HP-UX IPSec version A.02.00 manpages

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

ipsec_admin(1M) ipsec_admin(1M)

(HP-UX IPSec Software Required)

NAME

ipsec_admin - HP-UX IPSec administration utility

SYNOPSIS

/usr/sbin/ipsec_admin -start

|st

[-audit

au audit _directory][

-auditlvl

alert

|error

|warning|informative|debug]

[

-maxsize|

ms max_audit_ﬁle_size ]

[

-traceon

|tn tcp

udp

|igmp|all]

[

-spi_min

spi_min_value ][

-spi_max

spi_max_value ][

-spd_soft

spd_soft_limit][

-spd_hard

spd_hard_limit]

/usr/sbin/ipsec_admin -stop

/usr/sbin/ipsec_admin -status

/usr/sbin/ipsec_admin -silentstatus

|ss

/usr/sbin/ipsec_admin -newpasswd

np password

/usr/sbin/ipsec_admin -audit

audit_directory [

-start

st]

/usr/sbin/ipsec_admin -auditlvl

|al alert

error|

warning|informative|debug

[

-start

|st

]

/usr/sbin/ipsec_admin -maxsize

|ms

max_audit_ﬁle_size [

-start

|st

]

/usr/sbin/ipsec_admin -traceon

|tn tcp

|udp|

igmp|all

[-start|

st]

/usr/sbin/ipsec_admin -traceoff

|tf tcp

|udp

|igmp|all

/usr/sbin/ipsec_admin

[-start|

st][-spd_soft

spd_soft_limit]

/usr/sbin/ipsec_admin

[

-start|

st][

-spd_hard spd_hard_limit]

/usr/sbin/ipsec_admin -flushsa

|fa

/usr/sbin/ipsec_admin -flushp

|fp

/usr/sbin/ipsec_admin -deletesa

|da

remote_ip_address

DESCRIPTION

ipsec_admin

is a utility for performing HP-UX IPSec administration tasks such as starting and stop-

ping the HP-UX IPSec subsystem and getting the status of the HP-UX IPSec subsystem. The HP-UX

IPSec subsystem includes the user-space key management daemon, audit daemon, policy daemon, and

the HP-UX IPSec kernel portion. You can also use

ipsec_admin to perform the following tasks:

• Set the audit level.

• Change the audit directory.

• Set the maximum audit ﬁle size.

• Get status on the HP-UX IPSec system.

• Enable or disable Level 4 training for TCP, UDP or IGMP.

• Delete the IKE and IPSec SAs for a give peer node.

• Set the "soft" and "hard" limits for the size of the Security Policy Database (SPD).

• Set the range from which HP-UX IPSec assigns Security Parameters Index (SPI) numbers for

inbound, dynamic key Security Associations (SAs). You can only change the SPI range when

you start HP-UX IPSec.

• Change the HP-UX IPSec password. HP-UX IPSec does not have to be running when you

change the password.

ipsec_admin requires the optional HP-UX IPSec software.

You must have superuser capabilities to run

ipsec_admin.

In order to change the HP-UX IPSec password, you must provide the existing HP-UX IPSec password.

The HP-UX IPSec password must be entered from the keyboard; it cannot be redirected from a ﬁle.

Options

ipsec_admin recognizes the following command-line options and arguments:

HP-UX IPSec A.02.00 − 1 − Hewlett-Packard Company 1

Summary of content (54 pages)

