HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 HP Part Number: 762800-001 Published: April 2014 Edition: 2.
© Copyright 2007-2014 Hewlett-Packard Development Company L.P Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents HP secure development lifecycle....................................................................16 About this document ...................................................................................17 Intended audience..................................................................................................................17 New and changed features in A.03.02.02.................................................................................17 Features in HP-UX IPSec A.03.01.01.....
OpenSSL copyright notice........................................................................................................28 1 HP-UX IPSec overview...............................................................................30 Features................................................................................................................................30 IPsec protocol suite.................................................................................................................
Step 4: Committing the batch file configuration and verifying operation.........................................53 Step 5: Configuring HP-UX IPSec to start automatically.................................................................54 ipsec_config add startup Syntax...........................................................................................55 Step 6: Creating backup copies of configuration files..................................................................
tunnel_policy_name ......................................................................................................73 -tsource and -tdestination tunnel_address .........................................................................73 -source and -destination ip_addr [/prefix].........................................................................74 ip_addr ..................................................................................................................74 prefix ....................
-hash hash_algorithm ..............................................................................................88 -encryption encryption_algorithm ..........................................................................89 -life lifetime_seconds ...........................................................................................89 -pfs ON|OFF ..............................................................................................................89 -priority priority_number ................
Example....................................................................................................................105 Submitting the Certificate Signing Request to the CA............................................................105 Step 2: Adding the Local Certificate........................................................................................105 ipsec_config add mycert -file Syntax...................................................................................
Exporting the Configuration Database to a Batch File................................................................117 ipsec_config export Syntax................................................................................................117 Parameters.................................................................................................................117 Re-Creating the Configuration Database..................................................................................
Symptoms..................................................................................................................132 Solution.....................................................................................................................133 IPsec SA Negotiation Fails................................................................................................133 Problem.....................................................................................................................
ESP_AES128_HMAC_SHA2_512...................................................................................145 ESP_AES192_HMAC_MD5..........................................................................................145 ESP_AES192_HMAC_SHA1.........................................................................................145 ESP_AES192_HMAC_SHA2_256..................................................................................145 ESP_AES192_HMAC_SHA2_384.........................................
Establishing Tunnel Security Associations.............................................................................162 ICMPv4 Message Processing........................................................................................163 Syntax..................................................................................................................163 ICMPv6 Message Processing........................................................................................163 Syntax..........................
Tips................................................................................................................................177 HP Printers...........................................................................................................................178 C Migrating from Previous Versions of HP-UX IPSec........................................179 DES Compatibility................................................................................................................
Troubleshooting Manual Key Problems.....................................................................................192 Symptoms.......................................................................................................................192 Solutions.........................................................................................................................192 SADB_ADD for SPI 0xnnnn returns EEXIST ....................................................................
Authentication Records on Cluster Nodes.......................................................................207 Authentication Records on Client1.................................................................................207 Authentication Records on Client2.................................................................................207 Preshared Keys Configuration on Cluster Nodes..............................................................208 Preshared Keys Configuration on Client1............
HP secure development lifecycle Starting with HP-UX 11i v3 March 2013 update release, HP secure development lifecycle provides the ability to authenticate HP-UX software. Software delivered through this release has been digitally signed using HP's private key. You can now verify the authenticity of the software before installing the products, delivered through this release. To verify the software signatures in signed depot, the following products must be installed on your system: • B.11.31.
About this document This document describes how to install, configure, and troubleshoot HP-UX IPSec. The latest version of this document are available at HP-UX IPSec Software. Intended audience This document is intended for system and network administrators responsible for installing, configuring, and managing HP-UX IPSec. Administrators are expected to have knowledge of HP-UX and networking concepts, commands, and configuration. This document is not a tutorial. New and changed features in A.03.02.
Features in HP-UX IPSec A.03.01.01 The A.03.01.01 release of HP-UX IPSec introduces the following changes: • Revised requirement for OpenSSL software HP-UX IPSec now requires version A.00.09.08q or later. • IKE support for D-H group 24 HP-UX IPSec now supports the D-H (Diffie-Hellman) group having Transform ID 24 for IKE. The group is used with the IKE protocol to provide security for Internet communications.
[-alt-user-fqdn user_fqdn1 [-alt-user-fqdn user_fqdn2 ... -alt-user-fqdn user_fqdn20]] nl [-key_length number_bits] [-days number_days] Description of revised ipsec_config add csr command alternative-name options The three alternative-name options are as follows: -alt-ipv4 ipv4_addr Specifies the IPv4 address you want in the subjectAlternativeName field of the certificate. You can specify up to 20 IPv4 addresses by repeating the -alt-ipv4 ipv4_addr argument accordingly.
• • • ◦ “IKE support for multiple hash, encryption, and group values” (page 22) ◦ “IKE Support for Diffie-Hellman groups 5 and 14” (page 22) ◦ “IKE support for AES128-CBC encryption” (page 22) “Authentication record changes” (page 22) ◦ “Authentication records are mandatory” (page 22) ◦ “Authentication records specify the IKE (key management protocol) version” (page 23) ◦ “Authentication records include a priority value” (page 22) ◦ “Authentication records support the AUTOCONF flag” (page 2
Support for IKE version 2 HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1). IKEv1 and IKEv2 policies replace IKE policies Policies for ike are replaced by ikev1 and ikev2 policies. The migration utility converts each existing ike policy to an ikev1 policy as follows: • The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a value for the IKE authentication method.
IKEv1 Perfect forward secrecy with keys only HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only. This enables IKE to reuse an existing IKE SA to negotiate a new IPsec SA pair and establish new keying information when negotiating the IPsec SA pair. In releases prior to A.03.00, HP-UX IPSec provided a form of PFS when the IKE maximum quick modes value (-maxqm) was 1.
Authentication records specify the IKE (key management protocol) version Authentication records now include a kmp (key management protocol) field that specifies the IKE version (IKEv1 or IKEv2). The default IKE version is IKEv1. You can specify both IKE versions. The IKE daemon uses the first version for all negotiations it initiates, and responds to negotiations for both versions. For more information, see “Determining the IKE Version” (page 153).
