HP-UX IPSec version A.02.01 Administrator’s Guide
HP-UX 11i version 1 and HP-UX 11i version 2
Manufacturing Part Number: J4256-90015
October 2005
United States
© Copyright 2005 Hewlett-Packard Development Company L.P.
Preface: About This Document

This document describes how to install, configure, and troubleshoot HP-UX IPSec. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made. Document updates may be issued between editions to correct errors or document product changes.
Aggressive Mode is quicker and requires the peers to exchange fewer packets, but is less secure because the peers exchange identity information in clear text. The IKE protocol specification requires Main Mode support; Aggressive Mode support is optional. You configure Aggressive Mode in authentication records using the option -exchange AM in the ipsec_config add auth command.
— ipsec_config add crl: Adds a Certificate Revocation List to the HP-UX IPSec storage scheme. The source can be a local file or an entry in a Lightweight Directory Access Protocol (LDAP) directory. — ipsec_config delete certificate: Deletes the certificate for the local system and the CA’s certificate from the HP-UX IPSec storage scheme. — ipsec_config show certificate: Displays the contents of the certificate for the local system.
• HP-UX IPSec supports a new command: ipsec_config export. This command exports the contents of the configuration database to a batch file that you can use as input for the ipsec_config batch command. The command can also take the output from the ipsec_config show all command and create a batch file. • HP-UX IPSec no longer includes Java runtime components. You must now install the Java Runtime Environment (JRE) version 1.
• Tunnel endpoint address (-tsource and -tdestination) parameters are no longer required in the ipsec_config add tunnel command. If you do not specify a tunnel endpoint, HP-UX IPSec uses the end-to-end source or destination address and prefix as the tunnel endpoint address. If the end-to-end source or destination is a subnet, the tunnel policy can be used to form multiple tunnels with different endpoints. • IKE now supports key identifiers as an IKE ID type when using preshared keys with Aggressive Mode.
Publishing History

Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported                          Supported Product Versions   Publication Date
J4256-90015                          11i version 1 (B.11.11); 11i v2 Update 2 (v2UD2)     A.02.01                      October 2005
J4256-90009                          11i version 1 (B.11.11); 11i version 2 (B.11.23)     A.02.00                      June 2004
J4256-90005                          11i version 1 (B.11.11)                              A.01.07                      August 2003
J4256-90003                          11i version 2 (B.11.23)                              A.01.06                      July 2003
J4256-90001                          11.0; 11.04; 11i version 1 (B.11.11)                 A.01.
Chapter 5 Using Certificates with HP-UX IPSec
Use this chapter to learn how to configure HP-UX IPSec to use security certificates.
Chapter 6 Administering HP-UX IPSec
Use this chapter to learn how to perform administrative tasks, such as starting and stopping HP-UX IPSec.
Chapter 7 Troubleshooting HP-UX IPSec
Use this chapter to learn how to troubleshoot HP-UX IPSec, what to do for common problems, how to report problems, and how to use the IPsec troubleshooting tools.
hot link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).
Book Title: The title of a book. On the web and on the Instant Information CD, it may be a hot link to the book itself.
KeyCap: The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis: Text that is emphasized.
Bold: Text that is strongly emphasized.
Bold: The defined use of an important word or phrase.
HP Encourages Your Comments HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.
Chapter 1 HP-UX IPSec Overview
HP-UX IPSec Overview This chapter describes HP-UX IPSec features and topologies.
Features

The IP security (IPsec) protocol suite was defined by the Internet Engineering Task Force (IETF) to provide security for IP networks. HP-UX IPSec is the HP implementation of IPsec. HP-UX IPSec provides the following security services for IP networks:
• Data integrity and authentication
The IPsec Authentication Header (AH) provides data integrity and authentication to prevent unauthorized creation, modification, or deletion of transmitted data.
For more information about HP-UX IPSec performance, refer to the HP-UX IPSec Performance and Sizing White Paper, available at the following URL: http://docs.hp.com/en/internet.html#HP-UX%20IPsec
• Dynamic encryption key management
HP-UX IPSec supports the Internet Key Exchange (IKE) protocol, part of the IPsec protocol suite, to establish and manage dynamic cryptographic keys. Using dynamic keys (keys that change) to encrypt and authenticate data provides additional security.
The HP-UX IPSec product includes the configuration and management features listed below.
— Easy-to-use configuration utilities
You configure HP-UX IPSec using ipsec_config, which allows batch mode operation.
— Flexible, packet-based configuration
You control IPsec behavior by defining packet filters in IPsec policies. An IPsec policy contains a packet filter definition and a list of actions or transforms (pass, discard, use ESP or AH) to apply to the packets.
HP-UX IPSec maintains an audit log of events, including events that may indicate attempts to compromise network security.
— Data reporting utility
The ipsec_report utility reports IPsec runtime data, including information about SAs and entries in the audit log.
— Status reporting utility
The ipsec_admin utility reports the status of HP-UX IPSec components.

IPsec Protocol Suite

The major components of the IPsec protocol suite can be divided into the following categories:
• Encapsulating Security Payload (ESP) header for data confidentiality, data integrity, and data authentication. The ESP header also includes a sequence number that provides a form of replay protection.
• Authentication Header (AH) for data integrity and authentication. The AH header also includes a sequence number for a form of replay protection.
cryptographic key can decrypt the data, the encrypted data can be transmitted across the network without being understood by other parties.
Figure 1-1 Shared Key Encryption
Shared key cryptography alone does not provide protection against tampering. An intruder can still intercept encrypted data and alter it before sending it to the correct destination. For this reason, ESP also authenticates the encrypted data.
used. This makes it difficult for a third party to intercept a message and replace it with a new message that generates the same authentication code. This ensures that only a holder of the secret key can generate the correct authentication code. In Figure 1-2, the sender, System A, uses the plaintext (data) and the shared key to calculate an HMAC for the data and sends the HMAC with the data.
On the remote system (System B), the recipient ESP module processes the inbound ESP packet as follows:
1. The recipient ESP module calculates its own authentication value for the encrypted payload using its copy of the authentication key (KeyA).
2. The recipient ESP module compares its authentication value with the transmitted authentication value (the HMAC).
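The inbound check in steps 1 and 2, combined with the sequence-number replay protection that the ESP header provides, as an added Python example (not HP-UX IPSec code): the receiver recomputes an HMAC-SHA1-96 authentication value over the SPI, sequence number and encrypted payload, compares it in constant time, and only then advances a 64-packet anti-replay window. The packet layout is simplified (no ESP trailer), the SPI and key are constructed for the example, and the AES decryption that would follow a successful check is left out because the standard library has no AES.

```python
"""Inbound ESP integrity check (HMAC-SHA1-96) and anti-replay window.

Added example, not HP-UX IPSec code. Packet layout is simplified to
SPI | sequence number | encrypted payload | ICV (no ESP trailer)."""
import hashlib
import hmac
import struct

ICV_LEN = 12                  # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
WINDOW = 64                   # anti-replay window size in packets (RFC 2401 suggests 64)
HDR = struct.Struct("!II")    # SPI and sequence number, network byte order


def compute_icv(auth_key, spi, seq, payload):
    """Authentication value over SPI, sequence number and the encrypted payload."""
    return hmac.new(auth_key, HDR.pack(spi, seq) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(auth_key, spi, seq, encrypted_payload):
    """Sender side (System A in Figure 1-2): append the ICV to the packet."""
    return HDR.pack(spi, seq) + encrypted_payload + compute_icv(auth_key, spi, seq, encrypted_payload)


class InboundSA:
    """Receiver state (System B): authentication key plus replay window for one SA."""

    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key      # KeyA in the text
        self.highest_seq = 0          # right edge of the window
        self.bitmap = 0               # bit i set => seq (highest_seq - i) already accepted

    def replay_check(self, seq):
        """True if seq may still be accepted: newer than the window, or inside it and unseen."""
        if seq == 0:                  # ESP sequence numbers start at 1
            return False
        if seq > self.highest_seq:
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:            # too old: left of the window
            return False
        return not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        """Record seq as accepted; called only after the ICV verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)

    def process(self, packet):
        """Steps 1 and 2 from the text, wrapped by the replay check.
        Returns (status, encrypted_payload); the payload is None unless status is 'ok'."""
        if len(packet) < HDR.size + ICV_LEN:
            return ("malformed", None)
        spi, seq = HDR.unpack_from(packet)
        if spi != self.spi:
            return ("bad_spi", None)
        payload, icv = packet[HDR.size:-ICV_LEN], packet[-ICV_LEN:]
        if not self.replay_check(seq):            # cheap check first: duplicates never reach the HMAC
            return ("replayed", None)
        expected = compute_icv(self.auth_key, spi, seq, payload)    # step 1
        if not hmac.compare_digest(expected, icv):                  # step 2, constant time
            return ("auth_failed", None)          # a forged packet must not advance the window
        self.replay_update(seq)
        return ("ok", payload)                    # decryption with the ESP encryption key would follow


if __name__ == "__main__":
    key = b"\x11" * 20                            # constructed 160-bit authentication key
    sa = InboundSA(0x1000, key)
    pkt = build_esp(key, 0x1000, 1, b"ciphertext-bytes")
    print(sa.process(pkt)[0], sa.process(pkt)[0])     # ok replayed
```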
Transport Mode
In transport mode, IPsec inserts the ESP header after the original IP header, and adds the ESP trailer and authentication value to the end of the packet. Only the IP payload (e.g., TCP, UDP, or IGMP packet) is secured (encrypted and authenticated). The IP header is not secured. Transport mode is typically used for end-to-end security. Figure 1-4 shows IPv4 ESP packets in transport mode.
• routing extensions
• fragment extensions
The items listed below follow the ESP header and are encrypted and authenticated (Figure 1-6):
• any destination options needed only for the “final” destination and not needed to interpret the ESP header
• the IP data or payload (e.g.
ESP Encryption and Authentication Algorithms
HP-UX IPSec ESP supports the encryption algorithms listed in Table 1-1 on page 43 and the authentication algorithms listed in Table 1-2 on page 43. For example, HP-UX IPSec can encrypt an ESP packet using AES and authenticate it using SHA1.
Table 1-1 HP-UX IPSec Encryption Algorithms
Name   Description
AES    Advanced Encryption Standard (AES) Cipher Block Chaining (CBC) mode encryption using a 128-bit key.
WARNING DES-CBC has been cracked (data encoded by DES has been decoded by a third party). HP recommends that you use DES only when you are required to do so for compatibility reasons or because of legal restrictions.
Non-Authenticated ESP
ESP encryption takes the data carried by IP, such as a TCP packet, and encrypts it using a cryptographic key. The receiving IPsec ESP entity uses the same key to decrypt the cipher text and extract the original data.
live,” are assigned a zero value before IPsec calculates the authentication value, so the actual values of the mutable fields are not authenticated. Figure 1-8 shows AH in transport mode.
Figure 1-8 AH in Transport Mode
Tunnel Mode
In tunnel mode, IPsec encloses, or encapsulates, the original IP datagram, including the original IP header, within a second IP datagram. All of the original IP datagram, including all fields of the original header, is authenticated.
The entire packet is used to calculate the authentication value. Mutable and unpredictable fields and options, such as timestamp and traceroute options, are assigned a zero value before calculating the authentication value.
Figure 1-10 IPv6 AH Transport Mode
IPv6 AH Tunnel Mode
In IPv6 AH tunnel mode, the packet layout is the same as IPv4 AH tunnel mode, except that the original and new (outer) IP headers may include header extensions.
Internet Key Exchange (IKE)
Before IPsec sends authenticated or encrypted IP data, both the sender and receiver must agree on the protocols, encryption algorithms, and keys to use. HP-UX IPSec uses the Internet Key Exchange (IKE) protocol to negotiate the encryption and authentication methods and generate shared encryption keys.
ID information instead of the IKE peer’s IP address extracted from the IP packet header. Aggressive Mode is quicker and requires the peers to exchange fewer packets, but is less secure because the peers exchange identity information in clear text. The IKE protocol specification requires Main Mode support; Aggressive Mode support is optional.
The IKE Phase 2 negotiation is also referred to as a Quick Mode (QM) negotiation.
Figure 1-12 SA Establishment (IKE Phase 1 establishes the IKE SA between NodeA and NodeB; IKE Phase 2 establishes the inbound and outbound IPsec SAs, ESP or AH, on each node)
Generating Shared Keys: Diffie-Hellman
IKE and IPsec SAs use shared keys to encrypt and authenticate communication.
mathematical properties of the numbers, each party will generate the same value, which can then be used as a shared key or as a base value to generate multiple shared keys.
Figure 1-13 Diffie-Hellman Key Generation
IKE Primary Authentication
Diffie-Hellman is vulnerable to third-party attacks, in which a third party intercepts messages between two attacked parties, A and B.
IKE Preshared Key Authentication
With preshared key authentication, you must manually configure the same shared key, the preshared key, on both systems. The two parties establish a shared key (the preshared key) prior to the Diffie-Hellman exchange using an out-of-band key exchange, or a key exchange that does not use normal computer communication channels, such as a face-to-face meeting or telephone call where the two parties agree on a key.
Perfect Forward Secrecy (PFS) with key and identity protection. With PFS, the compromise (exposure) of one key exposes only the data protected by that key.
IKE Automatic Re-keying
The IKE protocol also allows HP-UX IPSec to dynamically negotiate new IPsec keys rather than exposing the same key for long periods. You can configure key lifetimes based on time or number of bytes sent.
Manual Keys
Manual keys are an alternative to IKE.
The IKE protocol provides dynamic keying for ESP and AH. The alternative to IKE is to use manual keys for ESP and AH. You must configure preshared keys or certificates for IKE authentication.
• Manual Keys
Manual keys are an alternative to IKE and require more administrative overhead to configure than IKE. Manual keys also expose encryption keys for long periods of time, which increases the opportunities for third parties to determine the keys.
HP-UX IPSec Topologies

You can use IPsec between hosts (end nodes), between gateways, and between a host and a gateway in an IP network. You can install HP-UX IPSec only on end nodes and on HP-UX Mobile IPv6 Home Agents. An HP-UX IPSec system can have the following roles:
• A host in a host-to-host IPsec topology
• A host in a host-to-gateway IPsec topology
• A host in a host-to-host IPsec tunnel topology, frequently referred to as an end-to-end tunnel.
Host-to-Host Security Within an Internal Network
Two end hosts can run HP-UX IPSec locally to protect communication between them, with or without intermediate gateways. You can use HP-UX IPSec to secure sensitive network communication within an enterprise, such as network communication for Human Resources (HR) or payroll groups.
In Figure 1-15, the supplier and manufacturer have separate intranets that are connected to the public Internet using Internet Service Providers (ISPs). System A on the supplier’s intranet and System B on the manufacturer’s subnet communicate with a host-to-host IPsec topology.
Host-to-Gateway VPN Across the Internet
You can also use IPsec to create a host-to-gateway VPN across the Internet, as shown in Figure 1-16. The manufacturer’s IP router is an IPsec gateway, and system A establishes the IPsec session with the manufacturer’s router.
Application Server in DMZ with Back-End Server
More enterprises are putting application servers in a “demilitarized zone (DMZ)”—that is, outside corporate firewalls—for business partners or public access. Because inbound connections from the Internet are allowed to these servers, they are vulnerable to attack.
Securing Access between the Client and DMZ Server
For added security, you can use IPsec between the client (system A in Figure 1-17) and the gateway application server in the DMZ (B in Figure 1-17). Alternatively, you can deploy an IPsec VPN gateway appliance on the external network. The IPsec VPN gateway appliance and the gateway application server in the DMZ establish IPsec gateway-to-gateway sessions.
Chapter 2 Installing HP-UX IPSec
Installing HP-UX IPSec This chapter describes installation prerequisites and procedures for installing HP-UX IPSec software.
HP-UX IPSec Product Requirements

Prior to installing the HP-UX IPSec product, check that your system can accommodate the following product requirements.
Disk Requirements
The total size of the disk space required for the HP-UX IPSec product is 112 Mbytes. Requirements for variable-length user files are listed below:
• Configuration database file (/var/adm/ipsec/config.db): minimum of 50 kbytes per policy file.

Step 1: Verifying HP-UX IPSec Installation and Configuration Prerequisites

1. Verify that the operating system version is HP-UX 11i version 1 (B.11.11) or HP-UX 11i v2 Update 2 (v2UD2). To obtain information about the OS, execute the command:
uname -a
2. Check the latest HP-UX IPSec release notes to determine software dependencies.

Step 2: Loading the HP-UX IPSec Software

Follow the steps below to load HP-UX IPSec software using the HP-UX swinstall program.
1. Log in as root.
2. Insert the HP-UX IPSec disk into the appropriate drive, or locate the directory into which you downloaded the software from HP Software Depot.
3. Run the swinstall program using the command:
swinstall
This opens the Software Selection window and the Specify Source window.
swinstall loads the fileset, runs the control scripts for the fileset, and builds the kernel. Estimated time for processing: 3 to 5 minutes.
10. Click OK on the Note window to reboot the system.
11. When the system reboots, check the log files /var/adm/sw/swinstall.log and /var/adm/sw/swagent.log to make sure the installation was successful.
NOTE Do not run the HP-UX IPSec product when the system is booted in single-user mode.

Step 3: Establishing the HP-UX IPSec Password

You must set the HP-UX IPSec password after installing the product. HP-UX IPSec uses the password to encrypt configuration information. Use the following command to establish the HP-UX IPSec password:
ipsec_admin -newpasswd
The ipsec_admin utility prompts you to establish the HP-UX IPSec password:
IPSEC_ADMIN: Establishing IPsec password, enter IPsec password:
Enter a password.

Step 4: Completing Post-Installation Migration Requirements

If you are migrating from a previous version of HP-UX IPSec, run the ipsec_migrate utility and complete other post-installation migration procedures, as described in Appendix C, “Post-Installation Migration Instructions” on page 254.
Chapter 3 Quick Configuration Procedure and Tips
Quick Configuration Procedure and Tips This chapter contains a procedure for quickly configuring HP-UX IPSec for a simple host-to-host topology using IKE with preshared keys. This chapter also includes configuration tips.
Overview

Step 1. Use the ipsec_admin -newpasswd command to establish the HP-UX IPSec password, if you have not already done this as part of the installation.
Step 2. Edit the configuration batch file template for host-to-host topologies.
Step 3. Verify the batch file syntax.
Step 4. Commit the batch file operations to the database and start HP-UX IPSec to verify operation.
Step 5. Configure HP-UX IPSec to start automatically at system boot-up time (optional).
Step 1: Establishing the HP-UX IPSec Password

If you have not already established the HP-UX IPSec password, use the following command to establish it:
ipsec_admin -newpasswd
The ipsec_admin utility prompts you to establish the HP-UX IPSec password:
IPSEC_ADMIN: Establishing IPsec password, enter IPsec password:
Enter a password. The password must be at least 15 characters long and cannot contain spaces.

Step 2: Modifying the Configuration Batch File Template

HP-UX IPSec provides the following configuration batch file templates in the directory /var/adm/ipsec/templates:
• end-to-gateway
• end-to-tunnel
• host-to-host
• manual-keys
• mipv6
For a simple host-to-host topology, edit the batch file template /var/adm/ipsec/templates/host-to-host as follows:
• Uncomment the appropriate configuration statement
NOTE If you are using HP-UX IPSec on a system with an interface attached to a public network and an interface on a private network, HP recommends that you take additional precautions to isolate potential attacks from the public network. See “Maximizing Security” on page 91 for more information.
Quick Configuration Procedure and Tips Step 2: Modifying the Configuration Batch File Template # ###################################################################### # # To use this file: # 1. Uncomment the appropriate configuration statements. # For host-to-host IPsec, you must configure the following items: # a. At least one host IPsec policy. See SECTION 1 below. # b. An IKE policy. See SECTION 2 below. # c. An authentication record with the preshared key. See SECTION 3 # below.
# Subnet and IPv6 Addresses
# -------------------------
# In the address specifications, the IP address prefix (32) follows the
# IP address.
# To use the host policies for subnet topologies, change
# the address prefix length to the appropriate length.
# To use the host policies for IPv6 host-to-host topologies, change
# the address prefix length from 32 to 128.
# SECTION 2: IKE Policy
# ############################################################################
#
# Uncomment and modify the following IKE policy.
ipsec_config add telnet_from_blue \
    -source 15.1.1.1/32/TELNET \
    -destination 15.2.2.2 \
    -action ESP_AES128_HMAC_SHA1
add ike blue -remote 15.2.2.2 \
    -authentication PSK -group 2 -hash SHA1 -encryption 3DES
add auth blue -remote 15.2.2.2 \
    -psk my_red_blue_key

Blue Configuration

On blue, you uncomment and edit the following four entries from the template file:

ipsec_config add telnet_to_red \
    -source 15.2.2.
Step 3: Verifying the Batch File Syntax

Use the following command to verify the contents of the ipsec_config batch file without committing the configuration:

ipsec_config batch batch_file_name -nocommit

The ipsec_config utility displays the following message to indicate the profile file used:

Using default profile file /var/adm/ipsec/.
Step 4: Committing the Batch File Configuration and Verifying Operation

Use the following procedure to verify the operation of your HP-UX IPSec configuration.

1. Commit the batch file operations to the configuration database with the following command:

ipsec_config batch batch_file_name

2. Verify the contents of the configuration database with the following command:

ipsec_config show all

3.
HP-UX IPSec always contains a host IPsec policy named default, which is searched last. The default policy is configured with PASS as the action by default. To verify proper operation of IPsec policies with Pass or Discard actions in the transform list, generate network traffic that matches the IPsec policy IP address, port, and protocol parameters.
----------------- Active IPsec Policy -----------------
Rule Name: telnet_in
ID: 3
Cookie: 4
Priority: 10
Src IP Addr: 15.1.1.1 Prefix: 32 Port number: 23
Dst IP Addr: 15.2.2.
addtime (seconds): 31
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800

For more information on the ipsec_report command, refer to the ipsec_report (1M) manpage.
Step 5: Configuring HP-UX IPSec to Start Automatically

After you have verified that your HP-UX IPSec configuration is operating properly, you can configure HP-UX IPSec so that it starts automatically at system startup time.

TIP HP recommends that you configure HP-UX IPSec to start automatically at system startup time once you have a known, good HP-UX IPSec configuration.
Step 6: Creating Backup Copies of Configuration Files

Create backup copies of the following files:

• The configuration database file, /var/adm/ipsec/config.db.
• Your batch file. If you do not have a batch file, use the ipsec_config export command to create one from the configuration database. See “Exporting the Configuration Database to a Batch File” on page 183 for more information.
Configuration Tips and Reminders

This section contains configuration tips.
To secure rlogin sessions from 10.20.20.20 to the local system, you must also configure the following policy:

ipsec_config add rlogin_from_10.20.20.20 \
    -source 10.10.10.10/RLOGIN -destination 10.20.20.20 \
    -action ESP_AES128_HMAC_SHA1

• Multihomed Systems: If a remote system is multihomed (has more than one IP address), you must configure an IKE policy and an authentication record for each IP address.
Chapter 4: Configuring HP-UX IPSec
This chapter describes how to configure HP-UX IPSec, including preshared key configuration. If you are using RSA signature authentication for IKE, you must also see Chapter 5, “Using Certificates with HP-UX IPSec,” on page 151 for instructions on configuring certificates. This chapter also describes how to maximize HP-UX IPSec security and how to use the HP-UX IPSec configuration utility, ipsec_config.
Maximizing Security

A system may have both “public” interface IP addresses and “private” interface IP addresses. A public interface IP address is an IP address configured on a Network Interface Card (NIC) connected to a public network. A private interface IP address is an IP address configured on a NIC connected to a private internal network.
ndd -set /dev/ip ip_strong_es_model 1

You can also enable the RFC 1122 Strong End-System model at system startup time by editing the /etc/rc.config.d/nddconf file. Refer to the ndd (1M) manpage for more information.
Using ipsec_config

The ipsec_config utility adds, deletes and displays HP-UX IPSec configuration objects stored in the configuration database, /var/adm/ipsec/config.db. If HP-UX IPSec is active and running, ipsec_config also adds and deletes configuration information in the runtime policy database.
ipsec_config batch

The ipsec_config batch command allows you to use ipsec_config in batch mode. In batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows administrators to add and delete multiple configuration objects in one operation. This is useful if you are adding or deleting configuration records that affect other operations. HP recommends that you use a batch file to add configuration information.
ipsec_config delete

The ipsec_config delete command deletes objects from the configuration and runtime databases. For example, the following command deletes the host IPsec policy my_host_policy from the configuration database:

ipsec_config delete host my_host_policy

ipsec_config export

The ipsec_config export command exports the contents of the configuration database to a batch file that you can use as input for the ipsec_config batch command.
You can specify a profile file name with the -profile argument as part of an ipsec_config command. By default, ipsec_config uses the /var/adm/ipsec/.ipsec_profile profile file, which is shipped with HP-UX IPSec. In most topologies, you can use the default values supplied in the /var/adm/ipsec/.ipsec_profile file. HP-UX IPSec also has internal default values that are the same as the values in the /var/adm/ipsec/.ipsec_profile file shipped with the product.
The default source address parameter values in /var/adm/ipsec/.ipsec_profile are 0.0.0.0/0/0 (IPv4 address 0.0.0.0, address prefix length 0, port 0). This matches any IPv4 address and any port number. In most topologies, this is appropriate, since the default source (local) address will be any IPv4 address on the local system.
part of the ipsec_config batch command line and ipsec_config will apply it to all entries in the batch file. Refer to the ipsec_config_add (1M) manpage for more information.
Configuration Overview

There are seven main configuration components:

• Host IPsec Policies

Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. A host IPsec policy contains address specifications used to select the host IPsec policy for a packet.
The bypass list specifies the local IP addresses that IPsec will bypass or ignore. The system will not attempt to find an IPsec policy for packets sent or received using an IP address in the bypass list, and will process these packets as if HP-UX IPSec was not enabled.
See Chapter 5, “Using Certificates with HP-UX IPSec,” on page 151 for a description of this step.
Step 6. Configure the bypass list of local IP addresses (optional). See “Step 6: Configuring the Bypass List (Local IP Addresses)” on page 140 for a description of this step.
Step 7. Verify the batch file.
Step 1: Configuring Host IPsec Policies

Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. Each host IPsec policy includes address specifications used to select the host IPsec policy for a packet, and the action for packets using the policy: pass the packets in clear text, discard the packets, or apply an IPsec transform (AH or ESP) to the packets.
Automatic Priority Increment

There are two ways to set the priority of a host policy:

• Specify the priority argument to explicitly set the priority.
• Omit the priority argument and have ipsec_config assign a priority using the automatic priority increment value, so that the new policy is the last policy evaluated before the default policy.
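The selection order this step describes (bypass list first, then host policies in priority order with the lowest number evaluated first, then the always-present default policy with PASS), modelled as an added example that is not HP-UX IPSec code. The class and function names, the increment value of 10, and the rule that an automatically assigned priority is the highest existing priority plus the increment are assumptions for illustration; the sample policies are constructed from the host-to-host template in Chapter 3.

```python
"""Host IPsec policy selection: bypass list, host policies by priority, then
the default policy (PASS).  Added example; not HP-UX IPSec code.  Address
specs use the ip/prefix/port form of the profile default 0.0.0.0/0/0, where
prefix 0 and port 0 are wildcards."""
import ipaddress
from dataclasses import dataclass, field

TCP = 6  # IP protocol number used by the sample policies


@dataclass
class AddrSpec:
    ip: str          # IPv4 or IPv6 address
    prefix: int      # prefix length; 0 matches any address of that family
    port: int = 0    # 0 matches any port

    def matches(self, ip: str, port: int) -> bool:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)
        if addr.version != net.version:   # IPv4 and IPv6 never match each other
            return False
        return addr in net and self.port in (0, port)


@dataclass
class HostPolicy:
    name: str
    source: AddrSpec        # local end of the connection (-source)
    destination: AddrSpec   # remote end (-destination)
    action: str             # PASS, DISCARD or a transform such as ESP_AES128_HMAC_SHA1
    priority: int           # lower number is evaluated first
    protocol: int = 0       # 0 matches any protocol


@dataclass
class PolicyDatabase:
    increment: int = 10     # automatic priority increment (assumed value)
    bypass: list = field(default_factory=list)
    policies: list = field(default_factory=list)

    def add_host(self, name, source, destination, action, priority=None, protocol=0):
        """Mirror 'ipsec_config add host': explicit -priority, or automatic
        assignment so the new policy is the last one evaluated before default."""
        if priority is None:
            if not self.policies:
                priority = self.increment
            else:
                # Assumption: highest existing priority plus the increment.
                priority = max(p.priority for p in self.policies) + self.increment
        self.policies.append(HostPolicy(name, source, destination, action,
                                        priority, protocol))
        return priority

    def select(self, local_ip, local_port, remote_ip, remote_port, protocol):
        """Return (policy name, action) for a packet; -source is the local address."""
        # Bypass list: a listed local address behaves like an open Pass policy
        # (wildcard remote address, protocol and ports), checked before any policy.
        if any(ipaddress.ip_address(b) == ipaddress.ip_address(local_ip)
               for b in self.bypass):
            return "bypass", "PASS"
        for pol in sorted(self.policies, key=lambda p: p.priority):
            if pol.protocol not in (0, protocol):
                continue
            if (pol.source.matches(local_ip, local_port)
                    and pol.destination.matches(remote_ip, remote_port)):
                return pol.name, pol.action
        # The policy named 'default' always exists, is searched last and passes
        # packets in clear text unless the administrator changes its action.
        return "default", "PASS"


def build_red() -> PolicyDatabase:
    """Constructed sample: system 'red' (15.1.1.1) from the host-to-host template,
    plus a second interface on the bypass list and a discard rule."""
    db = PolicyDatabase(bypass=["16.1.1.1"])
    db.add_host("telnet_from_blue", AddrSpec("15.1.1.1", 32, 23),
                AddrSpec("15.2.2.2", 32), "ESP_AES128_HMAC_SHA1", protocol=TCP)
    db.add_host("discard_rest_of_blue", AddrSpec("15.1.1.1", 32),
                AddrSpec("15.2.2.2", 32), "DISCARD")
    return db


if __name__ == "__main__":
    red = build_red()
    for p in sorted(red.policies, key=lambda p: p.priority):
        print(p.priority, p.name, p.action)
    print(red.select("15.1.1.1", 23, "15.2.2.2", 40123, TCP))   # telnet: ESP
    print(red.select("15.1.1.1", 22, "15.2.2.2", 40124, TCP))   # other: DISCARD
    print(red.select("15.1.1.1", 80, "15.3.3.3", 40125, TCP))   # unmatched: default PASS
    print(red.select("16.1.1.1", 23, "15.2.2.2", 40126, TCP))   # bypass
```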
The complete ipsec_config add host syntax specification also allows you to specify the following arguments:

• nocommit (verify the syntax but do not commit the information to the database)
• profile (alternate profile file)
• in and out (inbound and outbound SA information for manual keys)

Refer to the ipsec_config_add (1M) manpage for complete syntax information.
Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address.
service_name

The service_name is a character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and protocol in the same policy.
Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement.
If this is the first host IPsec policy created, ipsec_config uses the automatic priority increment value as the priority.

-tunnel tunnel_policy_name

If packets using this host IPsec policy will be tunneled and the local system is one of the tunnel endpoints, use the tunnel argument to specify the tunnel_policy_name, the name of the tunnel IPsec policy to use with this host IPsec policy.
Use a comma to separate multiple transform specifications. The order of transforms in the transform list is significant. The first transform is the most preferable and the last transform is the least preferable. At least one transform must match a transform configured on the remote system.
Table 4-2 ipsec_config Transforms (Continued)

Transform Name: ESP_DES_HMAC_MD5
Description: ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode (DES), authenticated with HMAC-MD5.

Transform Name: ESP_DES_HMAC_SHA1
Description: ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode (DES), authenticated with HMAC-SHA1.
Default: 0 (infinite).

CAUTION HP recommends that you do not specify an infinite value for lifetime_seconds (0) with a finite value for lifetime_kbytes.

-flags flags

The flags are additional options for this policy. Join multiple flags with a plus sign (+).
Table 4-3 ipsec_config add host Flags (Continued)

Flag: EXCLUSIVE
Description: Specifies session-based keying. Session-based keying uses a different pair of IPsec SAs per connection or session. Only packets with the same source IP address, destination IP address, network protocol, source port, and destination port will use the same IPsec SA. Session-based keying incurs more overhead but provides more security and privacy.
add host apple_banana -source 10.1.1.1 \
    -destination 10.5.5.5 -pri 20 -action ESP_AES128_HMAC_SHA1

The following batch file entry configures a host IPsec policy that requires all outbound IPv4 rlogin sessions (where the local system is an rlogin client) to use ESP with AES128 encryption and HMAC SHA-1 authentication.
add host to_orange -source 10.1.1.1 \
    -destination 10.2.2.
Step 2: Configuring Tunnel IPsec Policies

Complete this step only if you are using IPsec tunnels. If you are not using IPsec tunnels, continue to “Step 3: Configuring IKE Policies” on page 123. Tunnel IPsec policies specify HP-UX IPSec behavior for IP packets tunneled by the local system. In an IPsec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPsec packet with an AH or ESP header.
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
Default: If you do not specify a tsource or tdestination option, the field will be null and HP-UX IPSec will use the end source or end destination (-source or -destination) address and prefix as the tunnel endpoint when creating the tunnel. You must specify the tsource and tdestination options if you are using manual keying.
Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address must be a unicast address.
service_name

The service_name is a character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and protocol in the same policy. See Table 4-1, “ipsec_config Service Names,” on page 106 for a list of valid service names.
CAUTION Discarding or requiring ICMP messages for IPv4 (protocol value 1) to be encrypted or authenticated may cause connectivity problems. See Appendix A, “IPv4 ICMP Messages” on page 234 for more information.

-action transform_list

A transform specifies the IPsec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulating Security Payload) headers.
ESP transform formed by joining an AH transform and an ESP transform with a plus sign (+). For example, AH_MD5+ESP_3DES_HMAC_SHA1.

TIP AES128 is the most secure form of encryption, with performance comparable to or better than DES and 3DES.

Default: The transform defined for the action parameter in the TunnelPolicy-Defaults section of the profile file used. The default action is ESP_AES128_HMAC_SHA1.
Tunnel IPsec Policy Configuration Example

The local system (10.1.1.1) is using an end-to-end tunnel (host-to-host tunnel) with system 10.2.2.2. The following batch file entry configures the tunnel to use ESP with AES128 encryption and HMAC SHA-1 authentication.

ipsec_config add tunnel my_host_host_tunnel \
    -tsource 10.1.1.1 -tdestination 10.2.2.2 \
    -source 10.1.1.1 -destination 10.2.2.
Step 3: Configuring IKE Policies

Complete this step only if you are using dynamic keys for IPsec. You do not need to configure IKE policies if you are using only manual keys for IPsec, or if you are only using HP-UX IPSec to discard packets.
policy. The automatic priority increment value for IKE policies is the priority parameter value in the IKEPolicy-Defaults section of the profile file, and the default value is 10. If you are configuring the first IKE IPsec policy and do not specify a priority argument, ipsec_config assigns the automatic priority increment value as the priority.
Acceptable Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).

-remote ip_addr[/prefix]

The ip_addr and prefix are the IP address and network prefix length that specify the remote system or subnet for this policy. HP recommends that you do not specify a wildcard address (0.0.0.0/0 or 0::0/0). Wildcard addresses allow unauthorized systems to engage the local system in IKE negotiations.
-priority priority_number

The priority_number is the priority value HP-UX IPSec uses when selecting an IKE policy (a lower priority value has a higher priority). The priority must be unique for each IKE policy. Range: 1 - 2147483647.
1 (MODP, 768-bit exponent)
2 (1024-bit exponent)

Default: The value of the group parameter in the IKE-Defaults section of the profile file used. The default group parameter value is 2.

-hash MD5|SHA1

The hash argument specifies the hash algorithm for authenticating IKE messages. This must match the hash algorithm configured on the remote system.
-maxqm max_quick_modes

The max_quick_modes is the maximum number of IPsec or Quick Mode (QM) SA negotiations that IKE can perform using an IKE SA. Each IPsec SA negotiation establishes two IPsec SAs (one in each direction).
Step 4: Configuring Preshared Keys Using Authentication Records

Complete this step only if you configured PSK (preshared keys) as an IKE authentication method in “Step 3: Configuring IKE Policies” on page 123. If you configured RSASIG (RSA signatures) as the IKE authentication method in all IKE policies, skip this step, and go to Chapter 5, “Using Certificates with HP-UX IPSec,” on page 151.
ipsec_config add auth Syntax for Preshared Keys without ID Information

You can use the following ipsec_config add auth syntax to configure preshared keys without ID information in most installations:

ipsec_config add auth auth_name -remote ip_addr[/prefix] -preshared preshared_key

HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
-remote ip_addr[/prefix]

The ip_addr and prefix are the IP address and network prefix length that specify the remote system or subnet for this record. Each ip_addr and prefix combination (the significant bits of ip_addr, as specified by prefix) must be unique.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.

Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
• If HP-UX IPSec is the initiator in an IKE Phase 1 negotiation (Main Mode or Aggressive Mode), IKE uses the remote system’s IP address to search for an authentication record.
• If HP-UX IPSec is a responder in an IKE Phase 1 negotiation and the exchange type is Main Mode, IKE uses the remote system’s IP address (from the IP packet header) to search for an authentication record.
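The -remote ip_addr[/prefix] rules above (default prefix of 32, 128 or 0, the manual-key restriction, uniqueness of the significant bits) and the lookup by remote IP address that IKE performs as initiator or Main Mode responder, as an added example that is not HP-UX IPSec code. The class and function names are assumptions, the sample records are constructed, and the choice of the most specific record when several overlap is an assumption the guide does not state.

```python
"""Authentication-record handling for preshared keys, following the
-remote ip_addr[/prefix] rules of Step 4.  Added example; not HP-UX IPSec code."""
import ipaddress


def default_prefix(ip_addr: str) -> int:
    """32 for a non-zero IPv4 address, 128 for a non-zero IPv6 address,
    0 (match any address) for 0.0.0.0 or 0::0."""
    addr = ipaddress.ip_address(ip_addr)
    if int(addr) == 0:
        return 0
    return 32 if addr.version == 4 else 128


def parse_remote(spec: str, manual_keys: bool = False):
    """Turn 'ip_addr' or 'ip_addr/prefix' into the network of significant bits."""
    ip_text, _, prefix_text = spec.partition("/")
    addr = ipaddress.ip_address(ip_text)
    limit = 32 if addr.version == 4 else 128
    prefix = int(prefix_text) if prefix_text else default_prefix(ip_text)
    if not 0 <= prefix <= limit:
        raise ValueError(f"prefix {prefix} outside 0-{limit} for {ip_text}")
    if manual_keys and prefix != limit:
        raise ValueError(f"manual keys require prefix {limit}, got {prefix}")
    # strict=False keeps only the significant bits; host bits are dropped, so
    # 15.2.2.2/16 and 15.2.0.0/16 are the same record key.
    return ipaddress.ip_network(f"{ip_text}/{prefix}", strict=False)


class AuthRecords:
    """The 'ipsec_config add auth' records of one system, keyed by remote network."""

    def __init__(self, manual_keys: bool = False):
        self.manual_keys = manual_keys
        self._records = {}      # ip_network -> (auth_name, preshared_key)

    def add(self, auth_name: str, remote_spec: str, preshared_key: str):
        net = parse_remote(remote_spec, self.manual_keys)
        if net in self._records:
            raise ValueError(f"remote {net} already used by record "
                             f"{self._records[net][0]}")
        self._records[net] = (auth_name, preshared_key)
        return net

    def lookup(self, remote_ip: str):
        """Record IKE selects for a peer address (as initiator, or as a Main
        Mode responder using the address from the IP header).  Assumption: the
        most specific (longest prefix) covering record wins."""
        addr = ipaddress.ip_address(remote_ip)
        hits = [(net, rec) for net, rec in self._records.items()
                if net.version == addr.version and addr in net]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]


def is_rejected(records: AuthRecords, auth_name, remote_spec, preshared_key) -> bool:
    """True when the record is refused (duplicate, bad prefix or manual-key rule)."""
    try:
        records.add(auth_name, remote_spec, preshared_key)
        return False
    except ValueError:
        return True


def build_records() -> AuthRecords:
    """Constructed sample for system 'red': blue's key from the host-to-host
    template, a subnet-wide key, and an IPv6 peer (documentation prefix)."""
    recs = AuthRecords()
    recs.add("blue", "15.2.2.2", "my_red_blue_key")           # default prefix 32
    recs.add("lab_subnet", "15.2.0.0/16", "lab_subnet_key")   # explicit prefix
    recs.add("green6", "2001:db8::1", "green6_key")           # default prefix 128
    return recs


if __name__ == "__main__":
    recs = build_records()
    print(recs.lookup("15.2.2.2"))     # blue (more specific than lab_subnet)
    print(recs.lookup("15.2.9.9"))     # lab_subnet
    print(recs.lookup("10.0.0.1"))     # None: no record, IKE cannot authenticate
    print(is_rejected(recs, "dup", "15.2.2.2/32", "x"))                    # True
    print(is_rejected(AuthRecords(manual_keys=True), "m", "15.2.0.0/16", "k"))  # True
```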
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.

Default: None.
If the remote system is an autoconfiguration client (the AUTOCONF flag is set in the host IPsec policy) or Mobile IPv6 client (the MIPV6 flag is set in the host IPsec policy), the exchange type must be AM.

Default: MM (Main Mode).

TIP Most vendors use Main Mode by default. The IKE protocol specification requires implementations to support Main Mode; support for Aggressive Mode is optional.
Table 4-4 ID Types and Values (Continued)

ID Type: USER-FQDN
ID Value: User-Fully Qualified Domain Name (User-FQDN) in SMTP format, such as user@myhost.hp.com.

ID Type: X500-DN
ID Value: X.500 Distinguished Name (DN). The format of the DN is described in the paragraphs that follow.
-rtype remote_id_type and -rid remote_id

The remote_id_type and remote_id are used to verify the ID type and ID value sent by the remote system when negotiating an IKE SA. This must match what is configured on the remote system. You do not have to specify the remote ID type and value if the remote system is an HP-UX system or a non-HP system that uses IPv4 or IPv6 addresses as the ID type, and is not multihomed.
Step 5: Configuring Certificates

See Chapter 5, “Using Certificates with HP-UX IPSec,” on page 151 for information on configuring certificate information if you are using RSA signatures for IKE authentication. After you have configured certificate information, go to “Step 6: Configuring the Bypass List (Local IP Addresses)” on page 140.
Step 6: Configuring the Bypass List (Local IP Addresses)

The bypass list specifies local IP addresses that IPsec will bypass or ignore. The system will not attempt to find an IPsec policy for packets sent or received using an IP address in the bypass list, and the system will process these packets as if HP-UX IPSec was not enabled. The bypass list improves transmission rates for addresses in the bypass list.
[Figure 4-1 Bypass List Example: Node1 with 15.1.1.1 (lan0:0) and 16.1.1.1 (lan0:1), Node2 with 15.2.2.2 (lan0:0) and 16.2.2.2 (lan0:1); one path between the nodes is labelled bypass and the other secure.]

Maximizing Security

An IP address in the bypass list has the same effect as an open IPsec policy, with the bypass interface address as the local address, a wildcard (*) remote address, wildcard protocol and ports, and a Pass transform.
The complete ipsec_config add bypass syntax also allows you to specify the nocommit argument (verify the syntax but do not commit the information to the database). Refer to the ipsec_config_add (1M) manpage for complete syntax information.

ip_address

The ip_address is the IP address to bypass. This can be a virtual IP address (a secondary IP address configured for an interface, such as an address configured for lan0:1).
Step 7: Verifying the Batch File Syntax

Use the following command to verify the contents of the ipsec_config batch file without committing the configuration:

ipsec_config batch batch_file_name -nocommit

The ipsec_config utility displays the following message to indicate the profile file used:

Using default profile file /var/adm/ipsec/.
Step 8: Committing the Batch File Configuration and Verifying Operation

Use the following procedure to verify the operation of your HP-UX IPSec configuration.

1. Commit the batch file operations to the configuration database with the following command:

ipsec_config batch batch_file_name

2.
After doing so, enter the following command to display the IKE and IPsec SAs:

ipsec_report -sa

Alternatively, you can enter the following command:

ipsec_report -all

From the output of ipsec_report, you can verify the status of the outbound IPsec SA for the packets using the IPsec policy you are verifying.
bytes processed: 6256
addtime (seconds): 3
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800

The information for the inbound IPsec SA corresponds to inbound traffic from the remote system (the source address is 15.2.2.2).
Step 9: Configuring HP-UX IPSec to Start Automatically

After you have verified that your HP-UX IPSec configuration is operating properly, you can configure HP-UX IPSec so that it starts automatically at system startup time.

TIP HP recommends that you configure HP-UX IPSec to start automatically at system startup time once you have a known, good HP-UX IPSec configuration. This allows HP-UX IPSec to secure your system at all times.
• spd_hard (the “hard” limit for the size of the Security Policy Database)

Refer to the ipsec_config_add (1M) manpage for complete syntax information.
Step 10: Creating Backup Copies of the Configuration Files

Create backup copies of the following files, as applicable:

• The configuration database file, /var/adm/ipsec/config.db
• Your batch file. If you do not have a batch file, use the ipsec_config export command to create one from the configuration database. See “Exporting the Configuration Database to a Batch File” on page 183 for more information.
Chapter 5: Using Certificates with HP-UX IPSec
This chapter describes how to use security certificates with HP-UX IPSec.
Overview

You must use security certificates if you are using digital signatures (RSA signatures) for IKE authentication. HP-UX IPSec uses the certificates to obtain cryptography keys for digital signatures and to verify the digital signatures. If you are not using digital signatures for IKE authentication, you can skip this chapter.
Certificates are issued with a specific lifetime, defined by a start date/time and an expiration date/time. However, situations can arise, such as a compromised key value, that necessitate the revocation of the certificate. In this case, the certificate authority can revoke the certificate.
The initiator sends an authentication “challenge” to the responder: the initiator sends data, including a random number (nonce), encrypted using the responder’s public key. To authenticate itself to the sender, the responder decrypts the data using its private key, then sends a hash of the data back, encrypted using the symmetric key negotiated for the IKE SA. The reciprocal process is used by the responder to authenticate the identity of the initiator.
Requirements

To use security certificates with HP-UX IPSec, your topology must meet the following requirements:

• All security certificates must be administered using a PKI product from the same vendor. When you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate operations.
Configuring Certificates

Use the following procedure to configure certificates for HP-UX IPSec. You must also complete the configuration tasks for the main product components, as described in Chapter 4, “Configuring HP-UX IPSec,” on page 89. You create one certificate for each HP-UX IPSec system using RSA signatures for IKE authentication. If the local system is multihomed (has multiple IP addresses), you create one certificate for the system.
Step 1: Creating a Certificate Signing Request

Use the ipsec_config add csr command to create a Certificate Signing Request (CSR) for the local system. The ipsec_config add csr command performs the following tasks:

• Generates a public/private key pair for the local system. It encrypts the private key and stores it in the file /var/adm/ipsec/ipsec.key.
The values are defined as follows:

commonName: The commonName of the DN in printable string format. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.

country: The two-character ISO 3166-1 code for the country listed in the DN, for example US for United States of America. Commas are not accepted as part of this value.
-alt-fqdn fqdn

The Fully Qualified Domain Name (FQDN) you want in the subjectAlternativeName field for the certificate. The FQDN is also known as the Domain Name Server (DNS) name, such as myhost.hp.com. Default: None.

-alt-user-fqdn user_fqdn

The User Fully Qualified Domain Name (User FQDN) you want in the subjectAlternativeName field for the certificate. Specify the User FQDN in SMTP format, such as user@myhost.hp.com.
Using Certificates with HP-UX IPSec Step 2: Submitting the Certificate Signing Request to the CA Step 2: Submitting the Certificate Signing Request to the CA Submit the Certificate Signing Request (CSR) to the CA to request a signed certificate for the local system. The ipsec_config utility stores the CSR in the file /var/adm/ipsec/ipsec.csr. Request the following items from the CA: • A signed certificate for the local system in a base64 format file.
Using Certificates with HP-UX IPSec Step 3: Adding the Certificates Step 3: Adding the Certificates After you receive files containing the certificates for the local system and the CA, use the ipsec_config add cert command to extract the certificates and add the certificates to the HP-UX IPSec storage scheme. The ipsec_config add cert command stores the certificates for the local system and the CA in the file /var/adm/ipsec/ipsec.cert.
Step 4: Configuring Authentication Records with IKE IDs

You can skip this section if all systems using certificate-based authentication meet the following conditions:
• None of the systems are multihomed.
• All of the remote systems using certificate-based authentication use the IPV4 or IPV6 ID type as the IKE ID (IKE Identity payload).
• You are using Main Mode for IKE Phase 1 negotiations.

and the appropriate IP address type as the remote ID type. HP-UX then verifies that the remote ID information matches the information it receives in the IKE Identity payload and the ID information in the remote system’s certificate.

ipsec_config add auth auth_name -remote ip_addr[/prefix] [-exchange|x AM|MM] [-ltype local_id_type] [-lid local_id] [-rtype remote_id_type] [-rid remote_id]

HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.

ip_addr
The ip_addr is the remote IP address. Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The address cannot be a broadcast, subnet broadcast, or multicast address. Default: None.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing the remote IP address with ip_addr.

TIP: Most vendors use Main Mode by default. The IKE protocol specification requires implementations to support Main Mode; support for Aggressive Mode is optional.

-ltype local_id_type and -lid local_id
The local_id_type and local_id are the ID type and value the local system sends to the remote system when negotiating an IKE SA. This must match what is configured on the remote system.

Table 5-1 ID Types and Values (Continued)
ID Type: USER-FQDN
ID Value: User-Fully Qualified Domain Name (User-FQDN) in SMTP format for the subject of the certificate, such as user@myhost.hp.com, as configured in the subjectAlternativeName field of the certificate.
ID Type: X500-DN
ID Value: X.500 Distinguished Name (DN), as configured in the subjectName or subjectAlternativeName field of the certificate.

organizationalUnit: The organizationalUnit for the DN, for example Marketing. Commas are not accepted as part of this value. The size of this value must not exceed 64 bytes.

You do not have to specify local ID information in the above entries because Black is not multihomed, and uses its IPv4 address as its ID. On Zebra, you add the following entry to the ipsec_config batch file:

add auth Black -remote 10.10.10.10 -ltype IPV4 \
-lid 10.20.20.20

You do not have to specify remote ID information in the above entry because Black is not multihomed, and uses its IPv4 address as its ID.
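The matching rule in Step 4 is easy to get wrong on a multihomed system: the ID a system sends (-ltype/-lid, or its own IP address when those are omitted) must equal the ID its peer expects (-rtype/-rid, or the -remote address when those are omitted). The script below is an added example, not part of this guide or of the HP-UX IPSec product. It parses the add auth batch entries of a pair of systems and cross-checks the IDs in both directions before you run ipsec_config batch. Zebra's entry is the one shown above; Black's entry, and Zebra's second address 10.20.20.21, are assumptions made for the example. The script assumes each entry is on a single line (join backslash-continued lines first) and that ID values contain no spaces, so quoted X500-DN values are not handled.

```sh
#!/bin/sh
# Cross-check the IKE IDs in a pair of "ipsec_config add auth" batch entries.
# Added example; assumes one entry per line and space-free ID values.

# Print the value that follows a flag (e.g. -lid) in a batch line, or nothing if the flag is absent.
auth_field() {
    printf '%s\n' "$1" | awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# IPV6 if the address contains a colon, otherwise IPV4.
addr_type() {
    case $1 in *:*) echo IPV6 ;; *) echo IPV4 ;; esac
}

# ID a system sends: -ltype/-lid, or (the default described above) its own IP address.
# $1 = entry, $2 = the IP address that system uses for the peer.
effective_local_id() {
    t=$(auth_field "$1" -ltype); v=$(auth_field "$1" -lid)
    if [ -z "$t" ]; then t=$(addr_type "$2"); v=$2; fi
    printf '%s %s\n' "$t" "$v"
}

# ID a system expects from its peer: -rtype/-rid, or (default) the -remote address.  $1 = entry.
# With a /prefix the expected ID is the peer's actual address; this example handles single hosts only.
effective_remote_id() {
    t=$(auth_field "$1" -rtype); v=$(auth_field "$1" -rid)
    if [ -z "$t" ]; then r=$(auth_field "$1" -remote); r=${r%%/*}; t=$(addr_type "$r"); v=$r; fi
    printf '%s %s\n' "$t" "$v"
}

# $1 = entry on system A, $2 = A's IP, $3 = entry on system B, $4 = B's IP.
# Prints one line per direction; returns 1 if either direction mismatches.
check_auth_pair() {
    a_sends=$(effective_local_id "$1" "$2"); a_expects=$(effective_remote_id "$1")
    b_sends=$(effective_local_id "$3" "$4"); b_expects=$(effective_remote_id "$3")
    rc=0
    if [ "$a_sends" = "$b_expects" ]; then
        echo "OK: A sends [$a_sends], B expects [$b_expects]"
    else
        echo "MISMATCH: A sends [$a_sends], B expects [$b_expects]"; rc=1
    fi
    if [ "$b_sends" = "$a_expects" ]; then
        echo "OK: B sends [$b_sends], A expects [$a_expects]"
    else
        echo "MISMATCH: B sends [$b_sends], A expects [$a_expects]"; rc=1
    fi
    return $rc
}

# Black (10.10.10.10) talks to Zebra's second interface 10.20.20.21 (assumed), but Zebra always
# identifies itself as 10.20.20.20, so Black's entry needs an explicit -rtype/-rid.
BLACK_ENTRY='add auth Zebra -remote 10.20.20.21 -rtype IPV4 -rid 10.20.20.20'
ZEBRA_ENTRY='add auth Black -remote 10.10.10.10 -ltype IPV4 -lid 10.20.20.20'
check_auth_pair "$BLACK_ENTRY" 10.10.10.10 "$ZEBRA_ENTRY" 10.20.20.21 || echo "fix the IDs before running ipsec_config batch"

# Same topology with the -rtype/-rid omitted on Black: the default (10.20.20.21) no longer matches.
BLACK_NO_RID='add auth Zebra -remote 10.20.20.21'
check_auth_pair "$BLACK_NO_RID" 10.10.10.10 "$ZEBRA_ENTRY" 10.20.20.21 || echo "fix the IDs before running ipsec_config batch"
```

The second call is the failure mode this step warns about: without an explicit remote ID on Black, IKE on Black compares the ID payload from Zebra (10.20.20.20) against the address Zebra actually connects from (10.20.20.21) and rejects the authentication.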
Step 5: Adding the CRL to HP-UX IPSec

Use the ipsec_config add crl command to add a CRL to the HP-UX IPSec storage scheme. The source for the CRL can be a local file in DER format or a CRL stored in an LDAP directory in DER format. The ipsec_config utility stores the CRL in the file /var/adm/ipsec/ipsec.crl.

ipsec_config add crl Syntax for Files

The add crl functionality is not supported in ipsec_config batch files.

-ldap server_addr
The address of the LDAP server where the CRL is stored. Default: None.
-port port_number
TCP port number for the LDAP server. Range: 1 - 65535. Default: 389, the IANA registered TCP port number for LDAP.
-base search_base
Search base for the CRL, in X.500 Distinguished Name (DN) format, such as C=US,O=HP,OU=Lab.

Example

The following command retrieves the CRL file in DER format from the LDAP server at address 15.2.2.2 and adds the CRL to /var/adm/ipsec/ipsec.cert. The command also updates the /var/adm/ipsec/cainfo.txt file with the LDAP server information:

ipsec_config add crl -ldap 15.2.2.

Step 6: Retrieving the CRL Using cron

If the CA periodically publishes the CRL to an LDAP directory, you can use the following procedure to automatically retrieve it using the cron utility.
Step 1. Execute the ipsec_config add crl command to configure information about the LDAP server in the /var/adm/ipsec/cainfo.txt file. This also retrieves the CRL.
Step 2. Add the following entries to the root user’s crontab file.

Example

This example shows the sequence of commands used to configure certificates for HP-UX IPSec on the system hostA. In addition, the administrator must complete the configuration tasks described in Chapter 4, “Configuring HP-UX IPSec,” on page 89, such as configuring IPsec and IKE policies.
1. Create a CSR:

ipsec_config add csr \
-subject “cn=hostA,c=US,o=HP,ou=Blue Lab” \
-alt-ipv4 15.1.1.

6. Configure cron to automatically retrieve the CRL from the LDAP server by scheduling cron to execute /var/adm/ipsec_gui/cron/crl.cron for the root user.
Chapter 6 Administering HP-UX IPSec

This chapter describes common HP-UX IPSec maintenance procedures.

Starting HP-UX IPSec

Use the ipsec_admin -start command to start HP-UX IPSec.

Configuring HP-UX IPSec to Start Automatically

HP recommends that you configure HP-UX IPSec to start automatically at system startup time once you have a known, good HP-UX IPSec configuration. This allows HP-UX IPSec to secure your system at all times. Use the ipsec_config add startup command to configure HP-UX IPSec to start automatically at system startup time.

Stopping HP-UX IPSec

Use the ipsec_admin -stop command to stop HP-UX IPSec. This command performs the following operations:
• Flushes the kernel-resident HP-UX IPSec memory structures.
• Disables the kernel components.
• Sends IKE DELETE messages to peer IKE entities for the local system’s inbound SAs. The DELETE messages tell the peer that the local system will no longer accept data for the deleted SAs.
• Stops the HP-UX IPSec daemons.

Changing HP-UX IPSec Operating Parameters

The ipsec_admin command supports the following arguments for changing HP-UX IPSec operating parameters:
• auditlvl (audit level)
• auditdir (audit directory)
• maxsize (maximum audit file size)
• newpasswd (HP-UX IPSec password)
• spi_min (lower bound for inbound, dynamic Security Parameters Index; this argument is valid only with the -start argument)
• spi_max (upper bound for inbound,
Exporting the Configuration Database to a Batch File

The ipsec_config export command exports the contents of the configuration database to a batch file that you can use as input for the ipsec_config batch command.

Re-Creating the Configuration Database

There are two methods for re-creating the configuration database file (/var/adm/ipsec/config.db).
• Restore the skeleton configuration database file and manually re-enter the configuration data, or use a previously created ipsec_config batch file to re-create the data.
• Use the migration utility, ipsec_migrate.

ipsec_migrate -s old_config_file

Step 3. Re-run your ipsec_config batch file, if you have one:

ipsec_config batch batch_file

If you do not have an ipsec_config batch file, you must manually enter your configuration information.

Re-establishing the HP-UX IPSec Password

If you have forgotten the HP-UX IPSec password and are using security certificates for IKE authentication, use the following procedure to re-establish the HP-UX IPSec password:
1. Remove the file /var/adm/ipsec/.ipsec_info.
2. Revoke any certificates from the Certificate Authority (CA).
3. Re-install the product.
4.

Deleting SA Entries

The ipsec_admin -deletesa command deletes security association (SA) information. In normal operation, there is no need for you to do this. However, there are cases when the SA information on the local system is not synchronized with information on a remote system, such as when the IPsec subsystem on a remote system terminates abruptly.
Chapter 7 Troubleshooting HP-UX IPSec

This chapter describes procedures for troubleshooting HP-UX IPSec software. It contains the following sections:
• “IPsec Operation” on page 191
• “Troubleshooting Utilities Overview” on page 198
• “Troubleshooting Procedures” on page 203
• “Reporting Problems” on page 211
• “Troubleshooting Scenarios” on page 213

IPsec Operation

To troubleshoot HP-UX IPSec, it is useful to understand a few key points about its operation. This section contains high-level descriptions of how IPsec establishes Security Associations (SAs) and how IPsec processes packets.

2. Establish IKE SA
The two systems complete the establishment of the IKE SA. The IKE SA is the “master” SA that the two systems use as a secure channel to negotiate the SAs for AH and/or ESP packets. IKE supports two methods, or exchange types, for establishing the IKE SA: Main Mode and Aggressive Mode.
3. Establish IPsec SAs
Once an IKE SA is established, the two systems have a secure channel for negotiating IPsec or Quick Mode SAs (IPsec SAs).

Internal Processing

This section provides a high-level description of how HP-UX IPSec processes packets. This information is useful to further troubleshoot HP-UX IPSec and analyze the data reported by the HP-UX IPSec troubleshooting tools.

Figure 7-2 Outbound Processing (diagram; components shown: Policy Manager Daemon (secpolicyd) with the Policy DB, IKE Daemon (ikmpd) with the IKE SA DB, and in the kernel the Policy Engine, Policy Engine Cache, SA Engine and IPsec SA DB, with outbound data passing through numbered steps 1 to 5)

1.

On an end system (the local system is the source for the outbound packet), the Policy Manager sequentially searches the host IPsec policies in priority order for the first policy with an IP packet filter that matches the packet. If no match is found, HP-UX IPSec uses the default host IPsec policy. On a gateway system (the local system is forwarding the outbound packet), the Policy Manager sequentially searches the gateway IPsec policies in priority order.
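The first-match search described above is why policy order matters: a broad PASS rule placed ahead of a narrower rule silences the narrower rule for every packet both would match. The following shell function is an added example, not code from this guide or from HP-UX IPSec. It applies the same algorithm (lowest priority number first, first matching filter wins, default policy otherwise) to a constructed, simplified policy table and a packet 5-tuple, so you can see which rule wins and how a reordering changes the result. The table layout (name, priority, source, destination, protocol, destination port, action, with * as a wildcard) is an assumption for the example; the real filter syntax is that of ipsec_config, and ipsec_policy is the tool to query the live policy database.

```sh
#!/bin/sh
# First-match policy selection in priority order over a simplified host policy table.
# Added example with an assumed table layout; not the ipsec_config policy syntax.

# Constructed sample table. Fields: name priority src dst proto dst_port action ("*" matches anything).
HOST_POLICIES='
telnet_to_b 10 192.1.1.1 192.1.1.2 TCP 23 ESP-3DES-HMAC-SHA1
http_any    20 *         *         TCP 80 PASS
discard_b   30 *         192.1.1.2 *   *  DISCARD
'

# Print "<policy name> <action>" for the matching policy with the lowest priority number
# (so the table need not be pre-sorted), or "DEFAULT <action>" if no filter matches.
# $1 src  $2 dst  $3 proto  $4 dst_port  [$5 default host policy action, PASS if omitted]
select_policy() {
    printf '%s\n' "$HOST_POLICIES" | awk -v s="$1" -v d="$2" -v p="$3" -v dp="$4" -v def="${5:-PASS}" '
        function m(f, x) { return f == "*" || f == x }          # wildcard or exact field match
        BEGIN { best = -1 }
        NF == 7 && m($3, s) && m($4, d) && m($5, p) && m($6, dp) {
            if (best < 0 || $2 + 0 < best) { best = $2 + 0; name = $1; act = $7 }
        }
        END { if (best < 0) print "DEFAULT " def; else print name " " act }'
}

# Demonstration: HTTP to 192.1.1.2 is sent in clear text because http_any (20) outranks discard_b (30).
select_policy 192.1.1.1 192.1.1.2 TCP 23
select_policy 192.1.1.1 192.1.1.2 TCP 80
select_policy 10.0.0.5 192.1.1.2 UDP 53
select_policy 10.0.0.5 10.0.0.6 UDP 53 DISCARD
```

To see the ordering pitfall, give discard_b a priority number below 20 and re-run the HTTP query: the packet is now discarded, which is the kind of result the "HP-UX IPSec Incorrectly Passes Packets" scenario tells you to look for in the policy cache.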
For the IPsec SAs to be successfully established, both systems must agree on the type of transform (AH, ESP), including the authentication or encryption algorithm used. They must also negotiate SA lifetimes.
5. Add IPsec SAs to the Kernel SA Database
The IPsec SAs are added to the kernel SA database by the IKE daemon. Each SA includes an SPI (Security Parameters Index), a number assigned by the receiving system to reference the SA.

• Clear Text Packet
If the inbound packet has no AH or ESP (it is a normal IP packet in clear text), HP-UX IPSec must still determine whether the packet should be dropped or passed in clear text. HP-UX IPSec checks the kernel policy engine cache for an existing decision on the action to take (drop or pass in clear text) for the packet based on the IP addresses, protocol, and port numbers.

SA uses manual keys, HP-UX IPSec also verifies that the SA SPI for the tunnel policy referenced in the host or gateway policy matches the SPI in the outer (tunnel) packet.

Troubleshooting Utilities Overview

HP-UX IPSec provides three troubleshooting utilities:
ipsec_admin: Returns status information and allows the administrator to change the audit level, audit file directory, audit file size, and enable or disable level 4 (TCP, UDP, IGMP) data tracing.
ipsec_policy: Allows the administrator to determine which IPsec policy will be used for a given packet.

Getting General Information

Table 7-1 Getting General Information
Task: Get status of HP-UX IPSec components. Command: ipsec_admin -status
Task: Show all active and configured IPsec policies, IKE policies, cache entries, SAs, active IP interfaces, bypass interfaces, and display the current audit file. Command: ipsec_report -all

Getting SA Information

Table 7-2 Getting SA Information
Task: Show current IKE (Main Mode or Aggressive Mode) SAs.

Table 7-3 Getting Policy Information (Continued)
Task: Show configured host IPsec policies in the policy database. Command: ipsec_report -host configured
Task: Show gateway IPsec policies in the configuration database. Command: ipsec_config show gateway
Task: Show active gateway IPsec policies. Command: ipsec_report -gateway [active]
Task: Show configured gateway IPsec policies in the policy database.

Getting Interface Information

Table 7-4 Getting Interface Information
Task: Show active IP (configured, UP or DOWN) interfaces, and whether or not HP-UX IPSec is enabled for each interface. Command: ipsec_report -ip
Task: Show bypass list entries. Command: ipsec_report -bypass

Getting Certificate Information

Table 7-5 Getting Certificate Information
Task: Show the contents of the certificate for the local system.

Table 7-6 Viewing and Configuring Audit Information
Task: Get the name of the current audit file. Command: ipsec_admin -status
Task: Change the audit level. Command: ipsec_admin -auditlvl [alert|error|warning|informative|debug]
Task: Change the audit file directory. Command: ipsec_admin -audit audit_directory
Task: Change the maximum audit file size (in kilobytes). Command: ipsec_admin -m[axsize] max_audit_file_size
Task: Configure audit parameters for startup time.
Troubleshooting Procedures

This section describes the following troubleshooting procedures:
• “Checking Status” on page 203
• “Isolating HP-UX IPSec Problems from Upper-layer Problems” on page 205
• “Checking Policy Configuration” on page 206
• “Configuring HP-UX IPSec Auditing” on page 207

Checking Status

HP-UX IPSec has f

• Queries the kernel Security Association (SA) engine for active IPsec SAs on this system. If there is no peer IPsec system and/or no active IPsec SAs, the kernel SA engine will respond that there are no IPsec SAs to report. You can also do this by entering the command:

ipsec_report -sa ipsec

• Queries the IKE daemon for IKE SAs. If there is no peer IPsec system or no IPsec traffic, the IKE daemon will respond that there are no IKE SAs to report.

• Queries the policy daemon and reports the active (configured UP or DOWN, plumbed) IP interfaces, and whether or not HP-UX IPSec is enabled for each interface. You can also do this by entering the following command:

ipsec_report -ip

• Queries the kernel policy engine and reports the contents of its cache. The cache records the most recent decisions that the kernel policy engine has made for the traffic that has passed in and out of the system.

Checking Policy Configuration

There are two methods for determining which policy HP-UX IPSec uses for a packet:
• Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets.
• Generate packets and examine the policy cache and policy entries to determine which policy HP-UX IPSec used for the packets.

host policy on 192.1.1.1 is misconfigured, so the system sends the packets in clear text. The output from the ipsec_report -cache command shows the following entry:

-------------------Cache Policy Rule ----------------------
Cache Policy Record: 9
Cookie: 1
Src IP Address: 192.1.1.1
Src Port number: 56122
Dst IP Address: 192.1.1.

NOTE
• error: Error audit entries report error events including recoverable error conditions, syntax errors, unsupported features, bad packets, and unknown message types.
• warning: Warning audit entries report non-intrusive security events.
• informative: Informative audit entries provide detailed event logging for troubleshooting.
• debug: Debug audit entries provide very detailed event logging for debugging and troubleshooting.

ipsec_admin [-al audit_level] [-au audit_directory] [-maxsize max_size]

audit_level can be alert, error, warning, informative, or debug. A selected audit level includes all the lower audit levels.
audit_directory is the fully-qualified path name for the audit directory.
max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.

Then use the -audit option of ipsec_report to display the file:

ipsec_report -audit audit_file

Filtering Audit File Output by Entity

You can filter the audit file output so ipsec_report shows only entries recorded by specified entities.

ipsec_report -audit audit_file -entity entity_name [entity_name ...
Reporting Problems

Be sure to include the following information when reporting problems:
• A complete description of the problem and any error messages. Include information about:
— the local system (IP addresses)
— IP addresses of relevant remote systems
— routing table information (netstat -rn output) if appropriate
Also include a description of what works as well as what does not work.
• Output from ipsec_admin -status.
• Output from ipsec_report -all.

output will be sent to /var/admin/ipsec/nettl.TRC0 and /var/admin/ipsec/nettl.TRC, if nettl tracing is not already enabled and directed to another file set. IP and ICMP tracing are still available when IPsec is running. Packets secured with AH are still in clear text and the packet contents are still visible through a nettl trace. The output format using netfmt can only be parsed for the IP header.

Troubleshooting Scenarios

This section contains information about the following common troubleshooting scenarios, including their symptoms and resolutions:
• “HP-UX IPSec Incorrectly Passes Packets” on page 213
• “HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets” on page 215
• “HP-UX IPSec Attempts to Encrypt/Authenticate and Fails” on page 215
• “IKE SA Negotiation Fails (Phase 1 MM processing failed, Phase 1 AM processing failed

Symptoms
No error message or interruptions to user service, but no SAs are established, or IPsec is passing packets that should be discarded to upper layers.
HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets

Problem
IPsec is attempting to encrypt or authenticate (apply a transform) packets that should not be encrypted or authenticated.
Symptoms
Link errors (unable to connect or connection timeouts) on traffic that should not be encrypted/authenticated.

Symptoms
Link errors (unable to connect) and ipsec_report -sa ipsec shows no IPsec SAs.
Solution
Determine if IKE SA negotiations are succeeding. Run the following commands:

ipsec_report -sa ike
ipsec_report -audit file

Check for Main Mode processing failed and MM negotiation timeout error messages in the log file.

Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002 Event: Phase 1 negotiation timed out, src 15.2.2.2

If there is a mismatch in IKE policies, some IKE daemons do not respond to negotiation attempts. This causes a MM negotiation timeout error on the connecting system.

IKE SA Negotiation Fails (Phase 1 MM processing failed, Phase 1 AM processing failed)

Problem
IKE SA negotiation fails.

• (Primary) Authentication Method
• Authentication Algorithm
• Encryption Algorithm
• The preshared key value, if you are using preshared key authentication. On HP-UX systems, this is configured using the ipsec_config add auth command, and must be an ASCII value. The ipsec_config command does not allow spaces, and any double quote marks in the command are added to the key value.

src 15.1.1.1. Enable a nettl level 4 trace using the command ipsec_admin -traceon or get a line analyzer trace and verify that the packets are being sent and received by the correct remote system. Check whether the remote IKE entity is responding. IKE always uses UDP port 500 to receive and send IKE packets.

IKE Primary Authentication Fails with Certificates

Problem
Certificate-based (RSA signature) primary authentication fails.

certificate files from the CA. Use the ipsec_config show cert command to check the expiration date for the local and remote system certificates. Check that the /var/adm/ipsec/ipsec.key file has not been deleted. If the file has been deleted, and you cannot restore from backup, you must create a new Certificate Signing Request and get a new certificate.

Check the transform list and lifetimes. Check the audit file.

Manual Keys Fail

Problem
Manual keys do not work.
Symptoms
Link errors (unable to connect) and timeouts. The output from the ipsec_report -sa ipsec command shows the SAs, but attempts to exchange data with the remote system fail.

In the above example, the user tried to add a manual key with inbound SPI 513 (0x201). The secure policy daemon had already allocated inbound SPI 513 for a dynamic key SA, and when the daemon received the request to add the manual key SA with the same SPI, it logged the above error and did not add the manual key SA. Change the manual key SPI. Verify that the SPIs are unique and are not within the range for dynamic key SPI numbers.
nettl -ss

The default STREAMS log classes are error and disaster. If the STREAMS log classes do not include the error and disaster classes, use the nettl command to set them. You can do this by executing a command similar to the following command:

nettl -log e d -e streams

2. Format the current nettl log file. You can do this by executing a command similar to the following command:

netfmt /var/adm/nettl.LOG000 > my_log_output

3.

Msg: 67 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:43:07 2004 Event: No SPI for received packet - SPI: hhhh IP addr: 10.1.1.1-10.2.2.2 proto: 50

The above entry indicates mismatched SPI numbers. Verify the SPI numbers configured on the remote system. The inbound SPI on the local system must match the outbound SPI on the remote system, and the outbound SPI on the local system must match the inbound SPI on the remote system.

/var/adm/ipsec/.admin_info exists. If this file does not exist, restore it or use the procedure described in the section “Re-establishing the HP-UX IPSec Password” on page 67 to re-establish the password. If ipsec_admin returns the message read_admin_info(): Failed to verify ipsec password, verify that the file /var/adm/ipsec/.admin_info exists.

If the policy daemon detects that the configuration database is corrupted, the policy daemon logs an error message similar to the following:

Msg: 413 From: SECPOLICYD Lvl: ERROR Date: Sun May 09 10:21:32 2004 Event: /var/adm/ipsec/config.db file is corrupt.

Solution
Re-create or restore the configuration database file (/var/adm/ipsec/config.db).

Step 4. Reboot the system.

If you still have problems after following the troubleshooting procedure, contact your HP representative. If HP-UX IPSec is not using the IPsec policy you expected, check for errors in the configuration file, such as incorrect IP addresses. Check the order of the IPsec policies: HP-UX IPSec sequentially searches the IPsec policies and selects the first policy with filter parameters that match the packet.

Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004 Event: Kernel Policy Cache Threshold exceeded nnnn records.

where nnnn is the hard limit.

Solution
Use the following ipsec_config commands to set and configure new SPD soft and hard limits:

ipsec_config add startup -spd_soft spd_soft_limit
ipsec_config add startup -spd_hard spd_hard_limit

The spd_soft_limit and spd_hard_limit are specified in units of 1000 entries.
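Several of the scenarios in this chapter are recognised from audit entries. The script below is an added example, not part of this guide or of HP-UX IPSec. It reads audit entries in the one-line Msg/From/Lvl/Date/Event form quoted in this chapter, applies an entity filter and a minimum level (the same selection that ipsec_report -audit -entity and the audit level give you), and attaches the resolution this chapter gives for each known event. The sample entries are constructed for the example: the first four are the entries quoted in this chapter with nnnn replaced by 4000, and the last INFORMATIVE entry is invented to show level filtering. The hints are summaries of this chapter, not product output.

```sh
#!/bin/sh
# Triage HP-UX IPSec audit entries by entity and level, mapping known events to the
# resolutions given in this chapter. Added example; the sample entries are constructed.

# Constructed audit text in the one-line form shown in this chapter.
SAMPLE_AUDIT='Msg: 413 From: IKMPD Lvl: ERROR Date: Fri Mar 15 07:14:18 2002 Event: Phase 1 negotiation timed out, src 15.2.2.2
Msg: 67 From: SECPOLICYD Lvl: WARNING Date: Thu Jun 10 13:43:07 2004 Event: No SPI for received packet - SPI: hhhh IP addr: 10.1.1.1-10.2.2.2 proto: 50
Msg: 413 From: SECPOLICYD Lvl: ERROR Date: Sun May 09 10:21:32 2004 Event: /var/adm/ipsec/config.db file is corrupt.
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004 Event: Kernel Policy Cache Threshold exceeded 4000 records.
Msg: 12 From: SECPOLICYD Lvl: INFORMATIVE Date: Tue Apr 20 12:14:43 2004 Event: Policy cache entry added'

# Reads entries on stdin.  $1 = entity to keep ("" for all), $2 = minimum level (WARNING if omitted).
# Prints one "ENTITY<TAB>LEVEL<TAB>hint<TAB>event" line per kept entry, then "COUNT<TAB>ENTITY<TAB>n" lines.
audit_triage() {
    awk -v ent="$1" -v minlvl="${2:-WARNING}" '
    BEGIN { rank["ALERT"] = 5; rank["ERROR"] = 4; rank["WARNING"] = 3; rank["INFORMATIVE"] = 2; rank["DEBUG"] = 1 }
    /^Msg: / {
        from = $0; sub(/.*From: /, "", from); sub(/ Lvl:.*/, "", from)
        lvl  = $0; sub(/.*Lvl: /, "", lvl);   sub(/ Date:.*/, "", lvl); lvl = toupper(lvl)
        ev   = $0; sub(/.*Event: /, "", ev)
        if (ent != "" && from != ent) next
        if (rank[lvl] < rank[toupper(minlvl)]) next
        hint = "unclassified: read the full audit file"
        if (ev ~ /Phase 1 negotiation timed out/)
            hint = "peer not answering: compare IKE policies, confirm UDP/500 reachability (ipsec_admin -traceon)"
        else if (ev ~ /Phase 1 (MM|AM) processing failed/)
            hint = "proposal or authentication mismatch: compare IKE policies and preshared key or certificates"
        else if (ev ~ /No SPI for received packet/)
            hint = "SPI mismatch: local inbound SPI must equal remote outbound SPI and vice versa"
        else if (ev ~ /config\.db file is corrupt/)
            hint = "re-create or restore /var/adm/ipsec/config.db"
        else if (ev ~ /Kernel Policy Cache Threshold exceeded/)
            hint = "raise -spd_soft/-spd_hard with ipsec_config add startup (units of 1000 entries)"
        printf "%s\t%s\t%s\t%s\n", from, lvl, hint, ev
        count[from]++
    }
    END { for (e in count) printf "COUNT\t%s\t%d\n", e, count[e] }'
}

# Usage: everything at WARNING or above, then only the IKE daemon's entries.
printf '%s\n' "$SAMPLE_AUDIT" | audit_triage
printf '%s\n' "$SAMPLE_AUDIT" | audit_triage IKMPD
```

On a live system feed it the output of ipsec_report -audit audit_file; the per-entity counts tell you at a glance whether the problem is in IKE negotiation (IKMPD) or in policy and SA handling (SECPOLICYD).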
Appendix A Product Specifications

This appendix lists the HP-UX IPSec product specifications.

IPsec RFCs

The HP-UX IPSec product conforms to the Internet Engineering Task Force (IETF) RFCs listed in Table A-1:

Table A-1 Supported IPsec RFCs
RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405: The ESP DES-CBC Cipher Algorithm with Explicit IV
RFC 2406: IP Encapsula

RFC 3775 IKE Identity Payload Requirement
RFC 3775, Mobility Support in IPv6, section 5.1, Binding Updates to Home Agents, contains the following mandatory specification for IKE identities: The ID_IPV6_ADDR Identity Payload MUST NOT be used in IKEv1 phase 1.

RFC 3776 Mandatory Support
RFC 3776, Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents, section 4.

Product Restrictions

HP-UX IPSec product restrictions are described below:
• HP-UX IPSec systems cannot act as IP or IPsec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients.
• You cannot use an end-to-end or transport transform in an end-to-end tunnel (host-to-host tunnel) topology. The action for the host policy in an end-to-end tunnel topology must be PASS.

IKE Limitations

IKE limitations and constraints are described below:
• For Main Mode (MM) and Quick Mode (QM) transaction exchanges, a single transaction request will time out after 31 seconds (five retransmissions using an exponential timer, starting at one second), which in turn will time out or terminate the transaction negotiation. When timeouts occur, they usually occur during heavy network traffic congestion.
messages being transmitted or received from a non-IPsec gateway or router to be authenticated or encrypted, which will also cause ICMP packets to be discarded. IP uses ICMP messages to transmit error and control information, such as in the following situations:
• IP may periodically send ICMP Echo messages to gateways to determine if the gateway is up (“Gateway Probes”). If no response is received, the gateway is marked “Dead” in the IP routing table.

• Router Solicitation
• Router Advertisement
• Neighbor Solicitation
• Neighbor Advertisement
• Redirect
• Destination Unreachable
• Packet Too Big
• Time Exceeded
• Parameter Problem
• Router Renumbering

You can configure HP-UX IPSec policies to authenticate, encrypt, pass, or discard the following ICMPv6 messages:
• Echo Request
• Echo Reply
• Mobile Prefix Advertisement
• Mobile Prefix Solicitation

HP-UX IPSec Transforms

Comparative Key Lengths

Table A-2 lists the key lengths of AH and ESP algorithms. In general, the longer the key length, the more secure the encryption algorithm will be. AES encryption provides the most secure encryption, but should be used with some form of authentication, such as the ESP-AES128-HMAC-SHA1 authenticated ESP transform.

WARNING: DES has been cracked (data encoded using DES has been decoded by a third party).

Authentication Algorithms

The authentication algorithms described in this section provide authentication values for IPsec Authentication Header (AH) and for authenticated ESP. The algorithms are based on shared key hash functions.
AH-MD5: Hashed Message Authentication Code (HMAC) using the RSA Message Digest-5 algorithm (128-bit message digest, keyed with a 128-bit key).
AH-SHA1: HMAC using the Secure Hash Algorithm-1.

ESP-DES-HMAC-SHA1: ESP using DES-CBC encryption and HMAC-SHA1 to generate an ICV.
ESP-3DES-HMAC-MD5: ESP using triple DES-CBC encryption (3DES-CBC; three encryption iterations, each with a different 56-bit key) and HMAC-MD5 to generate an ICV.
ESP-3DES-HMAC-SHA1: ESP using 3DES-CBC encryption and HMAC-SHA1 to generate an ICV.
ESP-AES128-HMAC-MD5: ESP using Advanced Encryption Standard encryption with a 128-bit key (AES128) and HMAC-MD5 to generate an ICV.

If the remote system initiates the IPsec negotiations, the HP-UX IPSec IKE daemon will accept the lifetime sent by the remote system, within the range specified by the IPsec protocol.
B Appendix B Interoperability 239
Interoperability This appendix contains following information about using HP-UX IPSec with other IPsec implementations and contains the following sections: 240 • “Linux” on page 241 • “Microsoft” on page 243 • “Cisco” on page 245 • “HP Printers” on page 248 Appendix B
Linux

HP-UX IPSec can interoperate with Linux IPsec implementations that are based on Linux FreeSWAN version 1.96 or later. The following are limitations of Linux FreeSWAN that affect interoperability with HP-UX IPSec:

• Linux FreeSWAN does not support DES encryption. If you are configuring an HP-UX IPSec system to interoperate with a Linux FreeSWAN system, you can use 3DES encryption or AES encryption with the appropriate FreeSWAN cryptographic algorithm patch.
    right=192.12.13.7
    rightnexthop=192.12.13.1
    auto=add
    compress=no
    auth=esp
    authby=secret
    pfs=no
    esp=3des-sha1-96

NOTE compress and pfs must both be set to no in the Linux FreeSWAN configuration. HP-UX IPSec does not support IP compression or PFS for keys only.
Microsoft

HP-UX IPSec can interoperate with Microsoft IPsec implementations.

Products and Versions

HP-UX IPSec A.02.
IPsec rules on Microsoft system. Configure one rule with the HP-UX system address as the destination endpoint and configure a second rule with the Microsoft system address as the destination endpoint. Set the mirror flag to no for both rules. Do not configure any other rules in the same policy with the HP-UX system address as the destination. This prevents the Microsoft system from applying the tunnel transform over a transport transform.
Cisco

HP-UX IPSec can interoperate with Cisco IOS IPsec implementations.

Product and Version

HP-UX IPSec has been successfully tested with the following Cisco product: Model 4500, version 12.1 (8).
Example

In the following topology, the HP-UX system with address 192.1.114.218 creates an IPsec tunnel to the Cisco router with address 192.1.114.2. The HP-UX system uses the tunnel to communicate with hosts in the 192.1.113.0 subnet.

Figure B-1 End to Gateway Tunnel with Cisco Router

The following output from the IOS show config command shows the configuration on the Cisco router:

    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key Hello! address 192.1.114.
Tips

The following tips may help you configure HP-UX IPSec and Cisco IPsec implementations:

• The Cisco configuration documentation and utilities use the term ISAKMP (or isakmp) to refer to IKE components.
• Under certain conditions, Cisco IOS IPsec negotiates two unidirectional IKE SAs with a peer instead of one bidirectional IKE SA.
HP Printers

HP-UX IPSec will interoperate with any HP printer with an HP Jetdirect 635n installed. The features tested with HP-UX IPSec A.02.01 and HP printers include the following:

• IKE with preshared key authentication.
• IKE with Main Mode and Aggressive Mode.
• Transport IPsec transforms.
• Tunnel IPsec transforms.
• IPv4 addresses.
• IPv6 addresses.
Appendix C Migrating from Previous Versions of HP-UX IPSec
Migrating from Previous Versions of HP-UX IPSec

This appendix provides information on migrating to the current version of HP-UX IPSec from previous versions.
Pre-Installation Migration Instructions

Before installing HP-UX IPSec version A.02.01, verify that your installation meets the following conditions:

• MD5 version compatibility: If you are using MD5 transforms, all HP-UX IPSec systems must be version A.01.04 or higher. For more information, refer to “MD5 Version Compatibility” on page 251.
• Migrating from HP-UX IPSec versions prior to A.01.03 (such as A.01.01 or A.
To view an HP-UX IPSec log file, use the command

    ipsec_report -audit audit_file_name [-file output_file_name]

By default, HP-UX IPSec log files are located in the /var/adm/ipsec directory. The log file name format is auditdate_information.log.

Migrating from Versions Prior to A.01.03

If you are updating to HP-UX IPSec version A.02.01 from a version released prior to A.01.03 (such as version A.01.01 or A.01.
You must re-establish the HP-UX IPSec password using the command

    ipsec_admin -newpasswd
Post-Installation Migration Instructions

Configuration File

Beginning with version A.02.00, HP-UX IPSec stores configuration data in a configuration database instead of a policy file. To migrate a policy configuration file from an earlier version of HP-UX IPSec to a configuration database, use the following procedure.

Step 1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.02.01.
Step 2. Examine the contents of the configuration database using the following command:

    ipsec_config show all

Step 3. Modify the configuration database, if necessary, using the ipsec_config delete and ipsec_config add commands. Refer to the ipsec_config (1M) man page for more information.

Step 4. The ipsec_migrate utility does not configure the autoboot option.
Retrieving a VeriSign Certificate Revocation List

Beginning with release A.02.01, HP-UX IPSec no longer supports the VeriSign CRL automatic retrieval method using the /var/adm/ipsec_gui/cron/crl.cron script file. (The /var/adm/ipsec_gui/cron/crl.cron file in version A.02.01 retrieves a CRL stored in an LDAP directory.) If you had an entry in the root user’s crontab file to execute the crl.cron file, you must delete it.
Appendix D HP-UX IPSec Configuration Examples
HP-UX IPSec Configuration Examples

This appendix provides configuration examples for the following topologies:

• “Host to Host telnet” on page 259. This section contains example ipsec_config batch files for encrypting and authenticating all telnet traffic between two systems using dynamic keys and preshared keys for IKE authentication.
Host to Host telnet

You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2) on a private, isolated LAN. You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. By default, all other network traffic will pass in clear text. You do not have a Public Key Infrastructure, so you can use only preshared keys for IKE primary authentication.
Apple Configuration

Host IPsec Policies

On Apple, you configure two host IPsec policies. The first host IPsec policy (telnetAB) is for outbound telnet requests from Apple to Banana (users on Apple using the telnet service to Banana). Note that since the telnet clients on Apple may use any non-reserved TCP port number, you do not specify a port number in the source address.
    add host telnetAB \
        -source 15.1.1.1 \
        -destination 15.2.2.2/32/TELNET \
        -priority 20 -action ESP_AES128_HMAC_SHA1

    add host telnetBA \
        -source 15.1.1.1/32/TELNET \
        -destination 15.2.2.2 \
        -priority 30 -action ESP_AES128_HMAC_SHA1

IKE Policy

You configure an IKE policy, banana, to use when Apple negotiates IKE Security Associations (SAs) with Banana. The ipsec_config batch file entry is listed below:

    add ike banana -remote 15.2.2.
    # IKE Policy
    add ike apple -remote 15.1.1.1 -authentication psk

    # Auth record with preshared key
    add auth apple -remote 15.1.1.
Subnet ESP with Exceptions

You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access to this LAN from outside nodes. There is one system outside the LAN with IPsec, Potato, that you will allow to communicate with the nodes in your network using AES with SHA1. All other packets from external nodes will be discarded. All nodes within the LAN have HP-UX IPSec installed, except for internal routers.
Carrot Configuration

The ipsec_config batch file on Carrot contains the following entries.

Host IPsec Policies

You configure four host IPsec policies on Carrot.

1. potato: accepts all packets to and from system Potato using ESP-AES-HMAC-SHA1.

    add host potato -destination 193.3.3.3 -priority 20 \
        -action ESP_AES128_HMAC_SHA1

2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to pass in clear text. Notice how the 192.1.1.
    add host potato -destination 193.3.3.3 -priority 20 \
        -action ESP_AES128_HMAC_SHA1

    add host pass_icmp -destination 192.1.1.0/24 \
        -protocol ICMP -priority 30 -action pass

    add host aes_lan -destination 192.1.1.0/24 \
        -priority 40 -action ESP_AES128_HMAC_SHA1

    add host default -action DISCARD

IKE Policies

You are using preshared keys for IKE authentication with system Potato.
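The Carrot batch file above relies on three properties that are easy to get wrong when a batch file is edited by hand: every host policy has its own priority, the only pass action is restricted to one protocol, and an explicit default policy with the DISCARD action closes everything else off (without it, unmatched traffic passes in clear text). The following is an added example, not part of the HP-UX IPSec product or this guide: a small Python pre-check that joins the backslash-continued lines of a batch file, parses each add host statement, and reports those three conditions. The batch text is a constructed copy of the Carrot entries; the option grammar (an -option followed by one value, or a bare flag) is an assumption made for this example.

```python
"""Sanity checks for an ipsec_config batch file (added example, not HP code)."""
import shlex

# Constructed sample modelled on the Carrot batch file in this appendix.
CARROT_BATCH = r"""
add host potato -destination 193.3.3.3 -priority 20 \
    -action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \
    -protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \
    -priority 40 -action ESP_AES128_HMAC_SHA1
add host default -action DISCARD
"""

# Constructed counter-example: a clashing priority, a blanket pass rule and no default policy.
LOOSE_BATCH = r"""
add host potato -destination 193.3.3.3 -priority 20 \
    -action ESP_AES128_HMAC_SHA1
add host pass_lan -destination 192.1.1.0/24 -priority 20 -action pass
"""


def join_continuations(text):
    """Join backslash-continued lines; drop blank lines and # comment lines."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            statements.append(" ".join(buf.split()))
        buf = ""
    return statements


def parse_policy(statement):
    """Turn 'add TYPE NAME -opt value ...' into a dict; a bare -flag maps to True (assumed grammar)."""
    tokens = shlex.split(statement)
    if len(tokens) < 3 or tokens[0] != "add":
        return None
    policy = {"type": tokens[1], "name": tokens[2]}
    i = 3
    while i < len(tokens):
        key = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            policy[key] = tokens[i + 1]
            i += 2
        else:
            policy[key] = True
            i += 1
    return policy


def check_host_policies(text):
    """Return findings about the host policies; an empty list means every check passed."""
    findings = []
    policies = [p for p in map(parse_policy, join_continuations(text))
                if p and p["type"] == "host"]
    by_priority = {}
    for p in policies:
        pri = p.get("priority")
        if pri in by_priority:
            findings.append(f"priority {pri} used by both {by_priority[pri]} and {p['name']}")
        elif pri is not None:
            by_priority[pri] = p["name"]
        # A pass action with no -protocol restriction sends everything it matches in clear text.
        if str(p.get("action", "")).lower() == "pass" and "protocol" not in p:
            findings.append(f"{p['name']} passes all protocols in clear text")
    default = next((p for p in policies if p["name"] == "default"), None)
    if default is None:
        findings.append("no explicit default host policy; unmatched traffic passes in clear text")
    elif str(default.get("action", "")).upper() != "DISCARD":
        findings.append(f"default host policy action is {default.get('action')}, not DISCARD")
    return findings


if __name__ == "__main__":
    for label, batch in (("carrot", CARROT_BATCH), ("loose", LOOSE_BATCH)):
        print(label, check_host_policies(batch) or ["ok"])
```

Run against the Carrot entries the check returns no findings; against the constructed LOOSE_BATCH it reports the duplicate priority, the unrestricted pass policy and the missing default, which is the order in which an administrator would want to fix them before loading the file with ipsec_config.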
Host to Gateway

On system Blue (15.5.5.5), you configure HP-UX IPSec to communicate back to Home1 (17.7.7.7) using a secure IPsec tunnel to a gateway (a router), accessed using its 16.6.6.6 address. The end-to-end packets pass in clear text. Blue must use the router as the gateway to Home1. You may need to configure an explicit IP route to Home1 that specifies 16.6.6.6 as the gateway address. The gateway (router) cannot be an HP-UX system.
Tunnel IPsec Policy

The end source address specification for the tunnel IPsec policy is 17.0.0.0/8, so this tunnel IPsec policy can be used for host policies to other nodes in the 17.*.*.* network.

    add tunnel torouter \
        -src 15.5.5.5 \
        -dst 17.0.0.0/8 \
        -tsrc 15.5.5.5 \
        -tdst 16.6.6.6 \
        -action ESP_DES_HMAC_MD5

IKE Policy

The router in this topology uses Oakley group (Diffie-Hellman group) 1 and DES encryption for IKE parameters.
Autoconfiguration Clients

The system Server1 has the address 2001:db8:11:11::1111 on the subnet 2001:db8:11:11::/64. This subnet has three autoconfiguration clients, configured with the user FQDN IKE IDs joe_s@corp.com, mick_j@corp.com, and paul_s@corp.com.

Server1 Configuration

The configuration on Server1 specifies the subnet address for the autoconfiguration clients as the remote address.
Host Policy

    add host autoconf_clients \
        -destination 2001:db8:11:11::/64 \    (autoconf client subnet addr.)
        -action ESP_AES128_HMAC_SHA1 \
        -flags AUTOCONF

IKE Policy

    add ike autoconf_clients \
        -remote 2001:db8:11:11::/64 \    (autoconf client subnet addr.)
        -authentication pkey

Authentication Records

There is one authentication record for each autoconfiguration client.
Client Configuration

The configuration is the same on each client, except for the local ID in the authentication record. This section lists the configuration for the system with local ID joe_s@corp.com.

Host Policy

The host policy on the client does not specify the AUTOCONF flag, because you specify the AUTOCONF flag when the remote system is an autoconfiguration client, not when the local system is an autoconfiguration client.
Manual Keys

You want to secure rlogin sessions from the system Dog (10.2.2.2) to the system Cat (10.4.4.4) using manual keys. There is no configuration for rlogin sessions from Cat to Dog; these sessions will use the default host IPsec policy and pass in clear text.

Dog Configuration

The ipsec_config batch file on Dog contains only one host IPsec policy.
    add host rlog_dog_to_cat -destination 10.2.2.2 \
        -source 10.4.4.
Appendix E HP-UX IPSec and HP-UX IPFilter
HP-UX IPSec and HP-UX IPFilter

This appendix describes configuration requirements when using HP-UX IPSec and HP-UX IPFilter on the same system.
Using HP-UX IPSec with HP-UX IPFilter

HP-UX IPSec and HP-UX IPFilter can coexist on the same system. You can configure HP-UX IPSec and HP-UX IPFilter so that there is some overlap in the configurations. However, you must be sure the overlapping configurations do not block each other. HP-UX IPFilter is located below HP-UX IPSec in the networking stack.
Example

On hostA, the local IP address is 10.10.10.10, and you want to allow IPsec ESP packets to and from hostB (IP address 15.15.15.15). On hostA, the IPFilter configuration contains the following entries:

    # Allow IKE packets to and from hostB
    pass in quick proto UDP from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
    pass out quick proto UDP from 10.10.10.10 port = 500 to 15.15.15.
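Because IPFilter sits below IPSec in the stack, a filter rule set that forgets either the IKE exchange (UDP port 500) or the ESP packets themselves (IP protocol 50) silently breaks the IPsec configuration above it. The following is an added example, not HP-UX code and not taken from this guide: a Python check that parses a simple IPFilter rule set of the form shown above and lists which of the four flows (IKE in/out, ESP in/out) between the local address and a peer have no matching pass rule. The two rule sets are constructed for hostA and hostB; the rule grammar handled is the subset used in this example (pass/block, in/out, optional quick, proto, from/to with optional port = N, or all).

```python
"""Check that an IPFilter rule set leaves room for IPsec (added example, not HP code)."""
import re

# Constructed rule set for hostA (10.10.10.10) and peer hostB (15.15.15.15),
# modelled on the example above. IKE uses UDP port 500; ESP is IP protocol 50 ("esp").
HOSTA_RULES = """
# Allow IKE packets to and from hostB
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
# Allow ESP packets to and from hostB
pass in quick proto esp from 15.15.15.15 to 10.10.10.10
pass out quick proto esp from 10.10.10.10 to 15.15.15.15
block in all
"""

# Constructed counter-example: IKE can negotiate SAs, but the ESP traffic they protect is blocked.
IKE_ONLY_RULES = """
pass in quick proto udp from 15.15.15.15 port = 500 to 10.10.10.10 port = 500
pass out quick proto udp from 10.10.10.10 port = 500 to 15.15.15.15 port = 500
block in all
"""

# Subset of the IPFilter rule grammar used in this example.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?)\s*$"
)

# (direction, protocol, destination port, label) for every flow IKE and ESP need.
REQUIRED = (
    ("in", "udp", "500", "IKE from peer"),
    ("out", "udp", "500", "IKE to peer"),
    ("in", "esp", None, "ESP from peer"),
    ("out", "esp", None, "ESP to peer"),
)


def parse_rules(text):
    """Parse rule lines into dicts, skipping blank lines and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rules.append(m.groupdict())
    return rules


def missing_ipsec_rules(text, local, peer):
    """Return the labels of IKE/ESP flows between local and peer that no pass rule permits."""
    rules = parse_rules(text)
    missing = []
    for direction, proto, port, label in REQUIRED:
        src, dst = (peer, local) if direction == "in" else (local, peer)
        permitted = any(
            r["action"] == "pass" and r["dir"] == direction
            and (r["proto"] or "").lower() == proto
            and r["src"] in (src, "any") and r["dst"] in (dst, "any")
            and (port is None or r["dport"] in (port, None))
            for r in rules
        )
        if not permitted:
            missing.append(label)
    return missing


if __name__ == "__main__":
    for label, rules in (("hostA", HOSTA_RULES), ("ike-only", IKE_ONLY_RULES)):
        print(label, missing_ipsec_rules(rules, "10.10.10.10", "15.15.15.15") or ["ok"])
```

The IKE-only rule set is the failure mode worth remembering: IKE completes, the SAs are created, and then every protected packet is discarded by the filter, which looks like an IPsec problem when it is a filtering one.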
Appendix F HP-UX IPSec and HP-UX Mobile IPv6
HP-UX IPSec and HP-UX Mobile IPv6

HP-UX IPSec can secure Mobile IPv6 packets when the HP-UX system is a Mobile IPv6 Home Agent. This appendix describes how to configure HP-UX IPSec to secure packets between the local system—the Home Agent—and Mobile IPv6 Mobile Node clients.
Introduction

Mobile IPv6 provides transparent routing of IP data-packets to a mobile IP device or node, such as a portable computer, regardless of the mobile node’s point of attachment to the network. HP provides Mobile IPv6 functionality with the HP-UX Mobile IPv6 product. For more information about HP-UX Mobile IPv6, refer to the HP-UX Mobile IPv6 product documentation available at the following URL: http://www.docs.hp.com/hpux/netcom/index.
Home Agent

The Mobile Node registers its Care-of Address with a router on the Mobile Node’s home network, known as the Home Agent (HA). The Home Agent maintains a record of the association, or binding of the Mobile Node’s current Care-of Address and its home address. The Home Agent also forwards packets addressed to the Mobile Node’s home address to the Mobile Node’s Care-of Address as needed.
Figure F-2 Mobile IPv6 Basic Operation: Mobile Node to Correspondent Node

Route Optimization

In addition to Basic Operation, Mobile IPv6 can operate using Route Optimization. Route Optimization improves data transmission rates between the Correspondent Node and Mobile Node. With Route Optimization, the Mobile Node and Correspondent Node communicate directly with each other and bypass the Home Agent.
Securing Mobile IPv6 with HP-UX IPSec

You can configure HP-UX IPSec to secure Mobile IPv6 packets between a Home Agent and Mobile Node on systems that are HP-UX Mobile IPv6 Home Agents. There are four types of Mobile IPv6 packets to secure with IPsec:

1. Binding Messages between the Home Agent and Mobile Node. The Binding Messages are Binding Update and Binding Acknowledgement messages.

2.
IPv6 Type 2 Routing Header—therefore, the binding messages are processed as if the appropriate source and destination address fields contain the Mobile Node’s Home Address. Only Binding Update and Binding Acknowledgement messages exchanged between the Home Agent and Mobile Node can be secured using IPsec; Binding Update and Binding Acknowledgement messages exchanged between the Mobile Node and Correspondent Nodes are secured using a Mobile IPv6 mechanism.
Prefix Discovery Packets Between the Home Agent and Mobile Node

RFC 3776 specifies that you should use ESP to secure ICMPv6 Mobile Prefix Solicitation and Mobile Prefix Advertisement messages between the Home Agent and Mobile Node. (See Appendix A, “RFC 3776 Mandatory Support” on page 4 for the RFC 3776 extract.) Prefix Discovery allows a Mobile Node to get network prefix information about its Home Network and to configure its Home Address if needed.
Configuration Overview

This section contains general information about two HP-UX IPSec configuration objects used for HP-UX Mobile IPv6:

• Gateway IPsec policies
• Manual keys

This section also provides an overview of the procedure for configuring HP-UX IPSec for HP-UX Mobile IPv6.

Understanding Gateway IPsec Policies

Gateway IPsec policies specify forwarding behavior on gateways, or nodes that forward IP packets.
Figure F-4 Gateway IPsec Policies

Configuring Manual Keys

If the Mobile IPv6 client does not support IKE, you must use manual key Security Associations (SAs). Manual key SAs do not use IKE to generate and distribute encryption keys. Instead, the administrator manually configures and distributes the encryption keys.
In installations using the HP-UX IPSec default range for dynamic key SPI numbers (300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 - 4294967295.

auth_key    The auth_key is the hexadecimal authentication key, prefixed by 0x. For MD5, auth_key is 32 hexadecimal digits. For SHA-1, auth_key is 40 hexadecimal digits. The key must match what is configured on the remote system.

enc_key     The enc_key is the hexadecimal encryption key, prefixed by 0x.
Nested Transforms

If you are using an ESP transform nested in an AH transform with manual keys, you must specify two -in statements and two -out statements:

    -in manual_key_sa_specification
    -in manual_key_sa_specification
    -out manual_key_sa_specification
    -out manual_key_sa_specification

The first -in and -out statements specify the parameters for the AH transform. The second -in and -out statements specify the parameters for the ESP transform.
See “Step 3: (Recommended) Securing Prefix Discovery Messages Between the Home Agent and Mobile Node” on page 299 for a description of this step.

Step 4. (Optional) Configure two gateway IPsec policies and a tunnel policy to secure payload packets between the Mobile Node and Correspondent Node when they are routed through the Home Agent.
Step 1: (Required) Securing Binding Messages Between the Home Agent and Mobile Node

RFC 3776 specifies that you must use IPsec to secure binding messages between the Home Agent and Mobile Node. To secure binding messages, configure a host IPsec policy on the Home Agent to secure Mobile IPv6 Mobility Header (MH) packets between the Home Agent and the Mobile Node.
-source home_agent_addr

The home_agent_addr is the Home Agent’s IP address. If you are using manual keys, this cannot be a wildcard or subnet address.

-destination mn_home_addr[/prefix]

The mn_home_addr is the Mobile Node’s home address. If you are using manual keys, this cannot be a wildcard or subnet address. If you are using IKE, you can specify a subnet address and prefix.
Step 2: (Recommended) Securing Return Routability Messages Routed Through the Home Agent

RFC 3776 specifies that you should use IPsec to secure Return Routability (RR) Home Test Init and Home Test messages routed through the Home Agent.

NOTE If you are going to secure payload packets sent through the Home Agent, you can skip this step.
Figure F-5 Mobile IPv6 RR Home Test Init and Home Test Packets

To secure Return Routability messages between Mobile Nodes and Correspondent Nodes as they are forwarded through the Home Agent, use the following procedure to configure three IPsec policies on the Home Agent for each Mobile Node.
specifications are relative to the packets forwarded by the Home Agent: the source is the Mobile Node’s home address and the destination is the Correspondent Node address, or an IPv6 wildcard address (0::0). If you are using manual keys, you must configure one policy for each Mobile Node.
-destination cn_addr

The cn_addr is the Correspondent Node’s address. In many cases, there will be a large number of possible Correspondent Nodes and you may want to use the IPv6 wildcard address instead (0::0).

-protocol MH

The protocol must be MH (Mobile IPv6 Mobility Headers).
    ipsec_config add gateway gwy_policy_name
        -source cn_addr
        -destination mn_home_addr[/prefix]
        -protocol MH
        [-priority priority_number]
        -tunnel rr_tunnel_name
        -action FORWARD
        -flags MIPV6

gwy_policy_name

The gwy_policy_name is the user-defined name for the gateway IPsec policy. The gwy_policy_name must be unique for each gateway IPsec policy and is case-sensitive.
-action FORWARD

The action must be FORWARD.

-flags MIPV6

The flags must include MIPV6.

Step 2C: Return Routability Messages: Configuring the Home Agent - Mobile Node Tunnel

Configure the tunnel between the Home Agent and Mobile Node used for Return Routability packets.
If you are using IKE, you can omit this parameter. The policy will use the destination address and prefix from the -destination argument.

-source cn_addr

The cn_addr is the Correspondent Node’s address. In many cases, there will be a large number of possible Correspondent Nodes and you may want to use the IPv6 wildcard address instead (0::0).
Step 3: (Recommended) Securing Prefix Discovery Messages Between the Home Agent and Mobile Node

If the Mobile Node supports prefix discovery, RFC 3776 specifies that you should use IPsec to secure the ICMPv6 Mobile Prefix Solicitation and Mobile Prefix Advertisement messages. You can skip this step if the Mobile Nodes do not support prefix discovery.
-source home_agent_addr

The home_agent_addr is the Home Agent’s IP address. If you are using manual keys, this cannot be a wildcard or subnet address.

-destination mn_home_addr[/prefix]

The mn_home_addr is the Mobile Node’s home address. If you are using manual keys, this cannot be a wildcard or subnet address. If you are using IKE, you can specify a subnet address and prefix.
Step 4: (Optional) Securing Payload Packets Routed Through the Home Agent

RFC 3776 specifies that you may use IPsec to secure data (payload) packets between Mobile Nodes and Correspondent Nodes when these packets are forwarded through the Home Agent. This is the data path for Basic Operation, used when Route Optimization is not established.
NOTE

• The protocol argument value is ALL.
• The priority_number must be greater (lower priority) than the policy configured in “Step 2A: Return Routability Messages: Configuring the Home Agent - Correspondent Node Gateway IPsec Policy” on page 293.
-priority priority_number

The priority_number is the priority value HP-UX IPSec uses when selecting a gateway IPsec policy (a lower priority value has a higher priority). The priority must be unique for each gateway IPsec policy. The range is 1 - 2147483647.
Syntax

    ipsec_config add gateway gwy_policy_name
        -source cn_addr
        -destination mn_home_addr[/prefix]
        -protocol ALL
        [-priority priority_number]
        -tunnel payload_tunnel_name
        -action FORWARD
        -flags MIPV6
        [-homeclear interface_name]

gwy_policy_name

The gwy_policy_name is the user-defined name for the gateway IPsec policy. This name must be unique for each gateway IPsec policy and is case-sensitive.
-flags MIPV6

The flags must include MIPV6.

Step 4C: Payload Packets: Configuring the Home Agent - Mobile Node Tunnel

Configure the tunnel between the Home Agent and Mobile Node used for payload packets. The syntax is the same as the one used in “Step 2C: Return Routability Messages: Configuring the Home Agent - Mobile Node Tunnel” on page 297, except protocol is ALL.
-destination mn_home_addr

The mn_home_addr is the Mobile Node’s home address.

-action transform_name

The transform_name must be an authenticated ESP transform with a non-null authentication method, according to the Mobile IPv6 protocol specification. For example, ESP_AES128_HMAC_SHA1.
Step 5: Configuring IKE Policies

If you are using manual keys, skip this step. If you are using IKE, configure at least one IKE policy for each Mobile Node, or an IKE policy for a group of Mobile Node clients by specifying a subnet address and prefix.
the HostPolicy-Defaults section of the profile file (this policy will be the last policy evaluated before the default policy). The default automatic priority increment value (priority) is 10. If this is the first IKE policy created, ipsec_config uses the automatic priority increment value as the priority.
Acceptable Values:
    MD5 (128-bit key Hashed Message Authentication Code using RSA Message Digest-5, HMAC-MD5)
    SHA1 (160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1)

Default: The value of the hash parameter in the IKE-Defaults section of the profile file used. The default hash parameter value is MD5.

-encryption encryption_algorithm

The encryption_algorithm is the encryption algorithm for encrypting IKE messages.
access only to data protected by that key. When PFS is configured, the IKE daemon creates a new IKE SA for each IPsec SA negotiation and performs a Diffie-Hellman exchange for each IPsec SA negotiation.

Range: 1 - 255.

Default: 100.
Step 6: Configuring Authentication Records

If you are using manual keys, skip this step. You must configure one authentication record for each Mobile Node. The record must include the following specifications:

• The remote address (the -remote argument) must specify the Mobile Node’s home address.
• The record must specify remote ID information (it must include -rtype and -rid arguments).
-exchange AM

The exchange mode must be Aggressive Mode (AM).

-ltype local_id_type and -lid local_id

The local_id_type and local_id are the ID type and value the local system sends to the remote system when negotiating an IKE SA. This must match what is configured on the remote system. If you are using RSA signatures and the remote system is an HP-UX system, this must also match information in the certificate for the local system.
    CN=commonName
    C=country
    O=organization
    OU=organizationalUnit

The attributes are all optional, but you must specify at least one. Separate multiple attributes using commas. The order of the attributes is ignored and the DN is not case sensitive. If there are spaces in the DN, you must enclose the DN in double quotes (“”). For example, “CN=host1,C=US,O=My Company,OU=Blue Lab”.
Default: You must configure values for -rtype and -rid when configuring authentication records for Mobile IPv6 clients. If you do not configure these values, HP-UX IPSec will attempt to use the remote IPv6 address from the packet header, which will be a dynamically-assigned Care-of Address.
Mobile IPv6 Manual Key Configuration Example

This section contains ipsec_config batch file entries for a Mobile IPv6 Home Agent using manual keys.

Figure F-6

• The local system’s (Home Agent) IP address is 2001:db8:11:11::fefe:1111.
• The Mobile Node’s IP address is 2001:db8:11:11::fefe:2222.
Policies for Return Routability Messages (Step 2)

There are two gateway policies and a tunnel policy for Return Routability messages. You can skip this step if you are going to secure payload packets routed through the Home Agent (Step 4).

Gateway IPsec Policy for Home Agent - Correspondent Node Segments (Step 2A)

You can omit this policy if you are using the default gateway IPsec policy shipped with HP-UX IPSec.
        -in ESP/2500009/0x1234567890123456789012345678901234567890\
            /0x12345678901234567890123456789012/0x1234567890123456 \
        -out ESP/2500010/0x0123456789012345678901234567890123456789\
            /0x01234567890123456789012345678901/0x0123456789012345

Prefix Discovery Messages (Step 3)

This step is optional. You can skip this step if the Mobile Node does not support prefix discovery.
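Manual key SAs give the administrator nothing to fall back on if a field is wrong: a mistyped SPI, a key of the wrong length, or an inbound SPI that overlaps the dynamic key range only shows up when traffic fails. The following is an added example, not HP-UX IPSec code and not taken from this guide: a Python validator for the -in and -out values above, using the rules stated in the Configuration Overview (inbound SPIs outside the default dynamic range 300 - 2500000 and within 1 - 4294967295; auth_key 0x-prefixed with 32 hex digits for MD5 or 40 for SHA-1; enc_key 0x-prefixed). Its assumptions are labelled in the code: it reads the field layout protocol/spi/auth_key/enc_key from the example entries on this page, derives the encryption algorithm and hash from a transform name such as ESP_AES128_HMAC_SHA1, takes the expected enc_key lengths from the algorithms' key sizes rather than from this guide, and does not interpret any field after enc_key.

```python
"""Validate HP-UX IPSec manual key SA fields (added example, not HP code)."""
import re

# Default dynamic key SPI range from the Configuration Overview; inbound manual SPIs must avoid it.
DYNAMIC_SPI_RANGE = (300, 2500000)
SPI_MAX = 4294967295

# Hex digit counts for auth_key as stated in this guide: MD5 32, SHA-1 40.
AUTH_KEY_HEX_DIGITS = {"MD5": 32, "SHA1": 40}
# Hex digit counts for enc_key derived from the algorithms' key sizes (assumption, not from
# this guide): DES 64-bit key including parity, 3DES three 64-bit keys, AES128 128 bits.
ENC_KEY_HEX_DIGITS = {"DES": 16, "3DES": 48, "AES128": 32}

# The -in value from the manual key example on this page, with its line continuation joined.
IN_SPEC = ("ESP/2500009/0x1234567890123456789012345678901234567890"
           "/0x12345678901234567890123456789012/0x1234567890123456")


def parse_transform(action):
    """Split ESP_<enc>_HMAC_<hash> or AH_<hash> into (protocol, enc_alg, hash_alg)."""
    m = re.fullmatch(r"ESP_([A-Z0-9]+)_HMAC_(MD5|SHA1)", action)
    if m:
        return "ESP", m.group(1), m.group(2)
    m = re.fullmatch(r"AH_(MD5|SHA1)", action)
    if m:
        return "AH", None, m.group(1)
    raise ValueError(f"unsupported transform name: {action}")


def check_hex_key(label, value, expected_digits):
    """A key must be 0x-prefixed hexadecimal of exactly the expected number of digits."""
    if not value.startswith("0x"):
        return [f"{label} must be prefixed with 0x"]
    digits = value[2:]
    if not re.fullmatch(r"[0-9a-fA-F]+", digits):
        return [f"{label} contains non-hexadecimal characters"]
    if len(digits) != expected_digits:
        return [f"{label} has {len(digits)} hex digits, expected {expected_digits}"]
    return []


def check_manual_sa(spec, action, inbound):
    """Validate one -in/-out value of the assumed form PROTO/spi/auth_key[/enc_key[/...]].

    Fields after enc_key are not interpreted. Returns a list of findings; empty means valid.
    """
    fields = spec.split("/")
    if len(fields) < 3:
        return [f"specification needs at least PROTO/spi/auth_key: {spec}"]
    proto, spi_text, auth_key = fields[0], fields[1], fields[2]
    want_proto, enc_alg, hash_alg = parse_transform(action)
    findings = []
    if proto != want_proto:
        findings.append(f"protocol {proto} does not match transform {action}")
    if not spi_text.isdigit():
        findings.append(f"SPI {spi_text!r} is not a number")
    else:
        spi, (lo, hi) = int(spi_text), DYNAMIC_SPI_RANGE
        if spi < 1 or spi > SPI_MAX:
            findings.append(f"SPI {spi} outside 1 - {SPI_MAX}")
        elif inbound and lo <= spi <= hi:
            findings.append(f"inbound SPI {spi} collides with the dynamic key range {lo} - {hi}")
    findings += check_hex_key("auth_key", auth_key, AUTH_KEY_HEX_DIGITS[hash_alg])
    if enc_alg:
        if len(fields) < 4:
            findings.append(f"{action} needs an enc_key field")
        else:
            findings += check_hex_key("enc_key", fields[3], ENC_KEY_HEX_DIGITS[enc_alg])
    return findings


if __name__ == "__main__":
    print(check_manual_sa(IN_SPEC, "ESP_AES128_HMAC_SHA1", inbound=True) or ["ok"])
    print(check_manual_sa("ESP/1000/0x1234/0x5678", "ESP_AES128_HMAC_SHA1", inbound=True))
```

The page's own -in value passes with an authenticated AES-128/SHA-1 transform (40 and 32 hex digits, SPI above the dynamic range); the constructed second call shows the three findings an administrator most often has to chase down by hand.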
    add gateway mn2222_payload_to_cn \
        -source 2001:db8:11:11::fefe:2222 \    (Mobile Node’s Home Address)
        -destination 0::0 \    (wildcard for any Correspondent Node)
        -protocol ALL -pri 300 -action FORWARD -flags MIPV6

Gateway IPsec Policy for Home Agent - Mobile Node Segments (Step 4B)

    add gateway mn2222_payload_to_mobile_node \
        -source 0::0 \    (wildcard for any Correspondent Node)
        -destination 2001:db8:11:11::fefe:2222 \    (Mobile Node’s Home
Mobile IPv6 Dynamic Key Configuration Example

This section contains ipsec_config batch file entries for a Mobile IPv6 Home Agent using dynamic keys. The topology is similar to the manual key configuration example, except that there are two Mobile Nodes, and the configuration uses subnet addresses.
2001:db8:11:11::/64

• The tunnel policies do not explicitly specify a destination tunnel endpoint (the -tdestination parameter is omitted). Instead, the example specifies the Mobile Nodes’ subnet address and prefix for the end destination (-destination 2001:db8:11:11::/64). At run time, the destination tunnel endpoint inherits the address from the actual end destination address when the tunnel is created.
add gateway mipv6_rr_to_cn \
    -source 2001:db8:11:11::/64 \        (Mobile Node subnet addr.)
    -destination 0::0 \                  (wildcard for any Correspondent Node)
    -protocol MH -pri 200 -action FORWARD -flags MIPV6

Gateway IPsec Policy for Home Agent - Mobile Node Segments (Step 2B)

add gateway mipv6_rr_to_mobile_node \
    -source 0::0 \                       (wildcard for any Correspondent Node)
    -destination 2001:db8:11:11::/64 \   (Mobile Node subnet addr.)
Payload Packets Routed Through the Home Agent (Step 4)

This step is optional. There are two gateway policies and a tunnel policy to secure payload messages between the Mobile Node and the Correspondent Node when they are routed through the local node (the Home Agent).
add tunnel mipv6_payload_tunnel \
    -tsource 2001:db8:11:11::fefe:1111 \   (Home Agent)
    -source 0::0 \                         (wildcard for any Correspondent Node)
    -destination 2001:db8:11:11::/64 \     (Mobile Node subnet addr.)
    -protocol ALL \
    -action ESP_AES128_HMAC_SHA1

IKE Policy (Step 5)

add ike mipv6_clients \
    -remote 2001:db8:11:11::/64 \          (Mobile Node subnet addr.)
Appendix G
HP-UX IPSec and Serviceguard
HP-UX IPSec can secure HP-UX Serviceguard network traffic. This appendix describes how to configure HP-UX IPSec as a Serviceguard package service, so that a package fails or fails over if HP-UX IPSec terminates.
Introduction

A Serviceguard cluster is a networked group of HP 9000 or Integrity servers (host systems known as nodes) with redundant hardware and software, so that a single point of failure does not significantly disrupt service. Application packages (individual HP-UX processes) can be grouped together in failover packages.
Each package can have one or more unique package addresses. A package address is a relocatable IP address that is dynamically assigned to the cluster node on which the package is currently running. In Figure G-1, the package pkgA is currently running on Node1, and its relocatable package address, 15.98.98.98, is assigned to an interface on Node1. Package clients connect to or access the packages using the package addresses.
If a package client is an HP-UX system using a version of HP-UX IPSec released prior to A.01.07, or if it is not an HP-UX system, the package client may not delete its SA information when it receives the INITIAL-CONTACT notify message. In these cases, an administrator must manually delete the SAs on the package client.
Configuration Overview

Requirements

To use HP-UX IPSec with Serviceguard, your topology must meet the following requirements:

• The same version of HP-UX IPSec (A.01.07 or A.02.00) must be installed on all cluster nodes. (For information on using HP-UX IPSec A.01.07 with Serviceguard, refer to the HP-UX IPSec A.01.07 product documentation.)

• Serviceguard version A.11.16 or later must be installed on all cluster nodes.
Configuration Steps

When configuring HP-UX IPSec for Serviceguard, configure HP-UX IPSec on one cluster node using an ipsec_config batch file, according to the instructions in Chapter 4, “Configuring HP-UX IPSec,” on page 89. Additional configuration requirements are listed below and described in the following sections. After you have verified the HP-UX IPSec configuration on that node, copy the configuration files to the other cluster nodes.
The authentication records contain IKE ID information to verify the ID information in the security certificates.

• “Step 6: Verifying and Testing the HP-UX IPSec Configuration” on page 354
  Verify and test the HP-UX IPSec configuration on the node on which you configured IPsec before distributing the IPsec configuration files.
Step 1: Configuring a Common HP-UX IPSec Password

If you are using certificate-based IKE authentication, you must assign the same HP-UX IPSec password on all nodes in the Serviceguard cluster. Use the following command to set the HP-UX IPSec password on each system:

    ipsec_admin -newpasswd

See Chapter 2, “Step 3: Establishing the HP-UX IPSec Password” on page 67 for more information.
Step 2: Configuring HP-UX Host IPsec Policies for Serviceguard

Overview

Use the procedure described in Chapter 4, “Step 1: Configuring Host IPsec Policies” on page 102 to configure host IPsec policies, with the following additional requirements:

• Configure PASS host IPsec policies for all packets sent between the heartbeat IP addresses.
• “Configuring Host IPsec Policies for ServiceGuard Manager” on page 340
• “Configuring Host IPsec Policies for Cluster Object Manager (COM)” on page 342
• “Summary: Serviceguard Port Numbers and Protocols” on page 343

Determining Serviceguard Cluster Information

Before configuring IPsec policies, determine the following information about the Serviceguard cluster:

• Heartbeat IP addresses
  The heartbeat IP addr
Specify the following values for the remaining filter fields in the host IPsec policies:

• Protocol: ALL
• Source and destination ports: 0 (all ports)

For the cluster shown in Figure G-1 on page 327, one way to configure PASS host IPsec policies for the heartbeat address pairs is to configure six host IPsec policies with the following filter specifications:

CAUTION

Source IP Address/Prefix    Destination IP Addr
subnet. For example, you could replace the policies for the first three address pairs in the above table with one host IPsec policy that has the following filter:

Source IP Address/Prefix         10.0.0.0/8
Destination IP Address/Prefix    10.0.0.
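The following script is an added example, not part of the HP-UX IPSec guide or of the Serviceguard product: it generates the per-pair PASS host IPsec policy entries for the heartbeat addresses of the three-node example cluster, plus the single-subnet alternative described above. The "add host ... -action PASS" argument form is modelled on the page's "add gateway" entries and is an assumption, as are the policy names and the treatment of host policies as bidirectional (one entry per unordered node pair).

```shell
#!/bin/sh
# Added example; not from the HP-UX IPSec guide or the Serviceguard product.
# Generates PASS host IPsec policy entries, in ipsec_config batch file form,
# for every heartbeat address pair of a Serviceguard cluster, so heartbeat
# traffic is neither discarded nor wrapped in AH/ESP. Assumptions not taken
# from the page: the "add host ... -action PASS" form mirrors the page's
# "add gateway" syntax; policy names hb_<lan>_<node>_<node> are made up;
# host policies are treated as bidirectional, so one entry is emitted per
# unordered node pair.

# Constructed cluster data, one node per line: "name hb_addr_lan1 hb_addr_lan2".
# Addresses follow the three-node example cluster in this appendix
# (10.x.x.x dedicated heartbeat LAN, 15.x.x.x shared heartbeat/data LAN).
CLUSTER_NODES='Node1 10.1.1.1 15.1.1.1
Node2 10.2.2.2 15.2.2.2
Node3 10.3.3.3 15.3.3.3'

# Emit one "add host" PASS policy per unordered pair of heartbeat addresses
# on the same LAN (same column); protocol ALL, all ports (the default).
gen_heartbeat_pass_policies() {
    printf '%s\n' "$CLUSTER_NODES" | awk '
    {
        name[NR] = $1
        for (c = 2; c <= NF; c++) addr[NR, c] = $c
        if (NF > ncol) ncol = NF
    }
    END {
        for (c = 2; c <= ncol; c++)
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    printf "add host hb_%d_%s_%s -source %s -destination %s -protocol ALL -action PASS\n", c - 1, name[i], name[j], addr[i, c], addr[j, c]
    }'
}

# Alternative the appendix describes: one policy covering a whole dedicated
# heartbeat subnet (source and destination are both the subnet/prefix).
# $1 = policy name, $2 = subnet with prefix length, e.g. 10.0.0.0/8
gen_subnet_pass_policy() {
    printf 'add host %s -source %s -destination %s -protocol ALL -action PASS\n' "$1" "$2" "$2"
}

# Number of per-pair entries generated: 3 nodes on 2 LANs gives 6.
count_heartbeat_policies() {
    gen_heartbeat_pass_policies | wc -l | tr -d ' '
}

# Stand-alone run: print the batch file entries for this cluster.
gen_heartbeat_pass_policies
gen_subnet_pass_policy hb_dedicated_lan 10.0.0.0/8
```

The per-pair output is the six-policy layout the text describes; the subnet form collapses the three dedicated-LAN pairs into one entry, as the text suggests.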
Quorum Server IPsec Policies

If HP-UX IPSec is installed on the Quorum Server, configure host IPsec policies for the packets listed below with actions (PASS or transform lists) that match the policies on the cluster nodes.
The cluster nodes also initiate TCP connections to the remote command clients using dynamically assigned source and destination ports, as listed below. You must configure HP-UX IPSec so that it does not discard the packets listed below; however, HP recommends that you do not allow these packets to pass in clear text. For more information, see “Maximizing Security” on page 91.
Cluster Node Host IPsec Policies for ServiceGuard Manager

For each cluster node, configure host IPsec policies so that HP-UX IPSec does not discard the packets listed below (that is, the transform list contains any transform except DISCARD). If HP-UX IPSec is not installed on the ServiceGuard Manager system, configure PASS host IPsec policies for these packets.
Configuring Host IPsec Policies for Cluster Object Manager (COM)

If you are using a Cluster Object Manager (COM) on a system outside of the cluster to provide connections to COM clients, such as ServiceGuard Manager, configure HP-UX IPSec so that it does not discard the packets listed in the sections below.
You must also configure HP-UX IPSec so that it does not discard packets to COM clients, as listed below.

Source IP Address         COM system address (or wildcard)
Destination IP Address    COM client address
Protocol                  TCP
Source Port               0
Destination Port          5303

Configure corresponding host IPsec policies on the COM clients as appropriate.
Table G-1 Serviceguard Port Numbers and Protocols (Continued)

Port    Protocols     Service
5300    TCP, UDP      HA Cluster Heartbeat (hacl-hb). Used as the destination port between cluster nodes.
5301    TCP           HA Cluster General Services (hacl-gs). Used as the destination port between cluster nodes.
5302    TCP and UDP   HA Configuration (ha-cfg). Used as destination ports between cluster nodes.
Port                                 Protocols   Service
dynamic (49152-65535 by default)     TCP         Serviceguard network probes. Used as the source and destination port between cluster nodes.

NOTE: This list of Serviceguard services may not be exhaustive. New Serviceguard utilities may be developed that use port numbers different from those listed above.
Step 3: Configuring HP-UX IPSec IKE Policies

Configure IKE policies as described in Chapter 4, “Step 3: Configuring IKE Policies” on page 123.

Cluster IKE Policies
The cluster nodes must have IKE policies with remote address specifications for the cluster clients.

Cluster Client IKE Policies
The cluster clients must have IKE policies with remote address specifications that include the package addresses.
Step 4: Configuring Authentication Records for Preshared Keys

This section describes configuration requirements for authentication records if you are using preshared keys for IKE authentication. If you are not using preshared keys for IKE authentication, go to “Step 5: Configuring Authentication Records for Certificates” on page 350. The preshared key information must be the same on all nodes in the cluster.
• Node1 (10.1.1.1 and 15.1.1.1)
• Node2 (10.2.2.2 and 15.2.2.2)
• Node3 (10.3.3.3 and 15.3.3.3)

The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and data LAN.

The cluster also has two packages:
• pkgA (15.98.98.98)
• pkgB (15.99.99.99)

There are two package clients:
• Client1 (15.4.4.4)
• Client2 (15.5.5.
Remote IP Address      Key
16.98.98.98 (pkgA)     client2_key
16.99.99.
Step 5: Configuring Authentication Records for Certificates

This section describes configuration requirements for authentication records if you are using security certificates (RSA signatures) for IKE authentication. If you are not using security certificates for IKE authentication, go to “Step 6: Verifying and Testing the HP-UX IPSec Configuration” on page 354.
Cluster Node

On each cluster node, add entries to the ipsec_config batch file with add auth operations to configure an authentication record for each cluster client, as follows:

• Remote IP Address (-remote): The cluster client address.
• Local ID type (-ltype): IPV4.
• Local ID value (-lid): The IP address in the subjectAlternativeName field of the certificate for the cluster.
  — You do not need to enter this argument if the cluster client is an HP-UX system and is not multihomed. HP-UX IPSec will use IPV4 as the ID type.
  — If the cluster client is a multihomed HP-UX system, specify IPV4.
  — If the cluster client is not an HP-UX system, enter the value sent by the cluster client.

• Local ID value (-lid): The IKE ID value sent by the cluster client.
• Client1 (15.4.4.4)
• Client2 (15.5.5.5)

HP-UX IPSec is securing the traffic between the clients and the package addresses.

IKE ID Configuration on Cluster Nodes

On each cluster node, the ipsec_config batch file contains the following entries:

add auth client1 -remote 15.4.4.4 -ltype IPV4 -lid 15.1.1.1
add auth client2 -remote 15.5.5.5 -ltype IPV4 -lid 15.1.1.
Step 6: Verifying and Testing the HP-UX IPSec Configuration

Start and verify HP-UX IPSec on the cluster node on which you configured IPsec, using the procedure in Chapter 4, “Step 8: Committing the Batch File Configuration and Verifying Operation” on page 144.
Step 7: Configuring HP-UX IPSec Start-up Options

HP-UX IPSec must be running on all nodes in the cluster before Serviceguard starts. After you have verified the configuration, you can configure HP-UX IPSec to start automatically at system boot-up time; see Chapter 4, “Step 9: Configuring HP-UX IPSec to Start Automatically” on page 148.
Step 8: Distributing HP-UX IPSec Configuration Files

After you have verified and tested the HP-UX IPSec configuration on one node, distribute the HP-UX IPSec configuration database file, /var/adm/ipsec/config.db, to the other nodes in the cluster.

NOTE: Do not redistribute the configuration database file while HP-UX IPSec is running.
Step 9: Configuring Serviceguard

Configure Serviceguard according to the Serviceguard product documentation, with the additional requirements listed below. Verify the Serviceguard configuration using the cmcheckconf command, as described in the Serviceguard product documentation.

Cluster Configuration

HP strongly recommends that you do not secure heartbeat messages using IPsec (with AH or ESP).
Monitor Script Polling Interval

By default, the HP-UX IPSec monitor script polls IPsec every 60 seconds to verify that it is available. To modify the polling interval, change the value of the IPSEC_POLLING_INVERVAL parameter in the monitor script file, /var/adm/ipsec/ipsec_status.sh.
Step 10: Starting HP-UX IPSec and Serviceguard

HP-UX IPSec must be running on all cluster nodes, with the same HP-UX IPSec configuration files, before you start the Serviceguard cluster. Use the following procedure to start HP-UX IPSec and Serviceguard.

1. Start HP-UX IPSec. There are two ways to start HP-UX IPSec:
   • Manually, using the ipsec_admin -start command.
   • Automatically, at system boot-up time.
Glossary

3DES
Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits are used for keys). 3DES is suitable for bulk data encryption.

AES
Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec supports AES with a 128-bit key. AES is suitable for encrypting large amounts of data.
DES has been cracked (data encoded using DES has been decoded by a third party).

Diffie-Hellman
Method to generate a symmetric key where two parties can publicly exchange values and generate the same shared key. Start with prime p and generator g, which may be publicly known (typically these numbers are from a well-known “Diffie-Hellman Group”). Each party selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). They exchange the public values.
packet filter is used to select a policy for a packet, and the action is applied to the packets using the policy.

IPsec SA
A security association (SA), or security session, for IPsec. An IPsec SA also specifies encryption and authentication methods, encryption keys and lifetimes. Also referred to as IPsec/QM SA, Phase 2 SA, Quick Mode SA, QM SA.

IPsec/QM SA
See IPsec SA.
MM
See Main Mode.

Oakley
Oakley is a key exchange protocol that works within the ISAKMP framework to generate authenticated keying material for use with other security services.

out-of-band key exchange
A key exchange using a secure communication channel that is outside of normal computer communication channels, such as a face-to-face meeting or telephone call.

addition, most algorithms provide assurance that only the holder of k1 can correctly encrypt data that can be decrypted by k2.
transform
A transform defines the IPsec action(s) to be taken on the IP data, such as passing the data in clear text, discarding the data, authenticating and encrypting the data using ESP, or authenticating the data using AH.

SA
See Security Association.

SHA1
Secure Hash Algorithm-1. Authentication algorithm that generates a 160-bit message digest using a 160-bit key. IPsec truncates the message digest to 96 bits.