HP-UX IPSec version A.02.01 manpages

ipsec_report(1M) ipsec_report(1M)
(IPSec Software Required)
REPORT: ipsec_report -cache
The -cache option displays the Cache Policy Rules. The Cache Policy Rules are maintained by the
Kernel Policy Engine and record the action (Action) to be taken for IP packets that match the 5-tuple
(source IP address and port, destination IP address and port, and protocol) and direction.
Note that there are no entries for inbound IP packets that have been authenticated or encrypted using the
IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP). This is because the system
receives these packets with a Security Parameters Index (SPI) in the AH or ESP header. HP-UX uses
the SPI to find an entry in the kernel Security Association database and does not query the Kernel
Policy Engine for these packets.
Fields are defined as follows:
Cache Policy Record
An integer used internally by HP-UX IPSec to index the entries.
Cookie
An integer used to cross-reference entries in the cache and policy tables kept by the Policy daemon.
All cache entries based on the same active policy entry will have the same cookie value.
Src IP Address
The source IP address.
Src Port number
The source port number for the upper-layer protocol. In this example, it is the TCP port number.
Dst IP Address
The destination IP address.
Dst Port number
The destination port number for the upper-layer protocol. In this example, it is the TCP port number,
and it is the well-known port for the telnet service (23).
Network Protocol
The upper-layer protocol in the IP header.
Direction
Indicates whether this cache entry is for inbound packets (packets received by the local system) or
outbound packets (packets sent from the local system).
Action
Indicates the action or transform applied to packets matching this entry. Possible values are
Secure (authenticate and/or encrypt using an IPsec transform: Authentication Header, AH, and/or
Encapsulating Security Payload, ESP), Pass (pass in clear text), or Discard (discard the packet).
If the action (Action) is Secure and the direction is outbound, the entry will have information about
the IPsec Security Associations (SAs) established for packets matching the 5-tuple for this entry.
The SA fields are defined as follows:
SA Number
Internal index for the SA for this packet. Normally, there is only one SA and this label is
SA Number 1. However, a packet with a nested transform (an ESP nested within an AH) or one
that is sent through a tunnel would require multiple SAs.
State
Indicates the state of the SA. Possible values are SA Created (indicates that the SA has been
established and is active) and SA Requested (indicates that this SA is in the process of being created).
Security Association Type
Indicates the IPsec transform for this SA. Possible values are AH (Authentication Header) and
ESP (Encapsulating Security Payload).
Tunnel SA
Indicates whether the SA is being used to send the packet through an IPsec tunnel.
SPI
The Security Parameters Index (SPI). The SPI is included in the IPsec AH or ESP protocol header
transmitted to the remote system. The SPI is also used to index IPsec SA entries in the kernel
Security Association database.
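The two lookups this page describes, the policy cache keyed on the 5-tuple plus direction and the SPI-keyed SA database that inbound AH/ESP packets are resolved against without consulting the cache, modelled as an added Python example. This is illustrative code written for this page, not HP-UX IPSec code. The record and SA field names follow the definitions above; the sample cache entries, the use of IP protocol numbers (6, 50, 51) as the protocol value, the "Miss" result on a cache miss, and the rule that an inbound packet with no usable SA is discarded are assumptions of the example. It also includes the check a practitioner wants when a Secure outbound session hangs: list the records whose SAs are still in SA Requested state.

```python
"""Toy model of the two kernel lookups described for ipsec_report -cache.

Added example, not HP-UX code. Packets are matched against the Cache
Policy Rules on the 5-tuple plus direction, except inbound packets that
carry an AH (IP protocol 51) or ESP (IP protocol 50) header, which are
resolved by SPI in the SA database and never consult the cache. The record
layout, the cache-miss result and the unknown-SPI rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51   # standard IANA protocol numbers


@dataclass(frozen=True)
class SecurityAssociation:
    number: int      # "SA Number": 1 unless nested transform or tunnel
    state: str       # "SA Created" (active) or "SA Requested" (pending)
    sa_type: str     # "Security Association Type": "AH" or "ESP"
    tunnel: bool     # "Tunnel SA"
    spi: int         # "SPI": carried in the AH/ESP header on the wire


@dataclass
class CachePolicyRecord:
    record: int      # "Cache Policy Record": internal index
    cookie: int      # "Cookie": same for every entry from one policy entry
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int    # "Network Protocol": upper-layer protocol number
    direction: str   # "inbound" or "outbound"
    action: str      # "Secure", "Pass" or "Discard"
    sas: List[SecurityAssociation] = field(default_factory=list)

    def key(self) -> Tuple:
        """The 5-tuple plus direction the Kernel Policy Engine matches on."""
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port,
                self.protocol, self.direction)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int    # outermost IP protocol: 50/51 when AH/ESP protected
    direction: str
    spi: Optional[int] = None


class KernelFastPath:
    def __init__(self, cache: List[CachePolicyRecord],
                 sadb: Dict[int, SecurityAssociation]) -> None:
        self.cache = {r.key(): r for r in cache}
        self.sadb = sadb   # SPI -> SA: the kernel Security Association database

    def lookup(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, table consulted) for one packet."""
        if pkt.direction == "inbound" and pkt.protocol in (PROTO_AH, PROTO_ESP):
            # The SPI indexes the SA database directly; the cache is skipped.
            sa = self.sadb.get(pkt.spi)
            if sa is None or sa.state != "SA Created":
                return ("Discard", "sadb")   # assumption: no usable SA -> drop
            return ("Secure", "sadb")
        rec = self.cache.get((pkt.src_ip, pkt.src_port, pkt.dst_ip,
                              pkt.dst_port, pkt.protocol, pkt.direction))
        if rec is None:
            return ("Miss", "cache")         # assumption: policy lookup not modelled
        return (rec.action, "cache")


def pending_outbound(cache: List[CachePolicyRecord]) -> List[int]:
    """Record numbers whose Secure outbound traffic still waits on an SA."""
    return [r.record for r in cache
            if r.action == "Secure" and r.direction == "outbound"
            and any(sa.state == "SA Requested" for sa in r.sas)]


def build_example() -> Tuple[List[CachePolicyRecord], Dict[int, SecurityAssociation]]:
    """Constructed sample data: one telnet policy entry and one pass rule."""
    esp_out = SecurityAssociation(1, "SA Created", "ESP", False, 0x1001)
    esp_req = SecurityAssociation(1, "SA Requested", "ESP", False, 0x1002)
    esp_in = SecurityAssociation(1, "SA Created", "ESP", False, 0x2001)
    cache = [
        # outbound telnet to 10.0.0.2, SA established
        CachePolicyRecord(1, 7, "10.0.0.1", 49152, "10.0.0.2", 23,
                          PROTO_TCP, "outbound", "Secure", [esp_out]),
        # outbound telnet to 10.0.0.3 from the same policy entry (same
        # cookie), SA negotiation still in progress
        CachePolicyRecord(2, 7, "10.0.0.1", 49153, "10.0.0.3", 23,
                          PROTO_TCP, "outbound", "Secure", [esp_req]),
        # inbound clear-text HTTP, passed in the clear
        CachePolicyRecord(3, 9, "10.0.0.2", 49152, "10.0.0.1", 80,
                          PROTO_TCP, "inbound", "Pass"),
    ]
    sadb = {sa.spi: sa for sa in (esp_out, esp_in)}
    return cache, sadb
```

Note that the inbound ESP packet in the sample never appears in the cache, exactly as the description above says: it is resolved by SPI 0x2001 in the SA database. An inbound ESP packet with an SPI that is not in the database is dropped in this model; the page does not state what HP-UX does in that case, so treat that rule as an assumption.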
HP-UX IPSec A.02.01 7 Hewlett-Packard Company 57