Support for multiple source and destination arguments in host and tunnel policies You can specify up to 20 instances of the -source and -destination arguments in the ipsec_config add host and ipsec_config add tunnel commands. For more information, see “IPsec SA Packet Descriptors” (page 161). This feature is not supported with manual keys. For more information, see “Manual Key Policy Restrictions” (page 190).
Support for 4096 bit key pairs for certificates HP-UX IPSec now supports 4096-bit public/private key pairs for certificate-based IKE authentication. The ipsec_config add csr command also supports the argument -key_length 4096. Support for PKCS#12 certificates HP-UX IPSec supports certificates stored in Public Key Cryptography Standards (PKCS) #12 format (commonly referred to as PKCS#12). A PKCS#12 file can also include the private key for the certificate.
the ipsec_migrate utility, ipsec_migrate saves the existing /var/adm/ipsec/ .ipsec_profile file in the /var/adm/ipsec/backup directory before moving the /var/ adm/ipsec/.ipsec_profile.blank file to /var/adm/ipsec/.ipsec_profile. If you use customized settings in your profile file, edit the /var/adm/ipsec/ .ipsec_profile.blank file with your customized settings before running ipsec_migrate.
What’s in this document HP-UX IPSec Administrator’s Guide is divided into several chapters, and each contains information about installing, configuring, or troubleshooting HP-UX IPSec. The appendices contain supplemental information. “HP-UX IPSec overview” This chapter describes product features and topologies. “Installing HP-UX IPSec ” This chapter describes how to verify installation prerequisites and install the product.
ERROR NAME The name of an error, usually returned in the errno variable. Key The name of a keyboard key. Return and Enter both refer to the same key. Term The defined use of an important word or phrase. User input Commands and other text that you type. Variable The name of a placeholder in a command, function, or other syntax display that you replace with an actual value. [] The contents are optional in syntax. If the contents are a list separated by |, you can choose one of the items.
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Original SSLeay License Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
1 HP-UX IPSec overview This chapter describes HP-UX IPSec features and topologies. It contains the following sections: • “Features” (page 30) • “IPsec protocol suite” (page 32) • “HP-UX IPSec topologies” (page 42) Features The IP security (IPsec) protocol suite was defined by the Internet Engineering Task Force (IETF) to provide security for IP networks. HP-UX IPSec is the HP implementation of IPsec.
• Identity authentication The IKE protocol authenticates the identity of the remote system. HP-UX IPSec supports the following forms of IKE authentication: ◦ Preshared keys. ◦ Digital signatures (RSA signatures), using X.509 version 3 security certificates. Because IKE verifies the identity of the remote system, AH and ESP also provide data origin authentication. • Host-based IPsec topologies HP-UX IPSec is supported on host systems in host-to-host and in host-to-gateway topologies.
◦ Configuration test utility The ipsec_policy utility takes a packet definition (local and remote IP addresses, upper-layer protocol, local and remote port numbers) as input and reports the IPsec policy that HP-UX IPSec would apply to packets matching the definition. ◦ Audit logging HP-UX IPSec maintains an audit log of events, including events that may indicate attempts to compromise network security.
Figure 1 Shared key encryption Data Key Encryption Algorithm Encrypted Data System A Data Decryption Algorithm Key Encrypted Data System B Shared key cryptography alone does not provide protection against tampering. An intruder can still intercept encrypted data and alter it before sending it to the correct destination. For this reason, ESP also authenticates the encrypted data.
Figure 2 Shared key hash function Integrity OK Yes Data Does derived HMAC’= received HMAC? HMAC’ Key Hash Algorithm Hash Algorithm No Integrity Bad (Reject) Key Data Authentication Value (HMAC) System A Data Authentication Value (HMAC) System B ESP processing On the sender (System A), the ESP module processes the outbound packet as follows: 1. The ESP module encrypts the IP payload using the encryption key (KeyE. 2.
Figure 3 ESP processing Data Data keyE Decryption Algorithm Integrity OK Yes, decrypt Encryption Algorithm keyE Does derived HMAC’= received HMAC? HMAC’ Encrypted Data keyA Hash Algorithm Hash Algorithm No keyA Authentication Value (HMAC) Encrypted Data Encrypted Data System A Integrity Bad (Reject) Authentication Value (HMAC) System B Transport and tunnel modes ESP can be used in transport mode or tunnel mode.
Figure 5 ESP tunnel mode New IP Header ESP Header IP Header Payload ESP Trailer ESP Authentication ESP Tunnel Mode encrypted authenticated IPv6 ESP transport mode In IPv6 ESP transport mode (shown in Figure 6), IPsec inserts the ESP header after the following headers and extensions: • the basic IPv6 header • hop-by-hop options • any destination options needed to interpret the ESP header • routing extensions • fragment extensions The items listed below follow the ESP header and are encrypte
Table 2 HP-UX IPSec encryption algorithms Name Description AES Advanced Encryption Standard (AES) Cipher Block Chaining (CBC) mode encryption using a 128-bit key, 192-bit key, and 256-bit key. 3DES Triple-DES CBC, three CBC encryption iterations, each with a different 56-bit key. Table 3 HP-UX IPSec authentication algorithms Name Description SHA2 Secure Hash Algorithm-2, 256-bit key, 384-bit key, and 512-bit key.
The HP-UX IPSec IKE daemon can send and receive IKEv1 and IKEv2 packets on the same UDP port. However, IKEv1 cannot interoperate with IKEv2 (IKEv1 packets cannot be used for IKEv2 negotiations and vice-versa). When you configure HP-UX IPSec, you specify the IKE protocol version to use when initiating IKE negotiations with a given destination.
The IKEv1 protocol specification requires Main Mode support; Aggressive Mode support is optional. Aggressive Mode is required when IKE is used with autoconfiguration clients because these clients do not have fixed IP addresses. Aggressive Mode enables IKE to select IKE parameters without using the remote address in the IP packet header. TIP: Most IPsec IKEv1 implementations, including HP-UX IPSec, use Main Mode by default.
IKE primary authentication Diffie-Hellman is vulnerable to third-party attacks, in which a third party intercepts messages between two attacked parties, A and B. A and B assume they are exchanging messages with each other, but are exchanging messages with the third party. The attacker assumes the identity of A to exchange messages with B, and assumes the identity of B to exchange messages with A.
