HP-UX IPSec Version A.03.00 Administrator's Guide

Step 5: Verifying and Testing the HP-UX IPSec Configuration
Start and verify HP-UX IPSec on the cluster node on which you configured IPsec using the
procedure in Chapter 4, “Step 8: Committing the Batch File Configuration and Verifying
Operation” (page 107).
Use ipsec_policy to test your configuration to ensure it meets the following conditions:
HP-UX IPSec allows messages sent between the heartbeat IP addresses to pass in clear text,
including Serviceguard heartbeat messages (TCP and UDP destination port 5300).
HP-UX IPSec does not discard control messages for optional Serviceguard services, including
Quorum Server and Serviceguard Manager messages. Table G-1 (page 233) lists the port
numbers and protocols for Serviceguard services control messages.
To verify that all messages sent between the heartbeat IP addresses pass in clear text, run
ipsec_policy, specifying only the source and destination IP addresses (use the default wildcard
values for the other parameters). For example, you could use the following command on node
15.1.1.1 to verify that all messages sent to 15.2.2.2 pass in clear text:
ipsec_policy -sa 15.1.1.1 -da 15.2.2.2
You can also explicitly verify that HP-UX IPSec will pass heartbeat messages in clear text. The
example below tests whether Serviceguard TCP heartbeat messages (port 5300) will pass in clear text
to node 15.1.1.1 from node 15.2.2.2. The dummy value 65535 is used for the dynamically assigned
source port number (-sp 65535).
ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 5300 -p tcp
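As an added example that is not part of the guide, the following shell script generates the ipsec_policy queries described above for every ordered pair of heartbeat addresses, covering the wildcard query plus the explicit TCP and UDP heartbeat-port queries, so no pair or direction is missed on a larger cluster. The heartbeat address list, the dummy source port and the run helper are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide). Enumerates the
# ipsec_policy checks for Serviceguard heartbeat traffic between every
# ordered pair of heartbeat addresses. HEARTBEAT_IPS and DUMMY_SPORT are
# constructed sample values; set IPSEC_POLICY to override the tool path.
HEARTBEAT_IPS="15.1.1.1 15.2.2.2"
DUMMY_SPORT=65535
HB_PORT=5300
IPSEC_POLICY=${IPSEC_POLICY:-ipsec_policy}

# Print one ipsec_policy command line per check; nothing is executed here.
heartbeat_queries() {
    for src in $HEARTBEAT_IPS; do
        for dst in $HEARTBEAT_IPS; do
            [ "$src" = "$dst" ] && continue
            # Wildcard query: every message between this pair of addresses.
            echo "$IPSEC_POLICY -sa $src -da $dst"
            # Explicit heartbeat queries: TCP and UDP destination port 5300,
            # with the dummy source port standing in for the dynamic one.
            for proto in tcp udp; do
                echo "$IPSEC_POLICY -sa $src -sp $DUMMY_SPORT -da $dst -dp $HB_PORT -p $proto"
            done
        done
    done
}

# Number of queries generated: n*(n-1) ordered pairs, three queries each.
query_count() {
    heartbeat_queries | wc -l | tr -d ' '
}

# Run every query on the node, echoing each command before its output so
# the ipsec_policy result can be matched to the pair and port it checked.
run_heartbeat_checks() {
    heartbeat_queries | while read -r cmd; do
        echo "## $cmd"
        $cmd
    done
}
```

Run `run_heartbeat_checks` on the cluster node and confirm that every query reports the traffic passing in clear text rather than being secured or discarded.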
242 HP-UX IPSec and Serviceguard