HP-UX IPSec version A.02.01 manpages

ipsec_migrate(1M)                                             ipsec_migrate(1M)
                                              (HP-UX IPSec Software Required)
NAME
     ipsec_migrate - HP-UX IPSec configuration file migration tool

SYNOPSIS
     /usr/sbin/ipsec_migrate [-p policy_file]
DESCRIPTION
     ipsec_migrate migrates HP-UX IPSec configuration files to the current
     version.

     The ipsec_migrate utility operates on HP-UX IPSec configuration files
     for IPsec policies, IKE policies, and bypass lists.  In HP-UX IPSec
     releases prior to A.02.00, this information was stored in the file
     /var/adm/ipsec/policies.txt by default.  In HP-UX IPSec releases
     A.02.00 and later, this information is stored in a configuration
     database, /var/adm/ipsec/config.db.

     Before migrating the /var/adm/ipsec/config.db and
     /var/adm/ipsec/cainfo.txt files, ipsec_migrate creates backup files in
     the directory /var/adm/ipsec/backup.  The backup files are named
     config.db.timestamp and cainfo.txt.timestamp.  The format of timestamp
     is dd-mm-yy-hh-mm-ss.

     ipsec_migrate requires the optional HP-UX IPSec software.
   Option
     ipsec_migrate recognizes the following command-line option and operand:

     -p policy_file
               Specifies the HP-UX IPSec policy file, such as
               /var/adm/ipsec/policies.txt.  Use this option if you are
               migrating from HP-UX IPSec version A.01.07 or earlier.

     ipsec_migrate uses a configuration file to determine the current
     revision and the list of transformations available to migrate
     configuration files from revision to revision.  If ipsec_migrate
     cannot build a set of transformations to migrate the input file from
     its revision to the desired revision, it reports an error.  The
     configuration file is proprietary and has no user-modifiable content.
   Migrating from HP-UX IPSec version A.01.05 (and earlier)
     ipsec_migrate changes all hashed rules to ordered rules.  If this
     conversion creates a name conflict with a previously existing ordered
     rule, the suffix _hash is added to the conflicting name.

     ipsec_migrate severs the relationship between IPsec rules and IKE
     rules that existed in versions prior to A.01.07.  If an IPsec rule
     uses a tunnel, an appropriate IKE rule is generated for the tunnel.
     If an IKE rule is found to be unused by any IPsec rule or tunnel, that
     IKE rule is not migrated to the new configuration file.

     ipsec_migrate forces all IPsec rules to be bi-directional.

     ipsec_migrate then performs the tasks described in Migrating from
     HP-UX IPSec version A.01.07 and Migrating from HP-UX IPSec version
     A.02.00.
   Migrating from HP-UX IPSec version A.01.07
     ipsec_migrate converts the configuration file into a configuration
     database.  The conversion is complex and space prevents a complete
     discussion here.  ipsec_migrate then performs the tasks described in
     Migrating from HP-UX IPSec version A.02.00.

     Caution: While the conversion produces a valid configuration database,
     the resulting configuration may not be an exact duplicate of the
     source configuration and may not be optimal.  You should inspect the
     resulting configuration carefully and modify or tune it using
     ipsec_config.

     ipsec_config does not migrate start-up options.  Use the ipsec_config
     add startup command to set start-up options.
   Migrating from HP-UX IPSec version A.02.00
     ipsec_migrate adds a version string to the /var/adm/ipsec/cainfo.txt
     file and changes the format.  If a certificate file exists
     (/var/adm/ipsec/certs.txt or /var/adm/ipsec/.Bcerts), ipsec_migrate
     renames it /var/adm/ipsec/ipsec.cert.  If a private key file for the
     certificate exists (/var/adm/ipsec/javabeans.txt or
     /var/adm/ipsec/.Bsec), ipsec_migrate renames it
     /var/adm/ipsec/ipsec.key.  ipsec_migrate updates the version number
     for /var/adm/ipsec/config.db.
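     The following POSIX sh script is an added example, not part of this
     manpage or of HP-UX IPSec: it inspects a backup directory using the
     config.db.timestamp / cainfo.txt.timestamp naming and the
     dd-mm-yy-hh-mm-ss format described under DESCRIPTION, reports the
     newest backup of each file, and checks that one migration run backed
     up both files.  The directory path, function names and the sample
     files it creates are constructed for the example; a file whose suffix
     is not a well-formed timestamp is ignored rather than sorted.

```shell
#!/bin/sh
# Added example, not part of the ipsec_migrate manpage or HP-UX IPSec: inspect
# the backups ipsec_migrate writes (config.db.<ts>, cainfo.txt.<ts>,
# ts = dd-mm-yy-hh-mm-ss as the manpage documents).

# ts_key TS: dd-mm-yy-hh-mm-ss -> sortable yymmddhhmmss; returns 1 if malformed.
ts_key() {
    case "$1" in
        [0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    IFS=- read -r dd mm yy hh mi ss <<EOF
$1
EOF
    printf '%s%s%s%s%s%s\n' "$yy" "$mm" "$dd" "$hh" "$mi" "$ss"
}

# newest_backup DIR BASENAME: print the newest DIR/BASENAME.<ts> file
# (BASENAME is config.db or cainfo.txt). Files whose suffix does not
# parse are skipped, so stray files are never mistaken for a backup.
newest_backup() {
    dir=$1; base=$2; best_key=; best_file=
    for f in "$dir/$base".*; do
        [ -e "$f" ] || continue
        suffix=${f##*/}; suffix=${suffix#"$base".}
        key=$(ts_key "$suffix") || continue
        if [ -z "$best_key" ] || [ "$key" -gt "$best_key" ]; then
            best_key=$key; best_file=${f##*/}
        fi
    done
    [ -n "$best_file" ] || return 1
    printf '%s\n' "$best_file"
}

# backup_pair_complete DIR TS: succeed only if both files that one
# ipsec_migrate run backs up are present for timestamp TS.
backup_pair_complete() {
    [ -e "$1/config.db.$2" ] && [ -e "$1/cainfo.txt.$2" ]
}

# make_sample_dir: constructed sample backup directory (not real HP-UX
# data) so the functions can be exercised without an HP-UX system.
make_sample_dir() {
    dir=$(mktemp -d)
    : > "$dir/config.db.31-12-09-23-59-59"
    : > "$dir/cainfo.txt.31-12-09-23-59-59"
    : > "$dir/config.db.01-01-10-00-00-01"   # newest run; cainfo.txt copy missing
    : > "$dir/config.db.bogus"               # wrong suffix; must be ignored
    printf '%s\n' "$dir"
}
```

     On a real system, call newest_backup and backup_pair_complete with
     /var/adm/ipsec/backup as DIR instead of the constructed directory.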
Hewlett-Packard Company                                    HP-UX IPSec A.02.01