Summary This section contains a list of the key IPsec protocol terms and concepts. • ESP The ESP protocol encrypts and authenticates IP data using shared cryptography keys. • AH The AH protocol authenticates IP data and the static fields of the IP header using shared cryptography keys. • Transport Mode and Tunnel Mode ESP and AH can be used in transport mode or tunnel mode. In transport mode, the ESP or AH header is inserted after the IP header.
HP-UX IPSec topologies You can use IPsec between hosts (end nodes), between gateways, and between a host and a gateway in an IP network. You can install HP-UX IPSec only on end nodes. An HP-UX IPSec system can have the following roles: • A host in a host-to-host IPsec topology • A host in a host-to-gateway IPsec topology • A host in a host-to-host IPsec tunnel topology, frequently referred to as an end-to-end tunnel. End-to-end tunnels are commonly used in iSCSI topologies.
In Figure 10, the supplier and manufacturer have separate intranets that are connected to the public Internet using Internet Service Providers (ISPs). System A on the supplier’s intranet and System B on the manufacture’s subnet communicate with a host-to-host IPsec topology. For added security, you can configure filtering on the manufacturer’s firewall so that it checks the traffic to and from system A and allows only IPsec packets between system A and B to pass.
connection to backend servers within the internal network and forward client requests to the backend servers. In these scenarios, HP-UX IPSec can secure the host-to-host data path between the gateway application server in the DMZ (B in Figure 12) and the backend server (C in Figure 12). You must configure filtering on the gateway application server (B) to limit access to the backend servers.
2 Installing HP-UX IPSec This chapter describes installation prerequisites and procedures for installing HP-UX IPSec software.
uname -a 2. Verify that you have the required OpenSSL version installed on your system, as listed in “Software requirements” (page 45). Enter the following command: # what /usr/bin/openssl 3. Check the latest HP-UX IPSec documentation set for release notes that might contain updated or additional software dependencies.. To determine the patches installed on the system, enter the following command: swlist -i 4.
Step 3: Establishing the HP-UX IPSec password You must set the HP-UX IPSec password after installing the product. HP-UX IPSec uses the password to encrypt configuration information. Use the following command to establish the HP-UX IPSec password: ipsec_admin -newpasswd The ipsec_admin utility prompts you to establish the HP-UX IPSec password: IPSEC_ADMIN: Establishing IPsec password, enter IPsec password: Enter a password. The password must be at least 15 characters long and cannot contain spaces.
3 Quick configuration procedure and tips This chapter contains a procedure for quickly configuring HP-UX IPSec for a simple host-to-host topology using IKE with preshared keys. In this procedure, you modify the batch file template /var/adm/ipsec/templates/host-to-host. This chapter also includes configuration tips.
• manual-keys • mipv6 For a simple host-to-host topology, edit the batch file template /var/adm/ipsec/templates/ host-to-host as follows: • Uncomment the appropriate configuration statements. At a minimum, you must uncomment and configure the following items: ◦ Host IPsec policies. At a minimum, you must configure one host IPsec policy.
###################################################################### # # To use this file: # 1. Uncomment the appropriate configuration statements. # For host-to-host IPsec, you must: # a. Configure at least one host IPsec policy. See SECTION 1 below. # b. Configure an authentication record with the preshared key. # See SECTION 2 below. # c. Change the IKEv1 or IKEv2 default policy if needed. # See SECTION 3 below.
# -action ESP_AES128_HMAC_SHA1 # ############################################################################ # Case 3 - Host policy to secure all UDP packets between two hosts ############################################################################ # #add host \ # -source /32 -destination /32 \ # -protocol UDP -action ESP_AES128_HMAC_SHA1 # ############################################################################ # Case 4 - Host policy to secure a
#add ikev1 default -group 2 -hash MD5 -encryption 3DES -life 28800 # # IKEv2 : # The pre-loaded default IKEv2 policy has the following parameters: # -Diffie-Hellman Group: 2 # -IKEv2 authentication: HMAC-SHA1 # -IKEv2 encryption: 3DES # -Pseudo Random Function: HMAC-SHA1 # -IKEv2 SA lifetime: 28800 seconds # # If you use IKEv2 as the Key Exchange Protocol and these parameter values # do not meet your requirements, # uncomment the following policy to change the default IKEv2 policy: # #add ikev2 default -gro
If there are no syntax errors in the batch file, ipsec_config returns without displaying any other messages. Step 4: Committing the batch file configuration and verifying operation Use the following procedure to verify the operation of your HP-UX IPSec configuration. 1. Commit the batch file operations to the configuration database with the following command: ipsec_config batch batch_file_name 2. Verify the contents of the configuration database with the following command: ipsec_config show all 3.
addtime (seconds): 24091 usetime (seconds): 0 ------------- IPsec SA ---------------Sequence number: 2 SPI (hex): 100782 State: MATURE SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication Src IP Addr: 10.2.2.2 Dst IP Addr: 10.1.1.
ipsec_config add startup Syntax Use the following ipsec_config add startup syntax to configure HP-UX IPSec to start automatically at system startup time: ipsec_config add startup -autoboot ON See the ipsec_config_add(1M) manpage for complete syntax information. Step 6: Creating backup copies of configuration files Create backup copies of the following files: • The configuration database file, /var/adm/ipsec/config.db. • Your batch file.
ipsec_config add rlogin_from_10.20.20.20 \ -source 10.10.10.10/32/RLOGIN -destination 10.20.20.20 \ -action ESP_AES128_HMAC_SHA1 • Multihomed Systems If a remote system is multihomed (has more than one IP address), you must configure an IKE policy and an authentication record for each IP address.
4 Configuring HP-UX IPSec This chapter describes how to configure HP-UX IPSec, including preshared key configuration. If you are using RSA signature authentication for IKE, you must also see Chapter 5: “Using Certificates with HP-UX IPSec ” (page 100) for instructions on configuring certificates. This chapter also describes how to maximize HP-UX IPSec security and how to use the HP-UX IPSec configuration utility, ipsec_config.
Strong end system model To maximize security when using open policies or the bypass list, HP recommends that you enable the strong end system (ES) model, which is described in RFC 1122. When the strong ES model is enabled, a system cannot act as an IP router. A system with the strong ES model enabled silently drops incoming IP packets with destination IP addresses that do not match the interface address.
