HP-UX IPSec A.02.00.01 Release Notes
HP-UX 11i v2 update 2
Documentation Web Site: http://www.docs.hp.com
Manufacturing Part Number: J4256-90011
September 2004
U.S.A.
© Copyright 2004 Hewlett-Packard Development Company L.P.
Legal Notices

The information in this document is subject to change without notice.

Warranty

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

U.S. Government License

Confidential computer software.
HP-UX IPSec Release Notes

Announcement

HP-UX IPSec provides transparent encryption for IP-based applications. It also enhances the privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based access control, and the Internet Key Exchange (IKE) protocol.
What’s in This Version

The HP-UX IPSec version A.02.00.01 product is the HP-UX IPSec version A.02.00 product updated for support on HP-UX 11i v2 update 2 (v2UD2) systems, and includes the defect fixes listed in “Patches and Fixes in This Version”. In addition, the -homeclear option for Mobile IPv6 now works as documented. HP-UX IPSec version A.02.00.01 has the same features as HP-UX IPSec version A.02.00. HP-UX IPSec version A.02.
• Certificate IDs are configured in authentication records. The authentication records are indexed and searched by remote IP address. There is no longer a certificate ID record for the local system (127.0.0.0).
• The ipsec_report utility supports the following new options:
  • -entity (used with the -audit option): allows you to specify one or more entities when displaying an audit file (-audit).
There is no HP-UX IPSec J4255AA version A.02.00.01 product for HP-UX 11i. The HP-UX IPSec J4256AA product is a superset of J4255AA. J4256AA is available for export worldwide except to countries under U.S. and/or U.N. economic embargo, including the following countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria (this list is subject to change).
Known Problems and Workarounds

• The lower bound for the IPSec SA lifetime in seconds (lifetime_seconds) is 600 seconds for HP-UX IPSec version A.02.00 and 300 seconds for version A.02.00.01. The range for IPSec SA lifetime_seconds configured in a transform is listed as 0 (infinite) or 600 - 4294967294 seconds on pages 77 and 87 of the HP-UX IPSec version A.02.00 Administrator’s Guide. For release A.02.00.
— The /etc/nsswitch.conf file must specify files as the first database for resolving hostnames. You can then specify other sources (such as DNS) as backup databases, as shown in the example below:

hosts: files [NOTFOUND=continue] dns

— The /etc/hosts file must contain an entry for the local hostname mapped to its IP address and an entry for localhost and loopback mapped to the IP address 127.0.0.1, as shown in the example below:

192.6.1.1 127.0.0.
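A pre-installation check for the two name-resolution requirements above, added here as an example; it is not part of HP's release notes or of the HP-UX IPSec product. The function names, the file paths it is handed, and the sample file contents in the demo are assumptions of the example, not HP-UX IPSec conventions.

```sh
#!/bin/sh
# Added example, not HP-UX IPSec code: verify the hostname-resolution
# prerequisites from the release notes before installing A.02.00.01.

# check_nsswitch FILE
# Succeeds only if the "hosts:" line in FILE names "files" as its first
# source (for example "hosts: files [NOTFOUND=continue] dns").
check_nsswitch() {
    hosts_line=$(grep '^hosts:' "$1" | head -n 1)
    [ -n "$hosts_line" ] || return 1
    first=$(printf '%s\n' "$hosts_line" | sed 's/^hosts:[[:space:]]*//' | awk '{ print $1 }')
    [ "$first" = "files" ]
}

# check_hosts FILE HOSTNAME
# Succeeds only if FILE (an /etc/hosts-style file) maps HOSTNAME to an
# address other than 127.0.0.1, and maps both "localhost" and "loopback"
# to 127.0.0.1. Comments are stripped before matching.
check_hosts() {
    body=$(sed 's/#.*//' "$1")
    # local hostname on a non-loopback line
    printf '%s\n' "$body" | awk -v n="$2" '
        $1 != "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }' || return 1
    # localhost and loopback both on the 127.0.0.1 line
    printf '%s\n' "$body" | awk '
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) {
                if ($i == "localhost") l = 1
                if ($i == "loopback") b = 1
            }
        }
        END { exit ((l && b) ? 0 : 1) }'
}

# Demo against constructed sample files (hostname "hpux1" is made up), so the
# script runs offline. On a real system call the functions with
# /etc/nsswitch.conf, /etc/hosts and "$(hostname)" instead.
demo_dir=$(mktemp -d) || exit 1
printf 'hosts: files [NOTFOUND=continue] dns\n' > "$demo_dir/nsswitch.conf"
printf '192.6.1.1 hpux1\n127.0.0.1 localhost loopback\n' > "$demo_dir/hosts"
if check_nsswitch "$demo_dir/nsswitch.conf" && check_hosts "$demo_dir/hosts" hpux1; then
    echo "name-resolution prerequisites met"
else
    echo "name-resolution prerequisites NOT met" >&2
fi
rm -rf "$demo_dir"
```

Both functions return a non-zero status on failure, so they can be chained with && or dropped into a pre-install script that aborts before swinstall runs.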
Pre-Installation Migration Instructions

Before installing HP-UX IPSec version A.02.00.01, verify that your installation meets the following conditions:

• MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec systems must be version A.01.04 or higher. For more information, refer to “MD5 Version Compatibility”.
• Migrating from HP-UX IPSec versions prior to A.01.03 (such as A.01.01 or A.01.
By default, HP-UX IPSec log files are located in the /var/adm/ipsec directory. The log file name format is auditdate_information.log.

Migrating from Versions Prior to A.01.03

If you are updating to HP-UX IPSec version A.02.00.01 from a version released prior to A.01.03 (such as version A.01.01 or A.01.02) and want to re-use your configuration files, you must use the following procedure to first update to HP-UX IPSec version A.01.
Post-Installation Migration Instructions

Configuration File

HP-UX IPSec version A.02.00.01 stores configuration data in a configuration database instead of a policy file. To migrate a policy configuration file from an earlier version of HP-UX IPSec to an A.02.00.01 configuration database, use the following procedure.

Step 1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.02.00.01.
Step 6.
Compatibility Information and Installation Requirements

Software Requirements

You can obtain HP-UX IPSec version A.02.00.01 from the HP Software Depot at http://software.hp.com. The system must have HP-UX 11i v2 update 2 (v2UD2) installed. No additional patches are required.

Installing HP-UX 11i v2 update 2

HP-UX 11i v2 update 2 is not compatible with versions of HP-UX IPSec prior to A.02.00.
Common Mistakes or Gotchas

• The local and remote nodes must have a common transform configured (at least one transform must match).
• IPSec uses IP protocol numbers 50 (ESP) and 51 (AH). IKE uses UDP port 500. Any packet filter or firewall between the two nodes must pass both protocols and that port, or IKE negotiation and the resulting SAs will fail.
Patches and Fixes in This Version

The following bug fixes have been integrated into the A.02.00.01 release:

• JAGaf20785: When using ESP with IPv6, the IPSec SA lifetime byte count is incorrect. If the IPSec SA has a hard (non-infinite) lifetime byte count, transmission will fail if the byte count reaches the hard lifetime on the receiver but not the sender. The receiver will drop the packets.
Event: request OAKLEY_RULE with seq 6, peer ::
Msg: 1101 From: IKMPD Lvl: ERROR Date: Fri Jul 16 13:12:55 2004
Event: Received OAKLEY_RULE for seq 6 but no ISAKMP SA is required.

Existing IPSec/Quick Mode Security Associations (IPSec/QM SAs) will continue to operate, but any network activity that requires new IPSec/QM SAs will fail and the application layer will receive a connection timeout error.
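A detection for this failure mode, added here as an example and not taken from HP's documentation: it scans an ipsec_report-style audit listing for IKMPD records at ERROR level whose event text says that no ISAKMP SA is required, which is the signature quoted above. The record layout it assumes (each record beginning at a Msg: field, with the remaining fields on the same line or on following lines), the function name, and the sample records in the demo are constructed assumptions of the example, not an exact transcription of the HP-UX IPSec audit format; only message number 1101 and the ERROR event text come from the page.

```sh
#!/bin/sh
# Added example (not HP-UX IPSec code): count IKMPD ERROR records reporting
# "no ISAKMP SA is required", the signature of the OAKLEY_RULE failure above.
# Assumes each audit record starts at a "Msg:" field; the other fields may
# follow on the same line or on subsequent lines.

# count_oakley_rule_errors FILE
# Prints the number of matching records in FILE (0 if none).
count_oakley_rule_errors() {
    awk '
        function flush() {
            if (rec ~ /From: IKMPD/ && rec ~ /Lvl: ERROR/ &&
                rec ~ /no ISAKMP SA is required/) n++
            rec = ""
        }
        /^Msg:/ { flush() }          # a new record begins: evaluate the previous one
        { rec = rec " " $0 }         # accumulate the current record as one string
        END { flush(); print n + 0 } # evaluate the last record, print the count
    ' "$1"
}

# Demo on a constructed sample (not a real HP-UX audit log): two records show
# the failure, one is an unrelated record. Message number 1000 is made up.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
Msg: 1101 From: IKMPD Lvl: ERROR Date: Fri Jul 16 13:12:55 2004 Event: Received OAKLEY_RULE for seq 6 but no ISAKMP SA is required.
Msg: 1000
From: IKMPD
Lvl: INFO
Date: Fri Jul 16 13:13:02 2004
Event: request OAKLEY_RULE with seq 7, peer ::
Msg: 1101
From: IKMPD
Lvl: ERROR
Date: Fri Jul 16 13:13:03 2004
Event: Received OAKLEY_RULE for seq 7 but no ISAKMP SA is required.
EOF
hits=$(count_oakley_rule_errors "$sample")
rm -f "$sample"
echo "OAKLEY_RULE / no-ISAKMP-SA errors: $hits"
if [ "$hits" -gt 0 ]; then
    echo "IKE is in the state described above: existing IPSec/QM SAs keep working, new ones will not be negotiated" >&2
fi
```

Because the count is printed rather than exited on, the function can feed a monitoring check that alerts once the count rises between two runs, which is the only way to notice this condition before applications start timing out.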
List of Documents Available with HP-UX IPSec

The list below contains documentation related to the HP-UX IPSec version A.02.00.01 product, available from the HP Technical Documentation Web Site at http://docs.hp.com/hpux/internet/index.html#HP-UX%20IPSec.

• HP-UX IPSec version A.02.00 Administrator’s Guide (J4256-90009) The HP-UX IPSec version A.02.