HP-UX IPSec version A.02.00 Administrator's Guide
Migrating from Previous Versions of HP-UX IPSec
Pre-Installation Migration Instructions
Appendix B
289
Before installing HP-UX IPSec version A.02.00, verify that your installation meets the
following conditions:
• MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec
systems must be version A.01.04 or higher. For more information, refer to “MD5
Version Compatibility” on page 289.
• Migrating from HP-UX IPSec versions prior to A.01.03 (such as A.01.01 or A.01.02):
You must follow the procedure listed in “Migrating from Versions Prior to A.01.03”
on page 289.
MD5 Version Compatibility
HP-UX IPSec versions A.01.04 and higher fix a defect in the HP-UX IPSec MD5
algorithm. If you are using an earlier version of HP-UX IPSec (A.01.03 or earlier) to
communicate with IPSec version A.01.04, A.01.05, A.01.06, or A.01.07 and using a
transform with MD5, the authentication will intermittently fail and HP-UX IPSec will
drop the packet and report an error.
If you are currently using HP-UX IPSec with any of the following transforms, you must
simultaneously upgrade all your systems to HP-UX IPSec version A.01.04 or higher.
• AH-MD5 transforms
• ESP transforms that are authenticated using MD5:
— ESP-DES-HMAC-MD5
— ESP-3DES-HMAC-MD5
— ESP-AES128-HMAC-MD5
• Nested AH and ESP transforms that use MD5
If MD5 authentication fails between HP-UX IPSec version A.01.04 or higher and an
earlier version of HP-UX IPSec, you will see entries similar to the following in the
HP-UX IPSec log file:
Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.
To view an HP-UX IPSec log file, use the command
ipsec_report -audit audit_file_name [-file output_file_name]
By default, HP-UX IPSec log files are located in the /var/adm/ipsec directory. The log
file name format is auditdate_information.log, where date_information is a placeholder.
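An added example, not part of the HP guide: a POSIX shell function that tallies the Integrity Check Value failures described above per address pair and protocol, so the affected peers stand out in a long report. It assumes every entry has the two-line shape of the single sample entry on this page; the function names, the /tmp/report.txt path and all sample entries after the first are constructed for illustration.

```sh
#!/bin/sh
# Added example, not HP code. Assumption: each report entry has the
# two-line shape of the sample in the guide ("Msg:" line, "Event:" line).

# Count ICV failures per address pair and protocol; report text on stdin.
icv_summary() {
    awk '
    /Integrity Check Value failure/ {
        if (!match($0, /IP addr: [0-9.]+:[0-9.]+/)) next
        pair = substr($0, RSTART + 9, RLENGTH - 9)       # skip "IP addr: "
        proto = "unknown"
        if (match($0, /proto: [0-9]+/))
            proto = substr($0, RSTART + 7, RLENGTH - 7)  # skip "proto: "
        if (proto == "51") proto = "AH"     # IP protocol number 51
        if (proto == "50") proto = "ESP"    # IP protocol number 50
        count[pair " " proto]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# First entry is the one shown in the guide; the others are constructed.
sample_report() {
    cat <<'EOF'
Msg: 31 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:30 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.
Msg: 32 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:12:41 2001
Event: Integrity Check Value failure - SPI: 1C97D8 IP addr: 15.13.136.52:15.13.136.171 proto: 51.
Msg: 33 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:02 2001
Event: Integrity Check Value failure - SPI: 2A0041 IP addr: 192.0.2.10:192.0.2.20 proto: 50.
Msg: 34 From: SECPOLICYD Lvl: ALERT Date: Friday Oct 19 16:13:05 2001
Event: constructed entry that is not an ICV failure.
EOF
}

# Real use, with the command syntax given above:
#   ipsec_report -audit audit_file_name -file /tmp/report.txt
#   icv_summary < /tmp/report.txt
sample_report | icv_summary
# prints:
#   2 15.13.136.52:15.13.136.171 AH
#   1 192.0.2.10:192.0.2.20 ESP
```

An ICV failure only shows that authentication failed for that address pair; compare the installed HP-UX IPSec versions and the configured transforms on both peers before attributing it to the MD5 defect.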
Migrating from Versions Prior to A.01.03
If you are updating to HP-UX IPSec version A.02.00 from a version released prior to
A.01.03 (such as version A.01.01 or A.01.02) and want to re-use your configuration files,
you must use the following procedure to first update to HP-UX IPSec version A.01.05,
then update to version A.02.00: