ipsec_admin(1M) ipsec_admin(1M) (HP-UX IPSec Software Required)

NAME
ipsec_admin - HP-UX IPSec administration utility

SYNOPSIS
/usr/sbin/ipsec_admin -start|st [-audit|au audit_directory] [-auditlvl|al alert|error|warning|informative|debug] [-maxsize|ms max_audit_file_size] [-traceon|tn tcp|udp|igmp|all] [-spi_min spi_min_value] [-spi_max spi_max_value] [-spd_soft spd_soft_limit] [-spd_hard spd_hard_limit]
/usr/sbin/ipsec_admin -stop|sp
/usr/sbin/ipsec_admin -status|s
/usr/sbin/ipsec_admin -silentsta
to be used does not have the correct version, ipsec_admin issues an error message and exits. You can migrate the configuration file to the correct version using ipsec_migrate.

-stop|sp
Stops the HP-UX IPSec subsystem, including all user-space daemons.

-status|s
Reports the current status of the HP-UX IPSec subsystem. The report displays the current state of HP-UX IPSec (active or not active).
-spi_min spi_min_value
Specifies the lower bound for inbound, dynamic-key Security Parameters Index (SPI) numbers, in hexadecimal (prefixed by 0x) or decimal.
Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).
Default: If you do not specify spi_min_value, the default is the value specified for the spi_min parameter in the StartUp-Defaults section of the profile file. The default spi_min value is 300.
ERRORS
ipsec_admin fails if any of the following conditions is encountered:
• Command used incorrectly - Usage message is returned.
ipsec_config(1M) ipsec_config(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config - add, delete, export, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database

SYNOPSIS
ipsec_config add object_type argument_list
ipsec_config batch argument_list
ipsec_config delete object_type argument_list
ipsec_config export -o outfile [-s source_file]
ipsec_config help [operation [object_type]]
ipsec_config show object_type argument_list

DESCRIPTION
The ipsec_config command adds, delete
gateway
Gateway IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is a gateway. Use this option only when the local system is an HP-UX Mobile IPv6 Home Agent.

host
Host IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is an end host.
EXAMPLES
You have two systems, Apple (10.1.1.1) and Banana (10.2.2.2). Apple and Banana are not multihomed. You want to secure all telnet packets between the two systems using ESP with AES, authenticated with SHA-1. This is a private network, and you will allow all other packets to pass in clear text.
ipsec_config_add(1M) ipsec_config_add(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config_add - add HP-UX IPSec configuration objects in the HP-UX IPSec configuration database

SYNOPSIS
ipsec_config add object_type argument_list

DESCRIPTION
The ipsec_config add command configures objects in the database. The following ipsec_config add commands are described in more detail in the Options and Operands section below.
When HP-UX IPSec is the initiator in an IKE Phase 1 negotiation, or the responder in an IKE Phase 1 negotiation using Main Mode, it searches for an authentication record by comparing the remote IP address in the IP packet header with the remote address field in the authentication record. If a remote system is multihomed, you must configure an authentication record for each of the remote system’s IP addresses.
Type   Range     Default
IPv4   0 - 32    32 (0 for all-zero addresses)
IPv6   0 - 128   128 (0 for all-zero addresses)

The default prefix is zero (0) if the address is all zeros.

Warning: Specifying a subnet address filter and a preshared key allows you to configure a single preshared key for an entire subnet. However, HP strongly recommends that you configure an individual authentication record for each remote system with a unique preshared key.
-preshared preshared_key arguments if you specify KEY-ID as the ID type. The maximum length for KEY-ID is 272 characters.

USER-FQDN
A User-Fully Qualified Domain Name in SMTP format, such as user@myhost.hp.com. If you are using RSA signatures (RSASIG) for IKE authentication and the remote system is an HP-UX system, this must match the user FQDN in the subjectAlternativeName of the certificate for the local system.
FQDN       Fully Qualified Domain Name, also known as Domain Name Service or DNS name
KEY-ID     Character string
USER-FQDN  User-Fully Qualified Domain Name in SMTP format
X500-DN    X.500 Distinguished Name or DN

Default: IPV4, if the IKE daemon receives the IKE negotiation packets from an IPv4 interface, or IPV6, if the IKE daemon receives the IKE negotiation packets from an IPv6 interface.
country
The two-character ISO 3166-1 alpha-2 code for the country in the DN, for example US for United States of America.

organization
The organization of the DN, for example Hewlett-Packard. The maximum length is 64 characters.

organizationalUnit
The organizationalUnit for the DN, for example Marketing. The maximum length is 64 characters.
Options and Operands
The ipsec_config add bypass command recognizes the following operand:

ip_address
The address to bypass. This can be a virtual IP address (a secondary IP address configured for an interface, such as an address configured for lan0:1). An entry in the bypass interface list affects only the logical interface for the IP address, not all logical interfaces on the physical interface (network card).
When used to retrieve the CRL from an LDAP directory, the ipsec_config add crl command also saves the LDAP directory parameters in the file /var/adm/ipsec/cainfo.txt, which is used by the CRL cron script file, /var/adm/ipsec/ipsec_gui/cron/crl.cron. The ipsec_config add crl command is one of three ipsec_config commands for using certificates with HP-UX IPSec; the other commands are ipsec_config add cert and ipsec_config add csr.
Description
The ipsec_config add csr command creates a PKCS#10 Certificate Signing Request (CSR) for the local system. The ipsec_config utility generates a public/private key pair, builds a PKCS#10 CSR carrying the public key and the requested subject information (a CSR is not itself a certificate; the CA issues the X.509 certificate from it), and writes the CSR PEM (Privacy-Enhanced Mail, base64) encoded. The ipsec_config utility saves the CSR in the file /var/adm/ipsec/ipsec.csr.
Range: 1 - 65535. Default: 365.

-key-length|klen number_bits
Specifies the key length for the public/private key pair, in bits. Verify that the number you specify is allowed by your CA. Valid values: 512, 1024, 2048 bits. Default: 1024. A 512-bit RSA key can be factored with modest resources and 1024-bit RSA is no longer considered adequate, so use 2048 unless your CA does not accept it.

Examples
Create a CSR for the system myhost with the DN cn=myhost,c=us,o=hp,ou=lab as the subject, and its IPv4 address, 192.6.2.2, in the subjectAlternativeName field.
ipsec_config add gateway default -action PASS

You must configure two gateway IPsec policies for each end-to-end source and destination address pair; you configure one gateway IPsec policy for the data path between the gateway and each endpoint.

Options and Operands
gateway_policy_name
The user-defined name for the gateway IPsec policy. This name must be unique for each gateway IPsec policy and is case-sensitive.
If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address. The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero addresses.

Type   Range     Default
IPv4   0 - 32    32 (0 for all-zero addresses)
IPv6   0 - 128   128 (0 for all-zero addresses)

The default is 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
-pri[ority] priority_number
Specifies the priority value HP-UX IPSec will use when selecting a gateway IPsec policy (a lower priority value has a higher priority). The priority must be unique for each gateway IPsec policy. Range: 1 - 2147483647.
To use IKE (dynamic keying) with a MIPv6 client, you must omit the -in and -out arguments. You must configure an IKE policy for the MIPv6 client. You can configure one IKE policy that is used by multiple MIPv6 clients by specifying the appropriate address prefix length. You must also configure an authentication record for each MIPv6 client.
Synopsis
ipsec_config add host host_policy_name [-nocommit|nc] [-prof[ile] profile_name]
    [-source|src ip_address[/prefix[/port_number|service_name]]]
    [-destination|dst ip_address[/prefix[/port_number|service_name]]]
    [-prot[ocol] protocol_id] [-pri[ority] priority_number]
    [-tun[nel] tunnel_policy_name] [-act[ion] PASS|DISCARD|transform_list]
    [-flags flags] [-in manual_key_sa_specification [-in manual_key_sa_specification]] [-
IPsec policy for a packet. Specify a local IP address in the source address filter. For an outbound packet, HP-UX IPSec compares the source address filter with the source address fields in the packet, and the destination address filter with the destination address fields in the packet.
service_name   Port   Protocol
DNS-TCP        53     TCP
DNS-UDP        53     UDP
FTP-DATA       20     TCP
FTP-CONTROL    21     TCP
HTTP-TCP       80     TCP
HTTP-UDP       80     UDP
NTP            123    UDP
REXEC          512    TCP
RLOGIN         513    TCP
RWHO           513    UDP
REMSH          514    TCP
REMPRINT       515    TCP
SMTP           25     TCP
TELNET         23     TCP
TFTP           69     UDP

-prot[ocol] protocol_id
Upper-layer protocol. Value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPsec policy for a packet.
The values are defined as follows:

PASS|DISCARD
Defines the action.
PASS     Allow packets using this host IPsec policy to pass in clear text with no alteration. The default host IPsec policy shipped with the product specifies -action PASS.
DISCARD  Discard packets using this host IPsec policy.
ESP_DES_HMAC_MD5 (ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode, authenticated with HMAC-MD5.)
ESP_DES_HMAC_SHA1 (ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode, authenticated with HMAC-SHA1.)
ESP_NULL_HMAC_MD5 (ESP, with null encryption and authenticated with HMAC-MD5.)
ESP_NULL_HMAC_SHA1 (ESP, with null encryption and authenticated with HMAC-SHA1.)
same IPsec SA. Session-based keying incurs more overhead but provides more security and privacy. If you do not specify session-based keying, all packets using the same IPsec policy to the same remote system will share the same IPsec SA pair and cryptography keys. You cannot specify the EXCLUSIVE flag with manual keys, or if the action is PASS or DISCARD.

MIPV6
Specifies that this IPsec policy is used for Mobile IPv6 packets.
Refer to the spi_min and spi_max parameters for the ipsec_config add startup command for more information on the range for dynamic key SPI numbers.

auth_key
The hexadecimal authentication key (prefixed by 0x). The auth_key value must match what is configured on the remote system. Acceptable values: Hexadecimal digits, prefixed by 0x.
ipsec_config add host mkey_10.2.2.2 -source 10.1.1.1 \
    -destination 10.2.2.
-nocommit|nc
The ipsec_config utility verifies the IKE policy, but does not add it to the configuration database. This argument is not valid if you specify an add ike operation in a batch file.

-prof[ile] profile_name
The name of the profile file containing default argument values for this policy. The argument values are evaluated once, when the policy is added to the configuration database.
Acceptable values:
PSK     preshared key
RSASIG  RSA signature using security certificates

If you specify PSK, you must configure a preshared key using the ipsec_config add auth command. If you specify RSASIG, you must use security certificates. Refer to the HP-UX IPSec product manual for information on using security certificates with HP-UX IPSec.
Default: 100.

Examples
Configure an IKE policy that specifies RSA signature (security certificate) for IKE authentication and Oakley Group 2 (1024-bit MODP group):

ipsec_config add ike apple -remote 10.1.1.1 -pri 10 -auth RSASIG -group 2

Configure an IKE policy for all other systems in the local network (10.*.*.*) that specifies preshared keys for IKE authentication:

ipsec_config add ike all_others -remote 10.0.0.
-auditdir|ad audit_directory
Specifies the directory in which HP-UX IPSec creates audit files. Allowable values: Full file path name, up to 1023 characters long.
Default: If you do not specify audit_directory, the default is the directory specified for the directory parameter in the StartUp-Defaults section of the profile file used. The default directory value is /var/adm/ipsec in /var/adm/ipsec/.ipsec_profile.
Examples
Configure HP-UX IPSec to automatically start at system boot-up time, and to create audit files in the /tmp/ipsec directory. All other startup parameters will be set to the default values.

ipsec_config add startup -autoboot ON -dir /tmp/ipsec

Configure HP-UX IPSec to create audit files in the /tmp/ipsec directory. All other startup parameters will be set to the default values; autoboot will be set to OFF.
-tsource|tsrc tunnel_address
-tdestination|tdst tunnel_address
The IP address for the tunnel endpoint. The -tsource tunnel_address is the local tunnel endpoint; the -tdestination tunnel_address is the remote tunnel endpoint. Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the tunnel source and destination address.
Type   Range     Default
IPv4   0 - 32    32 (0 if address is all-zeros)
IPv6   0 - 128   128 (0 if address is all-zeros)

The default is 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify prefix if you specify port_number or service_name.

port_number
port is the upper-layer protocol (TCP or UDP) port number. Specify the upper-layer protocol with the -protocol argument described below.
value for protocol is ALL in /var/adm/ipsec/.ipsec_profile.

-act[ion] transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulating Security Payload) headers. A transform_list specifies the transforms acceptable for packets using the policy.
Mode, authenticated with HMAC-SHA1.)
ESP_NULL_HMAC_MD5 (ESP, with null encryption and authenticated with HMAC-MD5.)
ESP_NULL_HMAC_SHA1 (ESP, with null encryption and authenticated with HMAC-SHA1.)

AES128 is the strongest of the listed ciphers, with performance comparable to or better than DES and 3DES. 56-bit DES can be brute-forced with commodity hardware and should not be chosen where AES128 is available to both peers.

lifetime_seconds
The maximum lifetime for the IPsec SA, in seconds.
numbers.

auth_key
The hexadecimal authentication key (prefixed by 0x). The auth_key value must match what is configured on the remote system. Acceptable values: Hexadecimal digits, prefixed by 0x.

Type    Default
MD5     32 hexadecimal digits (128 bits)
SHA-1   40 hexadecimal digits (160 bits)

enc_key
The hexadecimal encryption key (prefixed by 0x). This is required only for ESP.
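A manual-key SA specification is easy to get subtly wrong (an MD5-length key on a SHA-1 transform, a missing enc_key for ESP, or an SPI that collides with the dynamic-key range ipsec_admin reserves). The following pre-check is an added example, not HP's code or part of ipsec_config. It encodes the constraints stated on this page (0x-prefixed hex keys; 32 hex digits for HMAC-MD5 and 40 for HMAC-SHA1; enc_key only for ESP; SPI in 1..0xFFFFFFFF and outside [spi_min, spi_max]). The encryption key sizes (DES 16 hex digits, 3DES 48, AES128 32) follow from the algorithms, not from the page, and the 3DES/AES128 transform names and the spi_max default used here are assumptions; take spi_min and spi_max from your own startup configuration.

```python
"""Pre-check a manual-key SA specification (added example, not HP code).

Applies the constraints the ipsec_config_add page states for auth_key,
enc_key and manual SPIs.  Encryption key sizes are the algorithms' own
(DES 64 bits incl. parity, 3DES 192, AES128 128); transform names beyond
those on the page and the spi_max default are assumptions."""
import re

AUTH_HEX_DIGITS = {"MD5": 32, "SHA1": 40}                     # from the page
ENC_HEX_DIGITS = {"NULL": 0, "DES": 16, "3DES": 48, "AES128": 32}  # algorithm sizes
HEX_KEY = re.compile(r"0x[0-9A-Fa-f]+")


def parse_transform(name):
    """'AH_SHA1' -> ('AH', None, 'SHA1'); 'ESP_DES_HMAC_MD5' -> ('ESP', 'DES', 'MD5')."""
    parts = name.upper().split("_")
    if parts[0] == "AH" and len(parts) == 2 and parts[1] in AUTH_HEX_DIGITS:
        return "AH", None, parts[1]
    if (parts[0] == "ESP" and len(parts) == 4 and parts[2] == "HMAC"
            and parts[1] in ENC_HEX_DIGITS and parts[3] in AUTH_HEX_DIGITS):
        return "ESP", parts[1], parts[3]
    raise ValueError(f"unknown transform: {name}")


def hex_key_digits(key):
    """Number of hex digits in a 0x-prefixed key, or -1 if it is malformed."""
    return len(key) - 2 if HEX_KEY.fullmatch(key) else -1


def check_manual_sa(transform, spi, auth_key, enc_key=None,
                    spi_min=300, spi_max=0xFFFFFFFF):
    """Return a list of problems; an empty list means the spec is acceptable.

    spi_min/spi_max default to the page's spi_min (300, read as decimal) and
    an ASSUMED spi_max; pass the values from your startup configuration."""
    try:
        proto, enc, auth = parse_transform(transform)
    except ValueError as exc:
        return [str(exc)]
    problems = []

    # Manual SPIs must be valid and must not overlap the dynamic-key range.
    if not 1 <= spi <= 0xFFFFFFFF:
        problems.append(f"SPI {spi:#x} outside 0x1-0xFFFFFFFF")
    elif spi_min <= spi <= spi_max:
        problems.append(f"SPI {spi:#x} lies in the dynamic-key range "
                        f"{spi_min:#x}-{spi_max:#x}; choose one outside it")

    want, got = AUTH_HEX_DIGITS[auth], hex_key_digits(auth_key)
    if got != want:
        problems.append(f"auth_key for HMAC-{auth} needs {want} hex digits "
                        f"(0x-prefixed), got {got if got >= 0 else 'malformed'}")

    if proto == "AH":
        if enc_key is not None:
            problems.append("enc_key is only meaningful for ESP")
    elif ENC_HEX_DIGITS[enc] == 0:
        if enc_key is not None:
            problems.append("ESP_NULL takes no enc_key")
    else:
        want = ENC_HEX_DIGITS[enc]
        got = hex_key_digits(enc_key) if enc_key else -1
        if got != want:
            problems.append(f"enc_key for {enc} needs {want} hex digits, "
                            f"got {got if got >= 0 else 'missing/malformed'}")
    return problems


if __name__ == "__main__":
    # Constructed keys; never reuse example key material on a real system.
    print(check_manual_sa("AH_SHA1", 0x100, "0x" + "ab" * 20))
    print(check_manual_sa("ESP_DES_HMAC_MD5", 0x1FE472, "0x" + "ab" * 16, "0x" + "01" * 8))
```

Run the check against both ends of the SA before adding the policy: the same transform, SPI and key values must be entered on the remote system, and a length mismatch is reported here rather than as a silent authentication failure after the policy is loaded.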
/var/adm/ipsec/.ipsec_profile   default ipsec_config profile file.

SEE ALSO
ipsec_admin(1M), ipsec_config(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M), ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M).
ipsec_config_batch(1M) ipsec_config_batch(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config_batch - allow for processing of IPsec config operations in a single batch file

SYNOPSIS
ipsec_config batch batch_file_name [-nocommit|nc] [-pro[file] profile_file]

DESCRIPTION
The ipsec_config batch command allows you to specify multiple ipsec_config add and ipsec_config delete operations in a single batch file for processing. HP-UX IPSec processes the operations in a batch file as a group.
# authenticate all outbound telnet sessions to 10.2.2.2
add host telnet_out -destination 10.2.2.2/32/TELNET \
    -pri 100 -action AH_SHA1
# authenticate all inbound telnet sessions from 10.2.2.2
add host telnet_in -source 0.0.0.0/0/TELNET \
    -destination 10.2.2.2 -pri 110 -action AH_SHA1
# IKE policy
add ike all_ike -remote 10.2.2.2 -pri 10000 -auth psk
# preshared key for 10.2.2.2
add auth aloha -remote 10.2.2.
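Because a batch is processed as a group, a single inconsistency rejects the whole file. The following parser and lint is an added example, not HP's tool or part of ipsec_config; it reads the batch format shown above ('#' comments, '\' line continuation, one add/delete operation per statement) and checks the rules stated on these pages: per-operation -nocommit on add ike is invalid inside a batch; priorities must be unique per policy type (stated for gateway policies, assumed here to hold for host and IKE policies as well); object names must be unique per type; and every add ike with -auth PSK needs an add auth record whose -remote filter covers the IKE policy's -remote. The sample batch files, the -preshared value and the option alias table are constructed for the example.

```python
"""Parse and lint an ipsec_config batch file (added example, not HP's tool).

Format as the ipsec_config_batch page shows it: one operation per statement,
'#' comments, '\\' continuation.  Checks applied are listed in the lead-in;
priority uniqueness for host/IKE policies is an assumption."""
import ipaddress
import shlex
from collections import defaultdict

# Long spellings the page shows alongside short ones, normalised (assumed set).
ALIASES = {"priority": "pri", "source": "src", "destination": "dst",
           "action": "act", "nocommit": "nc", "protocol": "prot"}


def statements(text):
    """Yield one token list per statement, joining '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        tokens = shlex.split(buf + line, comments=True)
        buf = ""
        if tokens:
            yield tokens


def parse_statement(tokens):
    """['add','host','x','-pri','100'] -> {'op','type','name','args'}."""
    if len(tokens) < 2:
        raise ValueError(f"incomplete statement: {tokens}")
    op, obj, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
    name = None
    if rest and not rest[0].startswith("-"):          # object name, if any
        name, rest = rest[0], rest[1:]
    args, key = {}, None
    for tok in rest:
        if tok.startswith("-"):
            key = ALIASES.get(tok.lstrip("-").lower(), tok.lstrip("-").lower())
            args[key] = []
        elif key is None:
            raise ValueError(f"value {tok!r} before any option in {tokens}")
        else:
            args[key].append(tok)
    return {"op": op, "type": obj, "name": name, "args": args}


def parse_batch(text):
    return [parse_statement(t) for t in statements(text)]


def to_network(spec):
    """'ip[/prefix]' -> network; default prefix is full length, 0 for all-zeros."""
    addr_s, _, prefix = spec.partition("/")
    addr = ipaddress.ip_address(addr_s)
    if not prefix:
        prefix = 0 if int(addr) == 0 else addr.max_prefixlen
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def lint_batch(stmts):
    """Return problem strings; an empty list means the batch passed."""
    problems, names, prios = [], defaultdict(set), defaultdict(dict)
    auth_nets = [to_network(s["args"]["remote"][0]) for s in stmts
                 if (s["op"], s["type"]) == ("add", "auth") and "remote" in s["args"]]
    for s in stmts:
        if s["op"] != "add":
            continue
        typ, name, args = s["type"], s["name"], s["args"]
        if typ == "ike" and "nc" in args:
            problems.append(f"add ike {name}: -nocommit is not valid in a batch file")
        if name is not None:
            if name in names[typ]:
                problems.append(f"add {typ} {name}: duplicate object name")
            names[typ].add(name)
        if "pri" in args and typ in ("host", "gateway", "ike"):
            pri = int(args["pri"][0])
            if pri in prios[typ]:
                problems.append(f"add {typ} {name}: priority {pri} already used by {prios[typ][pri]}")
            prios[typ].setdefault(pri, name)
        if typ == "ike" and [a.upper() for a in args.get("auth", [])] == ["PSK"]:
            remote = to_network(args["remote"][0])
            if not any(n.version == remote.version and remote.overlaps(n) for n in auth_nets):
                problems.append(f"add ike {name}: -auth PSK but no add auth record covers -remote {remote}")
    return problems


SAMPLE_BATCH = """\
# constructed sample in the page's batch-file format
add host telnet_out -destination 10.2.2.2/32/TELNET \\
    -pri 100 -action AH_SHA1
add host telnet_in -source 0.0.0.0/0/TELNET \\
    -destination 10.2.2.2 -pri 110 -action AH_SHA1
add ike all_ike -remote 10.2.2.2 -pri 10000 -auth psk
add auth aloha -remote 10.2.2.2 -preshared example-secret
"""

BROKEN_BATCH = """\
add host web_out -destination 10.3.3.3/32/HTTP-TCP -pri 100 -action AH_SHA1
add host web_in -source 0.0.0.0/0/HTTP-TCP -destination 10.3.3.3 -pri 100 -action AH_SHA1
add ike other -remote 10.3.3.3 -pri 20 -auth psk -nocommit
"""
```

lint_batch(parse_batch(open(path).read())) returns an empty list for SAMPLE_BATCH and three findings for BROKEN_BATCH (a duplicate host priority, -nocommit on add ike, and a PSK IKE policy with no matching auth record), each naming the offending statement.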
ipsec_config_delete(1M) ipsec_config_delete(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config_delete - delete configuration records from the HP-UX IPSec configuration database and delete certificate files

SYNOPSIS
ipsec_config del[ete] auth object_name [nocommit|nc]
ipsec_config del[ete] bypass|bp ip_addr [nocommit|nc]
ipsec_config del[ete] cert[ificate]
ipsec_config del[ete] gateway|gw object_name [nocommit|nc]
ipsec_config del[ete] host object_name [nocommit|nc]
ipsec_config del[ete] ike object_nam
ipsec_config_export(1M) ipsec_config_export(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config_export - export the contents of an HP-UX IPSec configuration database in an ipsec_config batch file compatible format

SYNOPSIS
ipsec_config export -o outfile [-s source_file]

DESCRIPTION
The ipsec_config export command uses the output from an ipsec_config show all command to export the contents of an HP-UX IPSec configuration database. The output is in a format that can be used as an ipsec_config batch file.
ipsec_config_show(1M) ipsec_config_show(1M) (HP-UX IPSec Software Required)

NAME
ipsec_config_show - display authentication records, bypass list, local certificate information, gateway IPsec policies, host IPsec policies, IKE policies, tunnel policies, and startup options

SYNOPSIS
ipsec_config show all
ipsec_config show auth auth_name
ipsec_config show bypass|bp ip_addr
ipsec_config show cert[ificate]
ipsec_config show gateway|gwy gw_policy_name
ipsec_config show host host_policy_name
ipsec_config show i
ipsec_migrate(1M) ipsec_migrate(1M) (HP-UX IPSec Software Required)

NAME
ipsec_migrate - HP-UX IPSec configuration file migration tool

SYNOPSIS
/usr/sbin/ipsec_migrate [-p policy_file]

DESCRIPTION
ipsec_migrate migrates HP-UX IPSec configuration files to the current version. The ipsec_migrate utility operates on HP-UX IPSec configuration files for IPsec policies, IKE policies, and bypass lists. In HP-UX IPSec releases prior to A.02.00, this information was stored in the file /var/adm/ipsec/policies.
RETURN VALUE
Upon successful completion, ipsec_migrate returns 0; otherwise it returns 1.

ERRORS
ipsec_migrate fails if any of the following conditions is encountered:
• Command used incorrectly - Usage message is returned.
• The user is not the superuser.
• The file specified in the -p option does not exist.
• The file specified in the -p option is not a regular file.
• The file specified in the -p option is not readable.
ipsec_policy(1M) ipsec_policy(1M) (HP-UX IPSec Software Required)

NAME
ipsec_policy - HP-UX IPSec policy tester

SYNOPSIS
/usr/sbin/ipsec_policy [-sa|saddr src_ip_addr] [-da|daddr dst_ip_addr] [-sp|sport src_port] [-dp|dport dst_port] [-p|protocol ICMP|ICMPV6|IGMP|MH|TCP|UDP] [-dir|direction out|in|forward|fwd]

DESCRIPTION
ipsec_policy is a utility program that allows the HP-UX IPSec Administrator to query the active policy database to determine which host or gateway IPsec Policy will be used for an I
-dp|dport dst_port
Specifies the destination port number (dst_port) of the packet. If the direction is out, this is the remote port number. If the direction is in, this is the local port number.
Range: An unsigned integer in the range 1 - 65535.
Default: If omitted, any port number is assumed.
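The lookup that ipsec_policy performs, and the address-filter rules given for ipsec_config add host (the -source filter always names the local system, so for an inbound packet it is compared with the packet's destination address and port; an omitted prefix defaults to the full address length, or 0 for an all-zeros address; a service name may stand in for a port number; the lowest priority number wins), can be modelled in a few lines. The following is an added example, not HP's code or the ipsec_policy implementation; the policy set, addresses and ports are constructed, patterned on the batch-file example on this page. Running it shows why an inbound telnet packet matches telnet_in rather than telnet_out even though both name 10.2.2.2.

```python
"""Model of HP-UX IPSec host policy selection (added example, not HP code).

Matching follows the ipsec_config_add and ipsec_policy pages: -source is
the LOCAL side (packet source when sending, packet destination when
receiving), -destination the remote side, prefix 0 and port 0 match any,
and the policy with the lowest priority number wins.  All policies,
addresses and ports here are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0          # omitted port matches any port
ANY_PROTOCOL = "ALL"  # -protocol default in the shipped profile

# Service names accepted in place of a port number (the page's table).
SERVICE_PORTS = {
    "DNS-TCP": 53, "DNS-UDP": 53, "FTP-DATA": 20, "FTP-CONTROL": 21,
    "HTTP-TCP": 80, "HTTP-UDP": 80, "NTP": 123, "REXEC": 512,
    "RLOGIN": 513, "RWHO": 513, "REMSH": 514, "REMPRINT": 515,
    "SMTP": 25, "TELNET": 23, "TFTP": 69,
}


@dataclass(frozen=True)
class Filter:
    """One address filter: a network plus a port (0 = any port)."""
    network: object           # ipaddress.IPv4Network or IPv6Network
    port: int = ANY_PORT

    def matches(self, addr, port):
        return (ipaddress.ip_address(addr) in self.network
                and self.port in (ANY_PORT, port))


def parse_filter(spec):
    """Parse 'ip[/prefix[/port_number|service_name]]' as the add host synopsis shows."""
    parts = spec.split("/")
    addr = ipaddress.ip_address(parts[0])
    if len(parts) > 1 and parts[1]:
        prefix = int(parts[1])
    else:  # page rule: full length, or 0 (match any) for an all-zeros address
        prefix = 0 if int(addr) == 0 else addr.max_prefixlen
    port = ANY_PORT
    if len(parts) > 2:
        port = SERVICE_PORTS.get(parts[2].upper()) or int(parts[2])
    return Filter(ipaddress.ip_network(f"{addr}/{prefix}", strict=False), port)


@dataclass(frozen=True)
class HostPolicy:
    name: str
    priority: int          # lower number = higher priority
    source: Filter         # local side of the packet
    destination: Filter    # remote side of the packet
    protocol: str = ANY_PROTOCOL
    action: str = "PASS"


def select_policy(policies, src, sport, dst, dport, protocol, direction):
    """Return the matching HostPolicy with the lowest priority number, or None."""
    if direction == "out":
        local, lport, remote, rport = src, sport, dst, dport
    elif direction == "in":   # inbound: the packet's destination is the local side
        local, lport, remote, rport = dst, dport, src, sport
    else:
        raise ValueError("direction must be 'in' or 'out'")
    matches = [p for p in policies
               if p.protocol in (ANY_PROTOCOL, protocol.upper())
               and p.source.matches(local, lport)
               and p.destination.matches(remote, rport)]
    return min(matches, key=lambda p: p.priority, default=None)


def example_policies():
    """Constructed policy set shaped like the page's batch-file example."""
    return [
        HostPolicy("telnet_out", 100, parse_filter("0.0.0.0"),
                   parse_filter("10.2.2.2/32/TELNET"), "TCP", "AH_SHA1"),
        HostPolicy("telnet_in", 110, parse_filter("0.0.0.0/0/TELNET"),
                   parse_filter("10.2.2.2"), "TCP", "AH_SHA1"),
        HostPolicy("default", 2147483647, parse_filter("0.0.0.0"),
                   parse_filter("0.0.0.0"), ANY_PROTOCOL, "PASS"),
    ]


if __name__ == "__main__":
    pols = example_policies()
    for pkt in [("10.1.1.1", 40000, "10.2.2.2", 23, "tcp", "out"),
                ("10.2.2.2", 40001, "10.1.1.1", 23, "tcp", "in"),
                ("10.2.2.2", 40001, "10.1.1.1", 80, "tcp", "in")]:
        chosen = select_policy(pols, *pkt)
        print(pkt, "->", chosen.name, chosen.action)
```

The model reproduces what ipsec_policy reports for the same 5-tuple and direction only when the policy set above matches the active database, so use it to reason about a proposed change and ipsec_policy to confirm what the running system actually does.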
ipsec_policy -sa fe80::260:b0ff:fec4:ace8 -sp 65535 \
    -da fe80::260:b0ff:fec4:ace7 -dp 23 -p tcp -dir in

On gateway G, you have two gateway IPsec policies configured for packets between end system 10.1.1.1 and end system 192.6.2.2. The first gateway IPsec policy is for the data path segment between the local system and 10.1.1.1. To verify that policy, enter the following command:

ipsec_policy -sa 192.6.2.2 -da 10.1.1.
ipsec_report(1M) ipsec_report(1M) (IPSec Software Required)

NAME
ipsec_report - report information about IPSec

SYNOPSIS
/usr/sbin/ipsec_report [-all] [-bypass] [-cache] [-sa [all|ike|ipsec]] [-host [act[ive]|conf[igured]]] [-gw|gateway [act[ive]|conf[igured]]] [-tun[nel]] [-ike] [-ip] [-audit audit_file [-entity ipsec_admin|ipsec_report|ipsec_policy|secauditd|ikmpd|secpolicyd]] [-file report_file]

DESCRIPTION
The ipsec_report utility reports information about the active HP-UX IPSec system, i
-entity ikmpd|ipsec_admin|ipsec_policy|ipsec_report|secauditd|secpolicyd
Display the audit records only for the specified entity. This option must be used with the -audit option.

-file report_file
Redirects all report output to a report file. If the report file already exists, ipsec_report overwrites the file; otherwise ipsec_report creates the file.

RETURN VALUE
Upon successful completion, ipsec_report returns 0; otherwise it returns 1.
Network Protocol
The upper-layer protocol in the IP header.

Direction
Indicates whether this entry is for inbound packets (received by the local system) or outbound packets (sent from the local system).

Action
The action or transform applied to packets matching this entry.
Active Sessions Created
(This field is only present for general outbound entries not created for specific SAs and that have exclusive policies.) Indicates the number of IPsec/QM SA sessions created.

Proposal n
The proposed transforms in the transform list for this policy, listed in preference order. Proposal 1 is the highest preference. The proposal information includes the transform type, lifetime seconds and lifetime kilobytes.
Authentication Algorithm: HMAC-SHA1
Outbound SPI (hex): 1FE472
Inbound SPI (hex): 241988
------------------- Active Host Policy Rule --------------------
Rule Name: telnet_in
ID: 5
Priority: 10
Src IP Addr: 192.1.1.0
Prefix: 24
Port number: 0
Dst IP Addr: 192.1.1.
IPSec: On
--------------------------- System Configured Interface ------------
Interface Name: lan1
Address: 192.2.2.1
IPSec: Off
--------------------------- System Configured Interface ------------
Interface Name: lan0:1*
Address: 192.1.3.3
IPSec: On

REPORT: ipsec_report -ike
The -ike option displays the IKE Policies that were configured by the IPSec administrator and loaded by the IPsec Policy daemon.
REPORT: ipsec_report -cache
The -cache option displays the Cache Policy Rules. The Cache Policy Rules are maintained by the Kernel Policy Engine and record the action (Action) to be taken for IP packets that match the 5-tuple (source IP address and port, destination IP address and port, and protocol) and direction.
Src IP Address
The source IP address that will be used in the IP header. This may be different than the original source IP address if tunneling is being used.

Dst IP Address
The destination IP address that will be used in the IP header. This may be different than the original destination IP address if tunneling is being used.
This field is not present for manual keys. There are no maximum lifetimes for manual key SAs since they are static.

The ipsec_report -sa ipsec command displays the following report:

------------------------ IPsec SA -----------------------
Sequence number: 1
SPI (hex): 1FE472
State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.1.1.1
Dst IP Addr: 192.1.1.
Quick Modes Processed
This indicates the number of times the IKE SA was used to negotiate a pair of IPsec SAs (each Quick Mode negotiation results in a pair of IPsec SAs).

Lifetime
The maximum lifetime for the IKE SA, in seconds, as negotiated with the remote IKE entity. If this lifetime is exceeded, the IKE SA is deleted.
Possible flags are defined as follows:
MIPV6  indicates this policy is used for Mobile IPv6. HP-UX IPSec checks the Mobile IPv6 binding cache for routing information.

Tunnel Name
The name of the tunnel policy used with this policy. This field is not present if no tunnel policy is configured for the policy.
Network Protocol
The upper-layer protocol in the IP header.

Action
The type of IPsec SAs for this tunnel. Possible values follow:
Dynamic key SA  Use dynamic keys to create IPsec SAs for the transform - an Authentication Header, AH, and/or Encapsulating Security Payload, ESP.
Manual key SA   Use manual keys to create IPsec SAs for the transform.

State
(This field is only present for dynamic key SAs.) The state of the SAs.
SPI (hex): 3EB
SA Type: ESP
Authentication Algorithm: HMAC-SHA1
Encryption Algorithm: DES-CBC
Src IP Addr: fe80::230:6666:7777:8888
Dst IP Addr: fe80::260:1111:2222:3333
SA direction: INBOUND
-- SA Number 2 --
SPI (hex): 3EA
SA Type: ESP
Authentication Algorithm: HMAC-SHA1
Encryption Algorithm: DES-CBC
Src IP Addr: fe80::260:1111:2222:3333
Dst IP Addr: fe80::230:6666:7777:8888
SA direction: OUTBOUND

AUTHOR
ipsec_report was developed by HP.