HP-UX Containers (SRP) A.03.01 Administrator's Guide

114
For example:
# ipfstat -io
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32
block in quick from any to 192.0.2.1/32
18.3.6 Verifying IPSec data
Enter the following IPSec commands to verify IPSec data:
Use the following ipsec_report command to view the host rules:
ipsec_report -host
The output should include a host policy with the name SRP-container_name-base-1.
For example:
----------------- Configured Host Policy Rule -------------------
Rule Name: SRP-web2-base-1 ID: 7 Priority: 30
Src IP Addr: 192.0.2.1 Prefix: 32 Port number: 0
Dst IP Addr: 10.2.2.2 Prefix: 32 Port number: 0
Network Protocol: All Action: Dynamic key SA
Number of SA(s) Needed: 1 Pair(s)
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
Use the following ipsec_report command to view the IKE rules:
ipsec_report -ike
The output should include an IKE policy with the name SRP-container_name-base-1. For example:
---------------------------- IKE Rule -----------------------------
Rule Name: SRP-web2-base-1 Priority: 30 Cookie: 6
Remote IP Address: 10.2.2.2 Prefix: 32
Group Type: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-MD5 Encryption Algorithm: 3DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
Use the following ipsec_config command to view the authentication records:
ipsec_config show auth
The output should include an IKE policy with the name SRP-container_name-base-1. For example:
auth SRP-web2-base-1
-remote 10.2.2.2/32
-preshared myPresharedKey
-exchange MM
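The ipfstat and ipsec_report output shown above is only useful if someone actually compares it against what the container is supposed to have. The following script is an added example, not part of the HP-UX Containers guide or the SRP product: it parses constructed copies of the ipfstat -io, ipsec_report -host and ipsec_report -ike output formats from this section and checks that the container's stateful outbound passes and catch-all inbound block are present, that the host policy SRP-container_name-base-1 names the container address with a Dynamic key SA action, and that the matching IKE rule names the peer and is set to Secure. The SAMPLE_* texts are constructed for the example; on a real host the live command output is passed in instead.

```shell
#!/bin/sh
# Added example (not from the HP-UX Containers guide): check the output of
# ipfstat -io, ipsec_report -host and ipsec_report -ike for the rules an SRP
# container is expected to carry. The SAMPLE_* texts are constructed from the
# formats shown in this section; on a real host feed the live output instead,
# e.g. srp_ipf_check 192.0.2.1 "$(ipfstat -io)".

# Usage: srp_ipf_check <container_ip> <ipfstat -io output>
# Succeeds when the stateful outbound tcp/udp/icmp passes for the container
# address are present and the final rule is the catch-all inbound block.
srp_ipf_check() {
    ip="$1"
    rules="$2"
    ippat=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
    for proto in tcp udp icmp; do
        printf '%s\n' "$rules" |
            grep -q "^pass out quick proto $proto from $ippat/32 to any keep state\$" || return 1
    done
    last=$(printf '%s\n' "$rules" | sed -n '$p')
    [ "$last" = "block in quick from any to $ip/32" ]
}

# Usage: srp_ipsec_host_check <container_name> <container_ip> <ipsec_report -host output>
# Succeeds when a host policy rule SRP-<container>-base-1 exists whose source
# address is the container address and whose action is "Dynamic key SA".
srp_ipsec_host_check() {
    name="SRP-$1-base-1"
    printf '%s\n' "$3" | awk -v name="$name" -v ip="$2" '
        /^Rule Name:/                    { inrule = ($3 == name) }
        inrule && /^Src IP Addr:/        { src = $4 }
        inrule && /^Network Protocol:/   { sub(/.*Action: /, ""); action = $0 }
        END { exit !(src == ip && action == "Dynamic key SA") }
    '
}

# Usage: srp_ipsec_ike_check <container_name> <peer_ip> <ipsec_report -ike output>
# Succeeds when the IKE rule SRP-<container>-base-1 points at the peer address
# and its action is Secure.
srp_ipsec_ike_check() {
    name="SRP-$1-base-1"
    printf '%s\n' "$3" | awk -v name="$name" -v peer="$2" '
        /^Rule Name:/                    { inrule = ($3 == name) }
        inrule && /^Remote IP Address:/  { remote = $4 }
        inrule && /^Action:/             { action = $2 }
        END { exit !(remote == peer && action == "Secure") }
    '
}

# Constructed sample outputs, following the formats shown in this section.
SAMPLE_IPF=$(cat <<'EOF'
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick proto icmp from any to 192.0.2.1/32
block in quick from any to 192.0.2.1/32
EOF
)
# Constructed broken variant: the inbound default is a pass, not a block.
SAMPLE_IPF_BROKEN=$(cat <<'EOF'
pass out quick proto tcp from 192.0.2.1/32 to any keep state
pass out quick proto udp from 192.0.2.1/32 to any keep state
pass out quick proto icmp from 192.0.2.1/32 to any keep state
pass in quick from any to 192.0.2.1/32
EOF
)
SAMPLE_HOST=$(cat <<'EOF'
----------------- Configured Host Policy Rule -------------------
Rule Name: SRP-web2-base-1 ID: 7 Priority: 30
Src IP Addr: 192.0.2.1 Prefix: 32 Port number: 0
Dst IP Addr: 10.2.2.2 Prefix: 32 Port number: 0
Network Protocol: All Action: Dynamic key SA
Number of SA(s) Needed: 1 Pair(s)
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
EOF
)
SAMPLE_IKE=$(cat <<'EOF'
---------------------------- IKE Rule -----------------------------
Rule Name: SRP-web2-base-1 Priority: 30 Cookie: 6
Remote IP Address: 10.2.2.2 Prefix: 32
Group Type: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-MD5 Encryption Algorithm: 3DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
EOF
)

# Stand-alone run: report each check against the constructed samples.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report srp_ipf_check 192.0.2.1 "$SAMPLE_IPF"
report srp_ipf_check 192.0.2.1 "$SAMPLE_IPF_BROKEN"
report srp_ipsec_host_check web2 192.0.2.1 "$SAMPLE_HOST"
report srp_ipsec_ike_check web2 10.2.2.2 "$SAMPLE_IKE"
```

Each check is keyed on the rule name SRP-container_name-base-1 rather than on line position, so extra rules for other containers in the same report do not disturb it; the ipfstat check deliberately insists that the last rule is the inbound block, because a trailing pass rule for the container address would silently widen what reaches the container.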
You can also use the ipsec_policy utility to verify the IPSec host rule selected for a packet
to the peer address. In the following example, the container address is 192.0.2.1 and
the peer address is 10.2.2.2. The ipsec_policy command queries IPSec to determine
which IPSec and IKE policies are selected for an outbound packet (-dir out) with source IP
address (-sa) 192.0.2.1 and destination IP address (-da) 10.2.2.2.
# ipsec_policy -sa 192.0.2.1 -da 10.2.2.2 -dir out
------------------- Active Host Policy Rule ---------------------