CopyrightIBMCorporation2010TrademarksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage1of14HeterogeneousIPSecsolutionbetweenAIXandWindowsAntoA.
JohnAkshayKaushikAugust24,2010Internetsecurityisamajorconcern.
InternetProtocolSecurity(IPSec)isaframeworkforasetofprotocolsthathelpsyouimplementsecurityattheIPpacketlevel.
IPSecworksacrossheterogeneousenvironmentstocreatesecuretunnelsforsafertransactions.
ThisarticletalksaboutwhatyoucangainfromconfiguringIPSectoaheterogeneousenvironmentbetweenAIXandWindows.
IntroductionIPSec(InternetProtocolSecurity)isaprotocolforsecuringIPcommunication.
ItauthenticatesandencryptseachIPpacketflowingthroughthenetwork.
Thisisparticularlyimportantwhenyoutrytointeroperatebetweendisparatesystemswithouttheworryofsecurityrisksbetweenthem.
Avirtualprivatenetwork(VPN)isanextensionofanenterprise'sprivateintranetacrossapublicnetworksuchastheInternet,creatingasecureprivateconnectionessentiallythroughaprivatetunnel.
VPNssecurelyconveyinformationacrosstheInternetconnectingremoteusers,branchoffices,andBusinessPartnersintoanextendedcorporatenetwork.
InaVPN,therearesecurityexposureseverywherealonganend-to-endpath:onthedial-uplink,inanISP'saccessbox,intheInternet,inthefirewallorrouter,andeveninthecorporateintranet.
Hence,therearisesaneedforthisVPNtobeprotected.
TheInternetEngineeringTaskForcehasrecommendedthatthetunneltrafficshouldbeprotectedwiththeIPSecprotocols.
HeterogeneityonendpointsinaVPNisextremelyhigh,anditdemandsthattheIPSecsolutionshouldworkwellwithheterogeneoussystemsandenvironments.
Hence,thisarticledealswiththeAIXIPSecsolutionandtheirconfigurationwithWindowsasanotherendpointtoshowcasetheheterogeneouscapabilityofthissolution.
ConfiguringWindows2000forIPSecTheconfigurationofIPSecforWindows2000requiresthecreationofthetunnelparametersandthekindofencryptionusingtheIPSecsnap-ins.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage2of14CreateacustomMMCconsoleTheWindows2000machinecanbeconfiguredandmonitoredusingtheMMC(MicrosoftManagementConsole).
IPSecsnap-insneedtobeaddedtothisconsole.
1.
FromtheWindowsdesktop,clickStart,clickRun,andintheOpentextboxtypemmc.
ClickOK.
2.
OntheFilemenu,clickAdd/RemoveSnap-in.
3.
IntheAdd/RemoveSnap-indialogbox,clickAdd.
4.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityPolicyManagement,andthenclickAdd.
5.
VerifythatLocalComputerisselected,andclickFinish.
6.
IntheAddStandaloneSnap-indialogbox,clickIPSecurityMonitor,andthenclickAdd.
7.
ToclosetheAddStandaloneSnap-indialogbox,clickClose.
8.
ToclosetheAdd/RemoveSnap-indialogbox,clickOK.
9.
SavethisasIPSec.
mscforfutureuse.
IPSecSnap-inCreatingIPSecpoliciesInthisstep,wecreateanddefinetheIPSecpoliciesusingtheWindowsmachinethatnegotiateswiththeothermachines.
1.
IntheMMCConsole,right-clickIPSecurityPoliciesonLocalMachine,andthenclickCreateIPSecurityPolicy.
TheIPSecurityPolicyWizardappears.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage3of14IPSecurityPolicyWizard2.
ClickNext.
3.
TypePolicy1asthenameofyourpolicy,andclickNext.
4.
CleartheActivatethedefaultresponserulecheckbox,ifyouwouldliketosetyourownrules,andthenclickNext.
5.
MakesuretheEditPropertiescheckboxisselected(itisbydefault),andthenclickFinish.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage4of14IPSecPolicy1created6.
