IPsec, the Internet Protocol Security protocol suite, authenticates and/or encrypts each IP packet of a communication session to secure IP communications. It is a foundational tool that can be complex to implement, especially in an enterprise comprised of many systems. There are two modes in which IPsec can be implemented:
- host-to-host transport mode, where usually only the payload of the IP packet is encrypted and/or authenticated; routing remains intact because the IP header is neither modified nor encrypted.
- network tunnel mode, where the entire IP packet is encrypted and/or authenticated and then encapsulated in a new IP packet with a new IP header; this mode is used to create virtual private networks.
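The difference between the two modes is easiest to see on the wire. The following is an added example (not code from the original article or from AIX) that builds a minimal IPv4 packet and wraps it in ESP two ways: transport mode keeps the original header and changes only its protocol field, while tunnel mode wraps the whole packet and prepends a new outer header carrying the gateway addresses. It uses ESP with NULL encryption and an HMAC-SHA256 integrity check value so that it runs with the standard library alone; the addresses, SPIs and key are constructed sample values, and the IP checksum is left at zero.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50        # IP protocol number for ESP
IPPROTO_IPIP = 4      # ESP next-header value meaning "an IPv4 packet follows" (tunnel mode)
ICV_LEN = 16          # truncated HMAC-SHA256 ICV, 128 bits as in RFC 4868


def build_ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; checksum left zero (constructed example)."""
    version_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(packet):
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "proto": f[6], "total_len": f[2]}


def _esp_wrap(inner, next_header, spi, seq, key):
    """ESP with NULL encryption: SPI | seq | data | padding | pad_len | next_header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4             # trailer must end on a 4-byte boundary
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authed = struct.pack("!II", spi, seq) + body
    icv = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


def _esp_unwrap(esp, key):
    """Verify the ICV, then strip SPI/seq and the trailer; returns (inner, next_header)."""
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    body = authed[8:]
    pad_len, next_header = body[-2], body[-1]
    return body[:-(pad_len + 2)], next_header


def esp_transport(packet, spi, seq, key):
    """Transport mode: original header kept (protocol becomes ESP); only the payload is wrapped."""
    hdr = parse_ipv4_header(packet)
    esp = _esp_wrap(packet[20:], hdr["proto"], spi, seq, key)
    return build_ipv4_header(hdr["src"], hdr["dst"], ESP_PROTO, len(esp)) + esp


def esp_tunnel(packet, outer_src, outer_dst, spi, seq, key):
    """Tunnel mode: the entire original packet is wrapped and a new outer header is prepended."""
    esp = _esp_wrap(packet, IPPROTO_IPIP, spi, seq, key)
    return build_ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(packet, key):
    """Returns (inner_bytes, next_header); in tunnel mode inner_bytes is a complete IP packet."""
    if parse_ipv4_header(packet)["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    return _esp_unwrap(packet[20:], key)


# Constructed sample input: a UDP (protocol 17) packet between two internal hosts.
KEY = b"constructed-demo-key-not-for-production"
ORIGINAL = build_ipv4_header("10.1.1.5", "10.2.2.7", 17, 12) + b"hello, world"

if __name__ == "__main__":
    t = esp_transport(ORIGINAL, spi=0x1001, seq=1, key=KEY)
    u = esp_tunnel(ORIGINAL, "192.0.2.1", "198.51.100.1", spi=0x1002, seq=1, key=KEY)
    print("transport outer header:", parse_ipv4_header(t))   # internal addresses, proto 50
    print("tunnel outer header:   ", parse_ipv4_header(u))   # gateway addresses, proto 50
    print("tunnel inner packet:   ", parse_ipv4_header(esp_decapsulate(u, KEY)[0]))
```

The point to take from running it: in transport mode an observer on the path still sees the real endpoint addresses, whereas in tunnel mode only the two gateways are visible and the inner packet, header included, is covered by the ICV. Flip any byte of either output and `esp_decapsulate` rejects it.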
Tunnel mode is an important concept, but it can be quite a numbers nightmare. To use IPsec tunnels, each system under an enterprise's control must be configured individually using an XML configuration file or the command line. Each IPsec tunnel between two systems requires more than 20 different parameters, only a few of which are machine dependent.
To reduce the propensity for error from so many configuration variables, IBM introduced a feature in AIX IPsec that simplifies the process. In Simplify and centralize IPSec management on AIX, IBM Software Engineer Jyoti Tenginakai shows you how to use the centralized IPSec management feature in AIX, which creates a tunnel for each pair of IP addresses covered by the IPsec configuration policy. Tenginakai also explains how to simplify and centralize management of a configuration using LDAP as a central repository.
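To make the "numbers nightmare" concrete, the following added example (not the article's or AIX's own code) expands one central policy into the per-host tunnel definitions that a mesh of hosts needs, and then cross-checks them the way an administrator would before deploying: every tunnel must have a mirror on its peer with swapped addresses and SPIs and an identical shared policy. The parameter names are a generic IPsec subset assumed for illustration, not the AIX parameter set, and the host addresses are constructed sample values; the SPI allocation scheme is likewise this example's own.

```python
from itertools import combinations

# Policy-wide parameters shared by every tunnel (generic IPsec names assumed for this example).
SHARED_POLICY = {
    "protocol": "ESP", "mode": "tunnel", "ike_version": 2,
    "phase1_encryption": "aes256-cbc", "phase1_integrity": "hmac-sha256", "dh_group": 14,
    "phase2_encryption": "aes256-gcm", "phase2_integrity": "none", "pfs_group": 14,
    "phase1_lifetime_s": 28800, "phase2_lifetime_s": 3600, "replay_window": 64,
}
# The only fields that differ from one tunnel to the next.
MACHINE_DEPENDENT = ("local_ip", "remote_ip", "spi_out", "spi_in")


def tunnel_count(n_hosts):
    """A full mesh of n hosts needs one tunnel per unordered pair."""
    return n_hosts * (n_hosts - 1) // 2


def expand_policy(hosts, shared=SHARED_POLICY, base_spi=0x1000):
    """Expand a central policy into per-host tunnel definitions, one per (local, remote) pair.

    Each unordered pair gets two SPIs (one per direction); host A's outbound SPI is
    host B's inbound SPI and vice versa. SPI numbering here is a constructed scheme.
    """
    per_host = {h: [] for h in hosts}
    for idx, (a, b) in enumerate(combinations(sorted(hosts), 2)):
        spi_ab, spi_ba = base_spi + 2 * idx, base_spi + 2 * idx + 1
        per_host[a].append({"local_ip": a, "remote_ip": b, "spi_out": spi_ab, "spi_in": spi_ba, **shared})
        per_host[b].append({"local_ip": b, "remote_ip": a, "spi_out": spi_ba, "spi_in": spi_ab, **shared})
    return per_host


def validate(per_host):
    """Return a list of problems: missing mirror tunnels, SPI mismatches, or diverging policy."""
    problems = []
    for host, tunnels in per_host.items():
        for t in tunnels:
            mirror = [p for p in per_host.get(t["remote_ip"], []) if p["remote_ip"] == host]
            if not mirror:
                problems.append(f"{host}->{t['remote_ip']}: peer has no tunnel back")
                continue
            m = mirror[0]
            if (m["spi_out"], m["spi_in"]) != (t["spi_in"], t["spi_out"]):
                problems.append(f"{host}->{t['remote_ip']}: SPI mismatch")
            shared_keys = set(t) - set(MACHINE_DEPENDENT)
            diff = sorted(k for k in shared_keys if t.get(k) != m.get(k))
            if diff:
                problems.append(f"{host}->{t['remote_ip']}: policy differs on {diff}")
    return problems


def parameters_per_tunnel(per_host):
    """(total fields, machine-dependent fields) for one tunnel definition."""
    first = next(t for tunnels in per_host.values() for t in tunnels)
    return len(first), len(MACHINE_DEPENDENT)


if __name__ == "__main__":
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]   # constructed sample mesh
    cfg = expand_policy(hosts)
    print("tunnels in mesh:", tunnel_count(len(hosts)))
    print("fields per tunnel (total, machine dependent):", parameters_per_tunnel(cfg))
    # Simulate one host being hand-edited out of step with the central policy.
    cfg["10.0.0.1"][0]["phase2_encryption"] = "3des-cbc"
    for p in validate(cfg):
        print("problem:", p)
```

Running it shows why a central policy helps: four hosts already mean six tunnels and twelve per-host definitions, yet only four fields in each definition actually vary. The `validate` check is the part worth keeping around even with centralized management, because a single host edited by hand out of step with the policy will fail to negotiate with every peer, and the mismatch shows up twice, once from each side.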