CopyrightIBMCorporation2010TrademarksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage1of14HeterogeneousIPSecsolutionbetweenAIXandWindowsAntoA.
JohnAkshayKaushikAugust24,2010Internetsecurityisamajorconcern.
InternetProtocolSecurity(IPSec)isaframeworkforasetofprotocolsthathelpsyouimplementsecurityattheIPpacketlevel.
IPSecworksacrossheterogeneousenvironmentstocreatesecuretunnelsforsafertransactions.
ThisarticletalksaboutwhatyoucangainfromconfiguringIPSectoaheterogeneousenvironmentbetweenAIXandWindows.
IntroductionIPSec(InternetProtocolSecurity)isaprotocolforsecuringIPcommunication.
ItauthenticatesandencryptseachIPpacketflowingthroughthenetwork.
Thisisparticularlyimportantwhenyoutrytointeroperatebetweendisparatesystemswithouttheworryofsecurityrisksbetweenthem.
Avirtualprivatenetwork(VPN)isanextensionofanenterprise'sprivateintranetacrossapublicnetworksuchastheInternet,creatingasecureprivateconnectionessentiallythroughaprivatetunnel.
VPNssecurelyconveyinformationacrosstheInternetconnectingremoteusers,branchoffices,andBusinessPartnersintoanextendedcorporatenetwork.
InaVPN,therearesecurityexposureseverywherealonganend-to-endpath:onthedial-uplink,inanISP'saccessbox,intheInternet,inthefirewallorrouter,andeveninthecorporateintranet.
Hence,therearisesaneedforthisVPNtobeprotected.
TheInternetEngineeringTaskForcehasrecommendedthatthetunneltrafficshouldbeprotectedwiththeIPSecprotocols.
HeterogeneityonendpointsinaVPNisextremelyhigh,anditdemandsthattheIPSecsolutionshouldworkwellwithheterogeneoussystemsandenvironments.
Hence,thisarticledealswiththeAIXIPSecsolutionandtheirconfigurationwithWindowsasanotherendpointtoshowcasetheheterogeneouscapabilityofthissolution.
ConfiguringWindows2000forIPSecTheconfigurationofIPSecforWindows2000requiresthecreationofthetunnelparametersandthekindofencryptionusingtheIPSecsnap-ins.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage2of14CreateacustomMMCconsoleTheWindows2000machinecanbeconfiguredandmonitoredusingtheMMC(MicrosoftManagementConsole).
IPSecsnap-insneedtobeaddedtothisconsole.
1.
FromtheWindowsdesktop,clickStart,clickRun,andintheOpentextboxtypemmc.
ClickOK.
2.
OntheFilemenu,clickAdd/RemoveSnap-in.
3.
IntheAdd/RemoveSnap-indialogbox,clickAdd.
4.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityPolicyManagement,andthenclickAdd.
5.
VerifythatLocalComputerisselected,andclickFinish.
6.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityMonitor,andthenclickAdd.
7.
ToclosetheAddStandaloneSnap-indialogbox,clickClose.
8.
ToclosetheAdd/RemoveSnap-indialogbox,clickOK.
9.
SavethisasIPSec.
mscforfutureuse.
IPSecSnap-inCreatingIPSecpoliciesInthisstep,wecreateanddefinetheIPSecpoliciesusingtheWindowsmachinethatnegotiateswiththeothermachines.
1.
IntheMMCConsole,right-clickIPSecurityPoliciesonLocalMachine,andthenclickCreateIPSecurityPolicy.
TheIPSecurityPolicyWizardappears.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage3of14IPSecurityPolicyWizard2.
ClickNext.
3.
TypePolicy1asthenameofyourpolicy,andclickNext.
4.
CleartheActivatethedefaultresponserulecheckbox,ifyouwouldliketosetyourownrules,andthenclickNext.
5.
MakesuretheEditPropertiescheckboxisselected(itisbydefault),andthenclickFinish.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage4of14IPSecPolicy1created6.
InthePropertiesdialogboxforthepolicyyouhavejustcreated,ensurethatUseAddWizardcheckboxinthelower-rightcornerisselected,andthenclickAddtostarttheSecurityRuleWizard.
