How to simplify and centralize IPSec management on AIX

Source: Internet
Author: User
Tags: command line, ldap

Overview

Internet Protocol Security (IPSec) is a suite of protocols that provides a wide range of security services. Individual users or organizations can use IPSec to protect the traffic of all applications without modifying the applications themselves. IPSec uses authentication, integrity checking, and encryption to protect data traffic. Because the protection is provided at the IP layer of the communication stack, no changes to applications are needed. However, each machine must be configured separately before it can use IPSec.

This article describes the AIX IPSec management feature, which simplifies applying and managing IPSec configuration across large networks. The feature centralizes configuration management by maintaining and distributing IPSec configuration through the Lightweight Directory Access Protocol (LDAP), which serves as the central repository. This feature is supported from AIX v61v/71h.

The need for IPSec simplification

Currently, systems that use IPSec tunneling must be configured individually, either through an XML configuration file or from the command line. When only a few systems are involved the workload may not be large, but in a large enterprise with many systems, configuration can be a daunting task. To establish an IPSec tunnel between two systems, more than 20 configuration parameters must be set, and only a few of them are machine-specific.

Because of the large number of configuration parameters, IPSec configuration is both error-prone and time-consuming. To reduce the workload and the risk of misconfiguration, AIX IPSec adds a new feature that simplifies the entire process for the enterprise. This feature provides:

The ability to store multiple sets of IPSec configuration policies on an LDAP server for centralized management.

The ability to define IPSec configuration policies and associate each one with a set of hosts. All machines associated with an IPSec configuration policy use the same set of IPSec configurations (rules), as defined by an XML file. A machine can be associated with only one policy at a time.

Settings are refreshed once every 60 minutes. If the tunnel configuration has changed, the old tunnel is destroyed and a new tunnel is created.

Only certificate-based authentication is supported for the phase 1 (first-stage) tunnel.

The new AIX feature creates a tunnel for each IP address that is part of the IPSec configuration policy.

Configuring AIX IPSec

The configuration file that AIX uses to create IPSec tunnels is in XML format. To create a tunnel between two systems, more than 20 configuration parameters must be set; these configurable parameters are placed in an XML file. The XML file does not contain IP addresses, however; those are obtained from the machines associated with the policy. AIX IPSec provides a command to load an XML configuration file into an LDAP server.

Listing 1 shows a sample XML configuration file stored on the LDAP server.

Listing 1. Sample XML configuration file

    $ cat ipsec_ldap.xml
    <?xml version="1.0"?>
    <AIX_VPN Version="2.0">
      <IKEProtection IKE_Role="Both" IKE_Version="2" IKE_XchgMode="Main"
          IKE_KeyOverlap="10" IKE_Flags_UseCRL="No" IKE_ProtectionName="P1pol"
          IKE_ResponderKeyRefreshMaxKB="" IKE_ResponderKeyRefreshMinKB="1"
          IKE_ResponderKeyRefreshMaxMinutes="1440" IKE_ResponderKeyRefreshMinMinutes="1">
        <IKETransform IKE_Encryption="3DES-CBC" IKE_Hash="SHA" IKE_DHGroup="2"
            IKE_PRF="PRF_HMAC_SHA1" IKE_AuthenticationMethod="RSA_signatures"/>
      </IKEProtection>
      <IPSecProposal IPSec_ProposalName="P2prop">
        <IPSecESPProtocol ESP_Encryption="ESP_3DES" ESP_KeyRefreshKB="0"
            ESP_Authentication="HMAC-SHA" ESP_ExtendedSeqNum="0"
            ESP_EncapsulationMode="Tunnel" ESP_KeyRefreshMinutes=""/>
      </IPSecProposal>
      <IPSecProtection IPSec_Role="Both" IPSec_KeyOverlap="10" IPSec_ProposalRefs="P2prop"
          IPSec_ProtectionName="P2pol" IPSec_InitiatorDHGroup="1"
          IPSec_ResponderDHGroup="NO_PFS GROUP_1 GROUP_2" IPSec_Flags_UseLifeSize="No"
          IPSec_Flags_UseCommitBit="No" IPSec_ResponderKeyRefreshMaxKB=""
          IPSec_ResponderKeyRefreshMinKB="1" IPSec_ResponderKeyRefreshMaxMinutes="43200"
          IPSec_ResponderKeyRefreshMinMinutes="1"/>
    </AIX_VPN>
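As an added check, not part of the original article or of AIX's own tooling, the following Python script lints a policy like Listing 1 before it is loaded into LDAP: it enforces the constraints the article states (no host addresses in the shared policy, certificate-based phase 1 authentication, proposal references that resolve) plus a key-refresh bounds sanity check. The element names IPV4_Address, IPV6_Address, IKELocalIdentity and IKERemoteIdentity are assumed from the AIX IPSec XML format, and the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Listing 1 (not a file shipped with AIX);
# like Listing 1 it carries no IP address: those come from the associated hosts.
SAMPLE_POLICY = """<?xml version="1.0"?>
<AIX_VPN Version="2.0">
  <IKEProtection IKE_Role="Both" IKE_ProtectionName="P1pol" IKE_ResponderKeyRefreshMaxKB=""
      IKE_ResponderKeyRefreshMinKB="1" IKE_ResponderKeyRefreshMaxMinutes="1440"
      IKE_ResponderKeyRefreshMinMinutes="1">
    <IKETransform IKE_Encryption="3DES-CBC" IKE_Hash="SHA" IKE_DHGroup="2"
        IKE_AuthenticationMethod="RSA_signatures"/>
  </IKEProtection>
  <IPSecProposal IPSec_ProposalName="P2prop">
    <IPSecESPProtocol ESP_Encryption="ESP_3DES" ESP_Authentication="HMAC-SHA" ESP_EncapsulationMode="Tunnel"/>
  </IPSecProposal>
  <IPSecProtection IPSec_Role="Both" IPSec_ProposalRefs="P2prop" IPSec_ProtectionName="P2pol"
      IPSec_ResponderKeyRefreshMaxMinutes="43200" IPSec_ResponderKeyRefreshMinMinutes="1"/>
</AIX_VPN>
"""


def lint_policy(xml_text):
    """Return a list of problems; an empty list means the policy passed."""
    problems = []
    root = ET.fromstring(xml_text)
    # 1. One policy serves many hosts, so it must not embed addresses or identities
    #    (element names assumed from the AIX IPSec XML format).
    for tag in ("IPV4_Address", "IPV6_Address", "IKELocalIdentity", "IKERemoteIdentity"):
        if root.find(f".//{tag}") is not None:
            problems.append(f"{tag} present: addresses must come from the host, not the policy")
    # 2. Only certificate-based phase 1 authentication is supported by this feature.
    for tr in root.iter("IKETransform"):
        if tr.get("IKE_AuthenticationMethod") != "RSA_signatures":
            problems.append(f"phase 1 uses {tr.get('IKE_AuthenticationMethod')}, not RSA_signatures")
    # 3. Every name in IPSec_ProposalRefs must resolve to a defined IPSecProposal.
    defined = {p.get("IPSec_ProposalName") for p in root.iter("IPSecProposal")}
    for prot in root.iter("IPSecProtection"):
        for ref in prot.get("IPSec_ProposalRefs", "").split():
            if ref not in defined:
                problems.append(f"{prot.get('IPSec_ProtectionName')} references undefined proposal {ref}")
    # 4. Responder key-refresh bounds: Min must not exceed Max when both are set
    #    (empty strings, as in Listing 1, mean "unset" and are skipped).
    for el in root.iter():
        for pfx in ("IKE_ResponderKeyRefresh", "IPSec_ResponderKeyRefresh"):
            for unit in ("KB", "Minutes"):
                lo, hi = el.get(f"{pfx}Min{unit}"), el.get(f"{pfx}Max{unit}")
                if lo and hi and int(lo) > int(hi):
                    problems.append(f"{el.tag}: {pfx}Min{unit}={lo} exceeds Max={hi}")
    return problems
```

Run the check against the policy file in a pre-load step so that a broken proposal reference or a pre-shared-key transform is caught once, centrally, rather than discovered on every host at the next 60-minute refresh.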