PAGE 1
ipsec_admin(1M) ipsec_admin(1M) (HP-UX IPSec Software Required) NAME ipsec_admin - HP-UX IPSec administration utility SYNOPSIS /usr/sbin/ipsec_admin -start|st [-audit|au audit_directory] [-auditlvl|al alert|error|warning|informative|debug] [-maxsize|ms max_audit_file_size ] [-traceon|tn tcp|udp|igmp|all] [-spi_min spi_min_value ] [-spi_max spi_max_value ] [-spd_soft spd_soft_limit ] [-spd_hard spd_hard_limit ] /usr/sbin/ipsec_admin -stop|sp /usr/sbin/ipsec_admin -status|s /usr/sbin/ipsec_admin -silentsta
PAGE 2
ipsec_admin(1M) ipsec_admin(1M) (HP-UX IPSec Software Required) -start|st Starts the HP-UX IPSec subsystem, including all user-space daemons. If the configuration file to be used does not have the correct version, ipsec_admin issues an error message and exits. You can migrate the configuration file to the correct version using ipsec_migrate. -stop|sp Stops the HP-UX IPSec subsystem, including all user-space daemons. -status|s Reports the current status of the HP-UX IPSec subsystem.
PAGE 3
ipsec_admin(1M) ipsec_admin(1M) (HP-UX IPSec Software Required) -spi_min spi_min_value Specifies the lower bound for inbound, dynamic key Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal. Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal). Default: None. -spi_max spi_max_value Specifies the upper bound for inbound, dynamic key Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal. Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).
PAGE 4
ipsec_admin(1M) ipsec_admin(1M) (HP-UX IPSec Software Required) EXAMPLES ipsec_admin produces the following report for the command ipsec_admin -status: ----------------- IPSec Status Report ----------------Time: Thu Dec 24 15:21:37 1998 secauditd program: Running and responding secpolicyd program: Running and responding ikmpd program: Running and responding IPSec kernel: Up IPSec Audit level: Error IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.
PAGE 5
ipsec_config(1M) ipsec_config(1M) NAME ipsec_config - add, delete, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database SYNOPSIS ipsec_config add object_type argument_list ipsec_config batch argument_list ipsec_config delete object_type argument_list ipsec_config help [operation [object_type ]] ipsec_config show object_type argument_list DESCRIPTION The ipsec_config command adds, deletes and shows HP-UX IPSec configuration objects in the HPUX IPSec configuration database,
PAGE 6
ipsec_config(1M) ipsec_config(1M) Synopsis ipsec_config add auth auth_name [-nocommit|nc] [-rem[ote] ip_address [/prefix]] [-ltype local_id_type ] [-lid local_id ] [-rtype remote_id_type] [-rid remote_id ] [-preshared|psk preshared_key ] Description Authentication records contain preshared key and IKE identification information. You must configure authentication records if you are using preshared keys for IKE authentication.
PAGE 7
ipsec_config(1M) ipsec_config(1M) The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero addresses. Type IPv4 IPv6 Range 0 - 32 0 - 128 Default 32 (0 for all-zero addresses) 128 (0 for all-zero addresses) The default prefix is zero (0) if the address is all zeros. Warning: Specifying a subnet address filter and a preshared key allows you to configure a single preshared key for an entire subnet.
PAGE 8
ipsec_config(1M) ipsec_config(1M) For remote_id_type, the value of the remote_id follows: IPV4 An IPv4 address in dotted-decimal notation. If you are using security certificates and RSA signatures (RSASIG) for IKE authentication, this must match the IPv4 address in the SubjectAlternativeName of the remote system’s certificate. IPV6 An IPv6 address in colon-hexadecimal notation. FQDN A Fully Qualified Domain Name, also known as Domain Name Server or DNS name, such as myhost.hp.com.
PAGE 9