7.
ClickNexttoproceedthroughtheSecurityRuleWizard,whichyoustartedattheendoftheprevioussection.
8.
SelectThisruledoesnotspecifyatunnel,(selectedbydefault)andthenclickNext.
9.
SelecttheradiobuttonforAllnetworkconnections,(selectedbydefault)andclickNext.
Creatingfilterrules1.
IntheIPFilterListdialogbox,clickAdd.
AnemptylistofIPfiltersisdisplayed.
NameyourfilterPolicy1FilterList.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage5of14IPFilterListPolicy1FilterList2.
MakesureUseAddWizardisselectedinthecenter-rightareaofthescreenandthenclickAdd.
ThisstartstheIPFilterWizard.
3.
ClickNexttocontinue.
4.
AcceptMyIPAddressasthedefaultsourceaddressbyclickingNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage6of145.
ChooseASpecificIPaddressfromthedrop-downlistbox;enteryourPartnersIPAddress.
Here,youcanmakeIPSeccommunicatewithmultiplehosts,aswellbydefiningasubnet,andthenclickNext.
6.
ClickNexttoaccepttheprotocoltypeofAny.
7.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andclickFinish.
8.
ClickClosetoleavetheIPFilterListdialogboxandreturntotheNewRuleWizard.
9.
IntheFilterListdialogbox,selecttheradiobuttonnexttoPolicy1FilterList.
Policy1FilterListcreated10.
ClickNextforconfiguringfilteraction.
ConfiguringfilteractionInthissection,wedefinethedifferentactionswhichthefiltersperform.
1.
IntheFilterdialogshowninFilterActionfigure,clicktoselecttheUseAddWizardcheckbox,andthenclickAdd.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage7of14FilterAction2.
ClickNexttoproceedthroughtheFilterActionWizard.
3.
NamethisfilteractionPolicy1FilterActionandclickNext.
4.
IntheFilterActionGeneralOptionsdialogbox,selectNegotiateSecurity,andthenclickNext.
5.
ClickDonotcommunicatewithcomputersthatdonotsupportIPSecfromthenextwizardpage,andthenclickNexttosecureyourmachinefromintruders.
6.
SelectCustomfromthelistofsecuritymethods,andthenclicksettings.
ThissectiongivesyouopportunitytoselectwhetheryouwouldliketohaveasecuritymethodwithAH(AuthenticationHeader)orwithESP(EncapsulatingSecurityPayload).
7.
SelectEncryptionalgorithmandhashingalgorithmyouwanttouseinyourIPSectunnelstoencryptthedata.
ClickOKtocomeoutofCustomSettings.
8.
ClickNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage8of14Selectingsecuritymethods9.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andthenclickFinishtoclosethiswizard.
10.
IntheFilterActiondialog,clicktheradiobuttonnexttoPolicy1FilterAction,andthenclickNext.
11.
IntheAuthenticationmethod,selecttheradiobuttonnexttoUsethisstringtoprotectthekeyexchange(presharedkey).
Youcanalsospecifythecertificatesifyoudon'twishtousethesymmetricpresharedkeys.
12.
GivethepresharedkeyyouwanttouseforauthenticationinIPSectunnel(forexample12345)andclickNext.
13.
MakesuretheEditpropertiescheckboxiscleared(thisisthedefaultsetting)andthenclickFinish.
Youhavejustconfiguredthefilteractionthatwillbeusedduringnegotiationswithyourpartner.
Notethatyoucanre-usethisfilteractioninotherpolicies.
14.
InthePropertiespagethatisnowdisplayed,clickClose.
YouhavesuccessfullyconfiguredanIPSecPolicy.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage9of14IPSecPolicy1createdAssigningpolicyRightclickonthepolicyyouhavejustcreatedandclickAssign.
Policy1assignedasIPSecSecurityPolicyConfiguringAIXforIPSecFortheIPSecnegotiationtogothrough,weneedtoopenupafewportsandprotocolsonthefirewall.