InthePropertiesdialogboxforthepolicyyouhavejustcreated,ensurethatUseAddWizardcheckboxinthelower-rightcornerisselected,andthenclickAddtostarttheSecurityRuleWizard.
7.
ClickNexttoproceedthroughtheSecurityRuleWizard,whichyoustartedattheendoftheprevioussection.
8.
SelectThisruledoesnotspecifyatunnel,(selectedbydefault)andthenclickNext.
9.
SelecttheradiobuttonforAllnetworkconnections,(selectedbydefault)andclickNext.
Creatingfilterrules1.
IntheIPFilterListdialogbox,clickAdd.
AnemptylistofIPfiltersisdisplayed.
NameyourfilterPolicy1FilterList.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage5of14IPFilterListPolicy1FilterList2.
MakesureUseAddWizardisselectedinthecenter-rightareaofthescreenandthenclickAdd.
ThisstartstheIPFilterWizard.
3.
ClickNexttocontinue.
4.
AcceptMyIPAddressasthedefaultsourceaddressbyclickingNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage6of145.
ChooseASpecificIPaddressfromthedrop-downlistbox;enteryourPartnersIPAddress.
Here,youcanmakeIPSeccommunicatewithmultiplehosts,aswellbydefiningasubnet,andthenclickNext.
6.
ClickNexttoaccepttheprotocoltypeofAny.
7.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andclickFinish.
8.
ClickClosetoleavetheIPFilterListdialogboxandreturntotheNewRuleWizard.
9.
IntheFilterListdialogbox,selecttheradiobuttonnexttoPolicy1FilterList.
Policy1FilterListcreated10.
ClickNextforconfiguringfilteraction.
ConfiguringfilteractionInthissection,wedefinethedifferentactionswhichthefiltersperform.
1.
IntheFilterdialogshowninFilterActionfigure,clicktoselecttheUseAddWizardcheckbox,andthenclickAdd.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage7of14FilterAction2.
ClickNexttoproceedthroughtheFilterActionWizard.
3.
NamethisfilteractionPolicy1FilterActionandclickNext.
4.
IntheFilterActionGeneralOptionsdialogbox,selectNegotiateSecurity,andthenclickNext.
5.
ClickDonotcommunicatewithcomputersthatdonotsupportIPSecfromthenextwizardpage,andthenclickNexttosecureyourmachinefromintruders.
6.
SelectCustomfromthelistofsecuritymethods,andthenclicksettings.
ThissectiongivesyouopportunitytoselectwhetheryouwouldliketohaveasecuritymethodwithAH(AuthenticationHeader)orwithESP(EncapsulatingSecurityPayload).
7.
SelectEncryptionalgorithmandhashingalgorithmyouwanttouseinyourIPSectunnelstoencryptthedata.
ClickOKtocomeoutofCustomSettings.
8.
ClickNext.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage8of14Selectingsecuritymethods9.
MakesuretheEditPropertiescheckboxiscleared(thisisthedefaultsetting),andthenclickFinishtoclosethiswizard.
10.
IntheFilterActiondialog,clicktheradiobuttonnexttoPolicy1FilterAction,andthenclickNext.
11.
IntheAuthenticationmethod,selecttheradiobuttonnexttoUsethisstringtoprotectthekeyexchange(presharedkey).
Youcanalsospecifythecertificatesifyoudon'twishtousethesymmetricpresharedkeys.
12.
GivethepresharedkeyyouwanttouseforauthenticationinIPSectunnel(forexample12345)andclickNext.
13.
MakesuretheEditpropertiescheckboxiscleared(thisisthedefaultsetting)andthenclickFinish.
Youhavejustconfiguredthefilteractionthatwillbeusedduringnegotiationswithyourpartner.
Notethatyoucanre-usethisfilteractioninotherpolicies.
14.
InthePropertiespagethatisnowdisplayed,clickClose.
YouhavesuccessfullyconfiguredanIPSecPolicy.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage9of14IPSecPolicy1createdAssigningpolicyRightclickonthepolicyyouhavejustcreatedandclickAssign.
