
Commands Reference, Volume 3


ikedb Command

Purpose

Retrieves, updates, deletes, imports, and exports information in the IKE database.

Syntax

ikedb -p[F s] [ -e entity-file ] [ XML-file ]

ikedb -g[r] [ -t type [ -n name | -i ID -y ID-type ] ]

ikedb -d -t type [ -n name | -i ID -y ID-type ]

ikedb -c[F] [ -l linux-file ] [ -k secrets-file ] [ -f XML-file ]

ikedb -x

ikedb -o

Description

The ikedb command allows the user to write to (put) or read from (get) the IKE database. The input and output format is an Extensible Markup Language (XML) file. The format of an XML file is specified by its Document Type Definition (DTD). The ikedb command allows the user to see the DTD that is used to validate the XML file when doing a put. While entity declarations can be added to the DTD using the -e flag, this is the only modification to the DTD that can be made.

Any external DOCTYPE declaration in the input XML file will be ignored and any internal DOCTYPE declaration may result in an error. The rules followed to parse the XML file using the DTD are specified in the XML standard. /usr/samples/ipsec has a sample of what a typical XML file that defines common tunnel scenarios looks like.

Flags


-p

Performs a put, which writes to the database, based on the given XML-file.

-F
Forces a put, even if a specified tunnel, protection, proposal, group, or pre-shared key would overwrite one that already exists in the database. The default is for such put attempts to fail.

-s
Swaps the local and remote IDs of all tunnels. This facilitates importing a tunnel generated by a peer machine. This flag only affects tunnels. This option is illegal if the remote ID of any tunnel is a group.

-e entity-file
Specifies the file, entity-file, that contains the <!ENTITY ...> declarations. These lines are added to the internal DTD and allow the user to include XML files in other XML files.

XML-file
Specifies the XML-file to be used and must be the last argument to appear in the command line. The XML-file determines whether the write is to a tunnel, protection, proposal, group, pre-shared key, or all of these. If no XML-file is specified, input is read from stdin. A hyphen (-) can also be used to specify stdin.

-g
Performs a get, which displays what is stored in the IKE database. Output is sent to stdout and is in XML format, which is suitable for processing with ikedb -p.

-r
Recursive. If this flag is specified for a phase 1 tunnel, information is also returned for all associated phase 2 tunnels and all protections and proposals associated with both sets of tunnels.

-t type
Specifies the type of output requested. Type can have the value of any of the XML elements under AIX_VPN, such as IKETunnel, IPSecProtection, and so on. If omitted, the entire database is output.

-n name
Specifies the name of the requested object. Name can be the name of a proposal, protection, tunnel, or group, depending on the value of the -t flag. The -n flag is valid with all values specified by the -t flag, except IKEPresharedKey. If omitted, all objects of the specified type will be output.

-i ID
Specifies the ID associated with a pre-shared key. The -i flag is only valid with the IKEPresharedKey value of the -t flag. If omitted, all objects of the specified type will be output. The -i flag must be used in conjunction with the -y flag.

-y ID-type
Specifies the type of the ID given with the -i flag. ID-type can be any of the legal types allowed in the XML file, such as User_FQDN, IPV4_Address, and so on. The -y flag must be used in conjunction with the -i flag.

-d
Performs a delete of the specified item from the database. The flags are the same as for -g, except that -r is not supported.
-c

Performs a conversion from a Linux IPSec configuration file to an AIX IPSec configuration file in XML format. It requires as input one or two files from Linux, a configuration file, and possibly a secrets file with pre-shared keys.

-F
Forces a put, even if a specified tunnel, protection, proposal, group, or pre-shared key would overwrite one that already exists in the database. The default is for such put attempts to fail. The -F flag has no effect if the -f flag is also used.

-s
Swaps the local and remote IDs of all tunnels. This facilitates importing a tunnel generated by a peer machine. This flag only affects tunnels.

-l linux-file
Specifies the Linux configuration file as defined by linux-file. If no file is specified, the system looks for the ipsec.conf file in the current directory.

-k secrets-file
Specifies the Linux pre-shared keys file as defined by the secrets-file parameter. If no file is specified, the system looks for the ipsec.secrets file in the current directory.

-f XML-file
Specifies the XML configuration file to which the Linux configuration files are converted. The default behavior is to do a put directly to the IKE database. If the filename given is a hyphen (-), the results are sent to stdout.

-x
Performs an expunge on the database. This empties out the database.

-o
Performs an output of the DTD that specifies all elements and attributes for an XML file that is used by the ikedb command. The DTD is sent to stdout.

Files


/usr/samples/ipsec
Examples of an XML file that sets up various tunnel configurations.

Examples

  1. To put definitions to the IKE database from an XML file that has been generated on a peer machine and overwrite any existing objects in the database with the same name, type:

     ikedb -pFs peer_tunnel_conf.xml

     peer_tunnel_conf.xml is the XML file generated on a peer machine.

  2. To get the definition of the phase 1 tunnel named tunnel_sys1_and_sys2 and all dependent phase 2 tunnels with respective proposals and protections, type:

     ikedb -gr -t IKETunnel -n tunnel_sys1_and_sys2

  3. To delete all pre-shared keys from the database, type:

     ikedb -d -t IKEPresharedKey