ipsec_config(1M) ipsec_config(1M) Configure authentication records preshared key authentication for a remote multihomed HP-UX IPSec system, with addresses 10.8.8.8 and 11.8.8.8. ipsec_config add auth -remote 10.8.8.8 \ -preshared my_hostA_hostX_key ipsec_config add auth -remote 11.8.8.8 \ -preshared my_hostA_hostX_key Configure an authentication record for RSA signature (security certificate) authentication with remote system 192.1.1.1, which uses X.500 Distinguished Names (X500-DN) for ID types.
PAGE 10
ipsec_config(1M) ipsec_config(1M) Remarks Use this option only when the local system is an HP-UX Mobile IPv6 Home Agent. Description Use the ipsec_config add gateway command to configure gateway IPSec policies. Do not use this command unless the local system is an HP-UX Mobile IPv6 Home Agent. Gateway IPSec policies specify HP-UX IPSec behavior when the local system is acting as a gateway (forwarding packets that the local system receives with a non-local destination IP address).
PAGE 11
ipsec_config(1M) ipsec_config(1M) HP-UX IPSec compares the source address filter with the end-to-end source address fields in the packet, and the destination address filter with the end-to-end destination address fields in the packet. You must configure two gateway IPSec policies for each end-to-end source and destination address pair; you configure one gateway IPSec policy for the data path between the gateway and each endpoint.
PAGE 12
ipsec_config(1M) FTP-DATA FTP-CONTROL HTTP-TCP HTTP-UDP NTP REXEC RLOGIN RWHO REMSH REMPRINT SMTP TELNET TFTP ipsec_config(1M) 20 21 80 80 123 512 513 513 514 515 25 23 69 TCP TCP TCP UDP UDP TCP TCP UDP TCP TCP TCP TCP UDP -prot[ocol] protocol_id Upper-layer protocol. Value or name of the upper-layer protocol that HP-UX IPSec in the address filter to select an IPSec policy for a packet. You cannot specify the -protocol argument and a service_name in the same policy.
PAGE 13
ipsec_config(1M) ipsec_config(1M) FORWARD|FW Forward packets in clear text using this gateway IPSec policy. DISCARD Discard packets using this gateway IPSec policy. This is the default action. The action must be FORWARD if you specify the -tunnel argument. Default: The action defined for the action parameter in the GWPolicy-Defaults section of the profile file used. The default definition for action is DISCARD in /var/adm/ipsec/.ipsec_profile. -flags flags Additional options for this policy.
PAGE 14
ipsec_config(1M) ipsec_config(1M) IPSEC_CONFIG COMMAND Name add host - configure host IPSec policies Synopsis host host_policy_name [-nocommit|nc] [-prof[ile] profile_name ] ip_address [/prefix[/port_number|service_name]]] [-destination|dst ip_address [/prefix[/port_number|service_name]]] [-prot[ocol] protocol_id ] [-pri[ority] priority_number] [-tunnel tunnel_policy_name] [-act[ion] PASS|DISCARD | transform_list] [-flags flags] [-in manual_key_sa_specification [-in manual_key_sa_specification ]] [-out m
PAGE 15
ipsec_config(1M) ipsec_config(1M) in the packet, and the destination address filter with the destination address fields in the packet. For an inbound packet, HP-UX IPSec compares the source address filter specification with the destination address fields in the packet, and the destination address filter with the source address fields in the packet.
PAGE 16
ipsec_config(1M) ipsec_config(1M) FTP-CONTROL HTTP-TCP HTTP-UDP NTP REXEC RLOGIN RWHO REMSH REMPRINT SMTP TELNET TFTP 21 80 80 123 512 513 513 514 515 25 23 69 TCP TCP UDP UDP TCP TCP UDP TCP TCP TCP TCP UDP -prot[ocol] protocol_id Upper-layer protocol. Value or name of the upper-layer protocol that HP-UX IPSec in the address filter to select an IPSec policy for a packet. You cannot specify the -protocol argument and a service_name in the same policy.
PAGE 17
ipsec_config(1M) ipsec_config(1M) The values are defined as follows: PASS|DISCARD PASS Allow packets using this host IPSec policy to pass in clear text with no alteration. The default host IPSec policy shipped with the product specifies -action PASS. DISCARD Discard packets using this host IPSec policy. transform_list A transform specifies the IPSec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulation Security Payload) headers.
