HP-UX IPSec Version A.03.00 Administrator's Guide

/var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD.
For tunnel policies, the default action is the ESP_AES128_HMAC_SHA1 transform.

Check the priority value in authentication records. In previous releases, authentication
records did not have a priority value; if multiple authentication records had a remote IP
address value that matched the peer's address, HP-UX IPSec selected the record with the
longest IP address prefix.
The ipsec_migrate utility sorts existing authentication records using the address prefix
length (longest to shortest). The migration utility sets the priority for the first record to the
value of the priority parameter value in the AuthPolicy-Defaults section of the HP-UX IPSec
profile file; the default priority value is 10. The utility increments the priority value for each
subsequent record by the priority value.

Configure additional authentication records if needed. In previous releases, an authentication
record was not required if the authentication method was RSASIG, the systems were not
multihomed, and the systems used IPv4 addresses for the IKE IDs. HP-UX IPSec A.03.00
requires an authentication record for every peer.

Check for preshared key values beginning with 0x. HP-UX IPSec A.03.00 stores preshared
key values beginning with 0x as hexadecimal values. In prior releases, HP-UX IPSec stored
all preshared key values as ASCII strings. If you have a preshared key value beginning with
0x and are using it with a release prior to A.03.00, the key values will not match. Change
the preshared key values on both systems.

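
The priority numbering and the 0x preshared-key check described above, as an added example (not HP's ipsec_migrate code): it sorts constructed records longest prefix first, numbers them in steps of the AuthPolicy-Defaults priority, and lists the records whose key A.03.00 would now read as hexadecimal. The record field names and sample addresses are assumptions; the match-ordering helper additionally shows that the numbering preserves the previous longest-prefix precedence.

```python
import ipaddress

# Constructed sample authentication records, resembling what a pre-A.03.00
# configuration held: a remote address with prefix length and a preshared key.
# Field names are assumptions for this example, not HP-UX IPSec's own format.
SAMPLE_RECORDS = [
    {"name": "any_v4",   "remote": "0.0.0.0/0",     "psk": "0xdeadbeef"},
    {"name": "site_lan", "remote": "192.0.2.0/24",  "psk": "plain-text-key"},
    {"name": "peer_one", "remote": "192.0.2.10/32", "psk": "abc123"},
]


def prefix_length(record):
    """Prefix length of the record's remote address; longer = more specific."""
    return ipaddress.ip_network(record["remote"], strict=False).prefixlen


def assign_priorities(records, default_priority=10):
    """Sort longest prefix first and number the records default, 2*default, ...
    (the guide's description of ipsec_migrate, with AuthPolicy-Defaults
    priority = 10 unless overridden). Sorting is stable, so records with
    equal prefix lengths keep their input order."""
    ordered = sorted(records, key=prefix_length, reverse=True)
    return [dict(rec, priority=default_priority * n)
            for n, rec in enumerate(ordered, start=1)]


def hex_psk_records(records):
    """Names of records whose preshared key begins with 0x: A.03.00 stores
    these as hexadecimal, so they no longer match an older peer's ASCII key."""
    return [r["name"] for r in records if r["psk"].startswith("0x")]


def matching_in_priority_order(prioritized, peer_ip):
    """Records whose remote address covers peer_ip, ordered by priority value.
    Because the migration numbered them longest prefix first, the first entry
    is the record the pre-A.03.00 longest-prefix rule would have selected."""
    addr = ipaddress.ip_address(peer_ip)
    hits = [r for r in prioritized
            if addr in ipaddress.ip_network(r["remote"], strict=False)]
    return [r["name"] for r in sorted(hits, key=lambda r: r["priority"])]


if __name__ == "__main__":
    prioritized = assign_priorities(SAMPLE_RECORDS)
    for rec in prioritized:
        print(rec["priority"], rec["name"], rec["remote"])
    print("keys to change on both peers:", hex_psk_records(SAMPLE_RECORDS))
    print(matching_in_priority_order(prioritized, "192.0.2.10"))
```
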
Configure the AUTOCONF flag in authentication records for autoconfiguration clients. In
previous releases, the AUTOCONF flag was set in host policies. The use of the AUTOCONF flag
in host policies is deprecated and might be removed in future product releases.

Certificate Files
Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations.
The ipsec_migrate utility performs the following tasks when migrating to HP-UX IPSec
version A.03.00 from previous versions:
Extracts certificates, the private key and certificate data from the following files under the
/var/adm/ipsec/backup directory:
/var/adm/ipsec/cainfo.txt
/var/adm/ipsec/ipsec.key
/var/adm/ipsec/ipsec.cert
The ipsec_migrate utility prompts the user for the HP-UX IPSec password and uses the
password to decrypt and extract the private key. It also extracts the certificates for the local
system and CA and stores the certificates and keys in files under the
/var/adm/ipsec/certstore directory.
If the file /var/adm/ipsec_gui/cron/crl.cron exists, ipsec_migrate creates a
softlink from this file to /var/adm/ipsec/util/crl.cron. The crl.cron file is a
script that can be executed from a cron job to periodically retrieve CRLs from LDAP
directories. This file was located in the /var/adm/ipsec_gui/cron directory in previous
releases.
You can modify and resubmit the root crontab file to execute the
/var/adm/ipsec/util/crl.cron script directly.
Post-Installation Migration Instructions 203