HP-UX IPSec Version A.03.00 Administrator's Guide

ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 23 \
-p tcp -dir out
To determine which policies HP-UX IPSec will use for inbound telnet requests to 15.1.1.1 from
system 15.2.2.2 (the local system 15.1.1.1 is the telnet server), you can use the following command:
ipsec_policy -da 15.1.1.1 -dp 23 -sa 15.2.2.2 -sp 65535 \
-p tcp -dir in
Refer to the ipsec_policy(1M) manpage for more information.
NOTE: Both examples shown above include a dummy user-space port number (65535) for the
client port.
If an authentication record has two values configured for the IKE version (kmp argument),
ipsec_config always selects the first IKE version and selects the IKE policy accordingly.
Examining the Policy Cache and Policy Entries
To determine the actual IPsec policy used for a packet, examine the output from the
ipsec_report -cache command to find the cached policy decision for the packet, then use
the Cookie field from the ipsec_report -cache entry to find the matching entry in the
ipsec_report -host output. The cache entry below is for an attempted outbound telnet
session from system 192.1.1.1 to system 192.1.1.3. The host policy on 192.1.1.1 is misconfigured,
so the system sends the packets in clear text. The output from the ipsec_report -cache
command shows the following entry:
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9 Cookie: 1
Src IP Address: 192.1.1.1 Src Port number: 56122
Dst IP Address: 192.1.1.3 Dst Port number: 23
Network Protocol: TCP Direction: outbound
Action: Pass
The output from the ipsec_report -host command shows the following entry. In this
configuration, Cookie 1 corresponds to the default host IPsec policy, with the action PASS.
---------------- Active Host Policy Rule -------------------
Rule Name: default Priority: 0 Cookie: 1
Action: Pass
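The cache-to-host correlation described above, as an added example that is not part of the original guide: a Python script that parses constructed ipsec_report -cache and ipsec_report -host output (modelled on the entries shown on this page, with a second, hypothetical secured flow and a hypothetical host rule named secure_all added), joins the two reports by the Cookie field, and lists every cached flow that was passed in clear text. The field names follow the output shown here; a real report may carry additional fields, which the parser keeps but does not rely on.

```python
import re
from typing import Dict, List

# Constructed sample output modelled on the ipsec_report -cache entry shown in the
# text (record 9 / cookie 1 is the misconfigured clear-text telnet flow). Record 10
# is an added, hypothetical secured flow.
CACHE_OUTPUT = """\
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9 Cookie: 1
Src IP Address: 192.1.1.1 Src Port number: 56122
Dst IP Address: 192.1.1.3 Dst Port number: 23
Network Protocol: TCP Direction: outbound
Action: Pass
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 10 Cookie: 3
Src IP Address: 192.1.1.1 Src Port number: 56130
Dst IP Address: 192.1.1.4 Dst Port number: 22
Network Protocol: TCP Direction: outbound
Action: Secure
"""

# Constructed ipsec_report -host output: the default rule from the text plus a
# hypothetical rule named secure_all.
HOST_OUTPUT = """\
---------------- Active Host Policy Rule -------------------
Rule Name: default Priority: 0 Cookie: 1
Action: Pass
---------------- Active Host Policy Rule -------------------
Rule Name: secure_all Priority: 10 Cookie: 3
Action: Secure
"""

# Matches "Key words: value"; several such pairs may share one report line.
PAIR_RE = re.compile(r"(\w[\w ]*?):\s*(\S+)")


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split ipsec_report-style output into one dict per dashed-line record."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("-"):          # separator line starts a new record
            records.append({})
            continue
        if not records:                   # ignore text before the first separator
            continue
        for key, value in PAIR_RE.findall(line):
            records[-1][key.strip()] = value
    return [r for r in records if r]


def correlate(cache_text: str, host_text: str) -> List[Dict[str, str]]:
    """Attach the host policy rule with the same Cookie to each cache entry."""
    rules_by_cookie = {r["Cookie"]: r for r in parse_report(host_text) if "Cookie" in r}
    joined = []
    for entry in parse_report(cache_text):
        rule = rules_by_cookie.get(entry.get("Cookie"), {})
        merged = dict(entry)
        merged["Rule Name"] = rule.get("Rule Name", "<no matching host rule>")
        merged["Rule Action"] = rule.get("Action", "?")
        joined.append(merged)
    return joined


def cleartext_flows(cache_text: str, host_text: str) -> List[str]:
    """Describe every cached flow whose decision was Pass (sent without IPsec)."""
    found = []
    for e in correlate(cache_text, host_text):
        if e.get("Action") != "Pass":
            continue
        found.append(
            "record {}: {}:{} -> {}:{} {} {}, passed in clear text by host rule "
            "'{}' (cookie {})".format(
                e["Cache Policy Record"], e["Src IP Address"], e["Src Port number"],
                e["Dst IP Address"], e["Dst Port number"], e["Network Protocol"],
                e["Direction"], e["Rule Name"], e["Cookie"]))
    return found


if __name__ == "__main__":
    for line in cleartext_flows(CACHE_OUTPUT, HOST_OUTPUT):
        print(line)
```

On a live system the two strings would be replaced by the captured output of ipsec_report -cache and ipsec_report -host; a flow that lands on the default rule with action Pass is exactly the misconfiguration the text describes, and the Rule Name in the output tells you which policy entry to fix.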
Configuring HP-UX IPSec Auditing
You can configure or set the following HP-UX IPSec audit parameters:
audit level
audit directory
maximum audit file size
You can change the audit parameters while HP-UX IPSec is active using the ipsec_admin
command. To change the audit parameters used every time HP-UX IPSec starts, use the
ipsec_config add startup command. You can also specify audit parameters with the
ipsec_admin start command.
Audit Level
The HP-UX IPSec audit levels are defined as follows:
alert: Alert audit entries report events that may require administrator attention, including
security violations and attacks, password violations, errors that may prevent correct operation
of the product, any error condition that is not recoverable, authentication problems, significant
Troubleshooting Procedures 147