5.permissiondenied

permissiondenied  时间:2021-03-17  阅读:()
CopyrightIBMCorporation2010TrademarksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage1of14HeterogeneousIPSecsolutionbetweenAIXandWindowsAntoA.
JohnAkshayKaushikAugust24,2010Internetsecurityisamajorconcern.
InternetProtocolSecurity(IPSec)isaframeworkforasetofprotocolsthathelpsyouimplementsecurityattheIPpacketlevel.
IPSecworksacrossheterogeneousenvironmentstocreatesecuretunnelsforsafertransactions.
ThisarticletalksaboutwhatyoucangainfromconfiguringIPSectoaheterogeneousenvironmentbetweenAIXandWindows.
IntroductionIPSec(InternetProtocolSecurity)isaprotocolforsecuringIPcommunication.
ItauthenticatesandencryptseachIPpacketflowingthroughthenetwork.
Thisisparticularlyimportantwhenyoutrytointeroperatebetweendisparatesystemswithouttheworryofsecurityrisksbetweenthem.
Avirtualprivatenetwork(VPN)isanextensionofanenterprise'sprivateintranetacrossapublicnetworksuchastheInternet,creatingasecureprivateconnectionessentiallythroughaprivatetunnel.
VPNssecurelyconveyinformationacrosstheInternetconnectingremoteusers,branchoffices,andBusinessPartnersintoanextendedcorporatenetwork.
InaVPN,therearesecurityexposureseverywherealonganend-to-endpath:onthedial-uplink,inanISP'saccessbox,intheInternet,inthefirewallorrouter,andeveninthecorporateintranet.
Hence,therearisesaneedforthisVPNtobeprotected.
TheInternetEngineeringTaskForcehasrecommendedthatthetunneltrafficshouldbeprotectedwiththeIPSecprotocols.
HeterogeneityonendpointsinaVPNisextremelyhigh,anditdemandsthattheIPSecsolutionshouldworkwellwithheterogeneoussystemsandenvironments.
Hence,thisarticledealswiththeAIXIPSecsolutionandtheirconfigurationwithWindowsasanotherendpointtoshowcasetheheterogeneouscapabilityofthissolution.
ConfiguringWindows2000forIPSecTheconfigurationofIPSecforWindows2000requiresthecreationofthetunnelparametersandthekindofencryptionusingtheIPSecsnap-ins.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage2of14CreateacustomMMCconsoleTheWindows2000machinecanbeconfiguredandmonitoredusingtheMMC(MicrosoftManagementConsole).
IPSecsnap-insneedtobeaddedtothisconsole.
1.
FromtheWindowsdesktop,clickStart,clickRun,andintheOpentextboxtypemmc.
ClickOK.
2.
OntheFilemenu,clickAdd/RemoveSnap-in.
3.
IntheAdd/RemoveSnap-indialogbox,clickAdd.
4.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityPolicyManagement,andthenclickAdd.
5.
VerifythatLocalComputerisselected,andclickFinish.
6.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityMonitor,andthenclickAdd.
7.
ToclosetheAddStandaloneSnap-indialogbox,clickClose.
8.
ToclosetheAdd/RemoveSnap-indialogbox,clickOK.
9.
SavethisasIPSec.
mscforfutureuse.
IPSecSnap-inCreatingIPSecpoliciesInthisstep,wecreateanddefinetheIPSecpoliciesusingtheWindowsmachinethatnegotiateswiththeothermachines.
1.
IntheMMCConsole,right-clickIPSecurityPoliciesonLocalMachine,andthenclickCreateIPSecurityPolicy.
TheIPSecurityPolicyWizardappears.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage3of14IPSecurityPolicyWizard2.
ClickNext.
3.
TypePolicy1asthenameofyourpolicy,andclickNext.
4.
CleartheActivatethedefaultresponserulecheckbox,ifyouwouldliketosetyourownrules,andthenclickNext.
5.
MakesuretheEditPropertiescheckboxisselected(itisbydefault),andthenclickFinish.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage4of14IPSecPolicy1created6.
InthePropertiesdialogboxforthepolicyyouhavejustcreated,ensurethatUseAddWizardcheckboxinthelower-rightcornerisselected,andthenclickAddtostarttheSecurityRuleWizard.
7.
ClickNexttoproceedthroughtheSecurityRuleWizard,whichyoustartedattheendoftheprevioussection.
8.
SelectThisruledoesnotspecifyatunnel,(selectedbydefault)andthenclickNext.
