HP-UX IPSec A.02.01 Release Notes
HP-UX 11i version 1 and HP-UX 11i version 2
Documentation Web Site: http://www.docs.hp.com
Manufacturing Part Number: J4256-90016
October 2005
U.S.A.
© Copyright 2005 Hewlett-Packard Development Company L.P.
Legal Notices
The information in this document is subject to change without notice.
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
U.S. Government License
Confidential computer software.
HP-UX IPSec Release Notes

Announcement
HP-UX IPSec provides transparent encryption for IP-based applications. It also enhances the privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based access control, and the Internet Key Exchange (IKE) protocol.
What’s in This Version
The HP-UX IPSec Version A.02.01 product (J4256AA) is supported on HP-UX 11i version 1 (B.11.11) and HP-UX 11i v2 Update 2 (v2UD2) systems. This version of HP-UX IPSec includes the following new and changed features:
• HP-UX IPSec now supports IKE Aggressive Mode (AM) for IKE Phase 1 negotiations in addition to Main Mode (MM) negotiations. In Aggressive Mode negotiations, the IKE initiator sends ID information in the first packet.
— ipsec_config add certificate: Adds certificates for the local system and the CA to the HP-UX IPSec storage scheme.
— ipsec_config add crl: Adds a Certificate Revocation List to the HP-UX IPSec storage scheme. The source can be a local file or an entry in a Lightweight Directory Access Protocol (LDAP) directory.
— ipsec_config delete certificate: Deletes the certificate for the local system and the CA’s certificate from the HP-UX IPSec storage scheme.
HP-UX IPSec searches for the Java runtime components in the directory /opt/java1.4. If you install the JRE in another directory, you must set the JAVA_HOME environment variable to the appropriate location.
• The ipsec_config command no longer allows you to configure transforms for Encapsulated Security Protocol (ESP) without authentication.
• -sa [all]: The -sa all option (or -sa with no argument) displays both IKE and IPSec SAs; it is equivalent to specifying -sa ike and -sa ipsec. The ipsec_report options -mad and -sad are still supported, but only for backwards compatibility, and are not documented.
• The ipsec_config command now supports spaces in X.500 Distinguished Name (DN) specifications if the DN is enclosed in double quotes (""). For example, "CN=Joe Strummer,C=UK,O=Clampdown Corp,OU=Lab".
Compatibility Information and Installation Requirements
OS Platform and Version Compatibility
HP-UX 11i version 1 (B.11.11) or HP-UX 11i v2 Update 2 (v2UD2).
Software Requirements
You can obtain HP-UX IPSec version A.02.01 from the HP Software Depot at http://www.hp.
Installing TOUR
TOUR version 2.0 and later is not compatible with versions of HP-UX IPSec prior to A.02.00. You cannot install TOUR version 2.0 or later on a system with a release of HP-UX IPSec prior to A.02.00. If you have a prior version of HP-UX IPSec installed, you must install TOUR and HP-UX IPSec A.02.00 at the same time. Alternatively, you can remove (swremove) the prior version of HP-UX IPSec before installing TOUR.
Known Problems and Workarounds
• If you are using DNS, NIS or NIS+ to resolve hostnames to IP addresses and you have an IPSec policy that discards, encrypts or authenticates packets to the DNS, NIS or NIS+ server, you must make sure that the hostname resolution services are configured as follows:
— The /etc/nsswitch.conf file must specify files as the first database for resolving hostnames.
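As an added example (not part of HP's release notes), a small POSIX shell check that an nsswitch.conf file lists files as the first hosts database, which is the condition the workaround above requires; it is run here against constructed sample files rather than the live /etc/nsswitch.conf:

```shell
#!/bin/sh
# Added example, not part of HP's release notes: verify that the "hosts:" entry
# in an nsswitch.conf file lists "files" as the first database, as the
# workaround requires when DNS/NIS/NIS+ traffic is itself covered by an IPSec
# policy. Exit status: 0 = files is first, 1 = another database is first,
# 2 = no usable hosts: entry.
hosts_files_first() {
    conf="${1:-/etc/nsswitch.conf}"
    first=$(sed 's/#.*//' "$conf" | awk '
        /^[ \t]*hosts[ \t]*:/ {
            sub(/^[ \t]*hosts[ \t]*:[ \t]*/, "")   # drop the "hosts:" key
            print $1                              # first database token
            exit
        }')
    [ -z "$first" ] && return 2
    [ "$first" = "files" ] && return 0
    return 1
}

# Constructed sample files (not real system configuration) to exercise the check.
good=$(mktemp); bad=$(mktemp); none=$(mktemp)
printf 'passwd: files nis\nhosts:  files [NOTFOUND=continue] dns\n' > "$good"
printf 'hosts: dns [NOTFOUND=return] files   # DNS consulted first\n' > "$bad"
printf 'passwd: files\n' > "$none"

for f in "$good" "$bad" "$none"; do
    if hosts_files_first "$f"; then
        echo "$f: OK, files is the first hosts database"
    else
        echo "$f: NOT OK (status $?)"
    fi
done
```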
Pre-Installation Migration Instructions
Before installing HP-UX IPSec version A.02.01, verify that your installation meets the following conditions:
• MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec systems must be version A.01.04 or higher. For more information, refer to “MD5 Version Compatibility” on page 11.
• Migrating from HP-UX IPSec versions prior to A.01.03 (such as A.01.01 or A.01.
By default, HP-UX IPSec log files are located in the /var/adm/ipsec directory. The log file name format is auditdate_information.log.
Migrating from Versions Prior to A.01.03
If you are updating to HP-UX IPSec version A.02.00 from a version released prior to A.01.03 (such as version A.01.01 or A.01.02) and want to re-use your configuration files, you must use the following procedure to first update to HP-UX IPSec version A.01.
Post-Installation Migration Instructions
Configuration File
Beginning with version A.02.00, HP-UX IPSec stores configuration data in a configuration database instead of a policy file. To migrate a policy configuration file from an earlier version of HP-UX IPSec to a configuration database, use the following procedure.
Step 1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.02.01.
    ipsec_config add startup -autoboot on
Step 5. Start HP-UX IPSec:
    ipsec_admin -start
Certificate Files
Beginning with release A.02.01, HP-UX IPSec stores certificate files in a generic (not vendor-specific) storage scheme. The ipsec_migrate utility performs the following tasks when migrating to HP-UX IPSec version A.02.01 from previous versions:
• Modifies the format of the file /var/adm/ipsec/cainfo.txt and adds a version string.
Common Mistakes or Gotchas
• The local and remote node must have a common transform configured (at least one transform must match).
• IPSec uses IP protocol numbers 50 and 51. IKE uses UDP port 500.
Patches and Fixes in This Version
The fixes for the following Service Requests (SRs) are included in the A.02.01 release:
SR Number: Description
• 8606-386100 (JAGaf46254): HP-UX IPSec installation failure caused by checkinstall scripts.
• 8606-377766 (JAGaf38024): Configuring a space in the search base for LDAP CRL retrieval causes the retrieval to fail.
• 8606-400090 (JAGaf60046): Problem in anti-replay implementation.
• 8606-385177 (JAGaf45331): Problem with manual key syntax.
• 8606-388808 (JAGaf48956): Active gateway rule with tunnel is not updated after a network interface is de-activated.
• 8606-403163 (JAGaf63097): Problem with ESP in tunnel mode.
• 8606-397770 (JAGaf57752): Ignite-UX build fails with HP-UX IPSec in build.
• 8606-411881 (JAGaf71746): Problem handling the IKE SPI.
List of Documents Available with HP-UX IPSec
Document titles for HP-UX IPSec version A.02.01 are listed below. All documents are available from the HP Technical Documentation Web Site at http:/docs.hp.com/hpux/internet/index.html#HP-UX%20IPSec.
• HP-UX IPSec version A.02.01 Administrator’s Guide (J4256-900015)
• HP-UX IPSec version A.02.01 manpages
• HP-UX IPSec Performance Whitepaper
• HP-UX IPSec version A.02.