Configuring multiple IKEv2 tunnels by using the same digital certificate

You can use the same digital certificate over multiple Internet Key Exchange Version 2 (IKEv2) tunnels.

Starting with AIX® Version 7.2 Technology Level 5, you can use the same digital certificates at a specific endpoint to configure multiple IKEv2 tunnels, when you use RSA digital signatures in Phase1 configuration for IKEv2. The following figure illustrates such an IKEv2 IPSec tunnel configuration:
Figure 1. IKEv2 IP security tunnel configuration example

In this example configuration, System A uses the /CN=CERT-A certificate for three IKEv2 IPsec tunnels: Tunnel-1, Tunnel-2, and Tunnel-3. Two of these IKEv2 IPsec tunnels from System A are associated with System B, and one is associated with System C. Thus, System A uses the same /CN=CERT-A certificate for both System B and System C. System A has another certificate, /CN=CERT-G, which is used for two IKEv2 IPsec tunnels, Tunnel-4 and Tunnel-5, that are associated with System D.

To use the same IKEv2 certificate over multiple IKEv2 IPsec tunnels as shown in Figure 1, consider the following guidelines:
  • This type of IKEv2 IPsec tunnel configuration is supported only for the IKEv2 protocol on the AIX operating system. It does not support the IKEv1 protocol, so you cannot use IKEv1 IPsec tunnels for this configuration. To use this type of IKEv2 IPsec tunnel configuration, start the IKEv2 daemons by using the following commands:
    startsrc -s tmd; startsrc -s ikev2d; startsrc -s cpsd
  • This type of IKEv2 IPsec tunnel configuration supports Rivest-Shamir-Adleman (RSA) digital signatures that are configured only with ASN1_DN elements in the tunnel definition of the Phase1 configuration. For more information, see Creating IKE tunnels using digital certificates. A combination of a fully qualified domain name (FQDN) and a pre-shared key (PSK) is not supported. Also, ASN1_DN elements in a tunnel definition within an IKE group are not supported in this configuration setup.
  • This type of IKEv2 IPsec tunnel configuration does not support the remid option with the activate subcommand of the ike command. For example, the following command is not supported:
    ike cmd=activate phase=1 remid=/c=IN/o=IBM/ou=ISL/cn=CERT-B
    Alternatively, use the following command with IKEv2 certificates to activate the required tunnel:
    ike cmd=activate numlist=2
The following snippet is an example of key management security association (also known as Phase1 configuration) on System A that defines IKEv2 IPsec tunnels, in which the same IKEv2 certificate is used for multiple IKEv2 IPsec tunnels:
   <IKETunnel
         IKE_TunnelName="Phase1Tunnel1"
         IKE_ProtectionRef="Phase1Tunnel1Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="Yes">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A">
            <IPV4_Address
                  Value="1.1.1.1"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-B">
            <IPV4_Address
                  Value="1.1.1.2"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKETunnel
         IKE_TunnelName="Phase1Tunnel2"
         IKE_ProtectionRef="Phase1Tunnel2Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="Yes">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A">
            <IPV4_Address
                  Value="2.2.2.2"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-B">
            <IPV4_Address
                  Value="2.2.2.3"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKETunnel
         IKE_TunnelName="Phase1Tunnel3"
         IKE_ProtectionRef="Phase1Tunnel3Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="Yes">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A">
            <IPV4_Address
                  Value="3.3.3.3"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-C">
            <IPV4_Address
                  Value="3.3.3.4"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKETunnel
         IKE_TunnelName="Phase1Tunnel4"
         IKE_ProtectionRef="Phase1Tunnel4Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="Yes">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-G">
            <IPV4_Address
                  Value="4.4.4.4"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-D">
            <IPV4_Address
                  Value="4.4.4.5"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
   <IKETunnel
         IKE_TunnelName="Phase1Tunnel5"
         IKE_ProtectionRef="Phase1Tunnel5Pol"
         IKE_Flags_AutoStart="No"
         IKE_Flags_MakeRuleWithOptionalIP="Yes">
      <IKELocalIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-G">
            <IPV4_Address
                  Value="5.5.5.5"/>
         </ASN1_DN>
      </IKELocalIdentity>
      <IKERemoteIdentity>
         <ASN1_DN
               Value="/c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-E">
            <IPV4_Address
                  Value="5.5.5.6"/>
         </ASN1_DN>
      </IKERemoteIdentity>
   </IKETunnel>
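The following script, added here as an example and not IBM code, parses tunnel definitions shaped like the snippet above, reports which remote identities each local certificate DN is shared across (the mapping that Figure 1 draws), and flags any tunnel whose identities are not ASN1_DN, since the page states that only ASN1_DN identities are supported for this setup. The <Config> wrapper, the shortened DNs, and the <FQDN> identity in the constructed sample are assumptions made for this example.

```python
# Added example (not IBM code): inventory and lint of AIX IKEv2 Phase 1 tunnel
# definitions. The <Config> wrapper, short DNs and <FQDN> element are assumptions.
import xml.etree.ElementTree as ET
from collections import defaultdict

SIDES = ("IKELocalIdentity", "IKERemoteIdentity")

# Constructed sample: CERT-A is shared by two peers, CERT-G serves one peer, and
# Phase1Tunnel6 breaks the rule by using an FQDN local identity instead of ASN1_DN.
SAMPLE = """<Config>
 <IKETunnel IKE_TunnelName="Phase1Tunnel1" IKE_ProtectionRef="Phase1Tunnel1Pol">
  <IKELocalIdentity><ASN1_DN Value="/cn=CERT-A"><IPV4_Address Value="1.1.1.1"/></ASN1_DN></IKELocalIdentity>
  <IKERemoteIdentity><ASN1_DN Value="/cn=CERT-B"><IPV4_Address Value="1.1.1.2"/></ASN1_DN></IKERemoteIdentity></IKETunnel>
 <IKETunnel IKE_TunnelName="Phase1Tunnel3" IKE_ProtectionRef="Phase1Tunnel3Pol">
  <IKELocalIdentity><ASN1_DN Value="/cn=CERT-A"><IPV4_Address Value="3.3.3.3"/></ASN1_DN></IKELocalIdentity>
  <IKERemoteIdentity><ASN1_DN Value="/cn=CERT-C"><IPV4_Address Value="3.3.3.4"/></ASN1_DN></IKERemoteIdentity></IKETunnel>
 <IKETunnel IKE_TunnelName="Phase1Tunnel4" IKE_ProtectionRef="Phase1Tunnel4Pol">
  <IKELocalIdentity><ASN1_DN Value="/cn=CERT-G"><IPV4_Address Value="4.4.4.4"/></ASN1_DN></IKELocalIdentity>
  <IKERemoteIdentity><ASN1_DN Value="/cn=CERT-D"><IPV4_Address Value="4.4.4.5"/></ASN1_DN></IKERemoteIdentity></IKETunnel>
 <IKETunnel IKE_TunnelName="Phase1Tunnel6" IKE_ProtectionRef="Phase1Tunnel6Pol">
  <IKELocalIdentity><FQDN Value="hosta.example.test"/></IKELocalIdentity>
  <IKERemoteIdentity><ASN1_DN Value="/cn=CERT-B"><IPV4_Address Value="6.6.6.2"/></ASN1_DN></IKERemoteIdentity></IKETunnel>
</Config>"""

def parse_tunnels(xml_text):
    """Return one dict per <IKETunnel>: name plus (identity tag, Value) for each side."""
    tunnels = []
    for t in ET.fromstring(xml_text).iter("IKETunnel"):
        entry = {"name": t.get("IKE_TunnelName")}
        for side in SIDES:
            elem = next(iter(t.find(side)), None)  # first identity element of that side
            entry[side] = (elem.tag, elem.get("Value")) if elem is not None else (None, None)
        tunnels.append(entry)
    return tunnels

def certificate_usage(tunnels):
    """Map each local certificate DN to the sorted list of remote DNs it is shared across."""
    usage = defaultdict(set)
    for t in tunnels:
        if t["IKELocalIdentity"][0] == "ASN1_DN":
            usage[t["IKELocalIdentity"][1]].add(t["IKERemoteIdentity"][1])
    return {dn: sorted(peers) for dn, peers in usage.items()}

def lint_tunnels(tunnels):
    """Flag tunnels whose identities are not ASN1_DN, which this setup does not support."""
    return [f"{t['name']}: {side} uses {t[side][0]}, not ASN1_DN"
            for t in tunnels for side in SIDES if t[side][0] != "ASN1_DN"]

if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE)
    print(certificate_usage(tunnels), lint_tunnels(tunnels))
```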
Each IKEv2 IPsec tunnel in the example snippet can be uploaded to the IKE database in either of the following ways:
  • Each <IKETunnel> XML element is defined in a separate XML file, along with the corresponding Phase2 configuration. You can upload this type of IKEv2 tunnel definition by using the following command for each XML file:
    ikedb -p file.xml
  • All <IKETunnel> XML elements are defined in a single XML file, along with the corresponding Phase2 configuration and other required configuration settings. You can upload this type of IKEv2 tunnel definition by using the following command:
    ikedb -p single_combined_file.xml
In the IKEv2 IP security tunnel configuration example in Figure 1, if you run the ike cmd=list command on System A, the output might be similar to the following sample:
ike cmd=list
Phase  Tun Id  Status      Local Id                                   Remote Id
1      1       Active      /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A    /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-B
2      1       Active      1.1.1.1-1.1.1.1                            1.1.1.2-1.1.1.2

Phase  Tun Id  Status      Local Id                                   Remote Id
1      2       Active      /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A    /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-B
2      2       Active      2.2.2.2-2.2.2.2                            2.2.2.3-2.2.2.3

Phase  Tun Id  Status      Local Id                                   Remote Id
1      3       Active      /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-A    /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-C
2      3       Active      3.3.3.3-3.3.3.3                            3.3.3.4-3.3.3.4

Phase  Tun Id  Status      Local Id                                   Remote Id
1      3       Active      /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-G    /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-D
2      3       Active      4.4.4.4-4.4.4.4                            4.4.4.5-4.4.4.5

Phase  Tun Id  Status      Local Id                                   Remote Id
1      3       Active      /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-G    /c=IN/st=KA/l=BA/o=IBM/ou=ISL/cn=CERT-E
2      3       Active      5.5.5.5-5.5.5.5                            5.5.5.6-5.5.5.6