Batch File Processing The ipsec_config utility processes the operations in a batch file as a group. If one operation is invalid, all operations in the batch file fail. The ipsec_config utility first verifies each operation in the batch file for syntax errors and collisions (object names and priority values) with existing entries in the configuration database. If all operations in the batch file are valid, the HP-UX IPSec infrastructure updates the configuration database with all operations at the same time.
file, which is shipped with HP-UX IPSec. In most topologies, you can use the default values supplied in the /var/adm/ipsec/.ipsec_profile file. HP-UX IPSec also has internal default values that are the same as the values in the /var/adm/ ipsec/.ipsec_profile file shipped with the product. If the /var/adm/ipsec/ .ipsec_profile file does not exist and the user does not specify an alternate profile file, HP-UX IPSec uses its internal default values.
delete an IKE policy, any existing IKE SAs remain established, but no new IKE SAs can be established for the policy. nocommit argument The nocommit argument validates entries but does not update the configuration and runtime cache. The nocommit argument is illegal inside batch files (you cannot specify the nocommit argument as part of a statement inside a batch file).
The bypass list improves transmission rates for addresses in the bypass list and is useful in topologies where most of the network traffic passes in clear text and only specific traffic must be secured by IPsec. • Start-up options The start-up options allow you to configure HP-UX IPSec to start automatically at system boot-up time and to specify general operating parameters. HP-UX IPSec also supports gateway IPsec policies when used with HP-UX Mobile IPv6.
Step 1: Configuring host IPsec policies Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. Each host IPsec policy includes address specifications used to select the host IPsec policy for a packet, and the action for packets using the policy: pass the packets in clear text, discard the packets, or apply an IPsec transform (AH or ESP) to the packets.
[-protocol protocol_id] [-priority priority_number] [-action PASS|DISCARD|transform_list] [-flags flags] HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
ip_addr The ip_addr is the source or destination IP address. You can specify a single IP address, or an address range with two addresses separated by a dash and no spaces (ip_addr-ip_addr). The second address in a range must be higher number than the first. For example, 10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2, 10.1.1.3. Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation.
Table 4 ipsec_config Service names (continued) Service Name Port Protocol HTTP-TCP 80 TCP HTTP-UDP 80 UDP NTP 123 UDP REXEC 512 TCP RLOGIN 513 TCP RWHO 513 UDP REMSH 514 TCP REMPRINT 515 TCP SMTP 25 TCP TELNET 23 TCP TFTP 69 UDP -protocol protocol_id The protocol_id is the value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPsec policy for a packet. You cannot specify protocol and a service_name in the same policy.
ICMPv6 messages If protocol_id is ICMPV6 or ALL, the policy applies to only the following ICMPv6 message types: • Echo Request • Echo Reply • Mobile Prefix Solicitation • Mobile Prefix Advertisement To ensure proper operation of IPv6 networks, the default HP-UX IPSec behavior allows all other ICMPv6 message types to pass in clear text.
Valid actions are: • PASS Allow packets using this host IPsec policy to pass in clear text with no alteration. The default host IPsec policy shipped with the product specifies -action PASS. • DISCARD Discard packets using this host IPsec policy. • transform_list A list of IPsec AH (Authentication Header) or ESP (Encapsulation Security Payload) transforms. See “transform_list .” Default: The value of the action parameter in the HostPolicy-Defaults section of the profile file used.
Table 5 ipsec_config transforms (continued) Transform Name Description ESP_AES128_HMAC_SHA1 ESP with 128-bit Advanced Encryption Standard (AES128) CBC, authenticated with HMAC-SHA1. ESP_3DES_HMAC_MD5 ESP with triple-DES CBC, three encryption iterations, each with a different 56-bit key (3DES), authenticated with HMAC-MD5. ESP_3DES_HMAC_SHA1 ESP with triple-DES CBC, three encryption iterations, each with a different 56-bit key (3DES), authenticated with HMAC-SHA1.
Table 5 ipsec_config transforms (continued) Transform Name Description ESP_3DES_HMAC_SHA2_512 ESP with triple-DES CBC, three encryption iterations, each with a different 56-bit key (3DES), authenticated 512-bit HMAC using Secure Hash Algorithm-2, HMAC-SHA2 ESP_NULL_HMAC_SHA2_256 ESP with null encryption and authenticated 256-bit HMAC using Secure Hash Algorithm-2, HMAC-SHA2 ESP_NULL_HMAC_SHA2_384 ESP with null encryption and authenticated 384-bit HMAC using Secure Hash Algorithm-2, HMAC-SHA2 ESP_NUL
Table 6 Host Policy Flags (continued) Flag Description The FALLBACK_TO_CLEAR flag is not valid if the action is PASS or DISCARD, or if the policy specifies a tunnel. WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets from non-secure nodes to communicate with the local system. MIPV6 Specifies that this IPsec policy is used for Mobile IPv6 packets. HP-UX IPSec checks the Mobile IPv6 binding cache for routing information.
The priority is 30 to ensure that HP-UX IPSec selects this policy instead of the policies for telnet and the TCP port 50000 application when the local system is communicating with 10.2.2.2. add host to_orange -source 10.1.1.1 \ -destination 10.2.2.2 -pri 30 -tunnel my_host_host_tunnel \ -action PASS The user should be able to configure the newly introduced ESP transforms using –action option of ipsec_config add host” command. Examples 1.
If the system is an HP-UX Mobile IPv6 Home Agent, it can also act as a gateway, but only when forwarding packets between a Mobile IPv6 client and its Correspondent Node. See “Using Manual Keys” (page 190) if you are configuring HP-UX IPSec for Mobile IPv6. Tunnel IPsec policies are referenced in host or gateway IPsec policies. HP-UX IPSec first selects a host or gateway IPsec policy to use for a packet.
(::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address must be a unicast address. Default: If you do not specify a tsource or tdestination option, the field will be null and HP-UX IPSec will use the end source or end destination address of the packet as the tunnel endpoint when creating the tunnel. You must specify the tsource and tdestination options if you are using manual keying.
Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement. To ensure proper operation of IPv6 networks, HP-UX IPSec always allows all ICMPv6 messages not listed above to pass in clear text Valid Values: Integer value 0 (any protocol) - 255, or one of the following protocol names: TCP UDP ICMP ICMPV6 IGMP MH (Mobile IPv6 Mobility Headers) ALL (any protocol) The protocols ICMP and IGMP are valid with IPv4 addresses only.
The transform_list in a tunnel policy are tunnel transports applied to packets encapsulated between the tunnel endpoints. If you are using dynamic keys, the transform list can contain: • A list that contains up to 2 AH transforms. • A list that contains up to 25 ESP transforms. Use a comma to separate multiple transform specifications. The order of transforms in the transform list is significant. The first transform is the most preferable and the last transform is the least preferable.
Step 3: Configuring authentication records and preshared keys This section describes how to configure IKE authentication records and preshared keys. You must configure authentication records if you are using certificates or preshared keys for IKE authentication. You do not need to configure or modify authentication records if you are using manual keys or are using HP-UX IPSec only to discard packets. The main components of an authentication record are: • Remote IP address. This can be a subnet address.
ipsec_config add auth Syntax You can use the following ipsec_config add auth syntax in most installations: ipsec_config add auth auth_name -remote ip_addr[/prefix] [-kmp ike_version] [-exchange|x AM|MM] [-ltype local_id_type -lid local_id] [ -rtype remote_id_type -rid remote_id] [-local_method method] [-remote_method method] [-preshared preshared_key] [-priority priority] HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address. Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). Subnet Addresses You can use a subnet address in an authentication record with a specific remote ID or with a subtree or address range remote ID.
-ltype local_id_type and -lid local_id The local_id_type and local_id are the local ID type and value the local system sends to the remote system when negotiating an IKE SA. These values must match what is configured on the remote system.
Table 7 Local and Remote ID Types and Values (continued) ID Type ID Value If there are spaces in the DN, you must enclose the DN in double quotes (““ ). For example, “CN=host1,C=US,O=My Company,OU=Blue Lab”. The values are defined as follows: commonName: The commonName of the DN in printable string format. This field cannot contain commas and must be 64 bytes or less. country: The two-character ISO 3166-1 code for the country listed in the DN, for example US for United States of America.
Default: The configured value for -local_method. If the -local_method argument is not specified, and the -preshared argument is present, the default is PSK. If both the -local_method and the -preshared argument are not specified, the default is the value for the remote-method parameter in the AUTHPolicy-Defaults section of the profile file used. The default remote-method parameter value is RSASIG (RSA signatures using certificates) in /var/ adm/ipsec/.ipsec_profile.
Table 8 Authentication Record Flags (continued) Flag Column Head To use HP-UX IPSec with autoconfiguration clients, the configuration must meet the following requirements: • The local system cannot be the initiator in IKE SA negotiations with autoconfiguration clients. • If the IKE version is IKEv1 (the kmp argument is IKEV1, the default value), the exchange mode (the exchange argument) must be Aggressive Mode (AM). • The remote ID type (rtype argument) cannot be IPV4 or IPV6.
User FQDN Specify only the FQDN (do not specify a user name) preceded by an at sign (@) to match any user at that FQDN, or specify the FQDN preceded by a dot (.) to match any user in the subtree domain. For example: -rid @foo.example.com This matches the following user FQDNs: root@foo.example.com user1@foo.example.com The user FQDN value .foo.example.com matches the following user FQDNs: root@alpha.foo.example.com root@alpha.beta.foo.example.com It does not match the following user FQDNs: root@foo.example.
Multihomed Example The following batch file entries IKEv1 configure authentication records with preshared key authentication for a remote multihomed HP-UX IPSec system that has addresses 10.8.8.8 and 11.8.8.8: add auth hostX_10net -remote 10.8.8.8\ -preshared my_hostA_hostX_key add auth hostX_11net -remote 11.8.8.8 \ -preshared my_hostA_hostX_key Authentication Record Examples with RSA Signatures This section contains authentication record examples for RSA signature (certificate) authentication.
Step 4: Configuring IKEv1 and IKEv2 Policies The IKEv1 and IKEv1 policies specify parameters for negotiating IKEv1 and IKEv2 SAs. An IKE SA is required to negotiate an IPsec SA pair with dynamic keys. You do not need to configure or modify IKE policies if you are using manual keys or are using HP-UX IPSec only to discard packets. default IKE Policies The configuration database contains a preloaded default IKEv1 policy and a preloaded default IKEv2 policy.
If you omit the priority argument, ipsec_config assigns a priority value that is set to the current highest priority value (lowest priority) for the appropriate IKE policies (IKEv2 or IKEv2) in the configuration database, incremented by the automatic priority increment value for the appropriate IKE policies. The result is that the new policy will be the last IKEv1 or IKEv2 policy evaluated before the default policy.
NOTE: This argument is not valid for the default IKEv1 policy. The default IKEv1 policy matches all remote addresses. Where: ip_addr The ip_addr is the remote IP address. Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address must be a unicast address.
SHA2-256 SHA2-384 SHA2-512 Default: The value of the hash parameter in the IKEV1Policy-Defaults section of the profile file used. The default hash parameter value is MD5 in /var/adm/ipsec/.ipsec_profile. -encryption encryption_algorithm The encryption_algorithm is the encryption algorithm for encrypting IKE messages. You can specify multiple encryption_algorithm values, delimited by commas and no spaces, and specified in descending order of preference.
ipsec_config add ikev1 Command Examples The following batch file entries configure two IKEv1 policies. The first policy (apple) is for a remote system (10.1.1.1) that uses 3DES for IKE encryption. The second policy (all_others) is for all other systems in the local network (10.*.*.*), which use AES128-CBC for IKE encryption. The priority argument is omitted, and the automatic priority increment assigns the second policy (all_others) a lower priority (higher priority value) than the first policy (apple).
[-hash hash_algorithm] [-encryption encryption_algorithm] [-prf pseudo-random_function] [-life lifetime_seconds] [-pfs ON|OFF] [-priority priority_number] The complete ipsec_config add ikev2 syntax specification also allows you to specify the following arguments: • nocommit (verify the syntax but do not commit the information to the database) • profile (alternate profile file) See the ipsec_config_add(1M) manpage for complete syntax information.
descending order of preference. At least one group number must match a Diffie-Hellman group number configured on the remote system. HP recommends that you do not use group 1 unless you are required to for compatibility reasons. For efficiency when negotiating IKE SAs, HP recommends that you specify the group that is most commonly used in your network first, other than group 1.
