HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

141

142

143

144

145

146

147

148

149

150

• Queries the policy daemon and reports the tunnel IPsec policies. You can also do this by

entering the following command:

ipsec_report -tunnel

• Queries the policy daemon and reports the interfaces in the bypass list. You can also do this

by entering the following command:

ipsec_report -bypass

• Queries the policy daemon and reports the active (configured UP or DOWN, plumbed) IP

interfaces, and whether or not HP-UX IPSec is enabled for each interface. You can also do

this by entering the following command:

ipsec_report -ip

• Queries the kernel policy engine and reports the contents of its cache. The cache records the

most recent decisions that the kernel policy engine has made for the traffic that has passed

in and out of the system. If there is no IPsec peer, the kernel policy engine still reports

decisions for packets that have been sent or received by the system (including broadcast

packets) by five-tuple (source IP address, destination IP address, protocol, source port,

destination port) and the action taken—even if the action was to pass the packet in clear

text. You can also do this by entering the following command:

ipsec_report -cache

• Formats and displays the contents of the current audit file. You can also do this by entering

the following command:

ipsec_report -audit audit_file

Isolating HP-UX IPSec Problems from Upper-layer Problems

If you are unsure whether an application problem is being caused by HP-UX IPSec, you can still

enable layer 4 (TCP, UDP, IGMP) tracing. This will capture outbound data packets before they

are encrypted by HP-UX IPSec and inbound packets after they are decrypted by HP-UX IPSec.

Because layer 4 tracing provides a possible security breach, it is disabled when HP-UX IPSec is

started and can only be enabled using the ipsec_admin utility, which requires root capability

and the HP-UX IPSec administrator password.

To enable layer 4 tracing, use the following command:

ipsec_admin -traceon [ tcp | udp | igmp | all ]

Tracing output will go to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1

if nettl tracing is not already enabled. If it is, the trace files will be those already in use by

nettl.

Checking Policy Configuration

There are two methods for determining which policy HP-UX IPSec uses for a packet:

• Use the ipsec_policy command to query the policy daemon to determine which policy

HP-UX IPSec would use for the packets.

• Generate packets and use the ipsec_report -cache command to examine policy cache

and determine which policy HP-UX IPSec used for the packets.

Using ipsec_policy

Use the ipsec_policy command to determine which host policy, IKE policy and authentication

record will be used for a given packet. For example, on system 15.1.1.1, you want to determine

which host policy HP-UX IPSec will use for outbound telnet requests to 15.2.2.2 (the local

system 15.1.1.1 is the telnet client). Use the following command:

146 Troubleshooting HP-UX IPSec