9.
SelecttheradiobuttonforAllnetworkconnections,(selectedbydefault)andclickNext.
Creatingfilterrules1.
IntheIPFilterListdialogbox,clickAdd.
AnemptylistofIPfiltersisdisplayed.
NameyourfilterPolicy1FilterList.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage5of14IPFilterListPolicy1FilterList2.
MakesureUseAddWizardisselectedinthecenter-rightareaofthescreenandthenclickAdd.
ThisstartstheIPFilterWizard.
3.
ClickNexttocontinue.
4.
AcceptMyIPAddressasthedefaultsourceaddressbyclickingNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage6of145.
ChooseASpecificIPaddressfromthedrop-downlistbox;enteryourPartnersIPAddress.
Here,youcanmakeIPSeccommunicatewithmultiplehosts,aswellbydefiningasubnet,andthenclickNext.
6.
ClickNexttoaccepttheprotocoltypeofAny.
7.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andclickFinish.
8.
ClickClosetoleavetheIPFilterListdialogboxandreturntotheNewRuleWizard.
9.
IntheFilterListdialogbox,selecttheradiobuttonnexttoPolicy1FilterList.
Policy1FilterListcreated10.
ClickNextforconfiguringfilteraction.
ConfiguringfilteractionInthissection,wedefinethedifferentactionswhichthefiltersperform.
1.
IntheFilterdialogshowninFilterActionfigure,clicktoselecttheUseAddWizardcheckbox,andthenclickAdd.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage7of14FilterAction2.
ClickNexttoproceedthroughtheFilterActionWizard.
3.
NamethisfilteractionPolicy1FilterActionandclickNext.
4.
IntheFilterActionGeneralOptionsdialogbox,selectNegotiateSecurity,andthenclickNext.
5.
ClickDonotcommunicatewithcomputersthatdonotsupportIPSecfromthenextwizardpage,andthenclickNexttosecureyourmachinefromintruders.
6.
SelectCustomfromthelistofsecuritymethods,andthenclicksettings.
ThissectiongivesyouopportunitytoselectwhetheryouwouldliketohaveasecuritymethodwithAH(AuthenticationHeader)orwithESP(EncapsulatingSecurityPayload).
7.
SelectEncryptionalgorithmandhashingalgorithmyouwanttouseinyourIPSectunnelstoencryptthedata.
ClickOKtocomeoutofCustomSettings.
8.
ClickNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage8of14Selectingsecuritymethods9.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andthenclickFinishtoclosethiswizard.
10.
IntheFilterActiondialog,clicktheradiobuttonnexttoPolicy1FilterAction,andthenclickNext.
11.
IntheAuthenticationmethod,selecttheradiobuttonnexttoUsethisstringtoprotectthekeyexchange(presharedkey).
Youcanalsospecifythecertificatesifyoudon'twishtousethesymmetricpresharedkeys.
12.
GivethepresharedkeyyouwanttouseforauthenticationinIPSectunnel(forexample12345)andclickNext.
13.
MakesuretheEditpropertiescheckboxiscleared(thisisthedefaultsetting)andthenclickFinish.
Youhavejustconfiguredthefilteractionthatwillbeusedduringnegotiationswithyourpartner.
Notethatyoucanre-usethisfilteractioninotherpolicies.
14.
InthePropertiespagethatisnowdisplayed,clickClose.
YouhavesuccessfullyconfiguredanIPSecPolicy.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage9of14IPSecPolicy1createdAssigningpolicyRightclickonthepolicyyouhavejustcreatedandclickAssign.
Policy1assignedasIPSecSecurityPolicyConfiguringAIXforIPSecFortheIPSecnegotiationtogothrough,weneedtoopenupafewportsandprotocolsonthefirewall.
Theyare:developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage10of14PortsandprotocolsforIPSec-UDPport500(forISAKMPtraffic)Protocol-IPProtocol50(forESPtraffic)-IPProtocol51(forAHtraffic)-Andanyotherportaccordingtoyourenvironment.
AIXIPSecprerequisitesInstallAIXIPSecsoftwareandputonlatestIPSecpatches:IPSecfilesetsbos.
msg.
en_US.
net.
ipsecbos.
net.
ipsec.
keymgtbos.
net.
ipsec.
rtebos.
net.
ipsec.
websmbos.
crypto-privgskak.
