HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec and MC/ServiceGuard
Step 6: Verifying and Testing the HP-UX IPSec Configuration
Start and verify HP-UX IPSec on the cluster node on which you
configured IPSec using the procedure in Chapter 3, “Step 8: Committing
the Batch File Configuration and Verifying Operation” on page 105.
Use ipsec_policy to test your configuration to ensure it meets the following conditions:

- HP-UX IPSec allows messages sent between the heartbeat IP addresses to pass in clear text, including MC/ServiceGuard heartbeat messages (TCP and UDP destination port 5300).

- HP-UX IPSec does not discard control messages for optional MC/ServiceGuard services, including Quorum Server and ServiceGuard Manager messages. Table 8-1 on page 254 lists the port numbers and protocols for MC/ServiceGuard services control messages.
To verify that all messages sent between the heartbeat IP addresses pass in clear text, run ipsec_policy and specify only the source and destination IP addresses (use the default wildcard values for the other parameters). For example, you could use the following command on node 15.1.1.1 to verify that all messages sent to 15.2.2.2 pass in clear text:

ipsec_policy -sa 15.1.1.1 -da 15.2.2.2
You can also explicitly verify that HP-UX IPSec will pass heartbeat messages in clear text. The example below tests if MC/ServiceGuard TCP heartbeat messages (port 5300) will pass in clear text to node 15.1.1.1 from node 15.2.2.2. The dummy value 65535 is used for the dynamically assigned source port number (-sp 65535).

ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 5300 -p tcp
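The two queries above (the address-only query and the per-service query with a dummy source port) are one direction of one address pair; a cluster has several ordered pairs and several control ports, and a policy that is correct from node A to node B says nothing about the reverse direction. The following POSIX shell script is an added example, not part of the HP-UX guide: it repeats both queries for every ordered pair of heartbeat addresses and every service in a list, and reports any query whose result is not a clear-text pass. It assumes ipsec_policy is on PATH and that its output names the matching action with one of the words PASS, SECURE or DISCARD; that wording is an assumption, so compare it with the output on your own node and adjust classify_action if needed. The Quorum Server and ServiceGuard Manager ports from Table 8-1 are not on this page and are left as a placeholder comment.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec Administrator's Guide): drive
# ipsec_policy over every ordered pair of heartbeat addresses and every
# MC/ServiceGuard service port, in both directions, and flag anything that
# is not passed in clear text.
#
# ASSUMPTIONS (not confirmed by the guide): ipsec_policy is on PATH, and its
# output names the matching action with one of the words PASS, SECURE or
# DISCARD. Check the output on your own node and adjust classify_action if
# the wording differs.

# Heartbeat addresses of the cluster nodes (the guide's example addresses).
HEARTBEAT_ADDRS="15.1.1.1 15.2.2.2"

# Services to check as proto:port. 5300/tcp and 5300/udp are the
# MC/ServiceGuard heartbeat ports; append the Quorum Server and
# ServiceGuard Manager entries from Table 8-1 of the guide, for example
# "tcp:<quorum-port>" (placeholder, value not given on this page).
SERVICES="tcp:5300 udp:5300"

# Dummy value standing in for the dynamically assigned source port.
DUMMY_SPORT=65535

# classify_action: read ipsec_policy output from stdin and print the action
# it names. DISCARD and SECURE are matched first so that a stray "pass"
# elsewhere in the text cannot mask a discard or a secure policy.
classify_action() {
    out=$(cat)
    case "$out" in
        *DISCARD*|*discard*) echo DISCARD ;;
        *SECURE*|*secure*)   echo SECURE ;;
        *PASS*|*pass*)       echo PASS ;;
        *)                   echo UNKNOWN ;;
    esac
}

# check_addrs SRC DST: address-only query; everything between the two
# heartbeat addresses must pass in clear text. Exit status 0 on PASS.
check_addrs() {
    action=$(ipsec_policy -sa "$1" -da "$2" 2>&1 | classify_action)
    printf '%s -> %s any/any: %s\n' "$1" "$2" "$action"
    [ "$action" = PASS ]
}

# check_service SRC DST PROTO PORT: one service, dummy ephemeral source port.
check_service() {
    action=$(ipsec_policy -sa "$1" -sp "$DUMMY_SPORT" -da "$2" -dp "$4" -p "$3" 2>&1 \
        | classify_action)
    printf '%s -> %s %s/%s: %s\n' "$1" "$2" "$3" "$4" "$action"
    [ "$action" = PASS ]
}

# run_checks: every ordered (src,dst) pair of heartbeat addresses, so a policy
# that is correct in one direction but not the other is caught. Prints a
# summary and returns the number of failing checks (0 = all clear text).
run_checks() {
    failures=0
    for src in $HEARTBEAT_ADDRS; do
        for dst in $HEARTBEAT_ADDRS; do
            if [ "$src" = "$dst" ]; then continue; fi
            check_addrs "$src" "$dst" || failures=$((failures + 1))
            for svc in $SERVICES; do
                proto=${svc%%:*}
                port=${svc#*:}
                check_service "$src" "$dst" "$proto" "$port" || failures=$((failures + 1))
            done
        done
    done
    echo "checks not passed in clear text: $failures"
    return $failures
}

# Run only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it on each cluster node as `sh check_heartbeat_policy.sh --run`; a non-zero exit status means at least one heartbeat or control-message query did not resolve to a clear-text pass and the corresponding policy needs attention before MC/ServiceGuard is started.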