HP-UX IPSec version A.02.01 Administrator's Guide
Troubleshooting HP-UX IPSec
Troubleshooting Procedures
Chapter 7, page 206
Checking Policy Configuration
There are two methods for determining which policy HP-UX IPSec uses
for a packet:
• Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets.
• Generate packets and examine the policy cache and policy entries to determine which policy HP-UX IPSec used for the packets.
Using ipsec_policy
Use the ipsec_policy command to determine which IPsec policy will be
used for a given packet. For example, on system 15.1.1.1, you want to
determine which host policy HP-UX IPSec will use for outbound telnet
requests to 15.2.2.2 (the local system 15.1.1.1 is the telnet client). Use
the following command:
ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 23 -p tcp -dir out
To determine which host policy HP-UX IPSec will use for inbound
telnet requests to 15.1.1.1 from system 15.2.2.2 (the local system
15.1.1.1 is the telnet server), you can use the following command:
ipsec_policy -da 15.1.1.1 -dp 23 -sa 15.2.2.2 -sp 65535 -p tcp -dir in
Refer to the ipsec_policy (1M) manpage for more information.
NOTE: Both examples shown above include a dummy user-space port number (65535) for the client port.
Examining the Policy Cache and Policy Entries
To determine the actual IPsec policy used for a packet, examine the
output from the ipsec_report -cache command to find the cached
policy decision for the packet, then use the Cookie field from the
ipsec_report -cache entry to find the matching entry in the
ipsec_report -host output. The cache entry below is for an attempted
outbound telnet session from system 192.1.1.1 to system 192.1.1.3. The