HP-UX IPSec Version A.03.00 Administrator's Guide
1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.03.00. For example:
/usr/sbin/ipsec_migrate
If the /var/adm/ipsec/ipsec.key file is present, ipsec_migrate prompts for the
HP-UX IPSec password before decrypting this file and extracting the contents.
The ipsec_migrate utility creates backup copies of the following files and saves them
under the /var/adm/ipsec/backup directory:
/var/adm/ipsec/.ipsec_profile
/var/adm/ipsec/cainfo.txt
/var/adm/ipsec/config.db
/var/adm/ipsec/ipsec.cert (if present)
/var/adm/ipsec/ipsec.key (if present)
The ipsec_migrate utility appends a timestamp to the names of the backup files. The
timestamp is in the format dd-mm-yy-hh-mn-ss, where:
dd is the day
mm is the month
yy is the last two digits of the year
hh is the hour
mn is the number of minutes
ss is the number of seconds
For more information, refer to the ipsec_migrate(1M) man page.
2. Examine the contents of the configuration database using the following command:
ipsec_config show all
3. Check if you need to make any additional changes to the configuration database. See
“Additional Configuration Tasks” (page 202) for more information.
4. Start HP-UX IPSec:
ipsec_admin -start
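An added example (not part of the HP guide): a POSIX shell check to run after step 1 that confirms each file has a timestamped copy in the backup directory and picks the newest one. It assumes a backup name ends with the dd-mm-yy-hh-mn-ss timestamp; the function names and the separator-agnostic match are this example's own.

```sh
#!/bin/sh
# Added example, not from the HP guide. Assumption: each backup is named
# <original name><separator><dd-mm-yy-hh-mn-ss>; the separator is not documented
# on this page, so only the trailing timestamp is matched.
TS_RE='[0-3][0-9]-[01][0-9]-[0-9][0-9]-[0-2][0-9]-[0-5][0-9]-[0-5][0-9]$'

# sort_key NAME: print yymmddhhmnss for NAME's trailing timestamp, or fail.
# dd-mm-yy names do not sort chronologically, so the fields are reordered.
# Two-digit years: all backups are assumed to fall in the same century.
sort_key() {
    printf '%s\n' "$1" | grep "$TS_RE" >/dev/null || return 1
    printf '%s\n' "$1" |
        sed 's/.*\(..\)-\(..\)-\(..\)-\(..\)-\(..\)-\(..\)$/\3\2\1\4\5\6/'
}

# latest_backup DIR BASE: print the newest backup of BASE in DIR (empty if none).
latest_backup() {
    for f in "$1/$2"*; do
        [ -f "$f" ] || continue
        key=$(sort_key "${f##*/}") || continue
        printf '%s %s\n' "$key" "${f##*/}"
    done | sort | tail -n 1 | cut -d' ' -f2-
}

# check_backups DIR: list the newest backup of each file; return 1 if a file
# that ipsec_migrate always backs up has no timestamped copy in DIR.
check_backups() {
    rc=0
    for base in .ipsec_profile cainfo.txt config.db ipsec.cert ipsec.key; do
        newest=$(latest_backup "$1" "$base")
        if [ -n "$newest" ]; then
            echo "ok       $base -> $newest"
        else
            case $base in
                ipsec.cert|ipsec.key) echo "absent   $base (optional)" ;;
                *) echo "MISSING  $base"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed demo: the older backup (28 Feb) sorts after the newer (3 Nov) by name.
demo=${TMPDIR:-/tmp}/ipsec_backup_demo.$$
mkdir "$demo"
touch "$demo/config.db.28-02-25-09-00-00" "$demo/config.db.03-11-25-17-45-10"
latest_backup "$demo" config.db
rm -rf "$demo"
```

On a migrated system, call check_backups /var/adm/ipsec/backup before starting HP-UX IPSec in step 4.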
Additional Configuration Tasks
The ipsec_migrate utility changes object types and values when converting a configuration
database for HP-UX IPSec A.03.00. Check the following list for additional changes that may be
needed after running ipsec_migrate:
• Check the IKEv1 policies. The migration utility converts each existing ike policy to an
ikev1 policy as follows:
— The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a
value for the IKE authentication method. The IKE authentication method is now specified
in authentication records using the -local_method and -remote_method arguments.
In most cases, you do not need to explicitly specify the -local_method and
-remote_method arguments. If the authentication record specifies a preshared key
value (-preshared), the -local_method and -remote_method arguments default
to PSK; if no preshared key value is specified, these arguments default to RSASIG. For
more information, see “Step 3: Configuring Authentication Records and Preshared
Keys” (page 85).
— The maximum quick modes (-maxqm) value is converted to a value for perfect forward
secrecy (PFS, -pfs). The ikev1 policies do not include a value for maximum quick
modes. If the -maxqm value is 1, the migration utility creates an ikev1 policy with PFS
ON. If the -maxqm value is greater than 1, the migration utility creates an ikev1 policy
with PFS OFF.
— Any DES authentication (-hash) values are converted to 3DES. (DES is not supported in
HP-UX IPSec A.03.00.)
• Check the action in the host and tunnel policies. The ipsec_migrate utility replaces DES
transforms and nested transforms in host and tunnel policies with the default actions in the
202 Migrating from Previous Versions of HP-UX IPSec