Policy1assignedasIPSecSecurityPolicyConfiguringAIXforIPSecFortheIPSecnegotiationtogothrough,weneedtoopenupafewportsandprotocolsonthefirewall.
Theyare:developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage10of14PortsandprotocolsforIPSec-UDPport500(forISAKMPtraffic)Protocol-IPProtocol50(forESPtraffic)-IPProtocol51(forAHtraffic)-Andanyotherportaccordingtoyourenvironment.
AIXIPSecprerequisitesInstallAIXIPSecsoftwareandputonlatestIPSecpatches:IPSecfilesetsbos.
msg.
en_US.
net.
ipsecbos.
net.
ipsec.
keymgtbos.
net.
ipsec.
rtebos.
net.
ipsec.
websmbos.
crypto-privgskak.
rteTostarttheIPsecurityonAIX,runthefollowingcommand:Smittyipsec4------->start/stopIPSecurity-startIPSecurityStartIPsecurityTypeorselectvaluesinentryfields.
PressEnterAFTERmakingalldesiredchanges.
[EntryFields]StartIPSecurity[NowandAfterReboot]DenyAllNon_SecureIPPackets[no]PressEntertostarttheIPsecurity.
RunthefollowingcommandtocheckthestateoftheIPSecdevices.
#lsdev-CcipsecBoththedevicesshouldbeintheavailablestate(ipsec_v4andipsec_v6).
#lsdev-Ccipsecipsec_v4AvailableIPVersion4SecurityExtensionipsec_v6AvailableIPVersion6SecurityExtensionToconfiguretheIPSeconAIX,wefirstneedtocreatetheIPSecconfigurationfile.
ThisfileshouldbeinXMLfileformat.
SampleXMLfile(SavethefilewiththenameIPSECpolicy1)UpdatenewIPSecconfigurationintheIKEdatabase1.
WefirstneedtoremovethepreviousIPSecconfigurationintheIKEdatabase,andthenputthenewconfigurationfileintheikedb.
2.
Toremovethepreviousconfiguration,runthefollowingcommand:#ikedb-xP1_ITDdatabasecreatedsuccessfullyP2_ITDdatabasecreatedsuccessfullyP1_PREKEYdatabasecreatedsuccessfullyPROPOSAL_LISTdatabasecreatedsuccessfullyPROPOSALdatabasecreatedsuccessfullyPOLICYdatabasecreatedsuccessfullyGROUPdatabasecreatedsuccessfullyNDBM:/etc/ipsec/inet/DB/privkey3.
Toputthenewconfigurationfileinthedatabase,runthefollowingcommand:#ikedb-pIPSECpolicy1Checkifallthethreedaemons(tmd,isakmpdandcpsd)arerunning.
Thetmddaemontakescareofthetunnelmanagement,andtheisakmpddaemontakescareoftheIKEnegotiation.
Ifwearenotusingcertificatesforauthentication,thereisnoneedforthecpsddaemontorun.
Tostartthedaemons,runthefollowingcommand:#startsrc-gike0513-059ThecpsdSubsystemhasbeenstarted.
SubsystemPIDis434304.
0513-059ThetmdSubsystemhasbeenstarted.
SubsystemPIDis315554.
0513-059TheisakmpdSubsystemhasbeenstarted.
SubsystemPIDis401504.
Runthefollowingcommandtocheckifthedaemonsarestartedornot.
Ifthedaemonisstarted,thestatusofthatdaemonshouldbeactive.
#lssrc-gikeSubsystemGroupPIDStatuscpsdike241894activetmdike315550activeisakmpdike319648activeRunthefollowingcommandtocheckifanyIPSectunnelisactive:#ikecmd=listNotunnelsmatchyourrequest.
Ifyoudonotfindthetunnelsbetweenthemachinesyouactuallyintendtohavethetunnel,thenrunthefollowingcommandtoactivatethetunnels:#ikecmd=activatePhase2tunnel1activaterequestinitiated.
ibm.
com/developerWorks/developerWorksHeterogeneousIPSecsolutionbetweenAIXandWindowsPage13of14Nowtheikecmdcommandshouldlistthestateofthetunnelsforyou.