PAGE 18
ipsec_config(1M) ipsec_config(1M) ESP_3DES_HMAC_SHA1 (ESP 3DES, authenticated with HMAC-SHA1.) ESP_AES128 (ESP with 128-bit Advanced Encryption Standard CBC.) ESP_AES128_HMAC_MD5 (ESP AES128, authenticated with HMAC-MD5.) ESP_AES128_HMAC_SHA1 (ESP AES128, authenticated with HMAC-SHA1.) ESP_NULL_HMAC_MD5 (ESP, with null encryption and authenticated with HMAC-MD5.) ESP_NULL_HMAC_SHA1 (ESP, with null encryption and authenticated with HMAC-SHA1.
PAGE 19
ipsec_config(1M) ipsec_config(1M) You cannot specify the EXCLUSIVE flag with manual keys, or if the action is PASS or DISCARD. NONE no additional options. Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
PAGE 20
ipsec_config(1M) ipsec_config(1M) Default: 0x0000000000000000. Examples Configure a host IPSec policy that requires all outbound rlogin sessions (where the local system is an rlogin client) to use authenticated ESP, with AES128 encryption and HMAC SHA-1 authentication. ipsec_config add host rlogin_out -destination 0.0.0.0/0/RLOGIN \ -pri 100 -action ESP_AES128_HMAC_SHA1 Configure a host IPSec policy that requires all telnet requests (where the local system is the telnet server) from subnet 10.0.0.
PAGE 21
ipsec_config(1M) ipsec_config(1M) IPSEC_CONFIG COMMAND Name add ike - configure Internet Key Exchange (IKE) policies Synopsis ipsec_config add ike ike_policy_name [-nocommit|nc] [-prof[ile] profile_name ] [-rem[ote] ip_addr [/prefix]] [-pri[ority] priority_number] [-auth[entication] PSK|RSASIG] [-group 1|2] [-hash MD5|SHA1] [-enc[ryption] DES|3DES] [-life lifetime_seconds] [-maxqm|mq max_quick_modes] Description Use the ipsec_config add ike command to configure Internet Key Exchange (IKE) policies.
PAGE 22
ipsec_config(1M) ipsec_config(1M) For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter. The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero addresses. Type IPv4 IPv6 Range 0 - 32 0 - 128 Default 32 (0 if address is all-zeros) 128 (0 if address is all-zeros) The default is 0 (match any address) if ip_addr is an all-zeros address ( 0.0.
PAGE 23
ipsec_config(1M) ipsec_config(1M) -enc[ryption] DES|3DES Specifies the encryption algorithm for encrypting IKE messages. This must match the encryption algorithm configured on the remote system. Acceptable values: DES 56-bit Data Encryption Standard, Cipher Block Chaining Mode, DES-CBC 3DES triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC Default: The value of the the encryption parameter in the IKE-Defaults section of the profile file used.
PAGE 24
ipsec_config(1M) ipsec_config(1M) -auto[boot] ON|OFF Starts HP-UX automatically at system boot-up time. Acceptable values: OFF or ON. Default: The value of the -autoboot parameter in the StartUp-Defaults section of the profile file used. The default -autoboot value is OFF in /var/adm/ipsec/.ipsec_profile. -auditlvl|al audit_level Specifies the audit level for the HP-UX IPSec subsystem.
PAGE 25
ipsec_config(1M) ipsec_config(1M) When the size of the SPD exceeds the soft limit, HP-UX IPSec logs a warning message to the system console, and logs an additional warning message to the system console for each 1000 SPD entries added. The spd_soft_limit is measured in units of 1000 entries. Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).
PAGE 26
ipsec_config(1M) ipsec_config(1M) tunnel_policy_name The user-defined name for the tunnel IPSec policy. This name must be unique for each tunnel IPSec policy and is case-sensitive. Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_). -nocommit|nc The ipsec_config utility verifies the tunnel IPSec policy, but does not add it to the configuration database.
PAGE 27
