HP-UX IPSec version A.02.00 Administrator's Guide
HP-UX 11i version 1 and HP-UX 11i version 2
Manufacturing Part Number: J4256-90009
June 2004
United States
© Copyright 2004 Hewlett-Packard Development Company L.P.
Legal Notices
The information in this document is subject to change without notice.
Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
U.S. Government License
Confidential computer software.
Preface: About This Document This document describes how to install, configure, and troubleshoot HP-UX IPSec. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made. Document updates may be issued between editions to correct errors or document product changes.
• The default Oakley group (Diffie-Hellman group) is now 2.
• Preshared keys are configured in authentication records.
• Administrators can now configure preshared keys for remote subnets.
• IKE ID parameters can now be configured for IKE negotiations when using preshared keys.
• Certificate IDs are configured as IKE ID information in authentication records. The authentication records are indexed and searched by remote IP address.
Publishing History

Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported                              Supported Product Versions   Publication Date
J4256-90009                          11i version 1 (B.11.11), 11i version 2 (B.11.23)         A.02.00                      June 2004
J4256-90005                          11i version 1 (B.11.11)                                  A.01.07                      August 2003
J4256-90003                          11i version 2 (B.11.23)                                  A.01.06                      July 2003
J4256-90001                          11.0, 11.04, 11i version 1 (B.11.11)                     A.01.05                      August 2002
J4255-9011                           11.0, 11.04, 11i version 1 (B.11.11)                     A.01.
Appendix B, Migrating from Previous Versions of HP-UX IPSec
Use this appendix to find out how to migrate from previous versions of HP-UX IPSec.
Appendix C, HP-UX IPSec Configuration Examples
Use this appendix to see configuration parameters for simple topologies.

Typographical Conventions
This document uses the following conventions.
audit (5)   An HP-UX manpage. In this example, audit is the name and 5 is the section in the HP-UX Reference.
HP Encourages Your Comments HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
OpenSSL Copyright Notice HP-UX IPSec includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) NOTE HP-UX IPSec uses specific portions of OpenSSL code to enable support for the Baltimore PKI. HP-UX IPSec does not contain a complete version of OpenSSL software. HP does not support the use of the complete OpenSSL software package with HP-UX IPSec. Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code.
Chapter 1. HP-UX IPSec Overview
HP-UX IPSec Overview
This chapter describes HP-UX IPSec features and topologies.
Introduction
The IP security (IPSec) protocol suite was defined by the Internet Engineering Task Force (IETF) to provide security for IP networks. The IPSec protocol suite provides the following security services for IP networks:
• Data Integrity: guarantee data consistency; prevent unauthorized creation, modification, or deletion of data between source and destination.
• Internet Key Exchange (IKE) protocol, for generating and distributing cryptography keys for ESP and AH. IKE also authenticates the identity of the remote system, so AH and authenticated ESP with IKE keys provide data origin authentication.
• Manual Keys, an alternative to IKE. Instead of dynamically generating and distributing cryptography keys for ESP and AH, the cryptography keys are static and manually distributed.
Authentication Header (AH)
The IPSec Authentication Header (AH) provides integrity and authentication but no privacy: the IP data is not encrypted. The AH contains an authentication value based on a symmetric-key hash function. Symmetric key hash functions are a type of cryptographic hash function that take the data and a key as input to generate an authentication value.
the values match, the recipient is assured that the sender knows the same secret key, confirming the identity of the sender. The recipient is also assured that the data was not altered during transit.
IPv6
In IPv6 AH transport mode, IPSec inserts the AH after the following headers and extensions:
• the basic IPv6 header
• hop-by-hop options
• any destination options needed to interpret the AH header
• routing extensions
• fragment extensions
The items listed below follow the AH:
• any destination options needed only for the "final" destination and not needed to interpret the AH header
• the IP data or payload (e.g.

Tunnel Mode
In tunnel mode, IPSec encloses, or encapsulates, the original IP datagram, including the original IP header, within a second IP datagram. All of the original IP datagram, including all fields of the original header, is authenticated.
IPv6
In IPv6 AH tunnel mode, the packet layout is the same as IPv4 AH tunnel mode, except that the original and new (outer) IP headers may include header extensions.
Encapsulating Security Payload (ESP)
The IPSec Encapsulating Security Payload (ESP) provides data privacy. The ESP protocol also defines an authenticated format that provides data authentication and integrity, with data privacy (described in "Authenticated ESP" on page 36).
ESP Encryption
ESP takes the data carried by IP, such as a TCP packet, and encrypts it using an encryption algorithm and cryptographic key.
AES128-CBC is the most secure form of encryption for HP-UX IPSec. AES128-CBC encryption throughput rates are comparable to or better than DES-CBC and 3DES-CBC. For more information about HP-UX IPSec performance, refer to the HP-UX IPSec Sizing and Performance document available at www.docs.hp.com. DES-CBC has been cracked (data encoded by DES has been decoded by a third party).
• the IP data or payload (e.g., TCP or UDP packet)
Figure 1-5 ESP Encryption in Transport Mode
Tunnel Mode
In tunnel mode, IPSec encloses, or encapsulates, the original IP datagram, including the original IP header, within a second IP datagram. All of the original IP datagram, including the original header, is encrypted.
ESP with Authentication and Encryption
The ESP encryption algorithms by themselves do not provide authentication or guarantee data integrity, so you should use ESP encryption with an authentication and data integrity service.
Nested ESP in AH
An ESP packet can be nested within an AH packet. For example, a 3DES-CBC ESP packet can be nested within an HMAC-MD5 packet. IPSec uses 3DES-CBC to build an ESP packet with the payload data encrypted using a symmetric key. IPSec then nests the ESP packet within an AH packet, using a second symmetric key. All the contents of the packet are authenticated, except the mutable fields of the IP header.
Internet Key Exchange (IKE)
Before IPSec sends authenticated or encrypted IP data, both the sender and receiver must agree on the protocols, encryption algorithms and keys to use. HP-UX IPSec uses the Internet Key Exchange (IKE) protocol to negotiate the encryption and authentication methods, and generate shared encryption keys.
Using the secure communication channel provided by the ISAKMP/MM SA, negotiate one or more SAs for IPSec transforms (AH or ESP). A Phase Two negotiation typically negotiates two SAs for an IPSec transform: one for inbound and one for outbound traffic.
public value to generate a new value. Because of the mathematical properties of the numbers, each party will generate the same value, which can then be used as a symmetric key.
• Digital Signatures
IKE Preshared Key Authentication
With preshared key authentication, you must manually configure the same shared symmetric key, the preshared key, on both systems. The preshared key is used only for the primary authentication. The two negotiating entities then generate dynamic shared keys for the IKE SAs and IPSec/QM SAs. Preshared keys do not require a Certificate Authority or Public Key Infrastructure.
Manual Keys
Manual keys are an alternative to IKE. Instead of using IKE to dynamically generate and distribute cryptography keys for ESP and AH, the cryptography keys are static and manually distributed. Because manual keys are static, using them is less secure than using IKE. Manual keys are typically used only when the remote system does not support IKE, or in Mobile IPv6 topologies.
HP-UX IPSec Topologies
IPSec can be employed between hosts (that is, end nodes), between gateways, or between a host and a gateway in an IP network. HP-UX IPSec can only be installed on end nodes. Installing HP-UX IPSec on an HP-UX system that is a router or gateway is not supported, except when the system is used as an HP-UX Mobile IPv6 Home Agent. See Chapter 7, "HP-UX IPSec and HP-UX Mobile IPv6," on page 199 for more information.
NOTE: In a Host-to-Gateway topology, the gateway cannot be an HP-UX system unless the gateway is an HP-UX Mobile IPv6 Home Agent, and the gateway functionality is used only to forward packets for Mobile IPv6.
Host-to-Host Tunnel Topology
Two end hosts with HP-UX IPSec protection can configure a tunnel policy that securely protects traffic between them.
Gateway-to-Gateway Topology
Two hosts each reside on insecure networks (such as insecure intranets). These hosts need to communicate securely over an insecure public network (such as the Internet). HP-UX IPSec can be used over a tunnel between two (non-HP) IPSec gateways to provide additional end-to-end security.
HP-UX IPSec Configuration and Management Features
The HP-UX IPSec product includes the configuration and management features listed below.
• Easy-to-use configuration utilities: you configure HP-UX IPSec using ipsec_config, which allows batch mode operation. To configure security certificates, use ipsec_mgr, which has a graphical user interface (GUI) and online help.
The ipsec_policy utility takes a packet definition (local and remote IP addresses, upper-layer protocol, local and remote port numbers) as input and reports the IPSec policy that HP-UX IPSec would apply to packets matching the definition.
• Audit logging: HP-UX IPSec maintains an audit log of events, including events that may indicate attempts to compromise network security.
Chapter 2. Installing HP-UX IPSec
Installing HP-UX IPSec
This chapter describes installation prerequisites and procedures for installing HP-UX IPSec software.
HP-UX IPSec Product Requirements
Prior to installing the HP-UX IPSec product, check that your system can accommodate the following product requirements.
Disk Requirements
The total size of the disk space required for the HP-UX IPSec product is 112 Mbytes. Requirements for variable-length user files are listed below:
• Configuration database file (/var/adm/ipsec/config.db): minimum of 50 kbytes per policy file.
Step 1: Verifying HP-UX IPSec Installation and Configuration Prerequisites
1. Verify that the operating system version is HP-UX 11i version 1 (B.11.11) or HP-UX 11i version 2 (B.11.23). To obtain information about the OS, execute the command:
   uname -a
2. Check the latest HP-UX IPSec release note for patch information. To obtain information about a patch, execute the command:
   swlist -i
3.
Step 2: Loading the HP-UX IPSec Software
Follow the steps below to load HP-UX IPSec software using the HP-UX swinstall program.
1. Log in as root.
2. Insert the HP-UX IPSec disk into the appropriate drive, or locate the directory into which you downloaded the software from HP Software Depot.
3. Run the swinstall program using the command:
   swinstall
   This opens the Software Selection window and the Specify Source window.
swinstall loads the fileset, runs the control scripts for the fileset, and builds the kernel. Estimated time for processing: 3 to 5 minutes.
10. Click OK on the Note window to reboot the system. The user interface disappears and the system reboots.
11. When the system reboots, check the log files in /var/adm/sw/swinstall.log and /var/adm/sw/swagent.log to make sure the installation was successful.
Step 3: Setting the HP-UX IPSec Password
When you install HP-UX IPSec, the HP-UX IPSec password is set to ipsec. You must change the HP-UX IPSec password after installing the product to use the autoboot feature and to load and configure security certificates.
Step 4: Completing Post-Installation Migration Requirements
If you are migrating from a previous version of HP-UX IPSec, complete the post-installation migration procedures in Appendix B, "Post-Installation Migration Instructions" on page 291.
Chapter 3. Configuring HP-UX IPSec
Configuring HP-UX IPSec
This chapter describes how to configure HP-UX IPSec, including preshared key configuration. If you are using RSA signature authentication for IKE, you must also see Chapter 4, "Using Certificates with HP-UX IPSec," on page 113 for instructions on configuring certificates. This chapter also describes how to maximize HP-UX IPSec security and how to use the HP-UX IPSec configuration utility, ipsec_config.
Maximizing Security
A system may have both "public" interface IP addresses and "private" interface IP addresses. A public interface IP address is an IP address configured on a Network Interface Card (NIC) connected to a public network. A private interface IP address is an IP address configured on a NIC connected to a private internal network.
   ndd -set /dev/ip ip_strong_es_model 1
You can also enable the RFC 1122 Strong End-System model at system startup time by editing the /etc/rc.config.d/nddconf file. Refer to the ndd (1M) manpage for more information.
Using ipsec_config
The ipsec_config utility adds, deletes and displays HP-UX IPSec configuration objects stored in the configuration database, /var/adm/ipsec/config.db. If HP-UX IPSec is active and running, ipsec_config also adds and deletes configuration information in the runtime policy database.
ipsec_config batch
The ipsec_config batch command allows you to use ipsec_config in batch mode. In batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows administrators to add and delete multiple configuration objects in one operation. This is useful if you are adding or deleting configuration records that affect other operations. HP recommends that you use a batch file to add configuration information.
ipsec_config delete
The ipsec_config delete command deletes objects from the configuration and runtime databases. For example, the following command deletes the host IPSec policy my_host_policy from the configuration database:
   ipsec_config delete host my_host_policy
ipsec_config show
The ipsec_config show command displays objects in the configuration database.
Using a Profile File with a Batch File
The profile argument is illegal inside batch files (you cannot specify the profile argument as part of a statement inside a batch file). You can specify the profile argument as part of the ipsec_config batch command line and ipsec_config will apply it to all entries in the batch file. Refer to the ipsec_config (1M) manpage for more information.
Multihomed Nodes with Private Interfaces
If the local system is multihomed with one public IP interface and one or more private IP interfaces, you may want to secure only the one public IP interface. In this case, you can set the default source parameter value to the address of the public IP interface in the HostPolicy-Defaults, GWPolicy-Defaults, and TunnelPolicy-Defaults sections of the profile file.
Configuration Overview
There are seven main configuration components:
• Host IPSec Policies: host IPSec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. A host IPSec policy contains address specifications used to select the host IPSec policy for a packet.
The bypass list specifies the local IPv4 addresses that IPSec will bypass or ignore. The system will not attempt to find an IPSec policy for packets sent or received using an IP address in the bypass list, and will process these packets as if HP-UX IPSec was not enabled.
Step 5. Configure security certificates and IKE ID information, if you are using RSA signatures for IKE authentication. See Chapter 4, "Using Certificates with HP-UX IPSec," on page 113 for a description of this step.
Step 6. Configure the bypass list of local IPv4 addresses (optional). See "Step 6: Configuring the Bypass List (Local IPv4 Addresses)" on page 101 for a description of this step.
Step 7. Verify the batch file.
Step 1: Configuring Host IPSec Policies
Host IPSec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. Each host IPSec policy includes address specifications used to select the host IPSec policy for a packet, and the action for packets using the policy: pass the packets in clear text, discard the packets, or apply an IPSec transform (AH or ESP) to the packets.
Automatic Priority Increment
You can explicitly set the priority of an IPSec policy with the priority argument, or you can use the automatic priority increment value for host policies in the profile file (the priority parameter value in the HostPolicy-Defaults section of the profile file).
• in and out (inbound and outbound SA information for manual keys)
Refer to the ipsec_config (1M) manpage for full syntax information.
host_policy_name
The host_policy_name is the user-defined name for the host IPSec policy. This name must be unique for each host IPSec policy and is case-sensitive. Acceptable Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr. For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter.
Table 3-1 ipsec_config Service Names (Continued)

Service Name   Port   Protocol
FTP-CONTROL    21     TCP
HTTP-TCP       80     TCP
HTTP-UDP       80     UDP
NTP            123    UDP
REXEC          512    TCP
RLOGIN         513    TCP
RWHO           513    UDP
REMSH          514    TCP
REMPRINT       515    TCP
SMTP           25     TCP
TELNET         23     TCP
TFTP           69     UDP

-protocol protocol_id
The protocol_id is the value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPSec policy f
ICMP
ICMPV6
IGMP
MH (Mobile IPv6 Mobility Headers)
ALL (any protocol)
The protocols ICMP and IGMP are valid with IPv4 addresses only. The protocols ICMPV6 and MH are valid with IPv6 addresses only. The protocol_id must be TCP or UDP if port is non-zero. Default: ALL.
-action
The action argument specifies the action HP-UX IPSec will perform on packets using this policy. The action must be PASS (pass in clear text) if this is an end system in a host-to-host tunnel topology. Default: The action defined for the action parameter in the HostPolicy-Defaults section of the profile file used. The default definition for action is DISCARD.
Where:
transform_name
The transform_name is one of the following AH (Authentication Header) or ESP (Encapsulation Security Payload) transform specifications, or a nested AH and ESP transform formed by joining an AH transform and an ESP transform with a plus sign (+). For example, AH_MD5+ESP_3DES.
TIP: AES128 is the most secure form of encryption, with performance comparable to or better than DES and 3DES.
Table 3-2 ipsec_config Transforms (Continued)

Transform Name        Description
ESP_DES_HMAC_SHA1     ESP DES, authenticated with HMAC-SHA1.
ESP_3DES              ESP with triple-DES CBC (3DES-CBC): three encryption iterations, each with a different 56-bit key.
ESP_3DES_HMAC_MD5     ESP 3DES, authenticated with HMAC-MD5.
ESP_3DES_HMAC_SHA1    ESP 3DES, authenticated with HMAC-SHA1.
ESP_NULL_HMAC_MD5     ESP with null encryption, authenticated with HMAC-MD5.

CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds (0) with a finite value for lifetime_kbytes.
-flags flags
The flags are additional options for this policy. Join multiple flags with a plus sign (+).

Table 3-3 ipsec_config add host Flags

Flag        Description
EXCLUSIVE   Specifies session-based keying. Session-based keying uses a different pair of IPSec/QM SAs per connection or session.
Configuring HP-UX IPSec Step 1: Configuring Host IPSec Policies Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file used. The default flags value is NONE. Host IPSec Policy Configuration Examples The following batch file entry configures a host IPSec policy that requires all traffic between 10.1.1.1 (the local system) and 10.5.5.5 to use ESP with AES128 encryption and HMAC SHA-1 authentication: add host apple_banana -source 10.1.1.1 \ -destination 10.5.5.
clear text (no transform) for the transport. See “Tunnel IPSec Policy Configuration Example” on page 87 for the batch file entry used to configure the tunnel IPSec policy my_host_host_tunnel. The priority is 30 to ensure that HP-UX IPSec selects this policy instead of the policies for telnet and the TCP port 50000 application when the local system is communicating with 10.2.2.2.

add host to_orange -source 10.1.1.1 \
    -destination 10.2.2.
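The following is an added example, not code from the HP-UX IPSec product or from this guide: a small Python checker that emits add host entries in the syntax the examples above use and enforces the rules this step states (PASS or DISCARD or a transform, optionally AH+ESP nested; prefix and port ranges; the flag names of Table 3-3; PASS on a tunnel end system; the lifetime CAUTION). The transform names are only those that appear on this page, a subset of Table 3-2. The -priority and -protocol argument forms, the 1 to 2147483647 priority range (the page states it for IKE policies) and treating 0 kbytes as unlimited are assumptions.

```python
"""Builder and sanity checker for ipsec_config 'add host' batch file entries.

Added example, not HP code. Transform names are the ones on this page
(a subset of Table 3-2); -priority/-protocol forms, the priority range and
the 0-kbytes-means-unlimited reading are assumptions.
"""
import ipaddress

AH_TRANSFORMS = {"AH_MD5"}
ESP_TRANSFORMS = {
    "ESP_DES_HMAC_SHA1", "ESP_3DES", "ESP_3DES_HMAC_MD5", "ESP_3DES_HMAC_SHA1",
    "ESP_NULL_HMAC_MD5", "ESP_AES128", "ESP_AES128_HMAC_SHA1",
}
FLAGS = {"NONE", "EXCLUSIVE"}   # Table 3-3
PRIORITY_MAX = 2147483647       # assumed: same range the page gives for IKE policies


class PolicyError(ValueError):
    """An entry that violates one of the rules stated on the page."""


def check_transform(action):
    """Return warnings for an -action value; raise PolicyError if it is malformed.

    A transform is one AH or ESP name, or AH+ESP joined with '+'. An ESP
    transform without an HMAC part (and no AH in front) gives no data
    integrity, which the page says should not be used, so it is reported."""
    if action in ("PASS", "DISCARD"):
        return []
    parts = action.split("+")
    for part in parts:
        if part not in AH_TRANSFORMS | ESP_TRANSFORMS:
            raise PolicyError(f"unknown transform {part!r}")
    if len(parts) == 2 and not (parts[0] in AH_TRANSFORMS and parts[1] in ESP_TRANSFORMS):
        raise PolicyError(f"nested transform must be AH+ESP, got {action!r}")
    if len(parts) > 2:
        raise PolicyError(f"too many nested transforms in {action!r}")
    has_integrity = any(p in AH_TRANSFORMS or "_HMAC_" in p for p in parts)
    return [] if has_integrity else [f"{action} has no authentication (no data integrity)"]


def check_address(spec, label):
    """Validate ip_addr[/prefix[/port_number|service_name]]; return (ip, prefix, port)."""
    fields = spec.split("/")
    if len(fields) > 3:
        raise PolicyError(f"{label}: too many '/' fields in {spec!r}")
    ip = ipaddress.ip_address(fields[0])            # ValueError if malformed
    prefix = ip.max_prefixlen                       # default: every bit must match
    if len(fields) >= 2:
        prefix = int(fields[1])
        if not 0 <= prefix <= ip.max_prefixlen:
            raise PolicyError(f"{label}: prefix {prefix} outside 0-{ip.max_prefixlen}")
    port = fields[2] if len(fields) == 3 else None
    if port is not None and port.isdigit() and not 0 <= int(port) <= 65535:
        raise PolicyError(f"{label}: port {port} out of range")
    return ip, prefix, port


def address_ok(spec):
    """True if check_address accepts spec."""
    try:
        check_address(spec, "address")
        return True
    except ValueError:          # PolicyError is a ValueError too
        return False


def check_lifetimes(lifetime_seconds, lifetime_kbytes):
    """The CAUTION above: do not pair an infinite lifetime_seconds (0) with a
    finite lifetime_kbytes (0 kbytes is assumed to mean unlimited as well)."""
    if lifetime_seconds == 0 and lifetime_kbytes != 0:
        return ["infinite lifetime_seconds (0) combined with finite lifetime_kbytes"]
    return []


def host_policy_entry(name, source, destination, action, protocol=None,
                      priority=None, flags="NONE", tunnel=None):
    """Build one 'add host' entry with backslash continuations; return (text, warnings)."""
    warnings = check_transform(action)
    check_address(source, "-source")
    check_address(destination, "-destination")
    for flag in flags.split("+"):
        if flag not in FLAGS:
            raise PolicyError(f"unknown flag {flag!r}")
    if priority is not None and not 1 <= priority <= PRIORITY_MAX:
        raise PolicyError(f"priority {priority} outside 1-{PRIORITY_MAX}")
    if tunnel is not None and action != "PASS":
        raise PolicyError("a tunnel end system must use -action PASS with -tunnel")
    args = [f"-source {source}", f"-destination {destination}"]
    if protocol is not None:
        args.append(f"-protocol {protocol}")
    if priority is not None:
        args.append(f"-priority {priority}")
    if tunnel is not None:
        args.append(f"-tunnel {tunnel}")
    args.append(f"-action {action}")
    if flags != "NONE":
        args.append(f"-flags {flags}")
    return "add host " + name + " " + " \\\n    ".join(args), warnings
```

Calling host_policy_entry("apple_banana", "10.1.1.1", "10.5.5.5", "ESP_AES128_HMAC_SHA1") reproduces the first example above, and check_transform("ESP_AES128") returns the no-integrity warning that Step 2 cautions about.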
Step 2: Configuring Tunnel IPSec Policies

Complete this step only if you are using IPSec tunnels. If you are not using IPSec tunnels, continue to “Step 3: Configuring IKE Policies” on page 89.

Tunnel IPSec policies specify HP-UX IPSec behavior for IP packets tunneled by the local system. In an IPSec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPSec packet with an AH or ESP header.
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
-source and -destination ip_addr[/prefix[/port_number|service_name]]

HP-UX IPSec uses the ip_addr, prefix, and port_number or service_name together with the protocol argument to form an address identifier. When negotiating an outbound IPSec tunnel SA, HP-UX IPSec uses the source address identifier as the proxy source ID, and uses the destination address identifier as the proxy destination ID.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr. For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter.
-protocol protocol_id

The protocol is the value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPSec policy for a packet. You cannot specify protocol and service_name in the same policy. Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement.
-action transform_list

A transform specifies the IPSec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform list specifies the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the transform list when negotiating the transform for IPSec Security Associations (SAs) with a remote system.
ESP transforms without authentication (such as ESP_AES128) do not provide data integrity and should not be used.

Default: the transform defined for the action parameter in the TunnelPolicy-Defaults section of the profile file used. The default action is ESP_AES128_HMAC_SHA1.

lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IPSec SA, in seconds.
ipsec_config add tunnel my_host_host_tunnel \
    -tsource 10.1.1.1 -tdestination 10.2.2.2 \
    -source 10.1.1.1 -destination 10.2.2.
Step 3: Configuring IKE Policies

Complete this step only if you are using dynamic keys for IPSec. You do not need to configure IKE policies if you are using only manual keys for IPSec, or if you are only using HP-UX IPSec to discard packets.
If you are configuring the first IKE policy and do not specify a priority argument, ipsec_config assigns the automatic priority increment value as the priority.
-remote ip_addr[/prefix]

The ip_addr and prefix are the IP address and network prefix length that specify the remote system or subnet for this policy. HP recommends that you do not specify a wildcard address (0.0.0.0/0 or 0::0/0). Wildcard addresses allow unauthorized systems to engage the local system in IKE negotiations.

Where:

ip_addr
The ip_addr is the remote IP address.
Range: 1 - 2147483647.

Default: if you do not specify a priority, ipsec_config assigns a priority value equal to the current highest priority value (lowest priority) for IKE policies in the configuration database, incremented by the automatic priority increment value (priority) for IKE policies specified in the HostPolicy-Defaults section of the profile file. This policy will be the last policy evaluated before the default policy.
-hash MD5|SHA1

The hash argument specifies the hash algorithm for authenticating IKE messages. This must match the hash algorithm configured on the remote system.

Acceptable Values:
MD5 (128-bit key Hashed Message Authentication Code using RSA Message Digest-5, HMAC-MD5)
SHA1 (160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1)

Default: the value of the hash parameter in the IKE-Defaults section of the profile file used.
If the value of max_quick_modes is 1, IKE provides Perfect Forward Secrecy (PFS) for the IPSec SA keys and the identities of the ISAKMP negotiating parties (and the identities of any parties for which the ISAKMP parties are acting as proxies). With PFS, the exposure of one key permits access only to data protected by that key.
Step 4: Configuring Preshared Keys Using Authentication Records

Complete this step only if you configured PSK (preshared keys) as an IKE authentication method in “Step 3: Configuring IKE Policies” on page 89. If you configured RSASIG (RSA signatures) as the IKE authentication method in all IKE policies, skip this step, and go to Chapter 4, “Using Certificates with HP-UX IPSec,” on page 113.
authentication record. For preshared key authentication, the authentication record contains the preshared key value and can also contain the following IKE ID information:
• local ID type
• local ID value
• remote ID type
• remote ID value

If the authentication record matching the remote address includes local ID information, HP-UX IPSec sends the configured local ID information in an ISAKMP ID payload.
• nocommit (verify the syntax but do not commit the information to the database)
• profile (alternate profile file)
• ltype and lid (local ID type and value)
• rtype and rid (remote ID type and value)

Refer to the ipsec_config (1M) manpage for full syntax information.

auth_name
The auth_name is the user-defined name for the authentication record. This name must be unique for each record and is case-sensitive.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter. For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.
The following batch file entries configure authentication records with preshared key authentication for a remote multihomed HP-UX IPSec system, with addresses 10.8.8.8 and 11.8.8.8:

add auth -remote 10.8.8.8 -preshared my_hostA_hostX_key
add auth -remote 11.8.8.
Step 5: Configuring Certificates

See Chapter 4, “Using Certificates with HP-UX IPSec,” on page 113 for information on configuring certificate information if you are using RSA signatures for IKE authentication. After you have configured certificate information, go to “Step 6: Configuring the Bypass List (Local IPv4 Addresses)” on page 101.
Step 6: Configuring the Bypass List (Local IPv4 Addresses)

The bypass list specifies local IPv4 addresses that IPSec will bypass or ignore. The system will not attempt to find an IPSec policy for packets sent or received using an IP address in the bypass list, and the system will process these packets as if HP-UX IPSec were not enabled. The bypass list improves transmission rates for the addresses it contains.
application (16.1.1.1 and 16.2.2.2), and configure the critical application to use only those specific logical interfaces. You can then configure the remaining logical interfaces (15.1.1.1 and 15.2.2.2) in the bypass list.

Figure 3-1 Bypass List Example. The figure shows Node1 with 15.1.1.1 (lan0:0) bypassed and 16.1.1.1 (lan0:1) secured, and Node2 with 15.2.2.2 (lan0:0) bypassed and the secured address 16.2.2.
add bypass ip_address

The full ipsec_config add bypass syntax also allows you to specify the nocommit argument (verify the syntax but do not commit the information to the database). Refer to the ipsec_config (1M) manpage for full syntax information.

ip_address
The ip_address is the IPv4 address to bypass.
Step 7: Verify Batch File Syntax

Use the following command to verify the contents of the ipsec_config batch file without committing the configuration:

ipsec_config batch batch_file_name -nocommit

The ipsec_config utility displays the following message to indicate the profile file used:

Using default profile file /var/adm/ipsec/.ipsec_profile

If there are no syntax errors in the batch file, ipsec_config returns without displaying any other messages.
Step 8: Committing the Batch File Configuration and Verifying Operation

Use the following procedure to verify your installation of HP-UX IPSec.

1. Commit the batch file operations to the configuration database with the following command:

ipsec_config batch batch_file_name

2.
ipsec_admin -status

You will see a display similar to the following:

----------------- IPSec Status Report -----------------
Time: Thu Dec 24 15:21:37 1998
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.
After doing so, enter the following commands:

ipsec_report -host
ipsec_report -sad

Or, run:

ipsec_report -all

From the output of ipsec_report, you can verify the status of the outbound IPSec SA for the packets using the IPSec policy you are verifying. Check the active host IPSec policies (ipsec_report -host output) for entries that correspond to the IPSec policy you are verifying.
--- Current Lifetimes ---
bytes processed: 6256
addtime (seconds): 3
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800

The information for the inbound IPSec SA corresponds to inbound traffic from the remote system (the source address is 15.2.2.2).
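An added example, not part of this guide or the HP-UX IPSec product: a Python health check that parses text in the form of the ipsec_admin -status report and the SA lifetime blocks shown in this step, flags any daemon that is not running and responding, and reports how much of each hard lifetime an SA has consumed. The sample text is constructed from the fragments on this page, with the ikmpd state changed to show a failure; anything about the real output beyond those fragments is an assumption.

```python
"""Health check for ipsec_admin -status output and IPSec SA lifetimes.

Added example, not HP code. SAMPLE_STATUS and SAMPLE_SA_LIFETIMES are
constructed from the fragments shown in this step (with the ikmpd state
changed to demonstrate a failure); anything about the real output beyond
those fragments is an assumption.
"""
import re

SAMPLE_STATUS = """\
----------------- IPSec Status Report -----------------
Time: Thu Dec 24 15:21:37 1998
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Not running
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998
"""

SAMPLE_SA_LIFETIMES = """\
--- Current Lifetimes ---
bytes processed: 6256
addtime (seconds): 3
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800
"""

# The three daemons the status report lists; all must be running and responding.
REQUIRED_DAEMONS = ("secauditd", "secpolicyd", "ikmpd")
HEALTHY = "Running and responding"


def parse_status(text):
    """Return {'daemons': {name: state}, 'kernel': ..., 'audit_level': ..., 'audit_file': ...}."""
    result = {"daemons": {}}
    for line in text.splitlines():
        m = re.match(r"^(\w+) program:\s*(.+)$", line)
        if m:
            result["daemons"][m.group(1)] = m.group(2).strip()
            continue
        for key, pattern in (("kernel", r"^IPSec kernel:\s*(.+)$"),
                             ("audit_level", r"^IPSec Audit level:\s*(.+)$"),
                             ("audit_file", r"^IPSec Audit file:\s*(.+)$")):
            m = re.match(pattern, line)
            if m:
                result[key] = m.group(1).strip()
    return result


def status_problems(text):
    """List every component that is not in the healthy state; an empty list means OK."""
    st = parse_status(text)
    problems = []
    for name in REQUIRED_DAEMONS:
        state = st["daemons"].get(name, "missing from report")
        if state != HEALTHY:
            problems.append(f"{name}: {state}")
    if st.get("kernel") != "Up":
        problems.append(f"IPSec kernel: {st.get('kernel', 'missing from report')}")
    return problems


def parse_lifetimes(text):
    """Parse the Current/Hard Lifetimes blocks of one SA into {'current': {...}, 'hard': {...}}."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^--- (\w+) Lifetimes ---$", line)
        if m:
            current = m.group(1).lower()
            blocks[current] = {}
            continue
        m = re.match(r"^([\w ]+?)(?: \(seconds\))?:\s*(\d+)$", line)
        if m and current is not None:
            blocks[current][m.group(1).replace(" ", "_")] = int(m.group(2))
    return blocks


def lifetime_fraction_used(text):
    """Fraction of each hard limit already consumed; a hard limit of 0 is unlimited and skipped."""
    lt = parse_lifetimes(text)
    return {key: lt["current"][key] / hard
            for key, hard in lt["hard"].items() if hard}


def near_expiry(text, threshold=0.9):
    """Names of the limits at or beyond threshold, where a rekey should be imminent."""
    return sorted(k for k, f in lifetime_fraction_used(text).items() if f >= threshold)


if __name__ == "__main__":
    print(status_problems(SAMPLE_STATUS))
    print(near_expiry(SAMPLE_SA_LIFETIMES, threshold=0.001))
```

On a real system the text would come from running the two commands; the parser is kept separate from command execution so it can be exercised on saved output.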
Step 9: Configuring HP-UX IPSec to Start Automatically

After you have verified that your HP-UX IPSec configuration is operating properly, you can configure HP-UX IPSec so that it starts automatically at system startup time.

TIP: HP recommends that you configure HP-UX IPSec to start automatically at system startup time once you have a known, good HP-UX IPSec configuration. This allows HP-UX IPSec to secure your system at all times.
• spi_max (upper bound for the inbound, dynamic key Security Parameters Index)
• spd_soft (the “soft” limit for the size of the Security Policy Database)
• spd_hard (the “hard” limit for the size of the Security Policy Database)

Refer to the ipsec_config (1M) manpage for full syntax information.
Step 10: Creating Backup Copies of the Batch File and Configuration Database

Create backup copies of your batch file and the configuration database files on removable media and store them in a secure place. The configuration database file path is:
• /var/adm/ipsec/config.
Chapter 4: Using Certificates with HP-UX IPSec

This chapter describes how to use security certificates with HP-UX IPSec.
Overview

You must use security certificates if you are using digital signatures (RSA signatures) for IKE authentication. HP-UX IPSec uses the certificates to obtain cryptography keys for digital signatures and to verify the digital signatures. If you are not using digital signatures for IKE authentication, you can skip this chapter.
Certificates are issued with a specific lifetime, defined by a start date/time and an expiration date/time. However, situations can arise, such as a compromised key value, that necessitate the revocation of the certificate. In this case, the certificate authority can revoke the certificate.
negotiation and each entity may get the other entity’s certificate from a CA or certificate directory service. The method used varies according to the CA used and the services provided by the CA.

Requirements

To use security certificates, your topology must meet the following requirements:
• The systems using certificates must use IPv4 addresses for IPSec. IKE digital signature authentication is not supported with IPv6 addresses.
Using VeriSign Certificates

Overview

There are three main components in the VeriSign Managed PKI architecture.
• A VeriSign Managed PKI Certificate Authority (CA), which is located at a VeriSign data center and administered by VeriSign. The Managed PKI CA creates and manages certificates and Certificate Revocation Lists (CRLs). The VeriSign Managed PKI CA is accessed through the VeriSign Managed PKI Control Center website.
3. The local Managed PKI Administrator uses a web browser to visit the Managed PKI Control Center website and approve the certificate request. This sends an Approve Request message to the Managed PKI CA.
4. The IPSec administrator requests ipsec_mgr to check on the certificate request. The ipsec_mgr program sends a message to the Managed PKI Control Center to retrieve the certificate.
5. The Managed PKI CA sends the certificate to ipsec_mgr.
Step 4. Request and retrieve a VeriSign certificate. You must do this on each HP-UX IPSec system using VeriSign certificates.
Step 5. Configure authentication records with IKE IDs. This task is described in “Configuring Authentication Records with IKE IDs” on page 134.
Step 6. Configure your system to automatically retrieve the Certificate Revocation List (CRL), or manually retrieve the CRL.
• Hostname of the proxy server
• Port number on which the proxy server receives internal requests
• User name for the proxy server, if the proxy server requires user name and password authentication
• Password for the proxy server, if the proxy server requires user name and password authentication

Step 2: Configuring Web Proxy Server Parameters

If you need to use a web proxy server to access the VeriSign Managed PKI Control Center, use
The Proxy Server Settings window opens. Complete the fields with the parameters for your web proxy server:
a. Local Hostname: hostname of the proxy server
b. Local Port: port number on which the proxy server receives internal requests, such as 80, the IANA port registered for the HTTP service.
c. User Name: the user name for the proxy server, if the proxy server requires user name and password authentication
d.
2. The number of certificates must equal the number of IPSec systems that will be using certificate-based primary authentication for IKE (such as RSA signatures).

Step 4: Requesting and Receiving Certificates

Each HP-UX IPSec system that will use a certificate-based primary authentication method for IKE must request and get its own certificate before starting the HP-UX IPSec subsystem.
2. Click Request Certificate in the lower-left corner of the Certificates screen. The Request Certificate screen appears.
3. Enter the interface IP address for the certificate being created in the IP Address field. The default is the first IP address ipsec_mgr finds for the local system. The IP address specified in this field will be the SubjectAlternativeName field for the local system’s certificate.
12. After the Managed PKI Administrator has approved the certificate request and the Managed PKI Control Center has processed the approval, click the Check on Request button on the Certificate screen (the actual address information captured in the screen image was obscured for publication). The ipsec_mgr program retrieves the certificate from the Managed PKI Control Center if the request was granted.
Using Baltimore Certificates

If you are using the Baltimore CA for authentication with IPSec, you must first purchase the Baltimore UniCERT 3.5 package. For more information about any of the prerequisites below, see the documentation you received from Baltimore.

Baltimore Certificate Tasks

To use Baltimore certificates, you must complete the following tasks:
Step 1. Complete and verify the prerequisite requirements.
Step 2.
NOTE: You do not need to install any Baltimore software on the IPSec hosts that will use Baltimore certificates.

2. Set up the PKI structure on the Baltimore CA host. The PKI structure is a part of the Certificate Authority Operator (CAO) component.
3. Enable LDAP.
4. From the PKI view, right click on the icon for your CA. Select Attributes. Click on the Certificate CRL and Directory Options tab.
Step 2: Requesting the Baltimore Certificate

Before you configure a Baltimore certificate using ipsec_mgr, you must obtain a PKCS#12 file from the Baltimore Certificate Authority. The Baltimore CA Administrator at your site must use the Face to Face method to request the certificate, and must note certain information during the request and retrieval process.

To request a certificate as the Baltimore CA Administrator:
1.
10. Choose PKCS#12 encoded certificate as the format in which to save the certificate.
11. Save the certificate to the same file in which you saved the request with the secret key. The message Do you want to replace this file will appear. Select Yes. The file is not replaced; the new information is appended to the original file.
Using a Remote Display Device

The ipsec_mgr configuration GUI requires a graphical display device. If you are using a remote graphical display device, be sure that you:
• Set the DISPLAY environment variable to your display device. For example, if you are using the Korn shell, the command is:
export DISPLAY=display_device:0.0
• Execute the ipsec_mgr program from the system console.

2.
The Baltimore Certificate Import screen appears.
4. Enter the IP address of the CA provided by the Baltimore CA Administrator into the CA’s IP Address field.
5. Enter the full path for the PKCS#12 file you received from the Baltimore CA Administrator into the File Name field. You can use the Browse button to locate the PKCS#12 file if you do not know the full path.
6.
a. Enter the server name or IP address of the LDAP server where the Certificate Revocation List (CRL) for the Baltimore PKI is stored.
b. Enter the TCP port number used for connecting to the LDAP server where the CRL is stored. The standard port number for an LDAP server is 389.
c. Enter the search base values for the CRL for the CA. The search base is not case sensitive. You can obtain the search base values from your LDAP Administrator.
The following are examples of search filter values. Each example corresponds to the search base example in step c. The syntax of these examples is precise, including the delimiting commas between attributes and the absence of other punctuation.
• cn=unicertpki1
• cn=unicertpki1, ou=ipsec
• cn=unicertpki1, ou=ipsec, o=hp

8. Click OK. The certificate configuration is saved. Go on to “Configuring Authentication Records with IKE IDs” on page 134.
Configuring Authentication Records with IKE IDs

HP-UX IPSec uses IKE ID information to verify the identity that the remote system sends as part of the ISAKMP negotiation. HP-UX IPSec also verifies the IKE ID against the information in the remote system’s certificate. HP-UX IPSec stores IKE information in authentication records.
If the matching authentication record has remote ID information, HP-UX IPSec uses it to verify what the remote system sends in the ISAKMP ID payload. HP-UX IPSec also verifies that the remote ID information matches the ID information in the remote system’s certificate.
Determining the IPv4 Address in the SubjectAlternativeName

You can use the following procedures to determine the SubjectAlternativeName for the local system’s certificate.

VeriSign
To determine the SubjectAlternativeName for a VeriSign certificate, select the certificate for the 127.0.0.1 address from the ipsec_mgr Certificates screen, then click Details.
add auth auth_name -remote ip_addr[/prefix] [-ltype local_id_type] [-lid local_id] [-rtype remote_id_type] [-rid remote_id]

The full ipsec_config add auth syntax specification also allows you to specify the following arguments:
• nocommit (verify the syntax but do not commit the information to the database)
• profile (alternate profile file)
• preshared (preshared key)

Refer to the ipsec_config (1M) manpage for full s
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.

Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
-rtype remote_id_type

The remote_id_type is the ID type used to verify the ID type sent by the remote system when negotiating an ISAKMP/MM SA. This must match what is configured on the remote system. You do not have to configure the remote ID type if the remote system is an HP-UX system or a non-HP system that uses IPv4 addresses as the ID type, and is not multihomed.
For remote_id_type USER-FQDN, remote_id is the User-Fully Qualified Domain Name (User-FQDN) in SMTP format, such as user@myhost.hp.com. This must match the subject of the certificate.

For remote_id_type X500-DN, remote_id is the X.500 Distinguished Name. This must match the Subject distinguishedName (Subject DN) of the certificate.
add auth Zebra1 -remote 10.20.20.20 -rtype IPV4 \
    -rid 10.20.20.20
add auth Zebra2 -remote 192.6.2.21 -rtype IPV4 \
    -rid 10.20.20.20

You do not have to specify local ID information in the above entries because Black is not multihomed, and uses its IPv4 address as its ID. On Zebra, you add the following entry to the ipsec_config batch file:

add auth Black -remote 10.10.10.10 -ltype IPV4 \
    -lid 10.20.20.
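The following is an added example, not HP code, that models what this section describes on the Black side: find the authentication record whose -remote covers the peer's address, check the ID the peer sends in the ISAKMP ID payload against the record's remote ID (or, with no -rtype configured, against the peer's own IPv4 address), and then check that ID against the certificate (SubjectAlternativeName for IPV4, Subject DN for X500-DN). The records are the Zebra1 and Zebra2 entries above; the certificate contents, the negotiation inputs and the rule that the most specific (longest prefix) record wins are constructed assumptions, and USER-FQDN is not modelled.

```python
"""Authentication-record lookup and remote IKE ID verification.

Added example (not HP code). Records are the Black-side 'add auth' entries
of the Zebra example; certificate contents, negotiation inputs and the
longest-prefix-wins rule are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthRecord:
    name: str
    remote: str                       # -remote ip_addr[/prefix]
    rtype: Optional[str] = None       # -rtype; None = not configured
    rid: Optional[str] = None         # -rid
    ltype: Optional[str] = None       # -ltype (not used in the checks below)
    lid: Optional[str] = None         # -lid

    def network(self):
        """The -remote filter as a network; no prefix means every bit must match."""
        ip, _, prefix = self.remote.partition("/")
        plen = prefix or ipaddress.ip_address(ip).max_prefixlen
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def find_auth_record(records, remote_addr):
    """Record whose -remote covers the peer address; longest prefix wins (assumption)."""
    candidates = [r for r in records if ipaddress.ip_address(remote_addr) in r.network()]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network().prefixlen)


def verify_remote_id(record, remote_addr, id_type, id_value, cert):
    """Apply both checks described in this section; return (accepted, reason).

    With no -rtype the peer is expected to identify itself by its own IPv4
    address. The ID must then also agree with the certificate: the
    SubjectAlternativeName for IPV4, the Subject DN for X500-DN."""
    if record.rtype is None:
        expected = ("IPV4", remote_addr)
    else:
        expected = (record.rtype, record.rid)
    if (id_type, id_value) != expected:
        return False, f"ID payload {id_type}:{id_value} does not match record {record.name}"
    if id_type == "IPV4" and cert.get("subject_alt_name_ip") != id_value:
        return False, "ID does not match certificate SubjectAlternativeName"
    if id_type == "X500-DN" and cert.get("subject_dn") != id_value:
        return False, "ID does not match certificate Subject DN"
    return True, f"ID verified against record {record.name} and certificate"


# Black's batch file entries from the example above: Zebra is multihomed and
# always identifies itself as 10.20.20.20, whichever address it sends from.
BLACK_RECORDS = [
    AuthRecord("Zebra1", "10.20.20.20", rtype="IPV4", rid="10.20.20.20"),
    AuthRecord("Zebra2", "192.6.2.21", rtype="IPV4", rid="10.20.20.20"),
]
# Constructed certificate contents for Zebra (not a real certificate).
ZEBRA_CERT = {"subject_alt_name_ip": "10.20.20.20", "subject_dn": "CN=zebra, O=example"}


def check_negotiation(remote_addr, id_type, id_value, cert=ZEBRA_CERT, records=BLACK_RECORDS):
    """What Black decides for an ISAKMP ID payload arriving from remote_addr."""
    record = find_auth_record(records, remote_addr)
    if record is None:
        return False, f"no authentication record for {remote_addr}"
    return verify_remote_id(record, remote_addr, id_type, id_value, cert)


if __name__ == "__main__":
    print(check_negotiation("192.6.2.21", "IPV4", "10.20.20.20"))   # accepted
    print(check_negotiation("192.6.2.21", "IPV4", "192.6.2.21"))    # rejected
```

The second call shows why the Zebra2 record carries -rid 10.20.20.20: a peer at 192.6.2.21 that identified itself by that address would be refused, because Zebra's certificate names 10.20.20.20.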
Retrieving the Certificate Revocation List (CRL)

If you are using VeriSign or Baltimore certificates, you must add an entry to the root user’s crontab file, located in /var/spool/cron/crontabs/root, to periodically retrieve the Certificate Revocation List (CRL) from the VeriSign or Baltimore Certificate Authority. Alternately, you can manually retrieve the CRL using ipsec_mgr.
[min] [hr] [mon_day] [month] [wkday] /var/adm/ipsec_gui/cron/baltimoreCRL.cron

The fields in brackets are placeholders. Replace them with appropriate values when you enter the lines into the crontab file.
3. Once the IPSec system has retrieved the CRL, a success message appears.
Chapter 5: Troubleshooting HP-UX IPSec

This chapter describes the procedures to troubleshoot HP-UX IPSec software. It contains the following sections:
• “IPSec Operation” on page 147
• “Troubleshooting Utilities Overview” on page 155
• “Troubleshooting Procedures” on page 160
• “Reporting Problems” on page 168
• “Troubleshooting Scenarios” on page 170
IPSec Operation

To troubleshoot HP-UX IPSec, it is useful to understand a few key points about its operation. This section contains high-level descriptions of how IPSec establishes Security Associations (SAs) and how IPSec processes packets.
addresses as ID values by default). This is part of the establishment of an ISAKMP or Main Mode SA (ISAKMP/MM SA), as described in the next step.

2. Establish ISAKMP/MM SA
The two systems complete the establishment of the ISAKMP/MM SA. The ISAKMP/MM SA is the “master” SA that the two systems use as a secure channel to negotiate the SAs for AH and/or ESP packets.

3.
Internal Processing

This section provides a high-level description of how HP-UX IPSec processes packets. This information is useful to further troubleshoot HP-UX IPSec and analyze the data reported by the HP-UX IPSec troubleshooting tools.

Figure 5-2 Outbound Processing. The figure shows the Policy Manager daemon (secpolicyd) with its Policy DB, the IKE daemon (ikmpd) with its ISAKMP SA DB, and in the kernel the Policy Engine, Policy Engine Cache, SA Engine and IPSec SA DB, with outbound data following the numbered steps 1 to 5 described below.

1.
On an end system (the local system is the source for the outbound packet), the Policy Manager sequentially searches the host IPSec policies in priority order for the first policy with an IP packet filter that matches the packet. If no match is found, HP-UX IPSec uses the default host IPSec policy. On a gateway system (the local system is forwarding the outbound packet), the Policy Manager sequentially searches the gateway IPSec policies in priority order.
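An added example, not HP code, that models the end-system search just described together with the -source/-destination prefix semantics and the automatic priority assignment from Chapter 3: policies are tried in ascending priority order, the first matching packet filter wins, and a packet that matches nothing falls to the default host policy. The three policies and the packets are constructed after the to_orange example in Chapter 3, where priority 30 overrides the broader telnet and port-50000 policies for traffic to 10.2.2.2.

```python
"""Model of the host IPSec policy search described in this section.

Added example (not HP code). Policies and packets are constructed; the
default action and the sample policies' details are illustrative only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddrFilter:
    """One ip_addr[/prefix[/port]] filter. prefix None means all address bits
    must match (32 for IPv4, 128 for IPv6); port None means any port."""
    ip: str
    prefix: Optional[int] = None
    port: Optional[int] = None

    def matches(self, addr, port):
        plen = self.prefix
        if plen is None:
            plen = ipaddress.ip_address(self.ip).max_prefixlen
        network = ipaddress.ip_network(f"{self.ip}/{plen}", strict=False)
        if ipaddress.ip_address(addr) not in network:
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class HostPolicy:
    name: str
    priority: int                    # lower number = evaluated earlier
    source: AddrFilter
    destination: AddrFilter
    action: str                      # PASS, DISCARD or a transform name
    protocol: Optional[int] = None   # IP protocol number; None = any

    def matches(self, pkt):
        if self.protocol is not None and self.protocol != pkt["protocol"]:
            return False
        return (self.source.matches(pkt["src"], pkt["sport"])
                and self.destination.matches(pkt["dst"], pkt["dport"]))


def parse_filter(spec):
    """Parse the ip_addr[/prefix[/port]] form of -source and -destination
    (service names are not resolved here)."""
    fields = spec.split("/")
    prefix = int(fields[1]) if len(fields) > 1 else None
    port = int(fields[2]) if len(fields) > 2 else None
    return AddrFilter(fields[0], prefix, port)


def next_priority(policies, increment):
    """Priority given to a policy added without one: the current highest value
    (lowest precedence) plus the profile's automatic increment; the very first
    policy simply receives the increment."""
    return max((p.priority for p in policies), default=0) + increment


def select_policy(policies, pkt, default_action="DISCARD"):
    """Sequential search in priority order; first match wins, else the default
    host policy applies. Returns (policy name, action)."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(pkt):
            return policy.name, policy.action
    return "default", default_action


# Constructed policies after the Chapter 3 example: to_orange at priority 30
# overrides the broader telnet and port-50000 policies for traffic to 10.2.2.2.
SAMPLE_POLICIES = [
    HostPolicy("telnet_out", 100, parse_filter("10.1.1.1"),
               parse_filter("10.0.0.0/8/23"), "ESP_3DES_HMAC_SHA1", protocol=6),
    HostPolicy("app_50000", 110, parse_filter("10.1.1.1"),
               parse_filter("10.0.0.0/8/50000"), "ESP_AES128_HMAC_SHA1", protocol=6),
    HostPolicy("to_orange", 30, parse_filter("10.1.1.1"),
               parse_filter("10.2.2.2"), "PASS"),
]


def packet(dst, dport, protocol=6):
    """Constructed outbound packet from the local system 10.1.1.1."""
    return {"src": "10.1.1.1", "sport": 40000, "dst": dst, "dport": dport,
            "protocol": protocol}


if __name__ == "__main__":
    for dst, port in (("10.2.2.2", 23), ("10.5.5.5", 23), ("10.5.5.5", 8080)):
        print(dst, port, select_policy(SAMPLE_POLICIES, packet(dst, port)))
```

Telnet to 10.2.2.2 is passed in clear text by to_orange (it is carried by the tunnel policy), telnet to 10.5.5.5 gets the telnet policy, and an unmatched port falls to the default action; the same ordering applies to gateway policies on a forwarding system.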
For the IPSec/QM SAs to be successfully established, both systems must agree on the type of transform (AH, ESP), including the authentication or encryption algorithm used. They must also negotiate SA lifetimes.

5. Add IPSec/QM SAs to the Kernel SA Database
The IPSec/QM SAs are added to the kernel SA database by the IKE daemon. Each SA includes an SPI (Security Parameters Index), a number assigned by the receiving system to reference the SA.
attempt to re-establish new SAs. If the remote system does not delete the SAs, an administrator on the remote system must manually delete the SAs.
• Clear Text Packet
If the inbound packet has no AH or ESP (it is a normal IP packet in clear text), HP-UX IPSec must still determine whether the packet should be dropped or passed in clear text. HP-UX IPSec checks the kernel policy engine cache for an existing decision on the action to take (drop or pass in clear text) for the packet based on the IP addresses, protocol, and port numbers.
SA uses manual keys, HP-UX IPSec also verifies that the SA SPI for the tunnel policy referenced in the host or gateway policy matches the SPI in the outer (tunnel) packet.
Troubleshooting Utilities Overview

HP-UX IPSec provides three troubleshooting utilities:

ipsec_admin
Returns status information and allows the administrator to change the audit level, audit file directory, and audit file size, and to enable or disable level 4 (TCP, UDP, IGMP) data tracing.

ipsec_policy
Allows the administrator to determine which IPSec policy will be used for a given packet.
Troubleshooting HP-UX IPSec Troubleshooting Utilities Overview Getting General Information Table 5-1 Getting General Information Task Command Get status of HP-UX IPSec components. ipsec_admin -status Show all active and configured IPSec policies, IKE policies, cache entries, SAs, active IP interfaces, bypass interfaces, and display current audit file. ipsec_report -all Getting SA Information Table 5-2 Getting SA Information Task Command Show current ISAKMP (Main Mode) SAs.
Troubleshooting HP-UX IPSec Troubleshooting Utilities Overview Table 5-3 Getting Policy Information (Continued) Task Chapter 5 Command Show configured host IPSec policies in the policy database. ipsec_report -host configured Show gateway IPSec policies in the configuration database. ipsec_config show gateway Show active gateway IPSec policies. ipsec_report -gateway ipsec_report -gateway [active] Show configured gateway IPSec policies in the policy database.
Troubleshooting HP-UX IPSec Troubleshooting Utilities Overview Getting Interface Information Table 5-4 Getting Interface Information Task Command Show active IP (configured, UP or DOWN) interfaces, and whether or not HP-UX IPSec is enabled for each interface. ipsec_report -ip Show bypass list entries. ipsec_report -bypass Viewing and Configuring Audit Information Table 5-5 Viewing and Configuring Audit Information Task Display contents of the audit file.
Table 5-5 Viewing and Configuring Audit Information (Continued)

Task: Change the maximum audit file size (in kilobytes).
Command: ipsec_admin -m[axsize] max_audit_file_size

Task: Configure audit parameters for startup time.
Command: ipsec_config add startup argument_list

Enabling and Disabling Tracing

Table 5-6 Enabling and Disabling Tracing

Task: Enable level four data tracing.
Troubleshooting Procedures

This section describes the following troubleshooting procedures:

• “Checking Status” on page 160
• “Isolating HP-UX IPSec Problems from Upper-layer Problems” on page 162
• “Checking Policy Configuration” on page 163
• “Configuring HP-UX IPSec Auditing” on page 164

Checking Status

HP-UX IPSec has f
• Queries the kernel Security Association (SA) engine for active IPSec/QM SAs on this system. If there is no peer IPSec system and/or no active IPSec/QM SAs, the kernel SA engine will respond that there are no IPSec/QM SAs to report. You can also do this by entering the command:
  ipsec_report -sad

• Queries the IKE daemon for ISAKMP/MM SAs.

• Queries the policy daemon and reports the active (configured UP or DOWN, plumbed) IP interfaces, and whether or not HP-UX IPSec is enabled for each interface. You can also do this by entering the following command:
  ipsec_report -ip

• Queries the kernel policy engine and reports the contents of its cache. The cache records the most recent decisions that the kernel policy engine has made for the traffic that has passed in and out of the system.
Checking Policy Configuration

There are two methods for determining which policy HP-UX IPSec uses for a packet:

• Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets.
• Generate packets and examine the policy cache and policy entries to determine which policy HP-UX IPSec used for the packets.
host policy on 192.1.1.1 is misconfigured, so the system sends the packets in clear text. The output from the ipsec_report -cache command shows the following entry:

-------------------Cache Policy Rule ----------------------
Cache Policy Record: 9
Cookie: 1
Src IP Address: 192.1.1.1
Src Port number: 56122
Dst IP Address: 192.1.1.
NOTE
• error: Error audit entries report error events, including recoverable error conditions, syntax errors, unsupported features, bad packets, and unknown message types.
• warning: Warning audit entries report non-intrusive security events.
• informative: Informative audit entries provide detailed event logging for troubleshooting.
• debug: Debug audit entries provide very detailed event logging for debugging and troubleshooting.
audit_level can be alert, error, warning, informative, or debug. A selected audit level also records every level below it (for example, warning also records alert and error entries). audit_directory is the fully-qualified path name for the audit directory. max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.
ipsec_report -audit audit_file

Filtering Audit File Output by Entity

You can filter the audit file output so ipsec_report shows only entries recorded by specified entities:

ipsec_report -audit audit_file -entity entity_name [entity_name ...
Reporting Problems

Be sure to include the following information when reporting problems:

• A complete description of the problem and any error messages. Include information about:
  — the local system (IP addresses)
  — IP addresses of relevant remote systems
  — routing table information (netstat -rn output) if appropriate
  Also include a description of what works as well as what does not work.

• Output from ipsec_admin -status.
using netfmt can only be parsed for the IP header. The netfmt utility displays any data following the IP header as hexadecimal values.

• Relevant configuration files:
  HP-UX IPSec configuration database: /var/adm/ipsec/config.db
  A formatted listing of the configuration database. Use the following command to get a listing:
  ipsec_config show all
  Security certificate files, if you are using them:
  — /var/adm/ipsec/cainfo.txt
  — /var/adm/ipsec/.
Troubleshooting Scenarios

This section contains information about the following common troubleshooting scenarios, including their symptoms and resolutions:

• “HP-UX IPSec Incorrectly Passes Packets” on page 170
• “HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets” on page 172
• “HP-UX IPSec Attempts to Encrypt/Authenticate and Fails” on page 172
• “ISAKMP/MM SA Negotiation Fails (Main Mode processing failed, MM negotiation timeout)
Symptoms
No error messages or interruptions to user service, but no SAs are established, or IPSec is passing packets to upper layers that should be discarded.

HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets

Problem
IPSec is attempting to encrypt or authenticate (apply a transform to) packets that should not be encrypted or authenticated.

Symptoms
Link errors (unable to connect or connection timeouts) on traffic that should not be encrypted/authenticated.

Symptoms
Link errors (unable to connect) and ipsec_report -sad shows no IPSec/QM SAs.

Solution
Determine if ISAKMP/MM SA negotiations are succeeding. Run the following commands:
ipsec_report -mad
ipsec_report -audit file
Check for Main Mode processing failed and MM negotiation timeout error messages in the audit file.
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002 Event: MM negotiation timeout, src 15.2.2.2

If there is a mismatch in IKE policies, some IKE daemons do not respond to negotiation attempts at all. This causes an MM negotiation timeout error on the connecting system rather than an explicit failure message.

ISAKMP/MM SA Negotiation Fails (Main Mode processing failed, MM negotiation timeout)

Problem
ISAKMP/MM SA negotiation fails.
Determine whether or not the ISAKMP/MM SA is being established by checking the audit log file. IKMPD error entries with the message Main Mode processing failed indicate that the ISAKMP/MM SA is not being established. Informative entries with the message MM negotiation complete with the peer ip_address indicate that the ISAKMP/MM SA is being established.
ISAKMP Primary Authentication with Preshared Key Fails

Problem
ISAKMP primary authentication with a preshared key fails.

Symptoms
Output from the ipsec_report -mad command does not show the ISAKMP/MM SA. The audit log contains a Main Mode processing failed message.

Solution
Verify that the preshared key values match on both systems. Use the ipsec_config show auth command to verify the preshared key configured on the local system.
Check for the /var/adm/ipsec/javabeans.txt (VeriSign) or /var/adm/ipsec/.Bsec file (Baltimore).

Details
Check the audit log for messages indicating that the certificate for the local or remote system has expired, has been revoked, or has X.509 encoding errors. You can also try using preshared keys for primary authentication; you will need to configure the same preshared key on both systems. Check that you have a certificate for the remote system.
Symptoms
Output from the ipsec_report -sad command does not show IPSec/QM SAs and the audit log contains Quick Mode processing failed or QM negotiation timeout error messages.

Solution
Run ipsec_policy to determine the IPSec policy that HP-UX IPSec is using, or execute the ipsec_report -cache and ipsec_report -host commands. Check the transform list and lifetimes against the peer's configuration. Check the audit file.
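The Main Mode and Quick Mode checks above amount to scanning the audit file for a handful of IKMPD messages per peer. The following shell script is an added example, not part of the HP-UX IPSec guide or product: it tallies those messages per peer from a saved audit dump and maps the pattern to the check the scenarios in this chapter recommend. The one-line record layout and the sample records are constructed from the messages quoted in this chapter; real ipsec_report -audit output may wrap records differently, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: tally IKMPD audit messages
# per peer and map the pattern to the check this chapter recommends.
# Assumed one-line record shape (as quoted in this chapter):
#   Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002 Event: MM negotiation timeout, src 15.2.2.2
# Real `ipsec_report -audit` output may wrap records differently; adjust the
# awk stage if yours does.

# Constructed sample records (not captured from a real system).
SAMPLE_AUDIT=$(cat <<'EOF'
Msg: 411 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:10 2002 Event: MM negotiation timeout, src 15.2.2.2
Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002 Event: MM negotiation timeout, src 15.2.2.2
Msg: 420 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:15:02 2002 Event: Main Mode processing failed, src 15.2.2.3
Msg: 425 From: IKMPD Lvl: INFORMATIVE Date: Fri Mar 15 07:16:40 2002 Event: MM negotiation complete with the peer 15.2.2.4
Msg: 426 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:16:41 2002 Event: Quick Mode processing failed, src 15.2.2.4
Msg: 430 From: SECPOLICYD Lvl: ALERT Date: Fri Mar 15 07:17:00 2002 Event: Kernel Policy Cache Threshold reached 1000 records.
EOF
)

# classify_ike_audit: read audit records on stdin; print one line per peer:
#   <peer> <mm_timeouts> <mm_failed> <mm_complete> <qm_failed>
classify_ike_audit() {
    awk '
    /From: IKMPD/ {
        ev = $0; sub(/.*Event: /, "", ev)
        # the peer follows "src " or "peer "; stop at the next comma or space
        peer = ev; sub(/.*(src |peer )/, "", peer); sub(/[ ,].*$/, "", peer)
        if      (ev ~ /^MM negotiation timeout/)        mmt[peer]++
        else if (ev ~ /^Main Mode processing failed/)   mmf[peer]++
        else if (ev ~ /^MM negotiation complete/)       mmc[peer]++
        else if (ev ~ /^(Quick Mode processing failed|QM negotiation timeout)/) qmf[peer]++
        else next
        seen[peer] = 1
    }
    END {
        for (p in seen)
            printf "%s %d %d %d %d\n", p, mmt[p]+0, mmf[p]+0, mmc[p]+0, qmf[p]+0
    }' | sort
}

# ike_verdict PEER MM_TIMEOUTS MM_FAILED MM_COMPLETE QM_FAILED: the next check
# to run, following the scenarios in this chapter.
ike_verdict() {
    if [ "$2" -gt 0 ] && [ "$4" -eq 0 ]; then
        echo "$1: MM timeouts and no MM complete: peer is not answering UDP/500 (IKE policy mismatch, packet filter, or peer down); compare IKE policies and check IPFilter"
    elif [ "$3" -gt 0 ] && [ "$4" -eq 0 ]; then
        echo "$1: Main Mode processing failed: check primary authentication (ipsec_config show auth for the preshared key, or the certificates)"
    elif [ "$4" -gt 0 ] && [ "$5" -gt 0 ]; then
        echo "$1: MM complete but QM failed: check the IPSec policy transform list and lifetimes (ipsec_policy, ipsec_report -host)"
    else
        echo "$1: no IKE failure pattern"
    fi
}

# Usage: save a dump first, e.g. `ipsec_report -audit file > dump.txt`, then
# replace the sample with `cat dump.txt`.
printf '%s\n' "$SAMPLE_AUDIT" | classify_ike_audit |
while read -r peer mmt mmf mmc qmf; do
    ike_verdict "$peer" "$mmt" "$mmf" "$mmc" "$qmf"
done
```

The per-peer split matters: one peer timing out while another completes Main Mode points at that peer's IKE policy or a filter in front of it, not at the local daemon.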
The audit file may show errors when HP-UX IPSec starts or when a manual key is added, such as PF_KEY: SADB_ADD for SPI 0xnnnn returns EEXIST and PF_KEY: Invalid SADB_ADD, SPI 0xnnnn, errno 22. If the HP-UX IPSec audit level is set to warning or higher, the audit file may show entries such as No SPI for received packet. STREAMS log records may show entries from HP-UX IPSec STREAMS modules (ipsec_aaaa), such as Bad cipher SA init or Padding checks failed.
PF_KEY: Invalid SADB_ADD, SPI 0xnnnn, errno 22
Verify that the SPI number in the audit message matches a manual key SPI (errno 22 is EINVAL, an invalid argument in the SA being added). Examine the STREAMS log messages to verify that the error is caused by a weak encryption key, as described in “Examining STREAMS Logging Records” on page 180. See Chapter 7, “Selecting Encryption Keys” on page 209 for information on generating strong encryption keys.
You may see entries similar to the following, which indicate mismatched cryptographic keys in an inbound packet:

24 01:36:26 78194680 1 T.. 0 0 ipsec_ip_rput_local_esp: Can't pullup pad/protocol (1 76 185)
25 01:36:30 78194986 1 T.. 0 0 ipsec_ip_rput_local_esp: Padding checks failed

Examining Additional Audit Entries

Set the HP-UX IPSec audit level to WARNING or higher to see additional entries for manual key problems.
Symptoms
The ipsec_admin -start command fails. The ipsec_admin utility returns one of the following messages:
IPSEC_ADMIN: Failed to read IPSec admin file, error: %nn. Did you set the password with -np?
IPSEC_ADMIN: Failed to open IPSec admin file, error: %nn. Did you set the password with -np?
IPSEC_ADMIN: ERROR-read_admin_info(): Failed to verify ipsec password.
Corrupt or Missing Configuration Database

Problem
The configuration database file (/var/adm/ipsec/config.db) is corrupt or missing.

Symptoms
The symptoms vary according to when the problem is detected. HP-UX IPSec modules log error messages to the audit log file, and user utilities also display the error messages on stdout.
• Restore the skeleton configuration database file and re-enter the configuration data.

Using ipsec_migrate
You can only use this method if you still have a configuration file from a previous release.
Step 1. Stop HP-UX IPSec:
ipsec_admin -stop
Step 2. Re-create the database file by migrating the configuration file from a previous release, such as a /var/adm/ipsec/policies.txt file:
ipsec_migrate -s old_config_file -d new_config_file
Step 3.
Autoboot is Not Working Properly

Problem
Autoboot fails.

Symptoms
HP-UX IPSec does not start automatically at system boot-up time.

Solution
Use the following procedure:
Step 1. Set the HP-UX IPSec password using the ipsec_admin -newpasswd command if it is not already set.
Step 2. Use ipsec_config to configure HP-UX IPSec to start automatically at system boot-up time:
ipsec_config add startup -autoboot ON
Step 3. Check that your configuration file is valid.
Symptoms
The administrator cannot get a certificate using ipsec_mgr. ipsec_mgr shows no certificate entry or an incomplete entry. The audit file shows the following error:
Unable to obtain public/private key pair!

Solution
Check stdout for ipsec_mgr errors. Check the VeriSign Managed PKI Control Center for a pending request or existing certificate.
using a web proxy server to access the VeriSign Managed PKI Control Center, verify the proxy server configuration (run ipsec_mgr, click on the Options menu, select System, then select Proxy Information). Have the Managed PKI Administrator use the View Certificates area of the Managed PKI Control Center to check for an existing certificate. If a certificate already exists for your system, the VeriSign CA rejects any requests for a new certificate.
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs an alert message to the system console and the audit file, and logs an additional alert message for each 1000 SPD entries added. The log messages are similar to the following:

Msg: 20 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 11:30:39 2004 Event: Kernel Policy Cache Threshold reached nnnn records.

where nnnn is the soft limit.
Chapter 6: HP-UX IPSec and IPFilter
HP-UX IPSec and IPFilter This chapter describes how HP-UX IPFilter and IPSec/9000 work together.
IPFilter and IPSec Basics

You can use HP-UX IPSec and HP-UX IPFilter on the same system. However, there are situations in which one product might block traffic for the other. Figure 6-1 shows the positions of IPFilter and IPSec in the network stack:

Figure 6-1 IPFilter and IPSec (IPSec sits above IPFilter in the stack)

IPFilter, which is below IPSec in the networking stack, filters inbound packets before they reach IPSec, and sees outbound packets only after IPSec has processed them. IPFilter therefore never sees the cleartext inside a protected packet; it sees IKE (UDP) and ESP/AH packets, and must be configured to pass them.
There is no overlap in the configurations of IPFilter and IPSec in this network topology, so there are no conflicts in Scenario One.

CAUTION: IPSec and NAT are not compatible. If you are using HP-UX IPFilter with IPSec, do not use its NAT functionality.
IPSec UDP Negotiation

You can configure IPSec and IPFilter so that there is some overlap in the configurations. However, you must be sure the overlapping configurations do not block each other. IPSec key negotiation (IKE) between two machines uses UDP with source port 500 and destination port 500. If the IPFilter configuration is so broad that it blocks all UDP traffic, IPSec cannot complete negotiations and no SAs are established.
When TCP traffic is initiated from A to B or from B to A, IKE on both machines exchanges UDP packets between port 500 and port 500. You must configure IPFilter on machine A to let this traffic through in both directions. To do so, add the following rules to your IPFilter configuration:
pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.
When Traffic Appears to be Blocked

In the following scenario there is overlap in the configurations of IPFilter and IPSec. To get this negotiation through, you must configure IPFilter rules to let TCP traffic through.

Figure 6-4 Scenario Three: A 10.10.10.10, B 15.15.15.
Allowing Protocol 50 and Protocol 51 Traffic

When IPSec encrypts packets (ESP), it creates a new packet with IP protocol number 50. When it authenticates packets (AH), it creates a new packet with IP protocol number 51. IPFilter matches on these protocol numbers, not on the TCP or UDP header carried inside, so a rule that passes only TCP or UDP does not pass the protected traffic.
If the IPFilter configuration is so broad that it blocks protocol 50 or protocol 51 traffic, then IPSec traffic will not get through.

Figure 6-7 Scenario Four: A 10.10.10.10 and B 15.15.15.15 run IPSec for the TCP traffic between them; IPFilter blocks all non-TCP traffic.

In Scenario Four, IPSec is configured to encrypt TCP traffic between the two machines and IPFilter is configured to block non-TCP traffic.
IPSec Gateways

You can configure IPSec to encrypt and authenticate traffic to a gateway that sits between two end hosts. A configuration that encrypts packets to a gateway is called an IPSec tunnel. IPFilter can coexist with IPSec tunnels without conflict. However, you must configure IPFilter to allow IPSec traffic (UDP port 500, protocol 50 and protocol 51) to and from the gateway's address instead of the end node's, because the outer tunnel packets carry the gateway address.
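As an added example, not taken from the HP-UX guide or from the IPFilter project, the following shell function emits the IPFilter rules this chapter calls for (IKE on UDP 500 in both directions, and IP protocols 50 and 51) for one local/peer pair, and a second function reports which of those rules a proposed ruleset still lacks. The addresses are the chapter's scenario addresses; for a tunnel, pass the gateway's address as the peer, as the section above requires. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: the minimum IPFilter rules
# that let HP-UX IPSec traffic with one peer through, and a preflight check.
# LOCAL is this host; PEER is the IPSec peer: the remote host in transport mode,
# or the remote gateway (-tdestination) for a tunnel, because the outer IKE,
# ESP and AH packets carry the gateway's address, not the end node's.
# Rule shapes follow the chapter: IKE is UDP 500 <-> 500, ESP is IP protocol 50,
# AH is IP protocol 51. IPFilter checks in and out separately, so both
# directions are listed.

ipsec_ipf_rules() {
    local_ip=$1; peer_ip=$2
    # IKE (ISAKMP) negotiation
    echo "pass in quick proto UDP from $peer_ip port = 500 to $local_ip port = 500"
    echo "pass out quick proto UDP from $local_ip port = 500 to $peer_ip port = 500"
    # ESP (protocol 50): any transform that encrypts
    echo "pass in quick proto 50 from $peer_ip to $local_ip"
    echo "pass out quick proto 50 from $local_ip to $peer_ip"
    # AH (protocol 51): any AH transform
    echo "pass in quick proto 51 from $peer_ip to $local_ip"
    echo "pass out quick proto 51 from $local_ip to $peer_ip"
}

# ipf_missing LOCAL PEER: read a proposed ruleset on stdin and print each
# required rule it lacks. Whitespace is normalised and the protocol names
# esp/ah are treated as 50/51. Prints nothing when the set is complete; run it
# before loading rules with ipf -f.
ipf_missing() {
    rules=$(tr -s ' ' | sed 's/proto esp /proto 50 /; s/proto ah /proto 51 /')
    ipsec_ipf_rules "$1" "$2" | while IFS= read -r want; do
        printf '%s\n' "$rules" | grep -Fxq -- "$want" || echo "missing: $want"
    done
}

# Scenario Four from this chapter: A is 10.10.10.10, B is 15.15.15.15, and A's
# IPFilter passes only TCP, so neither IKE nor ESP gets through. These rules
# fix that on A:
ipsec_ipf_rules 10.10.10.10 15.15.15.15
```

Pipe your candidate ruleset file into ipf_missing before loading it; an empty result means IKE, ESP and AH for that peer are all covered in both directions.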
Chapter 7: HP-UX IPSec and HP-UX Mobile IPv6
HP-UX IPSec and HP-UX Mobile IPv6 HP-UX IPSec can secure Mobile IPv6 packets when the HP-UX system is a Mobile IPv6 Home Agent. This chapter describes how to configure HP-UX IPSec to secure packets between the local system—the Home Agent—and Mobile IPv6 Mobile Node clients.
Introduction

Mobile IPv6 provides transparent routing of IP data packets to a mobile IP device or node, such as a portable computer, regardless of the mobile node’s point of attachment to the network. HP provides Mobile IPv6 functionality with the HP-UX Mobile IPv6 product. For more information about HP-UX Mobile IPv6, refer to the HP-UX Mobile IPv6 product documentation available at the following URL: http://www.docs.hp.com/netcom/index.

Mobile Node’s current Care-of Address and its home address. The Home Agent also forwards packets addressed to the Mobile Node’s home address to the Mobile Node’s Care-of Address as needed.

Home Agents and Basic Operation
In Mobile IPv6 Basic Operation, the Correspondent Node sends data packets to the Mobile Node using the Mobile Node’s home address.

The Mobile Node sends data packets to the Correspondent Node through its Home Agent in Basic Operation, as shown in Figure 7-2, “Mobile IPv6 Basic Operation: Mobile Node to Correspondent Node.”

Figure 7-2 Mobile IPv6 Basic Operation: Mobile Node to Correspondent Node (Home Agent, Mobile Node, Correspondent Node)

Route Optimization
In addition to Basic Operation, Mobile IPv6 can operate using Route Optimization.
Securing Mobile IPv6 with HP-UX IPSec

You can configure HP-UX IPSec to secure Mobile IPv6 packets between a Home Agent and Mobile Node on systems that are HP-UX Mobile IPv6 Home Agents. There are four types of Mobile IPv6 packets to secure with IPSec:

1. Binding Messages between the Home Agent and Mobile Node
   The Binding Messages are Binding Update and Binding Acknowledgement messages.
2.

IPv6 Type 2 Routing Header—therefore, the binding messages are processed as if the appropriate source and destination address fields contain the Mobile Node’s Home Address. Only Binding Update and Binding Acknowledgement messages exchanged between the Home Agent and Mobile Node can be secured using IPSec; Binding Update and Binding Acknowledgement messages exchanged between the Mobile Node and Correspondent Nodes are secured using a Mobile IPv6 mechanism (the Return Routability procedure), not IPSec.

Prefix Discovery Packets Between the Home Agent and Mobile Node
RFC 3776 specifies that you should use ESP to secure ICMPv6 Mobile Prefix Solicitation and Mobile Prefix Advertisement messages between the Home Agent and Mobile Node. (See Appendix A, “RFC 3776 Mandatory Support” on page 279 for the RFC 3776 extract.) Prefix Discovery allows a Mobile Node to get network prefix information about its Home Network and to configure its Home Address if needed.
Configuration Overview

This section contains general information about two HP-UX IPSec configuration objects used for HP-UX Mobile IPv6:
• gateway IPSec policies
• manual keys
This section also provides an overview of the procedure for configuring HP-UX IPSec for HP-UX Mobile IPv6.

Understanding Gateway IPSec Policies
Gateway IPSec policies specify forwarding behavior on gateways, that is, nodes that forward IP packets. HP-UX IPSec A.02.00 supports gateway IPSec policies only on HP-UX Mobile IPv6 Home Agents, which use the policies to forward IP packets to and from Mobile IPv6 clients. You configure two gateway IPSec policies for each end-to-end address pair.

Using Manual Keys
Mobile IPv6 uses manual key Security Associations (SAs). Manual key SAs do not use IKE to generate and distribute encryption keys. Instead, the administrator manually configures and distributes the encryption keys, so the keys are only as secret as the channel used to distribute them and are never rekeyed automatically.

Selecting Encryption Keys
You should configure strong, random encryption keys for manual key SAs.

Step 1. (Required) Configure a host IPSec policy to secure binding messages (Binding Update and Binding Acknowledgement) between the Home Agent and the Mobile Node. See “Step 1: (Required) Securing Binding Messages Between the Home Agent and Mobile Node” on page 211 for a description of this step.
Step 2.
Step 1: (Required) Securing Binding Messages Between the Home Agent and Mobile Node

RFC 3776 specifies that you must use IPSec to secure binding messages between the Home Agent and Mobile Node. To secure binding messages, configure a host IPSec policy on the Home Agent to secure Mobile IPv6 Mobility Header (MH) packets between the Home Agent and the Mobile Node.

-source home_agent_addr
The home_agent_addr is the Home Agent’s IP address and cannot be a wildcard or subnet address.
-destination mn_home_addr
The mn_home_addr is the Mobile Node’s home address. This cannot be a wildcard or subnet address.
-protocol MH
The protocol must be MH (Mobile IPv6 Mobility Headers).

Manual key SPI numbers must be outside the range for dynamic key SPI numbers. In installations using the default range for dynamic key SPI numbers (300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 - 4294967295. (The IPSec RFCs reserve SPI values 1 - 255 for IANA; prefer the upper range for interoperability with other implementations.) auth_key is the hexadecimal authentication key, prefixed by 0x. For MD5, auth_key is 32 hexadecimal digits.
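The manual key rules in this step (SPIs outside the dynamic range, unique inbound SPIs, key lengths fixed by the transform) and the advice under Selecting Encryption Keys are easy to get wrong by hand and show up later only as the PF_KEY errors described in Chapter 5. The following shell script is an added example, not part of the HP-UX IPSec guide or product: it generates keys from the kernel RNG and checks a manual key SA specification and a batch file against those rules. The spec layout, transform name, SPI range and digit counts are taken from this chapter; the function names and the sample batch fragment are mine.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide: preflight checks for the
# manual key SA specifications used by the Mobile IPv6 policies in this chapter,
# plus a key generator for "Selecting Encryption Keys". It encodes only what the
# chapter states:
#   * manual key SPIs must lie outside the dynamic (IKE) SPI range, by default
#     300 - 2500000, so inbound manual SPIs are 1 - 299 or 2500001 - 4294967295;
#   * inbound SPI numbers must be unique on the system;
#   * key sizes follow the transform: HMAC-MD5 32 hex digits, HMAC-SHA1 40,
#     AES-128 32, each prefixed with 0x.
# The spec layout ESP/<spi>/<auth_key>/<enc_key>/... is read from the chapter's
# example; only the SPI and the first two key fields are checked.

DYN_SPI_LO=${DYN_SPI_LO:-300}      # override if your dynamic SPI range differs
DYN_SPI_HI=${DYN_SPI_HI:-2500000}

# hex_key BYTES: a random BYTES-byte key as 0x-prefixed hex from the kernel RNG.
# Never reuse the 0x1234... pattern from documentation examples on a real system.
hex_key() {
    printf '0x%s\n' "$(od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n')"
}

# valid_manual_spi SPI: succeeds if SPI is a number in 1..4294967295 that does
# not collide with the dynamic range.
valid_manual_spi() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967295 ] || return 1
    if [ "$1" -ge "$DYN_SPI_LO" ] && [ "$1" -le "$DYN_SPI_HI" ]; then return 1; fi
    return 0
}

# hex_digits KEY: number of hex digits after the 0x prefix, or -1 if malformed.
hex_digits() {
    case $1 in 0x*) body=${1#0x} ;; *) printf '%s\n' -1; return ;; esac
    case $body in ''|*[!0-9a-fA-F]*) printf '%s\n' -1 ;; *) printf '%s\n' "${#body}" ;; esac
}

# expected_len TRANSFORM: prints "<auth_hex_digits> <enc_hex_digits>" for the
# algorithm families named in this chapter; fails on anything else.
expected_len() {
    case $1 in *_HMAC_MD5*) auth=32 ;; *_HMAC_SHA1*) auth=40 ;; *) return 1 ;; esac
    case $1 in *AES128*) enc=32 ;; *) return 1 ;; esac
    echo "$auth $enc"
}

# check_sa_spec SPEC TRANSFORM: validate one -in/-out value such as
#   ESP/2500007/0x<40 hex>/0x<32 hex>/0x<16 hex>
# Prints the first problem found and fails; succeeds silently otherwise.
check_sa_spec() {
    spec=$1; transform=$2
    proto=${spec%%/*}; rest=${spec#*/}
    spi=${rest%%/*};   rest=${rest#*/}
    auth=${rest%%/*};  rest=${rest#*/}
    enc=${rest%%/*}
    [ "$proto" = ESP ] || { echo "protocol must be ESP for Mobile IPv6"; return 1; }
    valid_manual_spi "$spi" || { echo "SPI $spi is out of range or inside the dynamic range $DYN_SPI_LO-$DYN_SPI_HI"; return 1; }
    lens=$(expected_len "$transform") || { echo "unknown transform $transform"; return 1; }
    set -- $lens
    [ "$(hex_digits "$auth")" -eq "$1" ] || { echo "auth key must be $1 hex digits for $transform"; return 1; }
    [ "$(hex_digits "$enc")" -eq "$2" ]  || { echo "enc key must be $2 hex digits for $transform"; return 1; }
    return 0
}

# dup_inbound_spis: read an ipsec_config batch file on stdin and print every
# inbound SPI used more than once (each "-in ESP/<spi>/..." must be distinct).
dup_inbound_spis() {
    sed -n 's/.*-in ESP\/\([0-9][0-9]*\).*/\1/p' | sort | uniq -d
}

# Constructed batch fragment (not from a real system) that reuses inbound SPI
# 2500007 for two SAs, which is a configuration error.
SAMPLE_BATCH=$(cat <<'EOF'
add host mn2222_prefix -proto ICMPV6 -action ESP_AES128_HMAC_SHA1 \
  -in ESP/2500007/0x1234567890123456789012345678901234567890/0x12345678901234567890123456789012/0x1234567890123456 \
  -out ESP/2500008/0x0123456789012345678901234567890123456789/0x01234567890123456789012345678901/0x0123456789012345
add tunnel mn2222_payload_tunnel -protocol ALL -action ESP_AES128_HMAC_SHA1 \
  -in ESP/2500007/0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/0xcccccccccccccccc \
  -out ESP/2500010/0xdddddddddddddddddddddddddddddddddddddddd/0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee/0xffffffffffffffff
EOF
)

printf '%s\n' "$SAMPLE_BATCH" | dup_inbound_spis | sed 's/^/duplicate inbound SPI: /'
check_sa_spec "ESP/2500011/$(hex_key 20)/$(hex_key 16)/$(hex_key 8)" ESP_AES128_HMAC_SHA1 && echo "generated spec ok"
```

Run check_sa_spec on every -in and -out value before you load the batch file, and dup_inbound_spis on the whole file; the same SPI configured twice inbound is exactly the case that produces the PF_KEY EEXIST error in Chapter 5.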
Step 2: (Recommended) Securing Return Routability Messages Routed Through the Home Agent

RFC 3776 specifies that you should use IPSec to secure Return Routability Home Test Init and Home Test messages routed through the Home Agent. The data paths for Home Test Init and Home Test messages are shown in Figure 7-5.
Step 2A: Configure a gateway IPSec policy for the data path segments between the Home Agent and the Correspondent Node (2A in Figure 7-5).
Step 2B: Configure a gateway IPSec policy for the data path segments between the Home Agent and the Mobile Node (2B in Figure 7-5).

gwy_policy_name
The gwy_policy_name is the user-defined name for the gateway IPSec policy. The gwy_policy_name must be unique for each gateway IPSec policy and is case-sensitive. The name must be 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).
-source mn_home_addr
The mn_home_addr is the Mobile Node’s home address.

• You must specify the name of the tunnel policy between the Home Agent and the Mobile Node for Return Routability packets (rr_tunnel_name). You configure this tunnel in the next section (Step 2C: Return Routability Messages: Configuring the Home Agent - Mobile Node Tunnel).

Step 2C: Return Routability Messages: Configuring the Home Agent - Mobile Node Tunnel
Configure the tunnel between the Home Agent and Mobile Node used for Return Routability packets.

Syntax
You can use the following ipsec_config add tunnel syntax on the Home Agent to configure the tunnel in most topologies.

-action transform_name
The transform_name must be an authenticated ESP transform with a non-null authentication method, according to the Mobile IPv6 protocol specification. For example, ESP_AES128_HMAC_SHA1. The transform cannot be a nested transform.
Step 3: (Recommended) Securing Prefix Discovery Messages Between the Home Agent and Mobile Node

If the Mobile Node supports prefix discovery, RFC 3776 specifies that you should use IPSec to secure the ICMPv6 Mobile Prefix Solicitation and Mobile Prefix Advertisement messages. You can skip this step if the Mobile Nodes do not support prefix discovery.

-destination mn_home_addr
The mn_home_addr is the Mobile Node’s home address. This cannot be a wildcard or subnet address.
-priority priority_number
The priority_number is the priority value HP-UX IPSec uses when selecting a host IPSec policy (a lower priority value has a higher priority). The priority must be unique for each host IPSec policy. The range is 1 - 2147483647.
Step 4: (Optional) Securing Payload Packets Routed Through the Home Agent

RFC 3776 specifies that you may use IPSec to secure data (payload) packets between Mobile Nodes and Correspondent Nodes when these packets are forwarded through the Home Agent (this is the data path for Basic Operation, used when Route Optimization is not established).

NOTE
• The protocol argument value is ALL.
• The priority_number must be greater (lower priority) than the policy configured in “Step 2A: Return Routability Messages: Configuring the Gateway IPSec Policy for Home Agent - Correspondent Node Segments” on page 215.

-flags MIPV6
The flags must include MIPV6.

Step 4B: Payload Packets: Configuring the Gateway IPSec Policy for Home Agent - Mobile Node Segments
The second gateway IPSec policy is for the data path segments between the Home Agent and the Mobile Node.

-source cn_addr
The cn_addr is the Correspondent Node’s address. In many cases there will be a large number of possible Correspondent Nodes, and you may want to use the IPv6 wildcard address (0::0) instead.
-destination mn_home_addr
The mn_home_addr is the Mobile Node’s home address.

Syntax
ipsec_config add tunnel payload_tunnel_name \
    -tsource home_agent_addr -tdestination mn_home_addr \
    -source cn_addr -destination mn_home_addr \
    -protocol ALL -action transform_name \
    -in manual_key_sa_specification -out manual_key_sa_specification

payload_tunnel_name
The payload_tunnel_name is the user-defined name for the payload tunnel IPSec policy.
Mobile IPv6 Configuration Example

This section contains ipsec_config batch file entries for a Mobile IPv6 Home Agent.
• The local system’s (Home Agent) IP address is 3ffe::83ff:fef7:1111.
• The Mobile Node’s IP address is 3ffe::83ff:fef7:2222.
Gateway IPSec Policy for Home Agent - Correspondent Node Segments

add gateway mn2222_rr_to_cn \
    -source 3ffe::83ff:fef7:2222 \        (Mobile Node’s Home Address)
    -destination 0::0 \                   (wildcard for any Correspondent Node)
    -protocol MH -pri 200 -action FORWARD -flags MIPV6

Gateway IPSec Policy for Home Agent - Mobile Node Segments

add gateway mn2222_rr_to_mobile_node \
    -source 0::0 \                        (wildcard for any Correspondent Node)
    -destination 3ffe::83ff:fef7:22
add host mn2222_prefix \
    -source 3ffe::83ff:fef7:1111 \        (Home Agent)
    -destination 3ffe::83ff:fef7:2222 \   (Mobile Node’s Home Address)
    -proto ICMPV6 -pri 210 -action ESP_AES128_HMAC_SHA1 \
    -flags MIPV6 \
    -in ESP/2500007/0x1234567890123456789012345678901234567890\
        /0x12345678901234567890123456789012/0x1234567890123456 \
    -out ESP/2500008/0x0123456789012345678901234567890123456789\
        /0x01234567890123456789012345678901/0x0123456789012345

(Optional
Payload Tunnel IPSec Policy

Configure the tunnel between the local system (Home Agent) and the Mobile Node. This is similar to the tunnel configured for Return Routability messages, except that the protocol is ALL and the manual key SPI numbers and keys are different (inbound SPI numbers must be unique across all SAs on the system, so the Return Routability tunnel's SPIs cannot be reused here).

add tunnel mn2222_payload_tunnel \
    -tsource 3ffe::83ff:fef7:1111 \       (Home Agent)
    -tdestination 3ffe::83ff:fef7:2222 \  (Mobile Node’s Home Addr.
Batch File Template

You can use the following template to create an ipsec_config batch file for configuring HP-UX IPSec for Mobile IPv6.

######################################################################
# Sample ipsec_config batch file for securing HP-UX Mobile IPv6 with
# HP-UX IPSec.
# Replace the parameters in angle brackets (<>) with the appropriate
# values for your configuration.
    -source \
    -destination \
    -protocol MH -priority \
    -action FORWARD -flags MIPV6
#####################################################################
# Gateway policy for Home Test/Home Test Init HA <-> MN data path.
# Configure one for each Mobile Node.
# multicast group membership control protocols, the IPSec implementation
# MUST support payload protection, but using it is not mandatory.
#
# Configure two gateway IPSec policies for each Mobile Node.
# Configure one tunnel IPSec policy for each Mobile Node.
Chapter 8: HP-UX IPSec and MC/ServiceGuard
HP-UX IPSec and MC/ServiceGuard HP-UX IPSec can secure HP-UX MC/ServiceGuard network traffic. This chapter describes how to configure HP-UX IPSec as an MC/ServiceGuard package service so a package will fail or fail over if HP-UX IPSec terminates.
Introduction

An MC/ServiceGuard cluster is a networked group of HP 9000 or Integrity servers (host systems known as nodes) with redundant hardware and software, so that a single point of failure does not significantly disrupt service. Application packages (individual HP-UX processes) can be grouped together in failover packages.

Each package can have one or more unique package addresses. A package address is a relocatable IP address that is dynamically assigned to the cluster node on which the package is currently running. In Figure 8-1, the package pkgA is currently running on Node1, and its relocatable package address, 15.98.98.98, is assigned to an interface on Node1. The package clients connect to or access the packages using the package addresses.

If a package client is an HP-UX system using a version of HP-UX IPSec released prior to A.01.07, or if it is not an HP-UX system, the package client may not delete its SA information when it receives the INITIAL-CONTACT notify message. In these cases the client keeps using SAs that the new node does not have, and an administrator must manually delete the SAs on the package client.
Configuration Overview

Requirements

To use HP-UX IPSec with MC/ServiceGuard, your topology must meet the following requirements:
• The same version of HP-UX IPSec (A.01.07 or A.02.00) must be installed on all cluster nodes. (For information on using HP-UX IPSec A.01.07 with MC/ServiceGuard, refer to the HP-UX IPSec A.01.07 product documentation.)
• MC/ServiceGuard version A.11.16 or later must be installed on all cluster nodes.

Configuration Steps

When configuring HP-UX IPSec for MC/ServiceGuard, configure HP-UX IPSec on one cluster node using an ipsec_config batch file, according to the instructions in Chapter 3, “Configuring HP-UX IPSec,” on page 57. Additional configuration requirements are listed below and described in the following sections. After you have verified the HP-UX IPSec configuration on one node, copy the configuration files to the other cluster nodes.

• “Step 5: Configuring Authentication Records for Certificates” on page 261
  The authentication records contain the IKE ID information used to verify the ID information in the security certificates.
• “Step 6: Verifying and Testing the HP-UX IPSec Configuration” on page 265
  Verify and test the HP-UX IPSec configuration on the node on which you configured IPSec before distributing the IPSec configuration files.
Step 1: Configuring a Common HP-UX IPSec Password

If you are using certificate-based IKE authentication, you must assign the same HP-UX IPSec password on all nodes in the MC/ServiceGuard cluster. Use the following command to set the HP-UX IPSec password on each system:

    ipsec_admin -newpasswd

See Chapter 2, “Step 3: Setting the HP-UX IPSec Password” on page 55 for more information.

Step 2: Configuring HP-UX Host IPSec Policies for MC/ServiceGuard

Overview

Use the procedure described in Chapter 3, “Step 1: Configuring Host IPSec Policies” on page 69 to configure host IPSec policies, with the following additional requirements:
• Configure PASS host IPSec policies for all packets sent between the heartbeat IP addresses.

• “Configuring Host IPSec Policies for ServiceGuard Manager” on page 251
• “Configuring Host IPSec Policies for Cluster Object Manager (COM)” on page 253
• “Summary: MC/ServiceGuard Port Numbers and Protocols” on page 254

Determining MC/ServiceGuard Cluster Information

Before configuring IPSec policies, determine the following information about the MC/ServiceGuard cluster:
• Heartbeat IP addresses
  The he

Specify the following values for the remaining filter fields in the host IPSec policies:
• Protocol: ALL
• Source and destination ports: 0 (all ports)

For the cluster shown in Figure 8-1 on page 237, one way to configure PASS host IPSec policies for the heartbeat address pairs is to configure six host IPSec policies with the following filter specifications:

Source IP Address/Prefix    Destination I

subnet. For example, you could replace the policies for the first three address pairs in the above table with one host IPSec policy that has the following filter:

Source IP Address/Prefix    Destination IP Address/Prefix
10.0.0.0/8                  10.0.0.
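The per-pair heartbeat policies and the subnet-wide replacement described above, generated in ipsec_config batch-file syntax. This is an added example, not HP's code: the node addresses are constructed from the cluster used in this chapter, and the policy names, the -priority values and the summarization check are assumptions.

```python
"""Generate PASS host IPSec policies for MC/ServiceGuard heartbeat address
pairs in ipsec_config batch-file syntax, and check whether a subnet-wide
filter can replace the per-pair policies.

Added example, not HP's code.  NODES is constructed from the cluster used in
this chapter; the policy names and -priority values are assumptions.
"""
import ipaddress
from itertools import combinations

# Constructed cluster: each node has one address on each heartbeat LAN
# (10.*.*.* dedicated heartbeat, 15.*.*.* shared heartbeat and data).
NODES = {
    "Node1": ["10.1.1.1", "15.1.1.1"],
    "Node2": ["10.2.2.2", "15.2.2.2"],
    "Node3": ["10.3.3.3", "15.3.3.3"],
}


def heartbeat_pairs(nodes):
    """One (src, dst) per unordered node pair on each heartbeat LAN.

    An HP-UX IPSec host policy covers both directions of a flow, so one
    policy per pair is enough; this is what gives the chapter's count of
    six policies for three nodes on two heartbeat LANs.
    """
    pairs = []
    lan_count = len(next(iter(nodes.values())))
    for lan in range(lan_count):
        for a, b in combinations(sorted(nodes), 2):
            pairs.append((nodes[a][lan], nodes[b][lan]))
    return pairs


def pass_policy(name, src, dst, priority):
    """Render one 'add host' entry.  With no -protocol or port given, the
    filter is protocol ALL and ports 0, i.e. every packet between src and dst."""
    return (f"add host {name} \\\n"
            f"    -source {src} \\\n"
            f"    -destination {dst} \\\n"
            f"    -priority {priority} -action PASS")


def heartbeat_batch(nodes, base_priority=10):
    """All per-pair PASS policies, priorities assigned in sequence."""
    return [pass_policy(f"hb{i + 1}", src, dst, base_priority + i)
            for i, (src, dst) in enumerate(heartbeat_pairs(nodes))]


def covered_by_prefix(pairs, prefix):
    """Pairs whose both ends lie inside prefix: these can be replaced by a
    single policy with prefix as both -source and -destination, as the
    chapter does with 10.0.0.0/8 for the dedicated heartbeat LAN."""
    net = ipaddress.ip_network(prefix)
    return [(s, d) for s, d in pairs
            if ipaddress.ip_address(s) in net and ipaddress.ip_address(d) in net]


def summarized_batch(nodes, prefix, priority=10):
    """Replace the covered pairs by one subnet policy; keep the rest."""
    pairs = heartbeat_pairs(nodes)
    covered = set(covered_by_prefix(pairs, prefix))
    entries = [pass_policy("hb_subnet", prefix, prefix, priority)]
    rest = [p for p in pairs if p not in covered]
    entries += [pass_policy(f"hb{i + 1}", s, d, priority + 1 + i)
                for i, (s, d) in enumerate(rest)]
    return entries


if __name__ == "__main__":
    print("\n".join(heartbeat_batch(NODES)))
    print("\n".join(summarized_batch(NODES, "10.0.0.0/8")))
```

For the three-node cluster this yields the six per-pair policies, or four policies once the dedicated 10.0.0.0/8 heartbeat LAN is summarized; the shared 15.*.*.* LAN is left per-pair because a subnet-wide PASS there would also let data traffic through in clear text.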
Quorum Server IPSec Policies

If HP-UX IPSec is installed on the Quorum Server, configure host IPSec policies for the packets listed below with actions (PASS or transform lists) that match the policies on the cluster nodes.

The cluster nodes also initiate TCP connections to the remote command clients using dynamically assigned source and destination ports, as listed below. You must configure HP-UX IPSec so that it does not discard the packets listed below; however, HP recommends that you do not allow these packets to pass in clear text. For more information, see “Maximizing Security” on page 59.

For remote execution of the cmscancl command, HP-UX IPSec must not discard the following packets:

Source IP Address                   Destination IP Address         Protocol  Source Port  Destination Port
cluster node address (or wildcard)  remote command client address  TCP       514          0

Remote Command Client Host IPSec Policies

If HP-UX IPSec is installed on the remote command clients, configure host IPSec policies for the packets listed

packets listed below; however, HP recommends that you do not allow the packets to pass in clear text. For more information, see “Maximizing Security” on page 59.

Cluster Node Host IPSec Policies for ServiceGuard Manager

For each cluster node, configure host IPSec policies so that HP-UX IPSec does not discard the packets listed below (the transform list contains any transform except DISCARD). If HP-UX IPSec is not installed on the ServiceGuard Manager system, configure PASS host IPSec policies for these packets.

Configuring Host IPSec Policies for Cluster Object Manager (COM)

If you are using a Cluster Object Manager (COM) on a system outside of the cluster to provide connections to COM clients, such as ServiceGuard Manager, configure HP-UX IPSec so that it does not discard the packets listed in the sections below.

You must also configure HP-UX IPSec so that it does not discard packets to COM clients, as listed below.

Source IP Address                 Destination IP Address  Protocol  Source Port  Destination Port
COM system address (or wildcard)  COM client address      TCP       0            5303

Configure corresponding host IPSec policies on the COM clients as appropriate.

Table 8-1 MC/ServiceGuard Port Numbers and Protocols (Continued)

Port                              Protocols  Service
1476                              TCP        HA - Logical Volume Manager. Used as the destination port between the cluster nodes.
5300                              TCP, UDP   HA Cluster Heartbeat (hacl-hb). Used as the destination port between cluster nodes.
5301                              TCP        HA Cluster General Services (hacl-gs). Used as the destination port between cluster nodes.
5408                              TCP        HA Distributed Lock Manager (ha-dlm). Used as the destination port between cluster nodes.
dynamic (49152-65535 by default)  TCP        MC/ServiceGuard network probes. Used as the source and destination port between cluster nodes.

NOTE This list of MC/ServiceGuard services may not be exhaustive.
Step 3: Configuring HP-UX IPSec IKE Policies

Configure IKE policies as described in Chapter 3, “Step 3: Configuring IKE Policies” on page 89.

Cluster IKE Policies
The cluster nodes must have IKE policies with remote address specifications for the cluster clients.

Cluster Client IKE Policies
The cluster clients must have IKE policies with remote address specifications that include the package addresses.

Step 4: Configuring Authentication Records for Preshared Keys

This section describes the configuration requirements for authentication records if you are using preshared keys for IKE authentication. If you are not using preshared keys for IKE authentication, go to “Step 5: Configuring Authentication Records for Certificates” on page 261. The preshared key information must be the same on all nodes in the cluster.

• Node1 (10.1.1.1 and 15.1.1.1)
• Node2 (10.2.2.2 and 15.2.2.2)
• Node3 (10.3.3.3 and 15.3.3.3)
The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and data LAN. The cluster also has two packages:
• pkgA (15.98.98.98)
• pkgB (15.99.99.99)
There are two package clients:
• Client1 (15.4.4.4)
• Client2 (15.5.5.

Remote IP Address    Key
16.98.98.98 (pkgA)   client2_key
16.99.99.
Step 5: Configuring Authentication Records for Certificates

This section describes the configuration requirements for authentication records if you are using security certificates (RSA signatures) for IKE authentication. If you are not using security certificates for IKE authentication, go to “Step 6: Verifying and Testing the HP-UX IPSec Configuration” on page 265.

Cluster Node

On each cluster node, add entries to the ipsec_config batch file with add auth operations to configure an authentication record for each cluster client, as follows:
• Remote IP Address (-remote): The cluster client address.
• Local ID type (-ltype): IPV4.
• Local ID value (-lid): The IP address in the SubjectAlternativeName field of the certificate for the cluster.

  — You do not need to enter this argument if the cluster client is an HP-UX system and is not multihomed. HP-UX IPSec will use IPV4 as the ID type.
  — If the cluster client is a multihomed HP-UX system, specify IPV4.
  — If the cluster client is not an HP-UX system, enter the value sent by the cluster client.
• Local ID value (-lid): The IKE ID value sent by the cluster client.

• Client1 (15.4.4.4)
• Client2 (15.5.5.5)
HP-UX IPSec is securing the traffic between the clients and the package addresses.

IKE ID Configuration on Cluster Nodes

On each cluster node, the ipsec_config batch file contains the following entries:

    add auth client1 -remote 15.4.4.4 -ltype IPV4 -lid 15.1.1.1
    add auth client2 -remote 15.5.5.5 -ltype IPV4 -lid 15.1.1.
Step 6: Verifying and Testing the HP-UX IPSec Configuration

Start and verify HP-UX IPSec on the cluster node on which you configured IPSec, using the procedure in Chapter 3, “Step 8: Committing the Batch File Configuration and Verifying Operation” on page 105.

Step 7: Configuring HP-UX IPSec Start-up Options

HP-UX IPSec must be running on all nodes in the cluster before MC/ServiceGuard starts. After you have verified the configuration, you can configure HP-UX IPSec to start automatically at system startup time. See Chapter 3, “Step 9: Configuring HP-UX IPSec to Start Automatically” on page 109.

Step 8: Distributing HP-UX IPSec Configuration Files

After you have verified and tested the HP-UX IPSec configuration on one node, distribute the HP-UX IPSec configuration database file, /var/adm/ipsec/config.db, to the other nodes in the cluster.

NOTE Do not redistribute the configuration database file while HP-UX IPSec is running.

• /var/adm/ipsec/cainfo.txt
• /var/adm/ipsec/certs.txt
• /var/adm/ipsec/javabeans.txt
To periodically retrieve the CRL from the VeriSign CA, you must also modify the root user’s crontab file (/var/spool/cron/crontabs/root) to execute the /var/adm/ipsec_gui/crl.cron file. Re-submit the crontab file.
Step 9: Configuring MC/ServiceGuard

Configure MC/ServiceGuard according to the MC/ServiceGuard product documentation, with the additional requirements listed below. Verify the MC/ServiceGuard configuration using the cmcheckconf command, as described in the MC/ServiceGuard product documentation.

Cluster Configuration
HP strongly recommends that you do not secure heartbeat messages using IPSec (with AH or ESP).

Monitor Script Polling Interval
By default, the HP-UX IPSec monitor script polls IPSec every 60 seconds to verify that it is available. To modify the polling interval, change the value of the IPSEC_POLLING_INVERVAL parameter in the monitor script file, /var/adm/ipsec/ipsec_status.sh.

Step 10: Starting HP-UX IPSec and MC/ServiceGuard

HP-UX IPSec must be running on all cluster nodes, with the same HP-UX IPSec configuration files, before you start the MC/ServiceGuard cluster. Use the following procedure to start HP-UX IPSec and MC/ServiceGuard.
1. Start HP-UX IPSec. There are two ways to start HP-UX IPSec:
   • Manually, using the ipsec_admin -start command.
   • Automatically, at system boot-up time.
Chapter 9 HP-UX IPSec and Linux

This chapter includes the following information about HP-UX interoperation with Linux FreeSwan:
• “Limitations of HP-UX IPSec Interoperating with Linux FreeSwan” on page 275
• “Configuration Example” on page 276

Limitations of HP-UX IPSec Interoperating with Linux FreeSwan

HP-UX IPSec can be configured to interoperate with Linux FreeSwan version 1.96. The following limitations of Linux FreeSwan affect interoperability with HP-UX IPSec:
• Linux FreeSwan does not support DES encryption. You must use 3DES or AES encryption.
• Linux FreeSwan does not support IPSec rules that specify a port or protocol.

Configuration Example

The following is an example of a Linux FreeSwan configuration in /etc/ipsec.conf. The file is configured to interoperate with HP-UX IPSec using preshared key authentication:

    conn hp_sample
        type=transport
        left=192.12.12.23
        leftnexthop=192.12.12.1
        right=192.12.13.7
        rightnexthop=192.12.13.
Appendix A Product Specifications

This appendix lists the HP-UX IPSec product specifications.

IPSec RFCs

The HP-UX IPSec product conforms to the Internet Engineering Task Force (IETF) RFCs listed below:

Table A-1 Supported IPSec RFCs

RFC Number  RFC Title
RFC 2401    Security Architecture for the Internet Protocol
RFC 2402    IP Authentication Header
RFC 2403    The Use of HMAC-MD5-96 within ESP and AH
RFC 2404    The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405    The ESP DES-CBC Cipher Algorithm with Explicit IV
RFC 2406    IP Encapsulating Security Payload (ESP)

• Automatic key management with IKE [4] MAY be supported. Only IKEv1 is discussed in this document. Other automatic key management mechanisms exist and will appear beyond IKEv1, but this document does not address the issues related to them.
• ESP encapsulation of Binding Updates and Acknowledgements between the mobile node and home agent MUST be supported and MUST be used.
Product Restrictions

HP-UX IPSec product restrictions are described below:
• HP-UX IPSec systems cannot act as IP or IPSec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients.
• You cannot use an end-to-end or transport transform in a host-to-host tunnel topology. The action for the host policy in a host-to-host topology must be PASS.

When using certificate-based ISAKMP authentication (RSA signatures), HP-UX IPSec checks that the identity sent by the other node in the Main Mode (MM) negotiation matches information in the other node’s certificate. In MM exchanges, HP-UX IPSec always sends its local IP address as the ID value, with the matching IP address type (IPv4 or IPv6) as the ID type, in the ISAKMP ID payload.

The transmission of ICMP Source Quench messages is controlled by the IP kernel parameter ip_send_source_quench. By default, this feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.

HP-UX IPSec Transforms

Comparative Key Lengths

Below is a table showing the key lengths of AH and ESP algorithms. In general, the longer the key, the more secure the encryption algorithm. AES provides the strongest encryption, but should be used with some form of authentication, such as the ESP-AES128-HMAC-SHA1 transform.

NOTE DES has been cracked (data encoded using DES has been decoded by a third party).

Encryption Algorithms

These algorithms are used to encrypt the IP payload for an IPSec Encapsulating Security Payload (ESP). ESP provides confidentiality (encryption). In addition, there are authenticated ESP algorithms, which combine an encryption algorithm with an authentication algorithm. The authentication algorithm is used to compute an Integrity Check Value (ICV) to authenticate the ESP header and IP data.

ESP-NULL-HMAC-MD5    ESP header and trailer, but nothing is encrypted. An ICV is generated using HMAC-MD5.
ESP-NULL-HMAC-SHA1   ESP header and trailer, but nothing is encrypted. An ICV is generated using HMAC-SHA1.

Transform Lifetime Negotiation

The configured transform lifetimes are the preferred lifetimes. The actual lifetimes used depend on negotiation with the remote system.
Appendix B Migrating from Previous Versions of HP-UX IPSec

This appendix provides information on migrating to the current version of HP-UX IPSec from previous versions.

• “Post-Installation Migration Instructions” on page 291

Pre-Installation Migration Instructions

Before installing HP-UX IPSec version A.02.00, verify that your installation meets the following conditions:
• MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec systems must be version A.01.04 or higher. For more information, refer to “MD5 Version Compatibility” on page 289.
• Migrating from HP-UX IPSec versions prior to A.01.003 (such as A.01.01 or A.

1. Verify that HP-UX IPSec is already configured with a valid IPSec password and configuration file. To do this, use the ipsec_admin -start command to start HP-UX IPSec. After you have verified HP-UX IPSec, stop it using the ipsec_admin -stop command.
2. Check the automatic boot-up setting in the ipsec_mgr GUI under the Options menu. If it is enabled, deselect Boot-up Options.
3. Install HP-UX IPSec version A.01.05.

Post-Installation Migration Instructions

Configuration File

HP-UX IPSec version A.02.00 stores configuration data in a configuration database instead of a policy file. To migrate a policy configuration file from an earlier version of HP-UX IPSec to an A.02.00 configuration database, use the following procedure.

Step 1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.02.00.
Appendix C HP-UX IPSec Configuration Examples

This appendix provides configuration examples for four topologies:
• “Example 1: telnet Between Two Systems” on page 295 shows example ipsec_config batch files for encrypting and authenticating all telnet traffic between two systems, using dynamic keys and preshared keys for IKE authentication.

Example 1: telnet Between Two Systems

You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2), on a private, isolated LAN. You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. By default, all other network traffic will pass in clear text.

Apple Configuration

Host IPSec Policies

On Apple, you configure two host IPSec policies. The first host IPSec policy (telnetAB) is for outbound telnet requests from Apple to Banana (users on Apple using the telnet service on Banana). Note that because the telnet clients on Apple may use any non-reserved TCP port number, you do not specify a port number in the source address.

    add host telnetAB \
        -source 15.1.1.1 \
        -destination 15.2.2.2/32/TELNET \
        -priority 20 -action ESP_AES128_HMAC_SHA1

    add host telnetBA \
        -source 15.1.1.1/32/TELNET \
        -destination 15.2.2.2 \
        -priority 30 -action ESP_AES128_HMAC_SHA1

IKE Policy

You configure an IKE policy, banana, to use when Apple negotiates ISAKMP/MM Security Associations (SAs) with Banana. The ipsec_config batch file entry is listed below:

    add ike banana -remote 15.2.

    # IKE Policy
    add ike apple -remote 15.1.1.1 -authentication psk
    # Auth record with preshared key
    add auth apple -remote 15.1.1.
Example 2: Authenticated ESP with Exceptions

You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access to this LAN from outside nodes. There is one system outside the LAN with IPSec, Potato, that you will allow to communicate with the nodes in your network using AES with SHA1. All other packets from external nodes will be discarded.

Carrot Configuration

The ipsec_config batch file on Carrot contains the following entries.

Host IPSec Policies

You configure four host IPSec policies on Carrot.
1. potato: accepts all packets to and from system Potato using ESP-AES-HMAC-SHA1.

    add host potato -destination 193.3.3.3 -priority 20 \
        -action ESP_AES128_HMAC_SHA1

2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to pass in clear text.

ipsec_config Batch File Entries

    add host potato -destination 193.3.3.3 -priority 20 \
        -action ESP_AES128_HMAC_SHA1
    add host pass_icmp -destination 192.1.1.0/24 \
        -protocol ICMP -priority 30 -action pass
    add host aes_lan -destination 192.1.1.
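A way to check what a set of host IPSec policies will do with a given flow before committing the batch file, using Example 2 as the input. This is an added example, not HP's code. It assumes that policies are tried in ascending -priority order with the first matching filter deciding the action (which is what the priority values in these examples imply), that a host policy's -destination names the remote endpoint and applies to both directions of the flow, and that a flow matching no policy gets a constructed DISCARD default. The aes_lan entry and that default are constructed because the page's listing is cut off. The same first-match check applies to the MC/ServiceGuard policies in Chapter 8, where the cluster services must never end up at a DISCARD action.

```python
"""First-match evaluation of HP-UX IPSec host policies over an
ipsec_config batch file.  Added example, not HP's code.

Assumptions: policies are evaluated in ascending -priority order and the
first matching filter decides the action; a host policy's -destination names
the remote endpoint and the policy applies to both directions of the flow;
a flow that matches no policy gets the constructed default action.  The
aes_lan entry and the DISCARD default are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class HostPolicy:
    name: str
    destination: str        # remote address or prefix; bare address means /32
    protocol: str = "ALL"   # ALL matches every protocol
    priority: int = 100
    action: str = "PASS"

    def matches(self, remote, protocol):
        net = ipaddress.ip_network(self.destination, strict=False)
        if ipaddress.ip_address(remote) not in net:
            return False
        return self.protocol in ("ALL", protocol.upper())


_ARG = re.compile(r"-(\w+)\s+(\S+)")


def parse_batch(text):
    """Turn 'add host' entries (with backslash continuations) into policies."""
    policies = []
    for entry in text.replace("\\\n", " ").splitlines():
        words = entry.split()
        if words[:2] != ["add", "host"]:
            continue
        args = dict(_ARG.findall(entry))
        policies.append(HostPolicy(
            name=words[2],
            destination=args["destination"],
            protocol=args.get("protocol", "ALL").upper(),
            priority=int(args.get("priority", 100)),
            action=args["action"].upper(),
        ))
    return policies


def decide(policies, remote, protocol, default="DISCARD"):
    """Return (policy name, action) for a flow with the given remote endpoint."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(remote, protocol):
            return policy.name, policy.action
    return "default", default


def discarded(policies, flows, default="DISCARD"):
    """Flows the policy set would drop: run this over every service a
    cluster or client must reach before trusting the configuration."""
    return [f for f in flows
            if decide(policies, *f, default=default)[1] == "DISCARD"]


# Constructed batch file modelled on Example 2 (Carrot).
CARROT_BATCH = """\
add host potato -destination 193.3.3.3 -priority 20 \\
    -action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \\
    -protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \\
    -priority 40 -action ESP_AES128_HMAC_SHA1
"""

if __name__ == "__main__":
    policies = parse_batch(CARROT_BATCH)
    for remote, proto in [("193.3.3.3", "TCP"), ("192.1.1.7", "ICMP"),
                          ("192.1.1.7", "TCP"), ("200.9.9.9", "TCP")]:
        print(remote, proto, "->", decide(policies, remote, proto))
```

Traffic with Potato is matched first because of its lower priority value, ICMP inside the LAN passes in clear text, other LAN traffic falls to the constructed aes_lan entry, and an external node that no policy names ends at the default action.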
Example 3: Host to Gateway

On system Blue (15.5.5.5), you configure HP-UX IPSec to communicate with Home1 (17.7.7.7) through a secure IPSec tunnel to a gateway (a router), accessed using its 16.6.6.6 address. The end-to-end packets pass in clear text. Blue must use the router as the gateway to Home1. You may need to configure an explicit IP route to Home1 that specifies 16.6.6.6 as the gateway address.

Tunnel IPSec Policy

The end source address specification for the tunnel IPSec policy is 17.0.0.0/8, so this tunnel IPSec policy can be used for host policies to other nodes in the 17.*.*.* network.

    add tunnel torouter \
        -src 15.5.5.5 \
        -dst 17.0.0.0/8 \
        -tsrc 15.5.5.5 \
        -tdst 16.6.6.6 \
        -action ESP_DES_HMAC_MD5

IKE Policy

The router in this topology uses Oakley group (Diffie-Hellman group) 1 and DES encryption for IKE parameters.

Example 4: Manual Keys

You want to secure rlogin sessions from the system Dog (10.2.2.2) to the system Cat (10.4.4.4) using manual keys. There is no configuration for rlogin sessions from Cat to Dog; these sessions will use the default host IPSec policy and pass in clear text.

Dog Configuration

The ipsec_config batch file on Dog contains only one host IPSec policy.
Glossary

3DES  Triple Data Encryption Standard. Uses a 168-bit key for symmetric key block encryption. It is suitable for encrypting large amounts of data. Last certified by the US government (NIST) as a standard in 1999. It must be re-certified every 5 years.

confirms the identity of the holder (person, device, or other entity) of the corresponding private key. The CA digitally signs the certificate with the CA’s private key, so the certificate can be verified using the CA’s public key.

DES has been cracked (data encoded using DES has been decoded by a third party).

Diffie-Hellman  Method to generate a symmetric key where two parties can publicly exchange values and generate the same symmetric key. Start with prime p and generator g, which may be publicly known (typically these numbers are from a well-known “Diffie-Hellman Group”). Each party selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). They exchange the public values.

IPSec/Quick Mode Security Association (IPSec/QM SA)  A secure communication channel for IPSec, including encryption and authentication methods, encryption keys and lifetimes.

ISAKMP  HP supports the Internet Security Association and Key Management Protocol (ISAKMP) in conjunction with the Oakley Key Exchange Protocol to establish an authenticated key exchange.

configured to create a new ISAKMP/MM SA for each IPSec/QM negotiation). HP-UX IPSec does not support PFS for keys only (the ISAKMP/MM SA is re-used for multiple IPSec/QM negotiations, with a new Diffie-Hellman key exchange for each IPSec/QM negotiation).

Preshared Key  An ASCII string agreed upon by two systems for encryption or authentication.
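The Diffie-Hellman exchange from the glossary entry above, worked through in code so that both sides' arithmetic can be followed; it also shows why drawing a fresh private value per negotiation gives the per-negotiation keys that the Perfect Forward Secrecy entry describes. This is an added example, not HP code. P and G are toy values chosen so the numbers can be checked by hand (an IKE Oakley group uses a prime of 768 bits or more), and the private values are constructed.

```python
"""Diffie-Hellman exchange as in the glossary entry.  Added example, not HP
code.  P and G are toy parameters (constructed); a real IKE group uses a
prime of 768 bits or more.  Private values a and b are constructed."""
import secrets

P, G = 23, 5  # toy prime and generator (constructed)


def public_value(g, private, p):
    """g**private mod p: the value each side may send in the clear."""
    return pow(g, private, p)


def shared_secret(peer_public, private, p):
    """(g**b)**a mod p == (g**a)**b mod p, so both sides derive one value."""
    return pow(peer_public, private, p)


def random_private(p):
    """A fresh private value in [2, p-2].  Drawing a new one for every
    IPSec/QM negotiation is what yields independent keys per negotiation."""
    return 2 + secrets.randbelow(p - 3)


def dh_exchange(p, g, a, b):
    """Run both sides; returns (A, B, secret at a's side, secret at b's side)."""
    A = public_value(g, a, p)   # sent by party 1
    B = public_value(g, b, p)   # sent by party 2
    return A, B, shared_secret(B, a, p), shared_secret(A, b, p)


if __name__ == "__main__":
    a, b = random_private(P), random_private(P)
    print(dh_exchange(P, G, a, b))
```

With a = 6 and b = 15 the exchanged values are 8 and 19 and both sides arrive at 2, which equals g**(a*b) mod p; only the public values cross the network.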