Chapter 1: SYMCLI Commands
symipsec
Displays or sets parameters that control the behavior of IPSec encryption on Gigabit Ethernet connections.
SYNOPSIS
symipsec -h

symipsec -sid <SymmID> -dir <#>|ALL [-port <#>|ALL]
    list -priority <<Level#> | -all>
    list -stats -type <StatsType> [-local_addr <IPendPt>] [-priority <Level#>]
    list -spi
    show -priority <Level#> | -all

symipsec -sid <SymmID> -dir <#> [-port <#>]
    set spi <on <SpiStart> [ length <SpiLen> ] | off>

symipsec -sid <SymmID> -file <FileName> -dir <#> [-port <#>]
    preview
    commit
DESCRIPTION
The symipsec command allows you to display and set the values of control parameters for Symmetrix IPSec encryption and authentication support.
Commands for listing or retrieving policies, or retrieving statistics, may be executed directly from the command line. The results will be returned to the screen for viewing.
402 EMC Solutions Enabler CLI Command Reference
Commands for setting, modifying, or clearing policies may be placed in a command file, which will then be processed by this utility. Alternatively, stdin redirection can be used with "here documents" in UNIX shell scripts. Each command in the file has to be terminated by a semi-colon (;). There is no limit on the number of commands or the type of commands that can be placed in a command file.
Prior to making any changes, the preview argument can be used to verify that the command file is syntactically correct without applying the changes to the Symmetrix array.
When using the commit argument, commands are executed sequentially, and do not execute within the context of a session. Therefore, if there are three or more commands in the file and the second one fails, processing will abort, and the effects of the first command will remain.
The commands in the command file are not case sensitive; however, the parameters entered are case sensitive.
ARGUMENTS
list Displays the priority number(s) for one or more policies. Optionally, can retrieve and display statistical information about IPSec processors or list the SPI range reserved for manual IPSec policies.
show Shows detailed information about one or more policies.
preview Verifies the syntax of the changes specified in the command file.
commit Updates the Symmetrix with the changes defined in the command file.
set Reserves a range of SPI values for manual IPSec policies.
OPTIONS
-all Targets all policy level numbers.
-dir Targets a specific director.
-file Specifies the command file that holds the policy definitions.
-port Targets a specific Port. Currently, only port 0 is a valid value and the default.
-priority Targets a specific policy priority level number.
-local_addr Specifies a local endpoint IP address.
-stats Retrieves and displays statistical information about IPSec processors within the Symmetrix array.
-sid Targets a specific Symmetrix array ID.
-spi Lists the reserved SPI (Security Parameter Indexing) range for the specified director.
-length Specifies the number of SPI values in the range to be reserved for manual IPSec policies.
-type Selects the type of statistics to retrieve.
-h Provides brief, online help information.
PARAMETERS
# Specific director or port number.
Optionally ALL may be supplied, during a policy list or show to select all applicable directors on the Symmetrix array.
FileName The target command file name that holds the policies.
IPendPt The local endpoint or IP address to obtain IKE errors from.
Level# The selected IPSec policy priority number (0-110). The value "ALL" may be supplied, during a policy list or show to select all policy level numbers.
SpiLen The number of values in the range to be reserved for manual IPSec policies. Default value is 1.
SpiStart The starting SPI value to be reserved for manual IPSec policies. Must be 0 to remove reservations or > 255 to set reservations.
StatsType The statistical type of report to return.
Possible values are:
- ike_errors
- ipsec_details
When retrieving IKE errors, the local address parameter must be supplied.
Likewise, the priority level number must be provided when retrieving IPSec details.
SymmID The ID of the Symmetrix array (up to 12 digits).
COMMAND FILE SYNTAX
The following shows how to define and modify policies using command file entries.
When executing a command that changes the array configuration, the preview operation will syntax-check the command file for errors, and the commit operation will send the policy changes to the array.
Note that adding and modifying a policy are almost identical. The former requires that the policy not exist, and the latter requires that the policy already exists and will be overwritten.
Note: Currently, you can only define one proposal and one transform per policy declaration.
Remove an existing policy:
policy delete -priority Level#;

Add or modify a policy:
policy add|modify
-priority Level#
-action discard|secure|bypass
[-assoc_ike_policy Level#]
#(only if proposal_type is IPSEC)
-local_addr IPaddr
[-ipproto IPprotocol#|all][-ipport IPport#|all]
[-mask IPaddr]
-remote_addr IPaddr
[-ipproto IPprotocol#|all][-ipport IPport#|all]
[-mask IPaddr]
[-remote_tunnel_addr IPaddr]
#(only if esp_mode is 'tunnel')
[-selectivity {destip|destport|srcport} SPECIFICITY]
#(for policies with wildcarded ipaddr/port/proto only)
-proposal_set
-proposal_set_type auto|manual|ike
[-key_format hex|ascii]
[-presharedkey Keystring]
#(if proposal_set_type is IKE only)
[-inenc_key Keystring -outenc_key Keystring]
#(if transform_type is ESP or IKE, and
#propset_type is MANUAL)
[-inauth_key Keystring -outauth_key Keystring]
#(only if proposal_set_type is MANUAL
# and auth_alg isn't NULL)
[-in_spi SPI# -out_spi SPI#]
#(only if proposal_set_type is MANUAL)
[-in_nonce NONCE -out_nonce NONCE]
#(only if proposal_set_type is MANUAL
#and -enc_alg is one of the aes-cm modes)
[-ike_mode main|aggressive]
#(only if proposal_set_type is IKE)
[-pfs on|off]
#(only if proposal_set_type is IKE)
-proposal
-proposal_type ike|ipsec
-transform
-transform_type ike|esp
[-auth_alg null|sha1|md5|xcbc]
[-enc_alg null|des|3des|aes_128|aes_256| aes_cm_128|aes_cm_256]
#(only if transform_type is ESP or IKE)
[-dhgroup 1|2|3|4]
#(only if transform_type is IKE)
[-esp_mode tunnel|transport]
#(only if transform_type is ESP)
[-lifetime [LifeParam1][,][LifeParam2]]
[-auth_method preshared_key|dsa|rsa]
#(only if transform_type is IKE)
COMMAND FILE OPTIONS
-priority Specifies the index number of the policy to be retrieved or modified. When packets arrive, policies with lower numbered priorities are examined first. Also, any IKE policies must have a lower priority index number (higher priority) than the corresponding IPSec policy.
-action Specifies the kind of action to run: discard, secure, or bypass.
-assoc_ike_policy For IPSec policies, specifies the IKE policy that will set up and maintain session details for this IPSec policy.
-local_addr Specifies the local IP address.
-remote_addr Specifies the remote IP address.
-ipproto Specifies the IP protocol number.
-ipport Specifies the IP port number.
-mask Specifies the IP address to mask.
-remote_tunnel_addr Specifies the remote tunnel IP address.
-selectivity Specifies to use selectivity lists confined to destination or source points and optional specificity types/protocols for wildcarded proposals only. When an endpoint field's properties have been wildcarded, determines whether new connections will share an existing security association (selectivity POLICY), or whether new connections will cause a new security association to be created (selectivity PACKET). Selecting PACKET results in a more secure configuration, since encryption keys won't be shared between connections, but consumes more resources. Selecting POLICY conserves security associations, when this is desired. Properties that may be wildcarded include IP address, IP port number, and IP protocol number.
-proposal_set Starts a proposal set declaration.
-proposal_set_type Specifies the type of proposal to set for key management: auto, manual, or ike.
-key_format Specifies the format in which the keys provided in the policy are presented. Default value is hex.
Note that ASCII strings will be half the length of hex strings, but security is slightly diminished, since 1/8 of the available hex key space is not available to ASCII strings.
-presharedkey Specifies the preshared key string. (Same secret string shared between security points.)
-inenc_key Specifies an encryption key string used for encrypting/decrypting incoming traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL ESP mode only.
-outenc_key Specifies an encryption key string used for encrypting/decrypting outgoing traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL ESP mode only.
-inauth_key Specifies a hash key string used for authenticating incoming traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL auth mode only.
-outauth_key Specifies a hash key string used for authenticating outgoing traffic. Must match the corresponding field on the remote endpoint. For manual IPSec proposals with a non-NULL authenticate mode only.
-in_spi Specifies the Security Parameter Indexing (SPI) number for incoming traffic decode security associations. Applies to a manual proposal only.
-out_spi Specifies the Security Parameter Indexing (SPI) number for outgoing traffic encode security associations. Applies to a manual proposal only.
-in_nonce Specifies a random nonce value on incoming traffic to counter replay attacks.
-out_nonce Specifies a random nonce value on outgoing traffic to counter replay attacks.
-ike_mode For IKE phase 1 negotiations, specifies the intensity of examination. Main mode is more intense and secure, but time consuming. Aggressive mode provides faster negotiations but exposes identities of the peers to eavesdropping.
-pfs Turns on, or off, Perfect Forward Secrecy (PFS) mode for IKE policies. (Typically, this should be left on, unless you have a special environment.)
-transform Specifies the start of a transform declaration.
-transform_type Specifies the type of transform to apply to the policy. Possible values are:
- ike -- IP Key Exchange
- esp -- Encapsulation Security Payload
Note that value ah for authentication header is not currently supported.
-auth_alg Specifies the authentication algorithm for IKE or ESP policy transform hash functions. Possible values are:
- null
- sha1
- md5
- xcbc
-enc_alg Specifies the encryption algorithm for IKE or ESP policy transforms. Possible values are:
- null
- des
- 3des
- aes_128
- aes_256
- aes_cm_128
- aes_cm_256
-dhgroup Specifies which Diffie-Hellman (dh) group to use for the symmetrical key generation. Groups 1 through 4 are supported.
-esp_mode Specifies the Encapsulating Security Payload (ESP) transform mode:
- tunnel
- transport
-lifetime Specifies the life of a policy with time and/or data size parameters.
-auth_method Specifies the authentication method for IKE transforms. Possible values are:
- preshared_key
- dsa
- rsa
COMMAND FILE PARAMETERS
Level# An unsigned 32-bit integer that specifies the priority level (policy index number 0-110).
IPaddr The local, remote, or remote-tunnel endpoint IP address.
In addition to the IP address, the mask and IP protocol options can also be specified here:
[-mask IPaddr]
#(mask not valid when using "ipaddr all")
[-ipproto IPprotocol#|all]
#(defaults to all)
[-ipport IPport#|all]
#(defaults to all)
Where:
- IPprotocol# is a protocol number. For example, 6 for TCP, or 1 for IPv4-ICMP.
- IPport# is an IP port number. For example, 3260 for iSCSI, or 1748 for RDF.
The CLI will determine if this is an IPv4 or v6 address by looking for the presence of dots ('.', v4) or colons (':', v6) in the address. If both are present in 'mixed-mode' form (e.g., ::FFFF:a.b.c.d), only the v4 section will be used.
When specifying the remote tunnel address, -mask, -ipproto, and -ipport are not supported.
SPI# Security parameter index number for Security Associations (SA's). An unsigned 32-bit integer greater than 255.
NONCE An unsigned 32-bit integer. Required when using AES counter mode. A nonce is a random value used to prevent replay attacks. It makes sure the sender is really participating in the conversation.
Keystring A string of concatenated hexadecimal digit pairs, without per-byte delimiters, that represents an encryption or authentication key.
The following key length restrictions must be adhered to:
- MD5: exactly 16 bytes
- SHA1: exactly 20 bytes
- AES_CBC: exactly 16 bytes
- DES: exactly 8 bytes
- 3DES: exactly 24 bytes
- AES_128: exactly 16 bytes
- AES_256: exactly 32 bytes
- Preshared: between 1 and 64 bytes
SPECIFICITY A string that defines what happens when a new packet matches this policy, and the policy contains a wildcard in the corresponding field (i.e., src/dest ip address, src/dest port, protocol). The following possible string values may only be specified when the corresponding object is wildcarded:
- packet: A new SA will be created to handle this connection. (fine-grained)
- policy: A single SA will be created that will handle all connections that match this policy (coarse-grained).
LifeParam Lifetime parameters concerning time and data size. Just one, or both values in any order, can be specified:
- a time value in minutes or hours (e.g., 90m or 5h)
- a data size value in megabytes or gigabytes (e.g., 50mb or 3gb)
If both are specified, apply a comma between parameters with no intervening space. The first limit reached will end life.
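The constraints listed in this section and the preceding one (semicolon termination, the 0-110 priority range, SPI values greater than 255, per-algorithm key lengths, the nonce requirement for AES counter mode, and the lifetime syntax) can all be checked offline before a command file is ever handed to preview. The following Python linter is an added example, not part of Solutions Enabler or of this reference. It parses the command-file syntax shown above and reports every violation it finds. Two assumptions: the key sizes for aes_cm_128 and aes_cm_256 are taken to be those of aes_128 and aes_256, since the Keystring table does not list them separately, and the BAD_MANUAL sample is a constructed file with deliberate mistakes.

```python
import re

# Key bytes from this page's Keystring table; the aes_cm_* sizes are an assumption.
KEY_BYTES = {"md5": 16, "sha1": 20, "des": 8, "3des": 24, "aes_128": 16,
             "aes_256": 32, "aes_cm_128": 16, "aes_cm_256": 32}
LIFE_RE = re.compile(r"\d+(?:m|h|mb|gb)")    # 90m, 5h, 50mb, 3gb
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")  # concatenated hex digit pairs

def parse_commands(text):
    """Split a ';'-terminated command file into (verb, action, options) triples."""
    body = text.strip()
    if body and not body.endswith(";"):
        raise ValueError("last command is not terminated by ';'")
    commands = []
    for raw in body.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        verb = tokens[0].lower()                 # commands are case insensitive
        action = tokens[1].lower() if len(tokens) > 1 else ""
        opts, i = {}, 2                          # option names stay case sensitive
        while i < len(tokens):
            name = tokens[i]
            if not name.startswith("-"):
                raise ValueError(f"unexpected token {name!r}")
            values, i = [], i + 1
            while i < len(tokens) and not tokens[i].startswith("-"):
                values.append(tokens[i])
                i += 1
            opts.setdefault(name, []).append(values)  # -ipport, -selectivity repeat
        commands.append((verb, action, opts))
    return commands

def _first(opts, name):
    """First value of an option, or None when absent or value-less."""
    seen = opts.get(name)
    return seen[0][0] if seen and seen[0] else None

def lint(text):
    """Return constraint violations as strings; an empty list means clean."""
    try:
        commands = parse_commands(text)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    for n, (verb, action, o) in enumerate(commands, 1):
        add = lambda msg, n=n: errors.append(f"command {n}: {msg}")
        if verb != "policy" or action not in ("add", "modify", "delete"):
            add("expected 'policy add|modify|delete'")
            continue
        pri = _first(o, "-priority")
        if pri is None or not pri.isdigit() or int(pri) > 110:
            add("-priority must be an integer 0-110")
        if action == "delete":
            continue
        ike = _first(o, "-assoc_ike_policy")   # IKE policy must sort before its IPSec policy
        if ike and pri and pri.isdigit() and not (ike.isdigit() and int(ike) < int(pri)):
            add("-assoc_ike_policy must be a lower index (higher priority) than -priority")
        fmt = _first(o, "-key_format") or "hex"
        enc = (_first(o, "-enc_alg") or "null").lower()
        auth = (_first(o, "-auth_alg") or "null").lower()
        if _first(o, "-proposal_set_type") == "manual":
            for spi in ("-in_spi", "-out_spi"):
                v = _first(o, spi)
                if v is None or not v.isdigit() or not 255 < int(v) < 2 ** 32:
                    add(f"{spi} must be an unsigned 32-bit integer greater than 255")
            if enc.startswith("aes_cm") and ("-in_nonce" not in o or "-out_nonce" not in o):
                add("AES counter mode needs -in_nonce and -out_nonce")
            wanted = [(k, KEY_BYTES.get(enc)) for k in ("-inenc_key", "-outenc_key")] if enc != "null" else []
            wanted += [(k, KEY_BYTES[auth]) for k in ("-inauth_key", "-outauth_key")] if auth in KEY_BYTES else []
            for name, want in wanted:
                key = _first(o, name)
                have = None if key is None else (len(key) if fmt == "ascii" else len(key) // 2)
                if key is None:
                    add(f"{name} is required for a manual proposal")
                elif fmt == "hex" and not HEX_RE.fullmatch(key):
                    add(f"{name} must be concatenated hex digit pairs")
                elif want is not None and have != want:
                    add(f"{name} must be exactly {want} bytes, got {have}")
        life = _first(o, "-lifetime")
        if life and not all(LIFE_RE.fullmatch(p) for p in life.split(",")):
            add("-lifetime values must look like 90m, 5h, 50mb or 3gb")
    return errors

# The page's own /tmp/ap example, with -enc_alg spelled as in the syntax section.
EXAMPLE_AP = """policy add -priority 50 -assoc_ike_policy 40 -action secure
-local_addr 172.23.195.20 -ipport 3260 -ipproto 6 -remote_addr 50.60.70.80 -ipport 3260 -ipproto 6
-selectivity destip packet -selectivity destport packet -proposal_set -proposal_set_type auto
-proposal -proposal_type ipsec -transform -transform_type esp -enc_alg aes_cm_256 -lifetime 90m,5gb;"""
# Constructed manual policy with deliberate mistakes: low SPI, 16-byte keys for aes_cm_256, no nonces, no sha1 keys, bad lifetime unit.
BAD_MANUAL = """policy add -priority 60 -action secure -local_addr 10.0.0.1 -remote_addr 10.0.0.2
-proposal_set -proposal_set_type manual -in_spi 100 -out_spi 256
-inenc_key 00112233445566778899aabbccddeeff -outenc_key 00112233445566778899aabbccddeeff
-proposal -proposal_type ipsec -transform -transform_type esp -enc_alg aes_cm_256 -auth_alg sha1 -lifetime 90min;"""

if __name__ == "__main__":
    for label, text in (("/tmp/ap", EXAMPLE_AP), ("bad manual", BAD_MANUAL)):
        print(label, "->", lint(text) or "clean")
```

The linter only enforces what this page states; it does not know which option combinations the array itself rejects, so preview remains the authoritative syntax check and this is a cheap first gate for files generated by scripts.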
RETURN CODES
Code #  Code Symbol
------  -----------
0       CLI_C_SUCCESS
1       CLI_C_FAIL
2       CLI_C_DB_FILE_IS_LOCKED
19      CLI_C_GK_IS_LOCKED
        All gatekeepers to the Symmetrix array are currently locked.
EXAMPLES
To list the policy priorities on all directors within a specific Symmetrix, enter:
symipsec -sid 123456789012 -dir ALL -port ALL list -all
To show the policy details for a specific policy, enter:
symipsec -sid 123456789012 -dir 1A -port 0 show -priority 20
To check the syntax of a command file, enter:
symipsec -sid 123456789012 -dir 1A -port 0 -file /tmp/commandfile preview
To display IPSec SA details for a specific priority, enter:
symipsec -sid 123456789012 -dir 1A -port 0 list -stats -type ipsec_details -priority 20
To add an IPSec iSCSI policy to the policy database, enter:
symipsec -sid 0039 -dir 1A -port 0 -file /tmp/ap commit

Where /tmp/ap contains:
policy add
-priority 50 -assoc_ike_policy 40 -action secure
-local_addr 172.23.195.20 -ipport 3260 -ipproto 6
-remote_addr 50.60.70.80 -ipport 3260 -ipproto 6
-selectivity destip packet -selectivity destport packet
-proposal_set -proposal_set_type auto -proposal
-proposal_type ipsec -transform -transform_type esp
-enc_alg aes_cm_256 -lifetime 90m,5gb
;

To remove an IPSec policy from the policy database, enter:
symipsec -sid 0039 -dir 1A -port 0 -file /tmp/dp commit

Where /tmp/dp contains:
policy delete -priority 50;
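Because commit executes the commands in a file one after another with no session (the DESCRIPTION notes that if the second command fails, processing aborts and the first command's effects remain), scripted use should always run preview first and commit only on CLI_C_SUCCESS. The Python wrapper below is an added example, not part of Solutions Enabler or this reference. It builds the argv forms from the SYNOPSIS for the command-file operations, maps the exit status to the symbols in the RETURN CODES table, and records how many commands the file held so that an aborted commit can be reconciled with list -all. run_cli invokes the real CLI and needs Solutions Enabler installed; fake_runner_factory is a constructed stand-in so the demo at the bottom runs without an array.

```python
import subprocess

# Return codes from this page's RETURN CODES table.
RETURN_CODES = {0: "CLI_C_SUCCESS", 1: "CLI_C_FAIL",
                2: "CLI_C_DB_FILE_IS_LOCKED", 19: "CLI_C_GK_IS_LOCKED"}

def symipsec_argv(sid, director, cmd_file, operation, port="0"):
    """Build the command-file argv form shown in the synopsis."""
    if operation not in ("preview", "commit"):
        raise ValueError("operation must be 'preview' or 'commit'")
    return ["symipsec", "-sid", sid, "-dir", director, "-port", port,
            "-file", cmd_file, operation]

def run_cli(argv):
    """Default runner: invoke the real CLI (needs Solutions Enabler installed)."""
    return subprocess.run(argv).returncode

def count_commands(text):
    """Number of ';'-terminated commands in a command file."""
    return sum(1 for part in text.split(";") if part.strip())

def apply_policy_file(sid, director, cmd_file, file_text=None, runner=run_cli):
    """Preview the file, then commit only when preview returned CLI_C_SUCCESS.

    commit runs the file's commands one after another with no session, so a
    failure part-way leaves the earlier commands applied. The result therefore
    records how many commands the file held, so the operator knows what to
    reconcile with 'list -all' after an aborted commit.
    """
    if file_text is None:
        with open(cmd_file) as fh:
            file_text = fh.read()
    total = count_commands(file_text)
    rc = runner(symipsec_argv(sid, director, cmd_file, "preview"))
    result = {"stage": "preview", "rc": rc, "symbol": RETURN_CODES.get(rc, "UNKNOWN"),
              "committed": False, "commands_in_file": total}
    if rc != 0:
        return result                      # never commit a file that failed preview
    rc = runner(symipsec_argv(sid, director, cmd_file, "commit"))
    result.update(stage="commit", rc=rc, symbol=RETURN_CODES.get(rc, "UNKNOWN"),
                  committed=(rc == 0))
    if rc != 0:
        result["note"] = f"commit aborted; up to {total - 1} earlier commands may already be applied"
    return result

def fake_runner_factory(rc_by_operation):
    """Constructed stand-in for the CLI so the example runs without an array."""
    def runner(argv):
        runner.calls.append(argv)
        return rc_by_operation[argv[-1]]
    runner.calls = []
    return runner

if __name__ == "__main__":
    dp = "policy delete -priority 50;"      # the page's /tmp/dp example
    for name, codes in (("clean", {"preview": 0, "commit": 0}),
                        ("syntax error", {"preview": 1, "commit": 0}),
                        ("gatekeepers locked", {"preview": 0, "commit": 19})):
        print(name, "->", apply_policy_file("0039", "1A", "/tmp/dp", dp, runner=fake_runner_factory(codes)))
```

With the real runner, a return of 2 or 19 (database or gatekeepers locked) is a condition to retry later rather than a reason to edit the file, which is why the wrapper reports the symbol instead of collapsing everything to pass/fail.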