
Routing [both] +
Direction [inbound] +
Log Control [no] +
Fragmentation Control [all packets] +
Tunnel ID [0] +#
Interface [en0] +
Expiration Time (sec) [0] #
Pattern Type [none] +
Pattern / Pattern File []
Description []
Command: OK stdout: yes stderr: no
Before command completion, additional instructions may appear below.
Filter rule 3 for IPv4 has been added successfully.
# smitty ipsec4
<<Enter>>
Move cursor to desired item and press Enter.
Start/Stop IP Security <---- Choose this one
Basic IP Security Configuration
Advanced IP Security Configuration
<<Enter>>
Move cursor to desired item and press Enter.
Start IP Security <---- Choose this one
Stop IP Security
<<Enter>>
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
Start IP Security [Now and After Reboot] <---- +
Deny All Non_Secure IP Packets [no]
<<Enter>>
Command: OK stdout: yes stderr: no
Before command completion, additional instructions may appear below.
ipsec_v4 Available
Default rule for IPv4 in ODM has been changed.
Successfully set default action to PERMIT
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
# lsfilt -v4 -a
Beginning of IPv4 filter rules.
Rule 1:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control : no
Rule 2: <---- This is the rule of our interest.
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 255.255.255.255
Destination Address : 9.40.205.53
Destination Mask : 255.255.255.0
Source Routing : yes
Protocol : icmp
ICMP type : any 0
ICMP code : any 0
Scope : both
Direction : inbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : en0
Auto-Generated : no
Expiration Time : 0
Description :
Rule 3:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
End of IPv4 filter rules.
# ping 9.40.205.53
PING 9.40.205.53 (9.40.205.53): 56 data bytes
64 bytes from 9.40.205.53: icmp_seq=0 ttl=244 time=258.847 ms
64 bytes from 9.40.205.53: icmp_seq=317 ttl=244 time=253.621 ms
64 bytes from 9.40.205.53: icmp_seq=318 ttl=244 time=256.467 ms
64 bytes from 9.40.205.53: icmp_seq=319 ttl=244 time=251.794 ms
64 bytes from 9.40.205.53: icmp_seq=320 ttl=244 time=243.249 ms
64 bytes from 9.40.205.53: icmp_seq=321 ttl=244 time=253.040 ms
64 bytes from 9.40.205.53: icmp_seq=322 ttl=244 time=247.723 ms
64 bytes from 9.40.205.53: icmp_seq=323 ttl=244 time=398.772 ms
64 bytes from 9.40.205.53: icmp_seq=324 ttl=244 time=253.756 ms
64 bytes from 9.40.205.53: icmp_seq=325 ttl=244 time=245.174 ms
Request timeout for icmp_seq 326
Request timeout for icmp_seq 327
Request timeout for icmp_seq 328
Request timeout for icmp_seq 329
Request timeout for icmp_seq 330
Request timeout for icmp_seq 331
Request timeout for icmp_seq 332
Request timeout for icmp_seq 333
Request timeout for icmp_seq 334
Request timeout for icmp_seq 335
Request timeout for icmp_seq 336
Request timeout for icmp_seq 337
Request timeout for icmp_seq 338
Packet Number 33
ETH: ====( 98 bytes received on interface en0 )==== 13:49:03.366102470
ETH: [ 3c:8a:b0:00:8f:f0 -> 02:db:1d:33:d7:02 ] type 800 (IP)
IP: < SRC = 9.211.34.6 >
IP: < DST = 9.40.205.53 > (tcp53)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=84, ip_id=24869, ip_off=0
IP: ip_ttl=53, ip_sum=224e, ip_p = 1 (ICMP)
ICMP: icmp_type=8 (ECHO_REQUEST) icmp_id=61398 icmp_seq=13
Packet Number 34
ETH: ====( 98 bytes received on interface en0 )==== 13:49:04.439390156
ETH: [ 3c:8a:b0:00:8f:f0 -> 02:db:1d:33:d7:02 ] type 800 (IP)
IP: < SRC = 9.211.34.6 >
IP: < DST = 9.40.205.53 > (tcp53)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=84, ip_id=4743, ip_off=0
IP: ip_ttl=53, ip_sum=70ec, ip_p = 1 (ICMP)
ICMP: icmp_type=8 (ECHO_REQUEST) icmp_id=61398 icmp_seq=14
Packet Number 35
ETH: ====( 98 bytes received on interface en0 )==== 13:49:05.386043960
ETH: [ 3c:8a:b0:00:8f:f0 -> 02:db:1d:33:d7:02 ] type 800 (IP)
IP: < SRC = 9.211.34.6 >
IP: < DST = 9.40.205.53 > (tcp53)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=84, ip_id=14240, ip_off=0
IP: ip_ttl=53, ip_sum=4bd3, ip_p = 1 (ICMP)
ICMP: icmp_type=8 (ECHO_REQUEST) icmp_id=61398 icmp_seq=15
Packet Number 36
ETH: ====( 98 bytes received on interface en0 )==== 13:49:06.368631062
ETH: [ 3c:8a:b0:00:8f:f0 -> 02:db:1d:33:d7:02 ] type 800 (IP)
IP: < SRC = 9.211.34.6 >
IP: < DST = 9.40.205.53 > (tcp53)
IP: ip_v=4, ip_hl=20, ip_tos=0, ip_len=84, ip_id=20709, ip_off=0
IP: ip_ttl=53, ip_sum=328e, ip_p = 1 (ICMP)
ICMP: icmp_type=8 (ECHO_REQUEST) icmp_id=61398 icmp_seq=16
- Likewise, we can tailor these IPSec filtering criteria to match our needs, whether the filtering is IP-based, port-based or protocol-based.
- Referring to the IPSec filter table shown in step 12, we can see a number of rules displayed despite configuring just one rule. That introduces the "default IPSec filter rule", which lies at the end of the table.
- Filter rules in the table are checked from the beginning to the end until a match is found. If there is no match, the default rule applies.
- It's good for the default rule to be a permit one unless instructed otherwise.
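The following is an added example, not part of the IBM document: a small Python model of how the filter table listed by lsfilt above is evaluated, covering both the rule added through the smitty screen and the notes on first-match order and the default rule. Rules 2 and 3 are transcribed from the page's lsfilt output (rule 1, the IKE placement rule, carries no address criteria and is left out); the packets are constructed test inputs, the first of them mirroring the echo requests in the iptrace. Two points are assumptions of this example rather than statements from the page: that a rule address of 0.0.0.0 means "any host" regardless of mask (inferred from rule 2 blocking pings from 9.211.34.6), and the genfilt flag letters used to render the CLI equivalent of the smitty screen.

```python
# Added example, not from the IBM page: first-match evaluation of the AIX
# IPv4 filter table shown above, plus the genfilt equivalent of the screen.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "permit" or "deny"
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    protocol: str     # "icmp", "tcp", "udp", "all", ...
    direction: str    # "inbound", "outbound", "both"
    interface: str    # "en0", ... or "all"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    direction: str
    interface: str


# Transcribed from the page's `lsfilt -v4 -a` listing. Rule 1 (the dynamic
# IKE placement rule) has no address criteria and is omitted from the model.
TABLE = [
    Rule(2, "deny", "0.0.0.0", "255.255.255.255", "9.40.205.53", "255.255.255.0",
         "icmp", "inbound", "en0"),
    Rule(3, "permit", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0",
         "all", "both", "all"),  # the default rule, permit on this host
]


def addr_matches(packet_addr: str, rule_addr: str, rule_mask: str) -> bool:
    """Masked comparison of an address against a rule address/mask pair.
    Assumption: a rule address of 0.0.0.0 matches any host whatever the
    mask, which is how rule 2 (0.0.0.0/255.255.255.255) behaved on the page."""
    if rule_addr == "0.0.0.0":
        return True
    mask = int(ipaddress.IPv4Address(rule_mask))
    packet = int(ipaddress.IPv4Address(packet_addr))
    rule = int(ipaddress.IPv4Address(rule_addr))
    return (packet & mask) == (rule & mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(pkt.src, rule.src, rule.src_mask)
            and addr_matches(pkt.dst, rule.dst, rule.dst_mask)
            and rule.protocol in ("all", pkt.protocol)
            and rule.direction in ("both", pkt.direction)
            and rule.interface in ("all", pkt.interface))


def evaluate(table, pkt: Packet):
    """Walk the table top to bottom; the first matching rule decides.
    The last rule is the default rule and is expected to match everything."""
    for rule in table:
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no default rule at the end of the table")


def genfilt_command(rule: Rule) -> str:
    """CLI equivalent of the smitty 'Add an IP Security Filter Rule' screen
    (smitty runs genfilt underneath). Flag letters (-a D/P, -w I/O/B) follow
    the genfilt man page as the author of this example knows it; assumption."""
    action = {"deny": "D", "permit": "P"}[rule.action]
    direction = {"inbound": "I", "outbound": "O", "both": "B"}[rule.direction]
    cmd = (f"genfilt -v 4 -a {action} -s {rule.src} -m {rule.src_mask} "
           f"-d {rule.dst} -M {rule.dst_mask} -c {rule.protocol} -w {direction}")
    if rule.interface != "all":
        cmd += f" -i {rule.interface}"
    return cmd


# Constructed packets. ECHO_IN mirrors the echo requests in the iptrace above.
ECHO_IN = Packet("9.211.34.6", "9.40.205.53", "icmp", "inbound", "en0")
SSH_IN = Packet("9.211.34.6", "9.40.205.53", "tcp", "inbound", "en0")
ECHO_OUT = Packet("9.40.205.53", "9.211.34.6", "icmp", "outbound", "en0")
ECHO_IN_EN1 = Packet("9.211.34.6", "9.40.205.53", "icmp", "inbound", "en1")
# Destination mask 255.255.255.0 widens rule 2 to all of 9.40.205.0/24.
ECHO_IN_NEIGHBOUR = Packet("9.211.34.6", "9.40.205.77", "icmp", "inbound", "en0")

if __name__ == "__main__":
    for pkt in (ECHO_IN, SSH_IN, ECHO_OUT, ECHO_IN_EN1, ECHO_IN_NEIGHBOUR):
        print(pkt, "->", evaluate(TABLE, pkt))
    print(genfilt_command(TABLE[0]))
```

Running it shows the inbound echo request on en0 stopped by rule 2 while TCP, outbound ICMP and traffic on another interface fall through to the permit default rule. The ECHO_IN_NEIGHBOUR case is the caveat worth checking before activating a rule: the destination mask entered on the screen, 255.255.255.0, makes rule 2 match any address in 9.40.205.0/24 arriving on en0, not only the host itself; a single-host rule needs a destination mask of 255.255.255.255.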
Document Location
Worldwide
Document Information
Modified date:
02 June 2022
UID
ibm16590907