Valid Values: HMAC-SHA1 (96-bit HMAC value using Secure Hash Algorithm-1, HMAC-SHA1) AES-XCBC (128-bit value using Advanced Encryption Standard Extended Cipher Block Chaining mode Message Authentication Code, AES128-XCBC) HMAC-SHA2-256 (256-bit HMAC value using Secure Hash Algorithm-2) HMAC-SHA2-384 (384-bit HMAC value using Secure Hash Algorithm-2) HMAC-SHA2-512 (512-bit HMAC value using Secure Hash Algorithm-2) Default: The value of the prf parameter in the IKEV2Policy-Defaults section of the profile file
algorithms by using –hash option and Encryption algorithms by using -encryption option of ipsec_config add ikev2 command. nl Examples 1. Adding an IKEv2 policy with Authentication algorithm as HMAC-SHA2-256 and Encryption algorithm as AES256-CBC with DH group 24. nl # ipsec_config add ikev2 policy_name –remote 192.6.1.1/32 \ -group 24 –hash HMAC-SHA2-256 –encryption AES256-CBC –pfs OFF 2. Adding an IKEv2 policy with Authentication algorithm as HMAC-SHA2-256 and Encryption algorithm as 3DES with pfs ON.
addresses for that physical interface, you must enter all the IP addresses for the physical interface in the bypass list. Example You have a critical application and must encrypt and authenticate its network packets. All other IP traffic in the network can pass in clear text. You configure additional logical interfaces (lan0:1) for the critical application (16.1.1.1 and 16.2.2.2), and configure the critical application to use only the specific logical interfaces.
An entry in the bypass interface list affects only the logical interface for the IP address, not all logical interfaces for the physical interface (network card). Default: None. Bypass Configuration Example The system has two physical interfaces, both connected to secure, internal networks. You want to use HP-UX IPSec to encrypt traffic on one interface, but disable HP-UX IPSec on the second interface, 12.1.1.1. The following batch file entry configures an entry in the bypass list for address 12.1.1.1.
----------------- IPSec Status Report ----------------Time: Thu Dec 24 15:21:37 1998 secauditd program: Running and responding secpolicyd program: Running and responding ikmpd program: Running and responding IPSec kernel: Up IPSec Audit level: Error IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.
------------------------ IKEv1 SA -----------------------Index: d0f1ae5476072ef9:80036a37b499c21d Local IP Addr: 10.1.1.1 Remote IP Addr: 10.2.2.2 Role: Initiator State: ESTABLISHED Auth Record: myAuth ENCR: 3DES AUTH: MD5 DH Group: 2 PFS: off For more information on the ipsec_report command, see the ipsec_report(1M) manpage. 6. Verify IPsec policies with Pass or Discard transforms.
• auditlvl (audit level) • auditdir (audit directory) • maxsize (maximum audit file size) • spi_min (lower bound for inbound, dynamic Security Parameters Index) • spi_max (upper bound for inbound, dynamic key Security Parameters Index) • spd_soft (the “soft” limit for the size of the Security Policy Database) • spd_hard (the “hard” limit for the size of the Security Policy Database) • icmp_error_process (enable or disable RFC 4301 secure processing for ICMP and ICMPv6 error messages) see the
5 Using Certificates with HP-UX IPSec This chapter describes how to use security certificates with HP-UX IPSec.
accomplished by including the certificate’s serial number on a Certificate Revocation List (CRL) updated and published on a regular basis by the CA and made available to certificate users. Digital Signatures With digital signatures, the sender uses its private key to create a digital signature value, and sends the digital signature with the data. The recipient uses the sender’s public key and the data to verify the digital signature. There are different methods to generate and verify the digital signature.
The ipsec_config utility can load a certificate from a local file. The ipsec_config utility can also retrieve the certificate from an LDAP directory. ◦ Certificate Revocation Lists: The CA must provide X.509 Version 1 or X.509 Version 2 Certificate Revocation Lists (CRLs).
Step 1: (Optional) Getting a Certificate for the Local System There are two methods you can use to obtain a certificate for the local system: • Use the ipsec_config add csr command to create a Certificate Signing Request (CSR) for the local system. The ipsec_config utility generates a public/private key pair and unsigned certificate for the local system. To use this method, the CA must accept CSRs in PKCS#10 format.
O=organization OU=organizationalUnit The attributes are all optional, but you must specify at least one. Separate multiple attributes using commas. The order of the attributes is ignored and the DN is not case sensitive. If there are spaces in the DN, you must enclose the DN in double quotes (““ ). For example, “CN=host1,C=US,O=My Company,OU=Blue Lab”. The values are defined as follows: commonName : The commonName of the DN in printable string format.
-alt-user-fqdn user_fqdn1 This specifies the User-FQDN you want in the subjectAlternativeName field of the certificate, such as johnson@myhost.acme.com. You can specify up to 20 User-FQDNs by repeating the -alt-user-fqdn user_fqdn argument accordingly. For example, the following specifies two User-FQNDs: -alt-user-fqdn johnson@myhost.acme.com nichols@home.acme.com. nl -key-length The key length for the public/private keys, in bits. Verify that the value you specify is allowed by your CA.
There are two syntax formats for the ipsec_config add mycert command: • ipsec_config add mycert -file The ipsec_config add mycert -file syntax extracts the system certificate from a file. The file can be in PEM, DER, or PKCS#12 format. You must use this method if you did not generate a CSR using HP-UX IPSec; the file must be in PKCS#12 format and include the certificate and private key for the certificate. See “ipsec_config add mycert -file Syntax” (page 106).
-base search_base Search base for the certificate, in X.500 Distinguished Name (DN) format, such as C=US,O=HP,OU=Lab. The search base with the search filter appended to it form a search path to the location of the userCertificate attribute in the LDAP directory. If there are spaces in the DN, you must enclose the DN in double quotes (““ ). For example, “C=US,O=My Company,OU=Blue Lab”. Default: None. -filter search_filter An RFC 2254-compliant LDAP search filter.