ipsec_config(1M) ipsec_config(1M) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address. prefix Specifies the prefix length, or the number of leading bits that must match when comparing the IP address of a packet with ip_addr. For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match.
PAGE 28
ipsec_config(1M) ipsec_config(1M) protocol_id must be TCP or UDP if port_number is specified and is not zero. The protocol_id must be ALL or 0 if the corresponding host policy the host policy that references this tunnel policy (uses a transform (the corresponding host policy action is not PASS). ICMPV6: Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement.
PAGE 29
ipsec_config(1M) ipsec_config(1M) ESP_DES_HMAC_SHA1 (ESP DES, authenticated with HMAC-SHA1.) ESP_3DES (ESP with triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC.) ESP_3DES_HMAC_MD5 (ESP 3DES, authenticated with HMAC-MD5.) ESP_3DES_HMAC_SHA1 (ESP 3DES, authenticated with HMAC-SHA1.) ESP_AES128 (ESP with 128-bit Advanced Encryption Standard CBC.) ESP_AES128_HMAC_MD5 (ESP AES128, authenticated with HMAC-MD5.
PAGE 30
ipsec_config(1M) ipsec_config(1M) type Type of IPSec transform. Acceptable values: AH (Authentication Header) or ESP (Encapsulating Security Payload). spi Security Parameters Index (SPI) number, used to identify the SA. You can specify the SPI in hexadecimal, prefixed by 0x (0xhhhhhhhh), or decimal.
PAGE 31
ipsec_config(1M) ipsec_config(1M) ipsec_config add tunnel my_mipv6_tunnel \ -tsource 3ffe::83ff:fef7:1111 -tdestination 3ffe::83ff:fef7:2222 \ -source 0::0 -destination 3ffe::83ff:fef7:2222 \ -protocol MH \ -action ESP_AES128_HMAC_SHA1 \ -in ESP/2500010/0x1234567890123456789012345678901234567890\ /0x12345678901234567890123456789012/0x1234567890123456 \ -out ESP/2500011/0x0123456789012345678901234567890123456789\ /0x01234567890123456789012345678901/0x0123456789012345 IPSEC_CONFIG COMMAND Name batch - allow
PAGE 32
ipsec_config(1M) ipsec_config(1M) # authenticate all outbound telnet sessions to 10.2.2.2 add host telnet_out -destination 10.2.2.2/32/TELNET \ -pri 100 -action AH_SHA1 # authenticate all inbound telnet sessions from 10.2.2.2 add host telnet_in -source 0.0.0.0/0/TELNET \ -destination 10.2.2.2 -pri 110 -action AH_SHA1 # IKE policy add ike all_ike -remote 10.2.2.2 -pri 10000 -auth psk # preshared key for 10.2.2.2 add auth aloha -remote 10.2.2.
PAGE 33
ipsec_config(1M) ipsec_config(1M) IPSEC_CONFIG COMMAND Name show - displays gateway IPSec, host IPSec, and IKE policies in descending priority order Synopsis ipsec_config show all ipsec_config show auth [auth_name ] ipsec_config show bypass|bp [ip_address ] ipsec_config show gateway|gwy [gw_policy_name] ipsec_config show host [host_policy_name] ipsec_config show ike [ike_policy_name] ipsec_config show start[up] ipsec_config show tun[nel] [tunnel_policy_name] Description The ipsec_config show command disp
PAGE 34
ipsec_config(1M) • ipsec_config(1M) one authentication record The first host IPSec policy, telnetAB, secures outbound telnet connections (Apple is the telnet client). You do not need to specify the source argument, since it will default to any IP address and any port, and the telnet client port number is dynamically allocated. The second policy, telnetBA, secures inbound telnet connections (Apple is the telnet server).
PAGE 35
ipsec_mgr(1M) ipsec_mgr(1M) (HP-UX IPSec Software Required) NAME ipsec_mgr - HP-UX IPSec utility for loading and configuring security certificates used for Internet Key Exchange (IKE) authentication. SYNOPSIS /usr/sbin/ipsec_mgr DESCRIPTION The ipsec_mgr command starts a graphical tool that loads and configures security certificates used for IKE authentication.
PAGE 36
ipsec_migrate(1M) ipsec_migrate(1M) (HP-UX IPSec Software Required) NAME ipsec_migrate - HP-UX IPSec configuration file migration tool SYNOPSIS /usr/sbin/ipsec_migrate -s config_file -d new_config_file [-r rev] DESCRIPTION ipsec_migrate is a utility for migrating HP-UX IPSec configuration files to the current version (the default) or to any version that is greater than or equal to the version of the input configuration file.
