HP-UX IPSec version A.02.01 manpages

ipsec_report(1M) ipsec_report(1M)
(IPSec Software Required)
Active Sessions Created
(This field is only present for general outbound entries not created for specific SAs and that
have exclusive policies.) Indicates the number of IPsec/QM SA sessions created.
Proposal n
The proposed transforms in the transform list for this policy, listed in preference order.
Proposal 1 is the highest preference. The proposal information includes the transform type,
lifetime seconds and lifetime kilobytes. At least one transform type must match what is
configured on the remote system, and the lifetime parameters must be acceptable to the remote
system.
SA Pair Number n
(The SA information is only present for outbound entries created for SAs.) Internal index for
the SA pair used for this packet. Normally there is only one SA pair and this label is
SA Pair Number 1. However, a packet with a nested transform (an ESP nested within an AH) or
one that is sent through a tunnel requires multiple SAs.
SA Type
Indicates the IPsec transform for this SA. Possible values are AH (Authentication Header) and
ESP (Encapsulating Security Payload).
Encryption Algorithm
(This field is only present if the Security Association Type is ESP.) The encryption algorithm
used for the SA, as negotiated with the remote system.
Authentication Algorithm
(This field is only present if the Security Association Type is AH or ESP.) The authentication
algorithm used for the SA, as negotiated with the remote system.
Outbound SPI and Inbound SPI
The Security Parameters Index (SPI). The SPI is included in the IPsec AH or ESP protocol
header transmitted to the remote system. The SPI is also used to index IPsec SA entries in the
kernel Security Association database.
The inbound rule entries do not contain SA information because the system receives these
packets with a Security Parameters Index (SPI) in the Authentication Header (AH) or
Encapsulating Security Payload (ESP) header. HP-UX IPSec uses the SPI to find an entry in the
kernel Security Association database and does not query the Policy Manager for inbound
packets.
The ipsec_report -host active command displays all the outbound rules, then the inbound
rules.
------------------- Active Host Policy Rule ---------------------
Rule Name: telnet_in ID: 5 Priority: 10
Src IP Addr: 192.1.1.1 Prefix: 32 Port number: 23
Dst IP Addr: 192.1.1.0 Prefix: 24 Port number: 0
Network Protocol: TCP Direction: outbound
Action: Dynamic key SA FLAGS: EXCLUSIVE
Number of SA(s) Needed: 1 Pair(s)
Active Sessions Created: 1
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
------------------- Active Host Policy Rule ---------------------
Rule Name: telnet_in ID: 5 Cookie: 3 Priority: 10
Src IP Addr: 192.1.1.1 Prefix: 32 Port number: 23
Dst IP Addr: 192.1.1.3 Prefix: 32 Port number: 56122
Network Protocol: TCP Direction: outbound
Action: Dynamic key SA State: Ready
FLAGS: EXCLUSIVE
Number of SA(s) Needed: 1 Pair(s)
Number of SA(s) Created: 1 Pair(s)
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
-- SA Pair Number 1 --
SA Type: ESP
Encryption Algorithm: AES128-CBC
54 Hewlett-Packard Company 4 HP-UX IPSec A.02.01
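The listing above is flat text with several key/value pairs per line and values that may contain spaces ("Dynamic key SA"), which makes it awkward to audit by eye on a host with many rules. The following Python parser is an added example and is not part of the HP-UX manpage or of HP-UX IPSec: it splits the ipsec_report -host active output into rule entries, proposals and SA pairs, distinguishes the general policy entry from the SA-specific entry (the one carrying a Cookie), and then checks each SA pair against the entry's proposals, flagging an SA whose type or algorithms match no listed transform, one with no authentication algorithm, and one missing an SPI. The key list, the line-splitting rules and the transform naming scheme are assumptions drawn from the field names on this page, not from HP's documented output grammar. The sample text is a constructed copy of the page's SA-specific entry; the manpage cuts that record off after Encryption Algorithm, so the last three lines (Authentication Algorithm and the two SPIs) and their values are made up here to complete it.

```python
"""Parse 'ipsec_report -host active' output and check each SA pair against the
entry's proposals.  Added example: not part of the HP-UX manpage or of HP-UX
IPSec.  The key list, splitting rules and transform naming scheme are
assumptions based on the field names shown on this page."""
import re

# Several key/value pairs can share a line and a value can contain spaces
# ("Dynamic key SA"), so lines are split on the known keys, longest first.
_KEYS = ["Rule Name", "ID", "Cookie", "Priority", "Src IP Addr", "Dst IP Addr",
         "Prefix", "Port number", "Network Protocol", "Direction", "Action",
         "State", "FLAGS", "Number of SA(s) Needed", "Number of SA(s) Created",
         "Active Sessions Created", "Transform", "Lifetime Seconds",
         "Lifetime Kbytes", "SA Type", "Encryption Algorithm",
         "Authentication Algorithm", "Outbound SPI", "Inbound SPI"]
_ALT = "|".join([re.escape(k) for k in sorted(_KEYS, key=len, reverse=True)]
                + [r"Proposal \d+"])
# Lookbehind rather than a consuming \s+, so "Transform" directly after the
# already-consumed "Proposal 1: " still splits.
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + _ALT + r"):\s*")
SA_HDR_RE = re.compile(r"^-+\s*SA Pair Number\s+(\d+)\s*-+$")

# Constructed copy of the SA-specific entry on this page.  The manpage cuts
# the record off after Encryption Algorithm; the last three lines and their
# values are made up here to complete it.
SAMPLE_REPORT = """\
------------------- Active Host Policy Rule ---------------------
Rule Name: telnet_in ID: 5 Cookie: 3 Priority: 10
Src IP Addr: 192.1.1.1 Prefix: 32 Port number: 23
Dst IP Addr: 192.1.1.3 Prefix: 32 Port number: 56122
Network Protocol: TCP Direction: outbound
Action: Dynamic key SA State: Ready
FLAGS: EXCLUSIVE
Number of SA(s) Needed: 1 Pair(s)
Number of SA(s) Created: 1 Pair(s)
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
-- SA Pair Number 1 --
SA Type: ESP
Encryption Algorithm: AES128-CBC
Authentication Algorithm: HMAC-SHA1
Outbound SPI: 0x1a2b3c4d
Inbound SPI: 0x4d3c2b1a
"""


def parse_report(text):
    """Return one dict per rule, each with 'proposals' and 'sas' lists."""
    rules, rule, target = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---") and "Active Host Policy Rule" in line:
            rule = target = {"proposals": [], "sas": []}
            rules.append(rule)
            continue
        m = SA_HDR_RE.match(line)
        if m and rule is not None:
            target = {"pair": int(m.group(1))}
            rule["sas"].append(target)
            continue
        if not line or target is None:
            continue
        parts = KEY_RE.split(line)      # ['', key1, val1, key2, val2, ...]
        scope = ""                      # "Src "/"Dst " for Prefix and Port number
        for key, value in zip(parts[1::2], parts[2::2]):
            pm = re.fullmatch(r"Proposal (\d+)", key)
            if pm:                      # the Lifetime lines that follow belong to it
                target = {"number": int(pm.group(1))}
                rule["proposals"].append(target)
                continue
            if key.endswith("IP Addr"):
                scope = key[:4]
                target[key] = value.strip()
            else:
                target[scope + key] = value.strip()
    return rules


def split_transform(name):
    """'ESP-AES128-HMAC-SHA1' -> ('ESP', 'AES128', 'HMAC-SHA1');
    'AH-HMAC-SHA1' -> ('AH', None, 'HMAC-SHA1').  Naming scheme assumed."""
    p = name.split("-")
    if p[0] == "ESP":
        return p[0], p[1], "-".join(p[2:])
    return p[0], None, "-".join(p[1:])


def audit(rules):
    """Findings for SA-specific entries (those with a Cookie): entries not fully
    established, SA pairs matching no listed proposal, no integrity, no SPI."""
    out = []
    for r in rules:
        if "Cookie" not in r:
            continue                    # general policy entry: carries no SA data
        tag = "%s/ID %s/cookie %s" % (r.get("Rule Name"), r.get("ID"), r["Cookie"])
        if (r.get("State") != "Ready"
                or r.get("Number of SA(s) Created") != r.get("Number of SA(s) Needed")):
            out.append(tag + ": not fully established")
        wanted = {split_transform(p["Transform"]) for p in r["proposals"] if "Transform" in p}
        for sa in r["sas"]:
            stag = "%s/SA pair %d" % (tag, sa["pair"])
            typ, auth = sa.get("SA Type"), sa.get("Authentication Algorithm")
            enc = sa.get("Encryption Algorithm", "")
            if auth is None:
                out.append(stag + ": no authentication algorithm (no integrity check)")
            out.extend("%s: missing %s" % (stag, k)
                       for k in ("Outbound SPI", "Inbound SPI") if k not in sa)
            if not any(t == typ and (e is None or enc.startswith(e)) and a == auth
                       for t, e, a in wanted):
                out.append("%s: %s/%s/%s matches no proposal" % (stag, typ, enc, auth))
    return out


if __name__ == "__main__":
    print("\n".join(audit(parse_report(SAMPLE_REPORT)) or ["no findings"]))
```

Run it against saved output (ipsec_report -host active > active.txt, then pass the file contents to parse_report) after a policy change to confirm that every SA-specific entry is Ready, that its SA pairs carry the algorithms the proposals asked for, and that no ESP SA has been established without an authentication algorithm. Because Src and Dst lines both use the keys Prefix and Port number, the parser qualifies those with the side they belong to; without that, the destination values would silently overwrite the source ones.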