EMC Solutions Enabler CLI Command Reference


Chapter 1: SYMCLI Commands

symipsec

Displays or sets parameters that control the behavior of IPSec encryption on Gigabit

Ethernet connections.

SYNOPSIS

    symipsec -h

    symipsec -sid <SymmID> -dir <#>|ALL [-port <#>|ALL]
        list -priority <<Level#> | -all>
        list -stats -type <StatsType> [-local_addr <IPendPt>]
             [-priority <Level#>]
        list -spi
        show -priority <Level#> | -all

    symipsec -sid <SymmID> -dir <#> [-port <#>]
        set spi <on <SpiStart> [ length <SpiLen> ] | off>

    symipsec -sid <SymmID> -file <FileName> -dir <#> [-port <#>]
        preview
        commit

DESCRIPTION

The symipsec command allows you to display and set the values of control parameters for Symmetrix IPSec encryption and authentication support.

Commands for listing or retrieving policies, or retrieving statistics, may be executed directly from the command line. The results will be returned to the screen for viewing.

Commands for setting, modifying, or clearing policies may be placed in a command file, which will then be processed by this utility. Alternatively, stdin redirection can be used with "here documents" in UNIX shell scripts. Each command in the file has to be terminated by a semi-colon (;). There is no limit on the number of commands or the type of commands that can be placed in a command file.

Prior to making any changes, the preview argument can be used to verify that the command file is syntactically correct without applying the changes to the Symmetrix array.

When using the commit argument, commands are executed sequentially and do not execute within the context of a session. Therefore, if there are three or more commands in the file and the second one fails, processing will abort, and the effects of the first command will remain; they are not rolled back.

The commands in the command file are not case sensitive; however, the parameters entered are case sensitive.

ARGUMENTS

list           Displays the priority number(s) for one or more policies. Optionally, can retrieve and display statistical information about IPSec processors or list the SPI range reserved for manual IPSec policies.

show           Shows detailed information about one or more policies.

preview        Verifies the syntax of the changes specified in the command file.

commit         Updates the Symmetrix with the changes defined in the command file.

set            Reserves a range of SPI values for manual IPSec policies.

OPTIONS

-all           Targets all policy level numbers.

-dir           Targets a specific director.

-file          Specifies the command file that holds the policy definitions.

-port          Targets a specific Port. Currently, only port 0 is a valid value and the default.

-priority      Targets a specific policy priority level number.

-local_addr    Specifies a local endpoint IP address.

-stats         Retrieves and displays statistical information about IPSec processors within the Symmetrix array.

-sid           Targets a specific Symmetrix array ID.

-spi           Lists the reserved SPI (Security Parameter Index) range for the specified director.

-length        Specifies the number of SPI values in the range to be reserved for manual IPSec policies.

-type          Selects the type of statistics to retrieve.

-h             Provides brief, online help information.

PARAMETERS

#               Specific director or port number. Optionally ALL may be supplied, during a policy list or show, to select all applicable directors on the Symmetrix array.

FileName        The target command file name that holds the policies.

IPendPt         The local endpoint or IP address to obtain IKE errors from.

Level#          The selected IPSec policy priority number (0-110). The value "ALL" may be supplied, during a policy list or show to select all policy level numbers.

SpiLen          The number of values in the range to be reserved for manual IPSec policies. Default value is 1.

SpiStart        The starting SPI value to be reserved for manual IPSec policies.  Must be 0 to remove reservations or > 255 to set reservations.

StatsType       The statistical type of report to return. Possible values are:

- ike_errors

- ipsec_details

When retrieving IKE errors, the local address parameter must be supplied.

Likewise, the priority level number must be provided when retrieving IPSec details.

SymmID          The ID of the Symmetrix array (up to 12 digits).

COMMAND FILE SYNTAX

The following shows how to define and modify policies using command file entries.

When executing a command that changes the array configuration, the preview operation will syntax-check the command file for errors, and the commit operation will send the policy changes to the array.

Note that adding and modifying a policy are almost identical.  The former requires that the policy not exist, and the latter requires that the policy already exists and will be overwritten.

Note: Currently, you can only define one proposal and one transform per policy declaration.

Remove an existing policy:

    policy delete -priority Level#;

Add or modify a policy:

    policy add|modify
    -priority Level#
    -action discard|secure|bypass
    [-assoc_ike_policy Level#]
        #(only if proposal_type is IPSEC)
    -local_addr IPaddr
        [-ipproto IPprotocol#|all] [-ipport IPport#|all]
        [-mask IPaddr]
    -remote_addr IPaddr
        [-ipproto IPprotocol#|all] [-ipport IPport#|all]
        [-mask IPaddr]
    [-remote_tunnel_addr IPaddr]
        #(only if esp_mode is 'tunnel')
    [-selectivity {destip|destport|srcport} SPECIFICITY]
        #(for policies with wildcarded ipaddr/port/proto only)
    -proposal_set
    -proposal_set_type auto|manual|ike
    [-key_format hex|ascii]
    [-presharedkey Keystring]
        #(if proposal_set_type is IKE only)
    [-inenc_key Keystring -outenc_key Keystring]
        #(if transform_type is ESP or IKE, and
        # propset_type is MANUAL)
    [-inauth_key Keystring -outauth_key Keystring]
        #(only if proposal_set_type is MANUAL
        # and auth_alg isn't NULL)
    [-in_spi SPI# -out_spi SPI#]
        #(only if proposal_set_type is MANUAL)
    [-in_nonce NONCE -out_nonce NONCE]
        #(only if proposal_set_type is MANUAL
        # and -enc_alg is one of the aes-cm modes)
    [-ike_mode main|aggressive]
        #(only if proposal_set_type is IKE)
    [-pfs on|off]
        #(only if proposal_set_type is IKE)
    -proposal
    -proposal_type ike|ipsec
    -transform
    -transform_type ike|esp
    [-auth_alg null|sha1|md5|xcbc]
    [-enc_alg null|des|3des|aes_128|aes_256|aes_cm_128|aes_cm_256]
        #(only if transform_type is ESP or IKE)
    [-dhgroup 1|2|3|4]
        #(only if transform_type is IKE)
    [-esp_mode tunnel|transport]
        #(only if transform_type is ESP)
    [-lifetime [LifeParam1][,][LifeParam2]]
    [-auth_method preshared_key|dsa|rsa]
        #(only if transform_type is IKE)

COMMAND FILE OPTIONS

-priority          Specifies the index number of the policy to be retrieved or modified. When packets arrive, policies with lower numbered priorities are examined first. Also, any IKE policies must have a lower priority index number (higher priority) than the corresponding IPSec policy.

-action            Specifies the kind of action to run: discard, secure, or bypass.

-assoc_ike_policy  For IPSec policies, specifies the IKE policy that will set up and maintain session details for this IPSec policy.

-local_addr        Specifies the local IP address.

-remote_addr       Specifies the remote IP address.


-ipproto           Specifies the IP protocol number.

-ipport            Specifies the IP port number.

-mask              Specifies the IP address to mask.

-remote_tunnel_addr
                   Specifies the remote tunnel IP address.

-selectivity       Specifies to use selectivity lists confined to destination or source points and optional specificity types/protocols, for wildcarded proposals only. When an endpoint field's properties have been wildcarded, determines whether new connections will share an existing security association (selectivity POLICY), or if new connections will cause a new security association to be created (selectivity PACKET). Selecting PACKET results in a more secure configuration, since encryption keys won't be shared between connections, but consumes more resources. Selecting POLICY conserves security associations, when this is desired. Properties that may be wildcarded include IP address, IP port number, and IP protocol number.

-proposal_set      Starts a proposal set declaration.

-proposal_set_type
                   Specifies the type of proposal to set for key management: auto, manual, or ike.

-key_format        Specifies the format in which the keys provided in the policy are presented. Default value is hex. Note that ASCII strings will be half the length of hex strings, but security is slightly diminished, since 1/8 of the available hex key space is not available to ASCII strings.

-presharedkey      Specifies the preshared key string. (Same secret string shared between security points.)

-inenc_key         Specifies an encryption key string used for encrypting/decrypting incoming traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL ESP mode only.

-outenc_key        Specifies an encryption key string used for encrypting/decrypting outgoing traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL ESP mode only.

-inauth_key        Specifies a hash key string used for authenticating incoming traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL auth mode only.

-outauth_key       Specifies a hash key string used for authenticating outgoing traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL authenticate mode only.

-in_spi            Specifies the Security Parameter Index (SPI) number for incoming traffic decode security associations. Applies to a manual proposal only.

-out_spi           Specifies the Security Parameter Index (SPI) number for outgoing traffic encode security associations. Applies to a manual proposal only.

-in_nonce          Specifies a random nonce value on incoming traffic to counter replay attacks.

-out_nonce         Specifies a random nonce value on outgoing traffic to counter replay attacks.

-ike_mode          For IKE phase 1 negotiations, specifies the intensity of examination. Main mode is more intense and secure, but time consuming. Aggressive mode provides faster negotiations but exposes the identities of the peers to eavesdropping.

-pfs               Turns on, or off, Perfect Forward Secrecy (PFS) mode for IKE policies. (Typically, this should be left on, unless you have a special environment.)

-transform         Specifies the start of a transform declaration.

-transform_type    Specifies the type of transform to apply to the policy. Possible values are:

- ike -- Internet Key Exchange

- esp -- Encapsulating Security Payload

Note that value ah for authentication header is not currently supported.

-auth_alg          Specifies the authentication algorithm for IKE or ESP policy transform hash functions. Possible values are:

- null

- sha1

- md5

- xcbc

-enc_alg           Specifies the encryption algorithm for IKE or ESP policy transforms. Possible values are:

- null

- des

- 3des

- aes_128

- aes_256

- aes_cm_128

- aes_cm_256

-dhgroup           Specifies which Diffie-Hellman (dh) group to use for the symmetrical key generation. Groups 1 through 4 are supported.

-esp_mode          Specifies the Encapsulating Security Payload (ESP) transform mode:

- tunnel

- transport

-lifetime          Specifies the life of a policy with time and/or data size parameters.

-auth_method       Specifies the authentication method for IKE transforms. Possible values are:

- preshared_key

- dsa

- rsa

COMMAND FILE PARAMETERS

Level#    An unsigned 32-bit integer that specifies the priority level (policy index number 0-110).

IPaddr    The local, remote, or remote-tunnel endpoint IP address. In addition to the IP address, the mask and IP protocol options can also be specified here:

    [-mask IPaddr]
        #(mask not valid when using "ipaddr all")
    [-ipproto IPprotocol#|all]
        #(defaults to all)
    [-ipport IPport#|all]
        #(defaults to all)

Where:

- IPprotocol# is a protocol number. For example, 6 for TCP, or 1 for IPv4-ICMP.

- IPport# is an IP port number. For example, 3260 for iSCSI, or 1748 for RDF.

The CLI will determine if this is an IPv4 or v6 address by looking for the presence of dots ('.', v4) or colons (':', v6) in the address. If both are present in 'mixed-mode' form (e.g., ::FFFF:a.b.c.d), only the v4 section will be used.

When specifying the remote tunnel address, -mask, -ipproto, and -ipport are not supported.
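The address-family rule just described, written out as an added example (this is not code from the manual or from EMC). It applies the dots/colons test and, for a mixed-mode address, keeps only the IPv4 section; classify_endpoint is my name for the function, and it uses Python's standard ipaddress module only to reject malformed input.

```python
import ipaddress


def classify_endpoint(addr):
    """Apply the CLI rule from the manual: dots mean IPv4, colons mean IPv6, and a
    mixed-mode address such as ::FFFF:a.b.c.d is reduced to its IPv4 section.
    Returns (family, address) with the address normalised; raises ValueError on
    input that is neither form (ipaddress rejects malformed text)."""
    has_dot, has_colon = "." in addr, ":" in addr
    if has_dot and has_colon:
        # Mixed mode: the text after the last colon is the v4 section that is used.
        return "v4", str(ipaddress.IPv4Address(addr.rsplit(":", 1)[1]))
    if has_colon:
        return "v6", str(ipaddress.IPv6Address(addr))
    if has_dot:
        return "v4", str(ipaddress.IPv4Address(addr))
    raise ValueError(f"{addr!r} has neither dots nor colons")


if __name__ == "__main__":
    # Constructed inputs; 172.23.195.20 is the address used in the manual's own example.
    for sample in ("::FFFF:172.23.195.20", "50.60.70.80", "fe80::1"):
        print(sample, "->", classify_endpoint(sample))
```

Because the mixed-mode form silently drops the v6 part, a policy written with such an address matches IPv4 traffic only; checking the returned family before committing avoids a policy that never matches the intended peer.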

SPI#      Security parameter index number for Security Associations (SAs). An unsigned 32-bit integer greater than 255.

NONCE     An unsigned 32-bit integer. Required when using AES counter mode. A nonce is a random value used to prevent replay attacks. It makes sure the sender is really participating in the conversation.

Keystring A string of concatenated hexadecimal digit pairs, without per-byte delimiters, that represent an encryption or authentication key.

The following key length restrictions must be adhered to:

- MD5: exactly 16 bytes

- SHA1: exactly 20 bytes

- AES_CBC: exactly 16 bytes

- DES: exactly 8 bytes

- 3DES: exactly 24 bytes

- AES_128: exactly 16 bytes

- AES_256: exactly 32 bytes

- Preshared: between 1 and 64 bytes

SPECIFICITY
          A string that defines what happens when a new packet matches this policy, and the policy contains a wildcard in the corresponding field (i.e., src/dest IP address, src/dest port, protocol). The following possible string values may only be specified when the corresponding object is wildcarded:

- packet: A new SA will be created to handle this connection. (fine-grained)

- policy: A single SA will be created that will handle all connections that match this policy (coarse-grained).

LifeParam Lifetime parameters concerning time and data size. Just one, or both values in any order, can be specified:

- a time value in minutes or hours (e.g., 90m or 5h)

- a data size value in megabytes or gigabytes (e.g., 50mb or 3gb)

If both are specified, apply a comma between parameters with no intervening space. The first limit reached will end life.
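The following is an added example and not code from the manual or from EMC: a small Python pre-flight checker that applies the command file rules stated on this page (semicolon-terminated commands, Keystring lengths by algorithm and -key_format, manual SPI values greater than 255, -presharedkey of 1 to 64 bytes, and the -lifetime format) to a constructed file before it is handed to preview and commit. The function names are mine, the sample file is constructed (its addresses are reused from the manual's own example), and the key sizes for aes_cm_128 and aes_cm_256 are assumed to equal those of aes_128 and aes_256, which the page does not state. The xcbc key size is also not given on the page, so it is not checked.

```python
import re

# Required key length in bytes, from the Keystring restrictions on this page.
# aes_cm_* sizes are an assumption (taken from aes_128/aes_256); xcbc is not listed.
KEY_BYTES = {
    "des": 8, "3des": 24, "aes_128": 16, "aes_256": 32,
    "aes_cm_128": 16, "aes_cm_256": 32,
    "md5": 16, "sha1": 20,
}
TIME_RE = re.compile(r"^\d+[mh]$", re.IGNORECASE)       # e.g. 90m, 5h
SIZE_RE = re.compile(r"^\d+(mb|gb)$", re.IGNORECASE)    # e.g. 50mb, 3gb


def split_commands(text):
    """Each command in a symipsec command file ends with a semicolon."""
    return [c.strip() for c in text.split(";") if c.strip()]


def parse_options(command):
    """'policy add -priority 50 ...' -> ('policy add', {'-priority': ['50'], ...})."""
    tokens = command.split()
    verb = " ".join(tokens[:2]).lower()
    opts, current = {}, None
    for tok in tokens[2:]:
        if tok.startswith("-") and not tok[1:].isdigit():
            current = tok.lower()          # option names are not case sensitive
            opts.setdefault(current, [])
        elif current is not None:
            opts[current].append(tok)      # values keep their case
    return verb, opts


def first(opts, name, default):
    vals = opts.get(name)
    return vals[0].lower() if vals else default


def key_byte_length(key, key_format):
    """Bytes a Keystring encodes: hex digit pairs, or one byte per ASCII character."""
    if key_format == "hex":
        if len(key) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", key):
            return None
        return len(key) // 2
    return len(key)


def check_command(command):
    """Problems found in one policy add/modify command; an empty list means it passed."""
    verb, opts = parse_options(command)
    if verb not in ("policy add", "policy modify"):
        return []
    problems = []
    key_format = first(opts, "-key_format", "hex")
    if first(opts, "-proposal_set_type", "auto") == "manual":
        # Manual proposals carry their own keys; the algorithm fixes the key size.
        for alg_opt, key_opts in (("-enc_alg", ("-inenc_key", "-outenc_key")),
                                  ("-auth_alg", ("-inauth_key", "-outauth_key"))):
            alg = first(opts, alg_opt, "null")
            want = KEY_BYTES.get(alg)
            for opt in key_opts:
                for key in opts.get(opt, []):
                    got = key_byte_length(key, key_format)
                    if got is None:
                        problems.append(f"{opt}: not a valid {key_format} key string")
                    elif want is not None and got != want:
                        problems.append(f"{opt}: {alg} needs {want} bytes, got {got}")
        # Manual SPIs are unsigned 32-bit integers greater than 255.
        for opt in ("-in_spi", "-out_spi"):
            for spi in opts.get(opt, []):
                if not spi.isdigit() or not 255 < int(spi) < 2 ** 32:
                    problems.append(f"{opt}: {spi!r} must be an integer in 256..2^32-1")
    for key in opts.get("-presharedkey", []):
        got = key_byte_length(key, key_format)
        if got is None or not 1 <= got <= 64:
            problems.append("-presharedkey: must encode 1 to 64 bytes")
    # -lifetime is a time limit, a size limit, or one of each, comma-separated, no space.
    for life in opts.get("-lifetime", []):
        parts = life.split(",")
        kinds = ["time" if TIME_RE.match(p) else "size" if SIZE_RE.match(p) else None
                 for p in parts]
        if None in kinds or len(parts) > 2 or len(set(kinds)) != len(kinds):
            problems.append(f"-lifetime: {life!r} is not <time>[,<size>] such as 90m,5gb")
    return problems


def check_file(text):
    """Problems per command, keyed by command text: an offline 'preview' of the file."""
    return {cmd: check_command(cmd) for cmd in split_commands(text)}


# Constructed sample command file: the first policy is well formed, the second
# has a short key, a reserved-range SPI and two size limits in -lifetime.
SAMPLE_FILE = """policy add
  -priority 50 -assoc_ike_policy 40 -action secure
  -local_addr 172.23.195.20 -ipport 3260 -ipproto 6
  -remote_addr 50.60.70.80 -ipport 3260 -ipproto 6
  -proposal_set -proposal_set_type manual
  -inenc_key 00112233445566778899aabbccddeeff
  -outenc_key 00112233445566778899aabbccddeeff
  -in_spi 256 -out_spi 257
  -proposal -proposal_type ipsec -transform -transform_type esp
  -enc_alg aes_128 -lifetime 90m,5gb;
policy add -priority 51 -action secure
  -proposal_set -proposal_set_type manual
  -inenc_key 0011 -outenc_key 0011 -in_spi 10 -out_spi 300
  -proposal -proposal_type ipsec -transform -transform_type esp
  -enc_alg aes_256 -lifetime 5gb,3gb;
policy delete -priority 50;
"""

if __name__ == "__main__":
    for cmd, problems in check_file(SAMPLE_FILE).items():
        print(" ".join(cmd.split()[:2]), "priority", parse_options(cmd)[1]["-priority"][0],
              "->", problems or "ok")
```

Running the checker on SAMPLE_FILE reports the first and third commands as clean and four problems for the second. Because commit processes commands sequentially without a session, catching such errors before the array sees the file avoids the half-applied state described under DESCRIPTION.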

RETURN CODES

    Code #   Code Symbol
    ------   -----------
    0        CLI_C_SUCCESS
    1        CLI_C_FAIL
    2        CLI_C_DB_FILE_IS_LOCKED
    19       CLI_C_GK_IS_LOCKED
             All gatekeepers to the Symmetrix array are currently locked.

EXAMPLES

To list the policy priorities on all directors within a specific Symmetrix, enter:

    symipsec -sid 123456789012 -dir ALL -port ALL list -all

To show the policy details for a specific policy, enter:

    symipsec -sid 123456789012 -dir 1A -port 0 show -priority 20

To check the syntax of a command file, enter:

    symipsec -sid 123456789012 -dir 1A -port 0 -file /tmp/commandfile preview

To display IPSec SA details for a specific priority, enter:

    symipsec -sid 123456789012 -dir 1A -port 0 list -stats -type ipsec_details -priority 20

To add an IPSec iSCSI policy to the policy database, enter:

    symipsec -sid 0039 -dir 1A -port 0 -file /tmp/ap commit

Where /tmp/ap contains:

    policy add
    -priority 50 -assoc_ike_policy 40 -action secure
    -local_addr 172.23.195.20 -ipport 3260 -ipproto 6
    -remote_addr 50.60.70.80 -ipport 3260 -ipproto 6
    -selectivity destip packet -selectivity destport packet
    -proposal_set -proposal_set_type auto -proposal
    -proposal_type ipsec -transform -transform_type esp
    -enc_alg aes_cm_256 -lifetime 90m,5gb
    ;

To remove an IPSec policy from the policy database, enter:

    symipsec -sid 0039 -dir 1A -port 0 -file /tmp/dp commit

Where /tmp/dp contains:

    policy delete -priority 50;