Multiple Level CAs If you are using multiple-level CAs, you must use the ipsec_config add cacert command to add a certificate for each CA in the authentication chain to the peer as described in “Multiple Level CA Requirements” (page 102). Each CA certificate must be contained in a separate file or directory object; HP-UX cannot store multiple certificates enclosed in a single file or directory object.
-filter search_filter An RFC 2254-compliant LDAP search filter. If it includes spaces or shell special characters, enclose the value in double quotes. For example, -filter "objectClass=*". Default: "objectClass=*" (match all values for objectClass). -user user -password password User and password needed to access the LDAP directory. If the user name includes spaces, enclose the name in double quotes. Default: None.
ipsec_config add crl -file Syntax The add crl functionality is not supported in ipsec_config batch files. Use the following ipsec_config add crl syntax to add a CRL from a local file to the HP-UX IPSec storage scheme : ipsec_config add crl -file crl_filename -file crl_filename Name of the local file containing the CRL. Default: None. Example The following command adds /tmp/crl.der , the CRL file in DER format received from the CA, to the /var/adm/ipsec/certstore directory.
Examples The following example retrieves a CRL certificate from a directory server with a simple tree structure. The CRL is stored as an attribute of the certificationAuthority object. ipsec_config add cacert -ldap myDirsrv \ -base “C=FR,O=Grande Bleu” -filter “CN=My CA” The following example retrieves three CRLs for a multiple-level CA structure. The directory server has a complex tree structure that also requires password authorization. ipsec_config add crl -ldap myADS.hp.
1. Create a CSR. In this example, the peer is an HP-UX system. By default, HP-UX IPSec uses the IP address in the certificate Subject DistinguishedName field for IKE IDs, so the administrator creates a CSR for the local system with the local IP address in the certificate: ipsec_config add csr -subject c=US,o=HP,cn=hostA \ -alt-ipv4 15.1.1.1 HP-UX IPSec creates a CSR in PKCS#10 format, PEM encoded, and stores it in /var/adm/ ipsec/ipsec.csr.
Not Before: Feb 13 05:34:10 2009 GMT Not After : Feb 13 05:34:10 2010 GMT Subject: C=US, O=HP, OU=LAB, CN=foo1 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:cc:98:d6:7d:83:13:91:d9:23:ca:14:3f:65:61: 4b:70:b7:13:45:d1:af:5c:71:83:44:9d:8a:4e:4a: 45:5a:da:10:57:3c:a3:25:3e:64:c0:8f:e7:4d:34: c0:2b:00:64:39:d5:78:b9:6d:28:19:2b:ac:f9:14: 0f:ef:04:f9:46:76:8e:ce:03:98:3d:72:4d:c1:a9: a5:47:f0:47:c1:4e:a4:ec:04:24:a4:d1:1e:3d:3d: 47:d5:6e:66:8a:a1
# ipsec_config show cacert In directory /var/adm/ipsec/certstore : CA cert : 5b0152d9.0 - subject : /C=US/O=HP/OU=LAB/CN=myPKI CRL : 5b0152d9.r0 - issuer : issuer=/C=US/O=HP/OU=LAB/CN=myPKI lastUpdate=Mar 4 19:33:08 2009 GMT nextUpdate=Apr 4 07:53:08 2009 GMT You can use OpenSSL utilities to display more information about the certificate and CRL files. For example, you can use the following command to display the information about the root CA certificate: openssl x509 -in rootcert.
6 Administering HP-UX IPSec This chapter describes common HP-UX IPSec maintenance procedures.
The complete ipsec_config add startup syntax specification also allows you to specify the following arguments: • nocommit (verify the syntax but do not commit the information to the database) • profile (alternate profile file) • auditlvl (audit level) • auditdir (audit directory) • maxsize (maximum audit file size) • spi_min (lower bound for inbound, dynamic Security Parameters Index) • spi_max (upper bound for inbound, dynamic key Security Parameters Index) • spd_soft (the “soft” limit for t
Exporting the Configuration Database to a Batch File The ipsec_config export command exports the contents of the configuration database to a batch file that you can use as input for the ipsec_config batch command. You can then use the batch file to re-create the configuration database if the database is corrupt or lost (see “Re-Creating the Configuration Database” (page 117)), or use the batch file as a base for creating a similar configuration on another system.
that the local system will no longer accept data for the deleted SAs. Most IKE implementations will delete the corresponding IPsec SAs to the remote system from the local system. • The IKE daemon deletes all IKE and IPsec SA entries in the SA database associated with the remote address. ipsec_admin -deletesa Syntax The syntax for the ipsec_admin -deletesa command is as follows: ipsec_admin -deletesa ip_addr Parameters ip_addr 118 The IP address of the remote system.
7 Troubleshooting HP-UX IPSec This chapter describes procedures for troubleshooting HP-UX IPSec software. It contains the following sections: • “Troubleshooting Utilities Overview” (page 119) • “Troubleshooting Procedures” (page 122) • “Reporting Problems” (page 127) • “Troubleshooting Scenarios” (page 128).
• “Getting Interface Information” (page 121) • “Getting Certificate Information” (page 121) • “Viewing and Configuring Audit Information” (page 121) • “Enabling and Disabling Tracing” (page 121) Getting General Information Table 9 Getting General Information Task Command Get status of HP-UX IPSec components.
Getting Interface Information Table 12 Getting Interface Information Task Command Show active IP (configured, UP or DOWN ) interfaces, and whether or not HP-UX IPSec is enabled for each interface. ipsec_report -ip Show bypass list entries. ipsec_report -bypass Getting Certificate Information Table 13 Getting Certificate Information Task Command Show the contents of the certificate for the local system.
Troubleshooting Procedures This section describes the following troubleshooting procedures: • “Checking Status” (page 122) • “Isolating HP-UX IPSec Problems from Upper-layer Problems” (page 123) • “Checking Policy Configuration” (page 124) • “Isolating HP-UX IPSec Problems from Upper-layer Problems” (page 123) • “Checking Policy Configuration” (page 124) • “Configuring HP-UX IPSec Auditing” (page 124) Checking Status HP-UX IPSec has five main modules: • IKE (ISAKMP/Oakley) daemon (ikmpd ) • P
active traffic by expanding remote IP address specifications and any other wildcard field values. You can also do this by entering the following command: ipsec_report -host [active] • Queries the policy daemon and reports the active gateway IPsec policies. You can also do this by entering the following command: ipsec_report -gateway [active] • Queries the policy daemon and reports the tunnel IPsec policies.