rteTostarttheIPsecurityonAIX,runthefollowingcommand:Smittyipsec4------->start/stopIPSecurity-startIPSecurityStartIPsecurityTypeorselectvaluesinentryfields.
PressEnterAFTERmakingalldesiredchanges.
[EntryFields]StartIPSecurity[NowandAfterReboot]DenyAllNon_SecureIPPackets[no]PressEntertostarttheIPsecurity.
RunthefollowingcommandtocheckthestateoftheIPSecdevices.
#lsdev-CcipsecBoththedevicesshouldbeintheavailablestate(ipsec_v4andipsec_v6).
#lsdev-Ccipsecipsec_v4AvailableIPVersion4SecurityExtensionipsec_v6AvailableIPVersion6SecurityExtensionToconfiguretheIPSeconAIX,wefirstneedtocreatetheIPSecconfigurationfile.
ThisfileshouldbeinXMLfileformat.
SampleXMLfile(SavethefilewiththenameIPSECpolicy1)UpdatenewIPSecconfigurationintheIKEdatabase1.
WefirstneedtoremovethepreviousIPSecconfigurationintheIKEdatabase,andthenputthenewconfigurationfileintheikedb.
2.
Toremovethepreviousconfiguration,runthefollowingcommand:#ikedb-xP1_ITDdatabasecreatedsuccessfullyP2_ITDdatabasecreatedsuccessfullyP1_PREKEYdatabasecreatedsuccessfullyPROPOSAL_LISTdatabasecreatedsuccessfullyPROPOSALdatabasecreatedsuccessfullyPOLICYdatabasecreatedsuccessfullyGROUPdatabasecreatedsuccessfullyNDBM:/etc/ipsec/inet/DB/privkey3.
Toputthenewconfigurationfileinthedatabase,runthefollowingcommand:#ikedb-pIPSECpolicy1Checkifallthethreedaemons(tmd,isakmpdandcpsd)arerunning.
Thetmddaemontakescareofthetunnelmanagement,andtheisakmpddaemontakescareoftheIKEnegotiation.
Ifwearenotusingcertificatesforauthentication,thereisnoneedforthecpsddaemontorun.
Tostartthedaemons,runthefollowingcommand:#startsrc-gike0513-059ThecpsdSubsystemhasbeenstarted.
SubsystemPIDis434304.
0513-059ThetmdSubsystemhasbeenstarted.
SubsystemPIDis315554.
0513-059TheisakmpdSubsystemhasbeenstarted.
SubsystemPIDis401504.
Runthefollowingcommandtocheckifthedaemonsarestartedornot.
Ifthedaemonisstarted,thestatusofthatdaemonshouldbeactive.
#lssrc-gikeSubsystemGroupPIDStatuscpsdike241894activetmdike315550activeisakmpdike319648activeRunthefollowingcommandtocheckifanyIPSectunnelisactive:#ikecmd=listNotunnelsmatchyourrequest.
Ifyoudonotfindthetunnelsbetweenthemachinesyouactuallyintendtohavethetunnel,thenrunthefollowingcommandtoactivatethetunnels:#ikecmd=activatePhase2tunnel1activaterequestinitiated.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage13of14Nowtheikecmdcommandshouldlistthestateofthetunnelsforyou.
#ikecmd=listPhaseTunIdStatusLocalIdRemoteId11Dormant9.
124.
101.
1389.
124.
101.
17521Dormant9.
124.
101.
1389.
124.
101.
175Weneedtopingtheremotehosttoactivatethetunnels.
Oneortwopingrequestmaybedenieduntilthetunnelsbecomeactive.
Therequestswillbesuccessfulfromthenon.
#ping9.
124.
101.
175PING9.
124.
101.
175(9.
124.
101.
175):56databytesping:sendto:Permissiondeniedping:wrote9.
124.
101.
17564chars,ret=-164bytesfrom9.
124.
101.
175:icmp_seq=1ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=2ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=3ttl=255time=0msNowyouhavecreatedasuccessfulAIXtoWindowsIPSectunnelthatcanbefurtherusedforsecurecommunicationoverthenetwork.
ConclusionThisarticleshowcasestheabilityofAIXIPSectoworkacrossheterogeneousenvironments.
SimilartotheWindowsIPSecconfigurationreviewedinthisarticle,youcantryusingotheroperatingsystemstocommunicatesecurelywithAIXusingIPSec.
Doingsocanprovidegreatersecurityinaninsecurepublicnetworkwithheterogeneoussystems.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage14of14RelatedtopicsAnIllustratedGuidetoIPSecpSeriesandAIXInformationCenterInternetInformationServices(IIS)7.
0Administrator'sPocketConsultantbyWilliamR.
StanekStep-by-stepguidetoInternetProtocolSecurity(IPSec)Windows2000ServerCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)