PAGE 37
ipsec_migrate(1M) ipsec_migrate(1M) (HP-UX IPSec Software Required) • Command used incorrectly - Usage message is returned. • The user is not the superuser. • The file specified in the -s option does not exist. • The file specified in the -s option is not a regular file. • The file specified in the -s option is not readable. • The file specified in the -s option is not an valid configuration file. • The file specified in the -d option exists.
PAGE 38
ipsec_policy(1M) ipsec_policy(1M) (HP-UX IPSec Software Required) NAME ipsec_policy - HP-UX IPSec policy tester program SYNOPSIS /usr/sbin/ipsec_policy [-sa|saddr src_ip_addr ] [-da|daddr dst_ip_addr ] [-sp|sport src_port ] [-dp|dport dst_port ] [-p|protocol ICCMP|ICMPV6|IGMP|MH|TCP|UDP] [dir|direction out|in|forward|fwd] DESCRIPTION ipsec_policy is a utility program that allows the HP-UX IPSec Administrator to query the active policy database to determine which host or gateway IPSec Policy will be used
PAGE 39
ipsec_policy(1M) ipsec_policy(1M) (HP-UX IPSec Software Required) -dp|dport dst_port Specifies the destination port number (dst_port ) of the packet. If the direction is out, this is the remote port number. If the direction is in, this is the local port number. Range: An unsigned integer in the range 1 - 65535. Default: If omitted, any port number is assumed.
PAGE 40
ipsec_policy(1M) ipsec_policy(1M) (HP-UX IPSec Software Required) ipsec_policy -sa fe80::260:b0ff:fec4:ace8 -sp 65535 \ -da fe80::260:b0ff:fec4:ace7 -dp 23 -p tcp -dir in On gateway G, you have two gateway IPSec configured for packets between end system 10.1.1.1 and end system 192.6.2.2. The first gateway IPSec policy is for the data path segment between the local system and 10.1.1.1. To verify that policy, enter the following command: ipsec_policy -sa 192.6.2.2 -da 10.1.1.
PAGE 41
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) NAME ipsec_report - report information about IPSec SYNOPSIS /usr/sbin/ipsec_report [-all] [-bypass] [-cache] [-mad] [-sad] [-host [act|active | conf | configured ]] [-gw|gateway [act|active | conf|configured ]] [-tun[nel]] [-ike] [-ip] [-audit audit_file [-entity ipsec_admin | ipsec_report | ipsec_policy | ipsec_mgr | secauditd | ikmpd | secpolicyd]] [-file report_file ] DESCRIPTION The ipsec_report utility reports information about the active H
PAGE 42
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) -file report_file Redirects all report output to a report file. If the report file already exists, ipsec_report overwrites the file; otherwise ipsec_report creates the file. RETURN VALUE Upon successful completion, ipsec_report returns 0; otherwise it returns 1. ERRORS ipsec_report fails if any of the following conditions is encountered: • Command used incorrectly - ipsec_report returns a usage message.
PAGE 43
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) Direction Indicates if this entry is for inbound (packets received by the local system or outbound (packets sent from the local system) packets. Action The action or transform applied to packets matching this entry. Possible values follow: Dynamic key SA Use dynamic keys to create IPSec SAs for an IPSec transform - an Authentication Header, AH, and/or Encapsulating Security Payload, ESP.
PAGE 44
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) SA Pair Number n (The SA information is only present for outbound entries created for SAs.) Internal index for the SA for this packet. Normally, there is only one SA and this label is SA Number 1. However, a packet with a nested transform (an ESP nested within an AH) or one that is sent through a tunnel would require multiple SAs. SA Type Indicates the IPSec transform for this SA.
