HP-UX IPSec version A.02.01 Administrator's Guide

Appendix G: HP-UX IPSec and Serviceguard
Step 6: Verifying and Testing the HP-UX IPSec Configuration
Start and verify HP-UX IPSec on the cluster node on which you configured IPsec, using the procedure in Chapter 4, "Step 8: Committing the Batch File Configuration and Verifying Operation" on page 144.
Use ipsec_policy to test your configuration and ensure that it meets the following conditions:

- HP-UX IPSec allows messages sent between the heartbeat IP addresses to pass in clear text, including Serviceguard heartbeat messages (TCP and UDP destination port 5300).

- HP-UX IPSec does not discard control messages for optional Serviceguard services, including Quorum Server and Serviceguard Manager messages. Table G-1 on page 343 lists the port numbers and protocols for Serviceguard services control messages.
To verify that all messages sent between the heartbeat IP addresses pass in clear text, run ipsec_policy and specify only the source and destination IP addresses (use the default wildcard values for the other parameters). For example, you could use the following command on node 15.1.1.1 to verify that all messages sent to 15.2.2.2 pass in clear text:

ipsec_policy -sa 15.1.1.1 -da 15.2.2.2
You can also explicitly verify that HP-UX IPSec will pass heartbeat messages in clear text. The example below tests whether Serviceguard TCP heartbeat messages (port 5300) will pass in clear text to node 15.1.1.1 from node 15.2.2.2. The dummy value 65535 is used for the dynamically assigned source port number (-sp 65535).

ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 5300 -p tcp
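The two commands above check one direction of one node pair. A cluster has several heartbeat addresses, and the manual's conditions must hold for every ordered source/destination pair, for both TCP and UDP port 5300, so the check is easy to leave incomplete. The script below is an added example, not part of the HP-UX manual or the product, that generates the full set of ipsec_policy commands for a list of heartbeat addresses and can run them on an HP-UX IPSec node. It assumes the ipsec_policy options shown on this page; the PASS_PATTERN used to judge ipsec_policy output is an assumption to adjust for your release, and the Table G-1 ports for Quorum Server and Serviceguard Manager are not reproduced here, so add them to SG_PORTS from your own copy of the table.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec Administrator's Guide): enumerate the
# ipsec_policy checks for every ordered pair of Serviceguard heartbeat addresses
# and, optionally, run them. Option names follow the page; PASS_PATTERN is an
# assumption about ipsec_policy output and may need adjusting.

SG_PORTS="5300"           # Serviceguard heartbeat port (page); add Table G-1 ports here
SG_PROTOS="tcp udp"       # heartbeat uses both protocols on port 5300
DUMMY_SPORT=65535         # stand-in for the dynamically assigned source port, as in the manual
PASS_PATTERN="${PASS_PATTERN:-PASS}"   # assumed token in ipsec_policy output for clear-text pass

# gen_checks NODE_IP... : print one ipsec_policy command per line for each
# ordered (source, destination) pair: the address-only wildcard check first,
# then one explicit check per protocol and port.
gen_checks() {
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            echo "ipsec_policy -sa $src -da $dst"
            for proto in $SG_PROTOS; do
                for port in $SG_PORTS; do
                    echo "ipsec_policy -sa $src -sp $DUMMY_SPORT -da $dst -dp $port -p $proto"
                done
            done
        done
    done
}

# run_checks NODE_IP... : execute each generated command on an HP-UX IPSec node
# and report OK/FAIL per command. Returns 1 if any check did not match
# PASS_PATTERN, 2 if ipsec_policy is not available on this host.
run_checks() {
    command -v ipsec_policy >/dev/null 2>&1 || {
        echo "ipsec_policy not found; run this on an HP-UX IPSec cluster node" >&2
        return 2
    }
    tmp=$(mktemp) || return 2
    gen_checks "$@" > "$tmp"
    rc=0
    while read -r cmd; do
        # $cmd is intentionally unquoted so the shell splits it into arguments
        if $cmd 2>&1 | grep -q "$PASS_PATTERN"; then
            echo "OK   : $cmd"
        else
            echo "FAIL : $cmd"
            rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# Usage on a cluster node: run_checks 15.1.1.1 15.2.2.2
# To review the command list without running it: gen_checks 15.1.1.1 15.2.2.2
```

For the two node addresses used on this page, gen_checks emits six commands: for each direction, the address-only check followed by the TCP and UDP port 5300 checks. Run the script on each cluster node, since ipsec_policy evaluates the policy database of the host it runs on.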