HP-UX IPSec version A.02.00 manpages
ipsec_report(1M) ipsec_report(1M)
(IPSec Software Required)
IPSec: On
REPORT: ipsec_report -ike
The -ike option displays the IKE Policies that were configured by the IPSec administrator and loaded by
the IPSec Policy daemon.
Fields are defined as follows:
Rule Name
A character string used as the name of the policy.
Priority
The priority for the IKE policy.
Cookie
An integer used internally by HP-UX IPSec to identify this policy.
Remote IP Address
The peer’s IP address.
Prefix
The number of bits that must match when comparing IP addresses, beginning with the leftmost
bit. The prefix field is not included if the corresponding IP address is a wildcard address.
Group Type
The Oakley Group, which determines the numeric base for values used in the Diffie-Hellman
exchange of the ISAKMP protocol. Possible values are defined in the Oakley Key Determination
protocol specification (RFC 2412) and include 1 (768-bit prime, Modular Exponentiation, MODP)
and 2 (1024-bit prime, MODP).
Authentication Method
The method used by the two ISAKMP entities to verify each other’s identity, also known as
primary authentication. Possible values are Pre-shared Keys and RSA signature.
Authentication Algorithm
The algorithm used to authenticate the ISAKMP protocol messages after the initial exchange.
Encryption Algorithm
The algorithm used to encrypt the ISAKMP protocol messages after the initial exchange.
Number of Quick Modes
The configured maximum number of Quick Mode negotiations per ISAKMP SA (each Quick
Mode negotiation results in a pair of IPSec SAs).
Lifetime
The configured preferred maximum lifetime to use for the ISAKMP SA, in seconds. The actual
maximum lifetime used is negotiated with the remote ISAKMP entity.
Action
Indicates the action applied to packets matching this entry. This is always Secure.
The ipsec_report -ike command displays the following report:
---------------------------- IKE Rule -----------------------------
Rule Name: 192.1.1.net Priority: 10 Cookie: 4
Remote IP Address: 192.1.1.0 Prefix: 24
Group Type: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-MD5 Encryption Algorithm: 3DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
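
Added example (not part of the HP manpage or of HP-UX IPSec): a Python parser for the report layout shown above that returns one record per IKE rule and flags negotiated parameters a reviewer would question today. The audit criteria, the second sample rule and the way a wildcard address prints are assumptions of this example.

```python
import re

# Field labels exactly as printed in the ipsec_report -ike sample on this page.
LABELS = ["Rule Name", "Priority", "Cookie", "Remote IP Address", "Prefix", "Group Type",
          "Authentication Method", "Authentication Algorithm", "Encryption Algorithm",
          "Number of Quick Modes", "Lifetime (seconds)", "Action"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# A value runs from its label to the next label on the same line, or to end of line.
_PAIR = re.compile(rf"({_ALT}):[ \t]*(.*?)[ \t]*(?=(?:{_ALT}):|$)", re.M)
_BANNER = re.compile(r"^-+ IKE Rule -+[ \t]*$", re.M)

def parse_ike_rules(report):
    """Return one dict per 'IKE Rule' block; absent fields (e.g. Prefix) are omitted."""
    rules = []
    for block in _BANNER.split(report)[1:]:
        block = block.split("\nREPORT:")[0]   # stop at the next report section
        rules.append(dict(_PAIR.findall(block)))
    return rules

def audit(rule):
    """Assumed review criteria (not from the manpage): flag parameters now treated as weak."""
    findings = []
    if rule.get("Group Type") in ("1", "2"):
        findings.append("DH group %s: MODP prime of 1024 bits or less" % rule["Group Type"])
    if "MD5" in rule.get("Authentication Algorithm", ""):
        findings.append("MD5-based message authentication")
    if "DES" in rule.get("Encryption Algorithm", ""):
        findings.append("DES-family cipher (64-bit block)")
    return findings

# First rule is the page's sample; the second is constructed (wildcard printing is assumed).
SAMPLE = """\
---------------------------- IKE Rule -----------------------------
Rule Name: 192.1.1.net Priority: 10 Cookie: 4
Remote IP Address: 192.1.1.0 Prefix: 24
Group Type: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-MD5 Encryption Algorithm: 3DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
---------------------------- IKE Rule -----------------------------
Rule Name: default Priority: 20 Cookie: 5
Remote IP Address: 0.0.0.0
Group Type: 1 Authentication Method: RSA signature
Authentication Algorithm: HMAC-SHA1 Encryption Algorithm: DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
"""
for r in parse_ike_rules(SAMPLE):
    print(r["Rule Name"], "->", audit(r) or "no findings")
```
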
REPORT: ipsec_report -cache
The -cache option displays the Cache Policy Rules. The Cache Policy Rules are maintained by the
Kernel Policy Engine and record the action (Action) to be taken for IP packets that match the 5-tuple
(source IP address and port, destination IP address and port, and protocol) and direction.
Note that there are no entries for inbound IP packets that have been authenticated or encrypted using
IPSec Authentication Headers (AH) or Encapsulating Security Payload (ESP). This is because the system
will receive these packets with a Security Parameters Index (SPI) in the AH or ESP header. HP-UX will
use the SPI to find an entry in the kernel Security Association database and not query the Kernel Policy
Engine for these packets.