A tunnel context entry defines the properties of an IPSec tunnel (and its Security Associations).

Tunnel context entries are configured by entering the tunnel parameters into the configuration file

    %ETC%\SECURITY\FWMCTX.MAN

Note: It is possible to use a different file name; however, doing so will cause an error in CFGFILT when the filter rules are activated.

A context entry within the configuration file has the following fields, one per line:

Line 1 Partner's IP address
Line 2 Local IP address
Line 3 Tunnel ID
Line 4 Partner's SA for ESP
Line 5 Partner's SA for AH
Line 6 Local SA for ESP
Line 7 Local SA for AH
Line 8 Local encryption algorithm
Line 9 Local encryption key length
Line 10 Local encryption key
Line 11 Partner's encryption algorithm
Line 12 Partner's encryption key length
Line 13 Partner's encryption key
Line 14 Local authentication algorithm
Line 15 Local authentication key length
Line 16 Local authentication key
Line 17 Partner's authentication algorithm
Line 18 Partner's authentication key length
Line 19 Partner's authentication key
Line 20 Start time
Line 21 End time
Line 22 Reserved

Any text following '#' on a line is considered a comment.

Multiple tunnel context entries can be defined in this file by specifying them one after another.

Connecting two MPTS IPSec hosts

If you are creating a tunnel between two hosts running MPTS V5.3 or above, you (and/or the administrator on the partner host) can use the tunnel context definition on one host as the basis for the corresponding definition on the other host.

To do this, create the tunnel context definition on the first host; then, copy the file FWMCTX.MAN over to the other host. Edit the copy of FWMCTX.MAN on the other host, and swap the following values:
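As an added example (not MPTS code and not taken from this page), the following Python reads a FWMCTX.MAN file according to the field table above, strips '#' comments, checks that every entry has exactly 22 fields, and builds the partner host's copy of an entry by swapping each partner field with its local counterpart. The swapped pairs are assumed from the field table rather than taken from the page's own list of values; the treatment of blank and comment-only lines (skipped, not counted as fields), the parsing of the four key-length fields as integers, and the algorithm names and keys in the sample are likewise assumptions or constructed placeholders.

```python
"""Parse and mirror FWMCTX.MAN tunnel context entries.

Example code for illustration only; it is not part of MPTS, CFGFILT or HAND_K.
"""

# The 22 fields of one context entry, in the order the field table lists them.
FIELDS = [
    "partner_ip", "local_ip", "tunnel_id",
    "partner_sa_esp", "partner_sa_ah", "local_sa_esp", "local_sa_ah",
    "local_enc_alg", "local_enc_key_len", "local_enc_key",
    "partner_enc_alg", "partner_enc_key_len", "partner_enc_key",
    "local_auth_alg", "local_auth_key_len", "local_auth_key",
    "partner_auth_alg", "partner_auth_key_len", "partner_auth_key",
    "start_time", "end_time", "reserved",
]

# Assumption: the "key length" fields hold decimal integers.
KEY_LEN_FIELDS = {"local_enc_key_len", "partner_enc_key_len",
                  "local_auth_key_len", "partner_auth_key_len"}

# Assumption: these are the local/partner counterparts to exchange when the
# same tunnel is described from the partner host's point of view.  The tunnel
# ID, start/end time and reserved field are left unchanged.
MIRROR_PAIRS = [
    ("partner_ip", "local_ip"),
    ("partner_sa_esp", "local_sa_esp"),
    ("partner_sa_ah", "local_sa_ah"),
    ("partner_enc_alg", "local_enc_alg"),
    ("partner_enc_key_len", "local_enc_key_len"),
    ("partner_enc_key", "local_enc_key"),
    ("partner_auth_alg", "local_auth_alg"),
    ("partner_auth_key_len", "local_auth_key_len"),
    ("partner_auth_key", "local_auth_key"),
]


def strip_comment(line):
    """Drop everything from the first '#' onward, then trim whitespace."""
    return line.split("#", 1)[0].strip()


def parse_fwmctx(text):
    """Return one dict per tunnel context entry found in the file text.

    Assumption: blank and comment-only lines are skipped and do not count
    toward the 22 fields.  An incomplete entry is rejected here, before
    HAND_K would have to reject the file as a syntax error.
    """
    values = [v for v in (strip_comment(raw) for raw in text.splitlines()) if v]
    if len(values) % len(FIELDS) != 0:
        raise ValueError(f"{len(values)} fields is not a multiple of "
                         f"{len(FIELDS)}: an entry is incomplete")
    entries = []
    for start in range(0, len(values), len(FIELDS)):
        entry = dict(zip(FIELDS, values[start:start + len(FIELDS)]))
        for name in KEY_LEN_FIELDS:
            if not entry[name].isdigit():
                raise ValueError(f"{name} must be an integer, got {entry[name]!r}")
            entry[name] = int(entry[name])
        entries.append(entry)
    return entries


def mirror_for_partner(entry):
    """Build the partner host's entry by swapping each partner/local pair."""
    mirrored = dict(entry)
    for partner_field, local_field in MIRROR_PAIRS:
        mirrored[partner_field] = entry[local_field]
        mirrored[local_field] = entry[partner_field]
    return mirrored


def render(entries):
    """Write entries back out, one field per line, with the field name as a comment."""
    lines = []
    for entry in entries:
        lines.extend(f"{entry[name]}   # {name}" for name in FIELDS)
    return "\n".join(lines) + "\n"


# Constructed sample file: addresses, SA numbers, algorithm names and keys are
# placeholders, not a real configuration.
SAMPLE = """\
# constructed sample entry
192.0.2.10              # partner IP address
192.0.2.20              # local IP address
1                       # tunnel ID
256                     # partner SA for ESP
257                     # partner SA for AH
512                     # local SA for ESP
513                     # local SA for AH
ENC_ALG_PLACEHOLDER     # local encryption algorithm
8                       # local encryption key length
LOCAL_ENC_KEY_PLACEHOLDER
ENC_ALG_PLACEHOLDER     # partner encryption algorithm
8                       # partner encryption key length
PARTNER_ENC_KEY_PLACEHOLDER
AUTH_ALG_PLACEHOLDER    # local authentication algorithm
16                      # local authentication key length
LOCAL_AUTH_KEY_PLACEHOLDER
AUTH_ALG_PLACEHOLDER    # partner authentication algorithm
16                      # partner authentication key length
PARTNER_AUTH_KEY_PLACEHOLDER
0                       # start time
0                       # end time
0                       # reserved
"""

if __name__ == "__main__":
    local_entries = parse_fwmctx(SAMPLE)
    print(render([mirror_for_partner(e) for e in local_entries]))
```

Running the module prints the partner host's version of the sample entry; feeding that output back through `parse_fwmctx` yields the mirrored entry again, which is a cheap way to check that the two hosts' files actually describe the same tunnel before either side runs HAND_K.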

Activating the tunnel

To activate a tunnel, run the HAND_K command to load the context entries into the IPSec driver:
    hand_k fwmctx.man

from within the directory where FWMCTX.MAN is located.

If this command is successful, it will return with no output. Any output produced by the HAND_K command indicates an error. Typical causes of errors include syntax errors in FWMCTX.MAN, or one of the required device drivers not being loaded.

The tunnel must also be activated on the partner host, according to whatever method is appropriate for the partner's VPN software.