HostMem,最新优惠促销,全场75折优惠,大硬盘VPS特价优惠,美国洛杉矶QuadraNet机房,KVM虚拟架构,KVM虚拟架构,2核2G内存240GB SSD,100Mbps带宽,27美元/年

HostMem近日发布了最新的优惠消息,全场云服务器产品一律75折优惠,美国洛杉矶QuadraNet机房,基于KVM虚拟架构,2核心2G内存240G SSD固态硬盘100Mbps带宽4TB流量,27美元/年,线路方面电信CN2 GT,联通CU移动CM,有需要美国大硬盘VPS云服务器的朋友可以关注一下。HostMem怎么样?HostMem服务器好不好?HostMem值不值得购买?HostMem是一家...

打开海外主机域名商出现"Attention Required"原因和解决

最近发现一个比较怪异的事情,在访问和登录大部分国外主机商和域名商的时候都需要二次验证。常见的就是需要我们勾选判断是不是真人。以及比如在刚才要访问Namecheap检查前几天送给网友域名的账户域名是否转出的,再次登录网站的时候又需要人机验证。这里有看到"Attention Required"的提示。我们只能手工选择按钮,然后根据验证码进行选择合适的标记。这次我要选择的是船的标识,每次需要选择三个,一...

享有云:美国BGP云服务器低至20元/月起,首月打折;香港2核2G2M仅50元/月起

享有云怎么样?享有云是一家新的国内云服务器商家,目前提供国内、香港及海外地区的云服务器,拥有多线路如:BGP线路、CN2线路、高防等云服务器,并且提供稳定、安全、弹性、高性能的云端计算服务,实时满足您的多样性业务需求。目前,美国bgp云服务器,5M带宽,低至20元/月起,270元/年起,首月打折;香港2核2G2M仅50元/月起,450元/年起!点击进入:享有云官方网站地址享有云优惠活动:一、美国B...

permissiondenied为你推荐
openeuler手机里的安全性open.wpapsk分别是什么意思xyq.163.cbg.com梦幻西游藏宝阁porndao单词prondao的汉语是什么www.228gg.comwww.a8tb.com这个网站该如何改善www.bbb551.com广州欢乐在线551要收费吗?sesehu.comwww.hu338.com 怎么看不到啊www.kaspersky.com.cn现在网上又有病毒了?555sss.comms真的是500万像素?m.yushuwu.org花样滑冰名将YU NA KIM的资料谁有?www.97yes.comwww.moyigui88.com是不是一个好网站呢
windows虚拟主机 虚拟主机99idc 未注册域名查询 域名备案中心 如何注销域名备案 idc评测 tk域名 秒杀预告 可外链网盘 服务器监测 linux使用教程 in域名 联通网站 我的世界服务器ip 稳定空间 netvigator 德国代理ip 热云 挂马检测工具 性能测试工具 更多