Theyare:developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage10of14PortsandprotocolsforIPSec-UDPport500(forISAKMPtraffic)Protocol-IPProtocol50(forESPtraffic)-IPProtocol51(forAHtraffic)-Andanyotherportaccordingtoyourenvironment.
AIXIPSecprerequisitesInstallAIXIPSecsoftwareandputonlatestIPSecpatches:IPSecfilesetsbos.
msg.
en_US.
net.
ipsecbos.
net.
ipsec.
keymgtbos.
net.
ipsec.
rtebos.
net.
ipsec.
websmbos.
crypto-privgskak.
rteTostarttheIPsecurityonAIX,runthefollowingcommand:Smittyipsec4------->start/stopIPSecurity-startIPSecurityStartIPsecurityTypeorselectvaluesinentryfields.
PressEnterAFTERmakingalldesiredchanges.
[EntryFields]StartIPSecurity[NowandAfterReboot]DenyAllNon_SecureIPPackets[no]PressEntertostarttheIPsecurity.
RunthefollowingcommandtocheckthestateoftheIPSecdevices.
#lsdev-CcipsecBoththedevicesshouldbeintheavailablestate(ipsec_v4andipsec_v6).
#lsdev-Ccipsecipsec_v4AvailableIPVersion4SecurityExtensionipsec_v6AvailableIPVersion6SecurityExtensionToconfiguretheIPSeconAIX,wefirstneedtocreatetheIPSecconfigurationfile.
ThisfileshouldbeinXMLfileformat.
SampleXMLfile(SavethefilewiththenameIPSECpolicy1)UpdatenewIPSecconfigurationintheIKEdatabase1.
WefirstneedtoremovethepreviousIPSecconfigurationintheIKEdatabase,andthenputthenewconfigurationfileintheikedb.
2.
Toremovethepreviousconfiguration,runthefollowingcommand:#ikedb-xP1_ITDdatabasecreatedsuccessfullyP2_ITDdatabasecreatedsuccessfullyP1_PREKEYdatabasecreatedsuccessfullyPROPOSAL_LISTdatabasecreatedsuccessfullyPROPOSALdatabasecreatedsuccessfullyPOLICYdatabasecreatedsuccessfullyGROUPdatabasecreatedsuccessfullyNDBM:/etc/ipsec/inet/DB/privkey3.
Toputthenewconfigurationfileinthedatabase,runthefollowingcommand:#ikedb-pIPSECpolicy1Checkifallthethreedaemons(tmd,isakmpdandcpsd)arerunning.
Thetmddaemontakescareofthetunnelmanagement,andtheisakmpddaemontakescareoftheIKEnegotiation.
Ifwearenotusingcertificatesforauthentication,thereisnoneedforthecpsddaemontorun.
Tostartthedaemons,runthefollowingcommand:#startsrc-gike0513-059ThecpsdSubsystemhasbeenstarted.
SubsystemPIDis434304.
0513-059ThetmdSubsystemhasbeenstarted.
SubsystemPIDis315554.
0513-059TheisakmpdSubsystemhasbeenstarted.
SubsystemPIDis401504.
Runthefollowingcommandtocheckifthedaemonsarestartedornot.
Ifthedaemonisstarted,thestatusofthatdaemonshouldbeactive.
#lssrc-gikeSubsystemGroupPIDStatuscpsdike241894activetmdike315550activeisakmpdike319648activeRunthefollowingcommandtocheckifanyIPSectunnelisactive:#ikecmd=listNotunnelsmatchyourrequest.
Ifyoudonotfindthetunnelsbetweenthemachinesyouactuallyintendtohavethetunnel,thenrunthefollowingcommandtoactivatethetunnels:#ikecmd=activatePhase2tunnel1activaterequestinitiated.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage13of14Nowtheikecmdcommandshouldlistthestateofthetunnelsforyou.
#ikecmd=listPhaseTunIdStatusLocalIdRemoteId11Dormant9.
124.
101.
1389.
124.
101.
17521Dormant9.
124.
101.
1389.
124.
101.
175Weneedtopingtheremotehosttoactivatethetunnels.