#ikecmd=listPhaseTunIdStatusLocalIdRemoteId11Dormant9.
124.
101.
1389.
124.
101.
17521Dormant9.
124.
101.
1389.
124.
101.
175Weneedtopingtheremotehosttoactivatethetunnels.
Oneortwopingrequestmaybedenieduntilthetunnelsbecomeactive.
Therequestswillbesuccessfulfromthenon.
#ping9.
124.
101.
175PING9.
124.
101.
175(9.
124.
101.
175):56databytesping:sendto:Permissiondeniedping:wrote9.
124.
101.
17564chars,ret=-164bytesfrom9.
124.
101.
175:icmp_seq=1ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=2ttl=255time=0ms64bytesfrom9.
124.
101.
175:icmp_seq=3ttl=255time=0msNowyouhavecreatedasuccessfulAIXtoWindowsIPSectunnelthatcanbefurtherusedforsecurecommunicationoverthenetwork.
ConclusionThisarticleshowcasestheabilityofAIXIPSectoworkacrossheterogeneousenvironments.
SimilartotheWindowsIPSecconfigurationreviewedinthisarticle,youcantryusingotheroperatingsystemstocommunicatesecurelywithAIXusingIPSec.
Doingsocanprovidegreatersecurityinaninsecurepublicnetworkwithheterogeneoussystems.
developerWorksibm.
com/developerWorks/HeterogeneousIPSecsolutionbetweenAIXandWindowsPage14of14RelatedtopicsAnIllustratedGuidetoIPSecpSeriesandAIXInformationCenterInternetInformationServices(IIS)7.
0Administrator'sPocketConsultantbyWilliamR.
StanekStep-by-stepguidetoInternetProtocolSecurity(IPSec)Windows2000ServerCopyrightIBMCorporation2010(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
wordpress公司网站模板,wordpresss简洁风格的高级通用自适应网站效果,完美自适应支持多终端移动屏幕设备功能,高级可视化后台自定义管理模块+规范高效的搜索优化。wordpress公司网站模板采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera等;同时...
digital-vm在日本东京机房当前提供1Gbps带宽、2Gbps带宽、10Gbps带宽接入的独立服务器,每个月自带10T免费流量,一个独立IPv4。支持额外购买流量:20T-$30/月、50T-$150/月、100T-$270美元/月;也支持额外购买IPv4,/29-$5/月、/28-$13/月。独立从下单开始一般24小时内可以上架。官方网站:https://digital-vm.com/de...
RAKsmart怎么样?RAKsmart是一家由华人运营的国外主机商,提供的产品包括独立服务器租用和VPS等,可选数据中心包括美国加州圣何塞、洛杉矶、中国香港、韩国、日本、荷兰等国家和地区数据中心(部分自营),支持使用PayPal、支付宝等付款方式,网站可选中文网页,提供中文客服支持。本月商家继续提供每日限量秒杀服务器月付30.62美元起,除了常规服务器外,商家美国/韩国/日本站群服务器、1-10...
permissiondenied为你推荐
酒店回应名媛拼单酒店分房时出现单男单女时,怎样处理?2020双十一成绩单2020考研成绩出分后需要做什么?安徽汽车网中国汽车十大品牌mathplayer比较word,TeX,MathML中的数学公式处理方式的异同点,尽量详细哦,分数不是问题,谢谢哈,会加分的。lunwenjiance我写的论文,检测相似度是21.63%,删掉参考文献后就只有6.3%,这是为什么?蒋存祺蒋存祺的主要事迹rawtools照片上面的RAW是什么意思,为什么不能到PS中去编辑www.qq530.com谁能给我一个听歌的网站?haole16.com高手们帮我看看我的新网站WWW.16mngt.com怎么不被收录啊?抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?
传奇服务器租用 美国加州vps duniu 空间打开慢 dropbox网盘 炎黄盛世 789电视网 刀片式服务器 tna官网 ftp免费空间 能外链的相册 域名与空间 阿里云免费邮箱 主机管理系统 域名和主机 阿里云邮箱申请 卡巴斯基官网下载 脚本大全 美国代理服务器 cdn加速技术 更多