HP-UX IPSec version A.02.00 manpages

ipsec_migrate(1M) ipsec_migrate(1M)
(HP-UX IPSec Software Required)
NAME
ipsec_migrate - HP-UX IPSec configuration file migration tool
SYNOPSIS
/usr/sbin/ipsec_migrate -s config_file -d new_config_file [-r rev]
DESCRIPTION
ipsec_migrate is a utility for migrating HP-UX IPSec configuration files to the current version (the default) or to any version that is greater than or equal to the version of the input configuration file.

The ipsec_migrate utility operates on HP-UX IPSec configuration files for IPSec policies, IKE policies, and bypass lists. In HP-UX IPSec releases prior to A.02.00, this information was stored in the file /var/adm/ipsec/policies.txt by default. In HP-UX releases A.02.00 and later, this information is stored in a configuration database, /var/adm/ipsec/config.db.

ipsec_migrate requires the optional HP-UX IPSec software.
Options
ipsec_migrate recognizes the following command-line options and operands:

-s config_file
Specifies the input file to the migration process. The revision of this file is determined by inspection of the file. The input file must exist; otherwise ipsec_migrate reports an error.

-d new_config_file
Specifies the output file to the migration process. This must be a new file name.

-r rev
Specifies the desired configuration file revision of the output configuration file. If you do not specify this option, ipsec_migrate migrates the configuration file to the current revision as given in its configuration file. You must specify the revision in the format n.nn.nn where the n's represent the decimal digits in the revision. All digits are required; that is, 9.99 or 9.9 are not valid revisions.

ipsec_migrate uses a configuration file to determine the current revision and the list of transformations available to migrate configuration files from revision to revision. If ipsec_migrate cannot build a set of transformations to migrate the input file from its revision to the desired revision, it reports an error. The contents of the configuration file are proprietary and have no user-modifiable content.
Migrating HP-UX IPSec version A.01.05 (and earlier) to version A.01.07
ipsec_migrate changes all hashed rules to ordered rules. If this conversion creates a name conflict with a previously-existing ordered rule, the suffix _hash is added to the conflicting name.

ipsec_migrate severs the relationship between IPSec rules and ISAKMP rules that existed in versions prior to A.01.07. If an IPSec rule uses a tunnel, an appropriate ISAKMP rule will be generated for the tunnel. If an ISAKMP rule is found to be unused by any IPSec rule or tunnel, that ISAKMP rule is not migrated to the new configuration file.

ipsec_migrate forces all IPSec rules to be bi-directional.
Migrating HP-UX IPSec version A.01.07 to version A.02.00 (and later)
ipsec_migrate converts the configuration file into a configuration database. The conversion is complex and space prevents a complete discussion here.

Caution: While the conversion produces a valid configuration database, the resulting configuration may not be an exact duplicate of the source configuration and may not be the most optimal configuration. You should inspect the resulting configuration carefully and modify or tune it using ipsec_config.

ipsec_config does not migrate start-up options. Use the ipsec_config add startup command to set start-up options.
RETURN VALUE
Upon successful completion, ipsec_migrate returns 0; otherwise it returns 1.
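
A pre-flight wrapper for the options and return value described above, as an added example that is not part of the HP manpage. It rejects a missing input file, an existing output file and a malformed -r revision before ipsec_migrate runs, then checks the 0/1 return value. The function names, the IPSEC_MIGRATE override variable and the exit status 2 are assumptions of this example.

```sh
#!/bin/sh
# Added example, not HP code: pre-flight checks around ipsec_migrate.
# IPSEC_MIGRATE is an assumed override variable; the default path is from SYNOPSIS.
IPSEC_MIGRATE=${IPSEC_MIGRATE:-/usr/sbin/ipsec_migrate}

# valid_rev REV: succeed only for the n.nn.nn form that -r requires.
valid_rev() {
    case $1 in
        [0-9].[0-9][0-9].[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_migrate SRC DST [REV]
# Returns 0 on success, 1 if ipsec_migrate itself failed, and 2 (a code chosen
# for this example) if a pre-flight check rejected the arguments.
safe_migrate() {
    [ $# -ge 2 ] || { echo "usage: safe_migrate src dst [rev]" >&2; return 2; }
    sm_src=$1 sm_dst=$2 sm_rev=${3:-}

    # -s: the input file must exist.
    [ -f "$sm_src" ] || { echo "input file not found: $sm_src" >&2; return 2; }
    # -d: the output must be a new file name, so never overwrite anything.
    [ ! -e "$sm_dst" ] || { echo "output already exists: $sm_dst" >&2; return 2; }

    if [ -n "$sm_rev" ]; then
        # -r: all digits are required, so 9.99 and 9.9 are rejected here.
        valid_rev "$sm_rev" || { echo "revision must be n.nn.nn: $sm_rev" >&2; return 2; }
        "$IPSEC_MIGRATE" -s "$sm_src" -d "$sm_dst" -r "$sm_rev"
    else
        "$IPSEC_MIGRATE" -s "$sm_src" -d "$sm_dst"
    fi || { echo "ipsec_migrate failed; do not load $sm_dst" >&2; return 1; }

    # The Caution above applies: the output may differ from the source policy.
    echo "migrated $sm_src -> $sm_dst; review the result with ipsec_config before use"
}
```
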
ERRORS
ipsec_migrate fails if any of the following conditions is encountered:
36 Hewlett-Packard Company 1 HP-UX IPSec A.02.00