ikedb Command

Purpose

Retrieves, updates, deletes, imports, and exports information in the IKE database.

Syntax

ikedb -p[Fs] [ -e entity-file ] [ XML-file ]

ikedb -g[r] [ -t type [ -n name | -i ID -y ID-type ] ]

ikedb -d -t type [ -n name | -i ID -y ID-type ]

ikedb -c[F] [ -l linux-file ] [ -k secrets-file ] [ -f XML-file ]

ikedb -x

ikedb -o

LDAP supported operations

ikedb -R LDAP -p [ -F ]

ikedb -R LDAP -g [ policy-name ]

ikedb -R LDAP -o

ikedb -R LDAP -A <policy-name> [ -f <xml file name> ] [ -h ip/host ] -C <Dn Name>

ikedb -R LDAP -D <policy-name> [ -h ip/host ] [ -F ]

Description

The ikedb command allows the user to write to (put) or read from (get) the IKE database. The input and output format is an Extensible Markup Language (XML) file. The format of an XML file is specified by its Document Type Definition (DTD). The ikedb command allows the user to see the DTD that is used to validate the XML file when doing a put. While entity declarations can be added to the DTD using the -e flag, this is the only modification to the DTD that can be made.

Any external DOCTYPE declaration in the input XML file will be ignored and any internal DOCTYPE declaration might result in an error. The rules followed to parse the XML file using the DTD are specified in the XML standard. /usr/samples/ipsec has a sample of what a typical XML file that defines common tunnel scenarios looks like.

Flags

To use LDAP supported operations, configure the host as an LDAP client.

Item Description
-p

Performs a put, which writes to the database, based on the given XML-file.

-F
Forces a put, even if a specified tunnel, protection, proposal, group, or preshared key would overwrite one that exists in the database. The default is for such put attempts to fail. When the -R switch is present, local entities whose names duplicate names specified in the policy applicable to the host are overwritten.
-s
Swaps the local and remote IDs of all tunnels. This flag facilitates importing a tunnel that is generated by a peer system. This flag affects only tunnels. This option is illegal if the remote ID of any tunnel is a group.
-e entity-file
Specifies the name of the file that contains the <!ENTITY ...> lines as defined by entity-file. These lines are added to the internal DTD and allow the user to include XML files in other XML files.
XML-file
Specifies the XML-file to be used; it must be the last argument on the command line. The XML-file determines whether the write is to a tunnel, protection, proposal, group, pre-shared key, or all of these. If no XML-file is specified, input is read from stdin. A - (hyphen) can also be used to specify stdin.
-R LDAP
The valid value is LDAP. When -p is used in conjunction with the -R switch, the put operation is done by importing the XML configuration file that is associated with the applicable IPSec configuration policy from the LDAP server.
-h ip/host
Specifies a host name or an IP address, which can be IPv4 or IPv6. This flag is used with the -A or the -D flag.
-g

Performs a get, which displays what is stored in the IKE database. Output is sent to stdout and is in XML format, which is suitable for processing with ikedb -p.

-r
Recursive. If this flag is specified for a phase 1 tunnel, information is also returned for all associated phase 2 tunnels and all protections and proposals associated with both sets of tunnels.
-t type
Specifies the type of output requested. Type can have the value of any of the XML elements under AIX_VPN, such as IKETunnel, IPSecProtection, and so on. If omitted, the entire database is output.
-n name
Specifies the name of the requested object. Name can be the name of a proposal, protection, tunnel, or group, depending on the value of the -t flag. The -n flag is valid with all values specified by the -t flag, except IKEPresharedKey. If omitted, all objects of the specified type will be output.
-i ID
Specifies the ID associated with a pre-shared key. The -i flag is only valid with the IKEPresharedKey value of the -t flag. If omitted, all objects of the specified type will be output. The -i flag must be used in conjunction with the -y flag.
-y ID-type
Specifies the ID-type defined by the -i flag. ID-type can be any of the legal types allowed in the XML file, such as User_FQDN, IPV4_Address, and so on. The -y flag must be used in conjunction with the -i flag.
-R LDAP
The valid value is LDAP. When the -g flag is used in conjunction with the -R switch, the get operation is done by displaying the XML configuration file stored on the LDAP server for the policy that is associated with the local host. If a policy name is also provided, the XML file stored as part of that policy is displayed on stdout.
-d

Performs a delete of the specified item from the database. The flags are the same as for the -g flag, except that -r is not supported.

-C DN-name
Specifies the distinguished name of the IPSec certificate used by the associated clients. This flag is used with the -A flag.
-c

Performs a conversion from a Linux IPSec configuration file to an AIX® IPSec configuration file in XML format. It requires as input one or two files from the Linux environment, a configuration file, and possibly a secrets file with pre-shared keys.

-F
Forces a put, even if a specified tunnel, protection, proposal, group, or pre-shared key would overwrite one that already exists in the database. The default is for such put attempts to fail. The -F flag has no effect if the -f flag is also used.
-l linux-file
Specifies the Linux configuration file as defined by linux-file. If no file is specified, the system looks for the ipsec.conf file in the current directory.
-k secrets-file
Specifies the Linux pre-shared keys file as defined by the secrets-file parameter. If no file is specified, the system looks for the ipsec.secrets file in the current directory.
-f XML-file
Specifies the XML configuration file to which the Linux configuration files are converted. The default behavior is to do a put operation directly to the IKE database. If the file name is a hyphen (-), the results are sent to stdout. This flag is invalid if the -R switch is also present on the command line.
-x

Performs an expunge operation on the database, which empties the database. This flag is invalid if the -R switch is also present on the command line.

-o

Performs an output of the DTD that specifies all elements and attributes for an XML file that is used by the ikedb command. The DTD is sent to stdout. When the -R switch is present, the DTD that specifies all the elements and attributes for the XML file that can be stored as part of a configuration policy on LDAP is sent to stdout.

-A

Associates the IP addresses provided with the policy name. If no IP addresses are provided, the first local IPV6 address for the local host is selected and associated with the policy. Policy configuration is enforced by downloading the XML file from LDAP and putting it into the database. The tunnels thus defined are activated.

-f XML-file
If an XML file is provided, it is stored on the LDAP server as the new XML applicable for the defined policy. If the policy does not exist, this flag is required.
-R LDAP
The valid value is LDAP. This switch must be provided on the command line.
-D

Disassociates the IP address from the configuration policy on the LDAP server.

This flag is invalid without the -R switch. The only valid value for the -R switch is LDAP.

-F
If the last IP address associated with the specified policy is removed, this switch causes the corresponding policy data (the XML configuration file) to be deleted from the LDAP server. If this flag is not used, the policy is not deleted from the LDAP server.

Files

Item Description
/usr/samples/ipsec Examples of an XML file that sets up various tunnel configurations.

Examples

  1. To put definitions to the IKE database from an XML file that has been generated on a peer machine and overwrite any existing objects in the database with the same name, type:
     ikedb -pFs peer_tunnel_conf.xml   

    peer_tunnel_conf.xml is the XML file generated on a peer machine.

  2. To get the definition of the phase 1 tunnel named tunnel_sys1_and_sys2 and all dependent phase 2 tunnels with respective proposals and protections, type:
     ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2
  3. To delete all preshared keys from the database, type:
     ikedb -d -t IKEPresharedKey
  4. To associate the host that has the IP address 10.10.10.1 with the configuration policy named Pol1, using the certificate /C=US/O=IBM/CN=test01.austin.ibm.com and the XML file ldap.xml, type:
     ikedb -R LDAP -A Pol1 -f ldap.xml -h 10.10.10.1 -C /C=US/O=IBM/CN=test01.austin.ibm.com
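The following script is an added example and is not part of the ikedb documentation or the AIX tooling. It combines the put, get, and expunge operations above into a guarded version of example 1: the whole database is first exported with ikedb -g to a snapshot that only the owner can read (the export includes IKEPresharedKey entries in clear text), then ikedb -pFs imports the peer-generated file, and if that fails the database is expunged with ikedb -x and the snapshot is put back with ikedb -p. The IKEDB_CMD variable is an assumption of this script, not an ikedb option; it exists only so the logic can be exercised with a stub in place of the real command.

```shell
#!/bin/sh
# Added example, not from the ikedb documentation: guarded import of a
# peer-generated tunnel definition with rollback to a snapshot.
# IKEDB_CMD is an assumed knob (not an ikedb option) so that the logic can be
# exercised with a stub command; by default it is the real ikedb.
set -u
IKEDB_CMD="${IKEDB_CMD:-ikedb}"

# Export the whole IKE database to snap_file. The export contains
# IKEPresharedKey entries in clear text, so it is created owner-readable only.
snapshot_db() {
    snap_file="$1"
    (umask 077 && "$IKEDB_CMD" -g > "$snap_file") || return 1
    # An empty export is not a usable rollback point.
    [ -s "$snap_file" ] || return 1
    return 0
}

# Import peer_file, swapping local and remote IDs (-s) because the file was
# generated on the peer, and overwriting same-named objects (-F).
# On failure the database is expunged (-x) and the snapshot is put back (-p);
# a plain -p suffices because the database is empty after -x, so nothing
# can collide with an existing object.
# Return codes: 0 imported, 1 import failed and rolled back,
# 2 nothing changed (unreadable input or snapshot failed), 3 rollback failed.
import_peer_config() {
    peer_file="$1"
    snap_file="$2"
    [ -r "$peer_file" ] || { echo "cannot read $peer_file" >&2; return 2; }
    snapshot_db "$snap_file" || { echo "snapshot failed, not importing" >&2; return 2; }
    if "$IKEDB_CMD" -pFs "$peer_file"; then
        return 0
    fi
    echo "import failed, restoring snapshot $snap_file" >&2
    if "$IKEDB_CMD" -x && "$IKEDB_CMD" -p "$snap_file"; then
        return 1
    fi
    echo "rollback failed; database may be incomplete, snapshot kept" >&2
    return 3
}

# Usage: sh import_peer.sh peer_tunnel_conf.xml /var/tmp/ikedb-snapshot.xml
if [ $# -eq 2 ]; then
    import_peer_config "$1" "$2"
fi
```

The snapshot is deliberately kept after a successful import as well: it is the only record of the objects that -F overwrote, and because it holds pre-shared keys it should be removed explicitly once the new tunnels are confirmed working rather than left in a temporary directory.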