Manual tunnels
A manual tunnel is the basic tunnel type defined by the IPSec standards.
In theory, it should be possible to connect to any IPSec-compliant system
using a manual tunnel configuration. However, whether this holds true depends
largely upon whether compatible tunnel parameters can be found.
According to IBM Redbook SG24-5201-00: A Comprehensive Guide to Virtual
Private Networks, Volume I: IBM Firewall, Server and Client Solutions,
manual tunnel connections have been successfully tested with the following
IPSec platforms:
- IBM SecureWay (eNetwork) Firewall for AIX
- AIX V4.3
- OS/390 Server
- SecureWay (eNetwork) Communications Suite for Windows
- OS/2 with MPTS V5.3 or higher
Note: 'SecureWay' is a rebranding of the 'eNetwork' product line.
The two brand names should be considered interchangeable.
The main limitations of manual tunnels are:
- The tunnel endpoints are defined in the configuration
files by IP address. Each endpoint is therefore assumed to have a fixed
(static) address. This is a reasonable assumption in the case of a server
or firewall; however, for single client workstations (especially those using
dial-up connections), this may not be feasible.
- There is no provision for automating the exchange
of encryption keys in advance. Since each endpoint must agree on an encryption
key and algorithm before a tunnel can be established, the VPN administrator
will need to arrange some means of exchanging this information manually.
- For security reasons, these encryption keys have
limited lifespans (typically just a few hours). There is no built-in mechanism
for renewing them once they expire.
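As an added example (not code from the original page or from the firewall product), the following Python script audits a constructed set of manual tunnel definitions against the limitations just listed: it flags endpoints that are written as host names rather than fixed IP addresses, and keys that have already expired or are about to, since nothing in a manual tunnel will renew them and the administrator must arrange a new key by hand. The record layout, field names, time values and sample addresses are assumptions made for illustration, not the firewall's own configuration format.

```python
"""Audit manually keyed IPSec tunnel definitions against the limitations of
manual tunnels: fixed endpoint addresses and keys that expire without any
built-in renewal.

Constructed example: the record layout, field names and sample values below
are assumptions for illustration, not the firewall's own configuration format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass
class ManualTunnel:
    name: str
    local_endpoint: str        # must be a fixed IP address for a manual tunnel
    remote_endpoint: str       # likewise
    algorithm: str             # agreed out of band, together with the key
    key_installed: datetime    # when the manually exchanged key was put in place
    key_lifetime_hours: float  # agreed lifespan; manual tunnels never renew it


def endpoint_is_ip_literal(value: str) -> bool:
    """True if the endpoint is written as an IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def key_expires_at(tunnel: ManualTunnel) -> datetime:
    """Absolute time at which the tunnel's current key stops being usable."""
    return tunnel.key_installed + timedelta(hours=tunnel.key_lifetime_hours)


def audit(tunnels, now: datetime, warn_before: timedelta = timedelta(hours=1)):
    """Return (tunnel name, finding) pairs for every limitation that bites.

    A finding is raised when an endpoint is not an IP literal (a manual tunnel
    cannot follow a host whose address changes) and when the key has expired
    or will expire within `warn_before`, because the administrator has to
    arrange a replacement key by hand before the old one runs out.
    """
    findings = []
    for t in tunnels:
        for side, endpoint in (("local", t.local_endpoint), ("remote", t.remote_endpoint)):
            if not endpoint_is_ip_literal(endpoint):
                findings.append((t.name, f"{side} endpoint '{endpoint}' is not a fixed IP address"))
        expires = key_expires_at(t)
        if now >= expires:
            findings.append((t.name, f"key expired at {expires.isoformat()}; tunnel is down until rekeyed"))
        elif expires - now <= warn_before:
            findings.append((t.name, f"key expires at {expires.isoformat()}; arrange a manual rekey now"))
    return findings


# Constructed sample records (documentation-range addresses from RFC 5737).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TUNNELS = [
    # Server-to-server tunnel with fixed addresses; key installed 08:00 for 8 h.
    ManualTunnel("hq-to-branch", "192.0.2.1", "198.51.100.7", "des-cbc",
                 datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc), 8.0),
    # Dial-up workstation given by name, not address; key installed 06:00 for 4 h.
    ManualTunnel("hq-to-laptop", "192.0.2.1", "laptop.example.net", "des-cbc",
                 datetime(2024, 1, 1, 6, 0, tzinfo=timezone.utc), 4.0),
    # Partner tunnel whose key was installed 04:30 for 8 h, so it ends at 12:30.
    ManualTunnel("hq-to-partner", "192.0.2.1", "203.0.113.9", "des-cbc",
                 datetime(2024, 1, 1, 4, 30, tzinfo=timezone.utc), 8.0),
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_TUNNELS, NOW):
        print(f"{name}: {finding}")
```

Run against the sample set at 12:00, the audit reports nothing for the server-to-server tunnel, two findings for the dial-up tunnel (named endpoint, expired key) and an early warning for the partner tunnel whose key ends at 12:30. Scheduling such a check ahead of each key's lifetime is the practical substitute for the automatic renewal that manual tunnels lack.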
The Internet Key Exchange (IKE) protocol has since been developed to
address these issues. However, an IKE implementation is not included
in the firewall.
Without an IKE implementation, the only real way around these limitations
is to use dynamic tunnels.