PAGE 45
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) Network Protocol: TCP Direction: inbound Action: Dynamic key SA FLAGS: EXCLUSIVE Proposal 1: Transform: ESP-AES128-HMAC-SHA1 Lifetime Seconds: 28800 Lifetime Kbytes: 0 ------------------- Active Host Policy Rule --------------------Rule Name: default ID: 1 Cookie: 1 Action: Pass REPORT: ipsec_report -host configured The -host configured option displays information about the host IPSec Policies that were configured by the IPSec administrator and l
PAGE 46
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) IPSec: On REPORT: ipsec_report -ike The -ike option displays the IKE Policies that were configured by the IPSec administrator and loaded by the IPSec Policy daemon. Fields are defined as follows: Rule Name A character string used as the name of the policy. Priority The priority for the IKE policy. Cookie An integer used internally by HP-UX IPSec to identify this policy. Remote IP Address The peer’s IP address.
PAGE 47
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) Fields are defined as follows: Cache Policy Record An integer used internally by HP-UX IPSec to index the entries. Cookie An integer used to cross-reference entries in the cache and policy tables kept by the Policy daemon. All cache entries based on the same active policy entry will have the same cookie value. Src IP Address The source IP address. Src Port number The source port number for the upper-layer protocol.
PAGE 48
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) -------------------------Cache Policy Rule --------------------------Cache Policy Record: 9 Cookie: 3 Src IP Address: 192.1.1.1 Src Port number: 23 Dst IP Address: 192.1.1.3 Dst Port number: 56122 Network Protocol: TCP Direction: outbound Action: Secure -- SA Number 1 -State: SA Created SA Type: ESP Tunnel SA: No SPI (hex): 1FE472 Src IP Address: 192.1.1.1 Dst IP Address: 192.1.1.
PAGE 49
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) --- Current Lifetimes --bytes processed: 3384 addtime (seconds): 14 usetime (seconds): 12 --- Hard Lifetimes --bytes processed: 0 addtime (seconds): 28800 usetime (seconds): 28800 ------------------------ IPSec SA -----------------------Sequence number: 2 SPI (hex): 241988 State: MATURE SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication Src IP Addr: 192.1.1.3 Dst IP Addr: 192.1.1.
PAGE 50
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) ------------------------ ISAKMP SA -------------------------Sequence number: 1 Role: Responder Local IP Address: 192.1.1.1 Remote IP Address: 192.1.1.
PAGE 51
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) The ipsec_report -gateway active displays the following report: ------------------- Active Gateway Policy Rule --------------------Rule Name: gwy_policy_name2 ID: 17 Cookie: 5 Priority: 3 Src IP Addr: 0::0 Prefix: 0 Dst IP Addr: fe80::230:6666:7777:8888 Prefix: 128 Network Protocol: MH Action: Forward Tunnel Name: mipv6_tunnel_name FLAGS: MIPv6 ------------------- Active Gateway Policy Rule --------------------Rule Name: default ID: 2 Cookie: 2 A
PAGE 52
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) Ready (SAs are ready for use) SPI(s) Not Established (the IKE daemon has not started negotiating the IPSec/MM SAs) SPI(s) Being Established (the IKE daemon is negotiating the IPSec/MM SAs) Unknown (error state). SA Number 1 and SA Number 2 Information about the inbound and outbound SAs. SPI (hex) The Security Parameters Index (SPI). The SPI is included in the IPSec AH or ESP protocol header transmitted to the remote system.
PAGE 53
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required) SA direction: OUTBOUND AUTHOR ipsec_report was developed by HP. SEE ALSO ipsec_admin(1M), ipsec_mgr(1M), ipsec_policy(1M). HP-UX IPSec A.02.
PAGE 54
(Notes) 54 Hewlett-Packard Company (Notes) −1− HP-UX IPSec A.02.