Oneortwopingrequestmaybedenieduntilthetunnelsbecomeactive.
Therequestswillbesuccessfulfromthenon.
#ping9.
124.
101.
175PING9.
124.
101.
175(9.
124.
101.
175):56databytesping:sendto:Permissiondeniedping:wrote9.
124.
101.
17564chars,ret=-164bytesfrom9.
124.
101.
175:icmp_seq=1ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=2ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=3ttl=255time=0msNowyouhavecreatedasuccessfulAIXtoWindowsIPSectunnelthatcanbefurtherusedforsecurecommunicationoverthenetwork.
ConclusionThisarticleshowcasestheabilityofAIXIPSectoworkacrossheterogeneousenvironments.
SimilartotheWindowsIPSecconfigurationreviewedinthisarticle,youcantryusingotheroperatingsystemstocommunicatesecurelywithAIXusingIPSec.
Doingsocanprovidegreatersecurityinaninsecurepublicnetworkwithheterogeneoussystems.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage14of14RelatedtopicsAnIllustratedGuidetoIPSecpSeriesandAIXInformationCenterInternetInformationServices(IIS)7.
0Administrator'sPocketConsultantbyWilliamR.
StanekStep-by-stepguidetoInternetProtocolSecurity(IPSec)Windows2000ServerCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Central美国独立日活动正在进行中,旗下美国达拉斯机房VPS 65折优惠,季付赠送双倍内存(需要发工单),Central租用的Hivelocity的机房,只支持信用卡和加密货币付款,不支持paypal,需要美国独服的可以谨慎入手试试。Central怎么样?Central便宜服务器,Central自称成立于2019年,主营美国达拉斯机房Linux vps、Windows vps、专用服务器和托管...
Hostigger 主机商在前面的文章中也有介绍过几次,这个商家运营时间是有一些年份,只不过在我们圈内好像之前出现的次数不多。最近这段时间商家有提供不限流量的VPS主机,逐渐的慢慢被人认识到。在前面的介绍到他们提供的机房还是比较多的,比如土耳其、美国等。今天看到Hostigger 商家居然改动挺大的,原来蛮好的域名居然这次连带官方域名都更换掉去掉一个G(Hostiger )。估摸着这个域名也是之前...
Hostodo发布了几款采用NVMe磁盘的促销套餐,从512MB内存起,最低年付14.99美元,基于KVM架构,开设在拉斯维加斯机房。这是一家成立于2014年的国外VPS主机商,主打低价VPS套餐且年付为主,基于OpenVZ和KVM架构,产品性能一般,数据中心目前在拉斯维加斯和迈阿密,支持使用PayPal或者支付宝等付款方式。下面列出几款NVMe硬盘套餐配置信息。CPU:1core内存:512MB...
permissiondenied为你推荐
外挂购买朋友,您好。我想请问一下,我在网络上购买了一个手游辅助器,他需要美国互联网瘫痪美国掐断中国互联网怎么办,我们如何解决?是否有后招?云爆发云出十里未及孤村什么意思老虎数码相机里的传感器CCD和CMO是什么意思?同一ip网站同IP的网站互相链接会被K吗?www.bbb336.comwww.zzfyx.com大家感觉这个网站咋样,给俺看看呀。多提意见哦。哈哈。同一服务器网站一个服务器放多个网站怎么设置?同一服务器网站服务器建设:一个服务器有多个网站该如何设置?www.haole012.comhttp://fj.qq.com/news/wm/wm012.htm 这个链接的视频的 第3分20秒开始的 背景音乐 是什么?8090lu.com8090向前冲电影 8090向前冲清晰版 8090向前冲在线观看 8090向前冲播放 8090向前冲视频下载地址??
泛域名 哈尔滨域名注册 域名交易网 本网站服务器在美国维护 唯品秀 securitycenter plesk asp.net主机 163网 美国php空间 网站被封 美国十次啦服务器 腾讯云分析 国外代理服务器软件 流量计费 vip购优惠 免费申请个人网站 爱奇艺vip免费领取 四核服务器 免费的域名 更多