Checking Policy Configuration There are two methods for determining which policy HP-UX IPSec uses for a packet: • Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets. • Generate packets and use the ipsec_report -cache command to examine policy cache and determine which policy HP-UX IPSec used for the packets.
You can change the audit parameters while HP-UX IPSec is active using the ipsec_admin command. To change the audit parameters used every time HP-UX IPSec starts, use the ipsec_config add startup command. You can also specify audit parameters with the ipsec_admin start command.
Configuring Startup Audit Parameters To set the audit parameters used every time HP-UX IPSec starts, modify the startup record in the configuration database by entering a command similar to the following: ipsec_config add startup [-autoboot ON|OFF] [-auditlvl audit_level] [-auditdir audit_directory] [-maxsize max_size] ... audit _level can be alert, error, warning , informative , or debug. A selected audit level includes all the lower audit levels.
system. If you have firewalls or other packet filter utilities, verify that these utilities allow IPsec packets to pass. The utilities must allow the following types of traffic to pass: ◦ UDP port 500 (IKE negotiations) ◦ IP protocol number 50 (ESP protocol) ◦ IP protocol number 51 (AH protocol) • Use the ipsec_report -cache command to determine what action HP-UX IPSec is selecting for a packet five-tuple.
• Output from the ipsec_policy command. Specify as many parameters as you can (source IP address, source port, destination IP address, destination port, protocol). • If the problem may be caused by the transport or application layer, enable layer four tracing (ipsec_admin -traceon ), recreate the problem, and then disable tracing (ipsec_admin -traceoff ). Trace output will be sent to /var/admin/ipsec/nettl.TRC0 and /var/ admin/ipsec/nettl.
• “Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded ) ” (page 137) • “ ipsec_report –sa display of the phase2 associations will not reflect the key length of AES transform combination” (page 138) HP-UX IPSec Incorrectly Passes Packets Problem IPsec is incorrectly allowing packets to pass in clear text instead of authenticating, encrypting, or discarding the packets.
ping, linkloop (check connectivity) ipsec_policy or ipsec_report -cache and ipsec_report -host (determine the policy being used) Check the configuration file. If HP-UX IPSec is misconfigured to encrypt and/or authenticate packets that it should not and the peer system is not configured to use HP-UX IPSec encryption/authentication, you will consistently get connection errors (unable to connect or connection timed out). Check connectivity to the remote system using /etc/ping and the linkloop utilities.
Determining if the IKEv2 SA Negotiation Succeeded If you are using IKEv2, the IKE daemon deletes the IKE SA if negotiations for the first pair of IPsec (child) SAs fails. If this occurs, output from the ipsec_report -sa ike does not show an IKEv2 SA even though the IKEv2 SA negotiation succeeded.
Check that the responder is receiving the IKE messages from the initiator. If the audit level is set to informative on the responder, the audit file will contain a message similar to the following if it is receiving the initial IKE negotiation message: Msg: 125 From: IKMPD Lvl: INFORMATIVE Date: Mon Mar 2 22:33:27 2009 Event: respond new phase 1 negotiation: 10.1.1.1/500<=>105.2.2.
These symptoms are also present if the first IPsec SA negotiation fails for a given IKEv2 SA. See “Determining if the IKEv2 SA Negotiation Succeeded” (page 131) for information on determining if the IKEv2 SA was established. Solution • Use the ipsec_report -audit command to view the audit file entries. If the IKEv2 SA negotiation fails, the message retransmission count exceeded the limit can indicate either: ◦ A connectivity problem with the remote system. ◦ A mismatch in IKE configuration.
Symptoms If you are using IKEv1, output from the ipsec_report -sa command shows an IKEv1 SA but does not show IPsec SAs. If you are using IKEv2, output from the ipsec_report -sa command might not show an IKEv2 SA. See “Determining if the IKEv2 SA Negotiation Succeeded” (page 131) for information on determining if the IKEv2 SA was established. Solution Determine the host or tunnel policy used on each system for the traffic.
The audit file on the initiator shows the following entries: Msg: 647 From: IKMPD Lvl: INFORMATIVE Date: Tue Mar 17 13:09:42 2009 Event: received notify type NO_PROPOSAL_CHOSEN Msg: 648 From: IKMPD Lvl: ERROR Date: Tue Mar 17 13:09:42 2009 Event: local 10.1.1.1/500 - remote 10.2.2.2/500:message lacks IDr payload IKE Primary Authentication Fails with Certificates Problem Certificate-based (RSA signature) primary authentication fails.
openssl x509 -in rootcert.pem -text HP-UX Will Not Start (ipsec_admin -start Fails) Problem HP-UX IPSec will not start. Symptoms The ipsec_admin -start command fails. The ipsec_admin utility returns one of the following messages: IPSEC_ADMIN: Failed to read IPsec admin file, error: %nn. Did you set the password with -np? IPSEC_ADMIN: Failed to open IPsec admin file, error: %nn. Did you set the password with -np? IPSEC_ADMIN: ERROR-read_admin_info(): Failed to verify ipsec password.
Msg: 413 From: SECPOLICYD Lvl: ERROR Date: Sun May 09 10:21:32 2004 Event: /var/adm/ipsec/config.db file is corrupt. Solution Re-create or restore the configuration database file (/var/adm/ipsec/config.db ) as described in “Re-Creating the Configuration Database” (page 117). Autoboot is Not Working Properly Problem Autoboot fails. Symptoms HP-UX IPSec does not start automatically at system boot-up time. Solution Use the following procedure: 1.
Msg: 55 From: SECPOLICYD Lvl: ALERT Date: Tue Apr 20 12:14:42 2004 Event: Kernel Policy Cache Threshold exceeded nnnn records. where nnnn is the hard limit. Solution Use the following ipsec_config commands to set and configure new SPD soft and hard limits: ipsec_config add startup -spd_soft spd_soft_limit ipsec_config add startup -spd_hard spd_hard_limit The spd_soft_limit and spd_hard_limit are specified in units of 1000 entries. Refer to the ipsec_config(1M) manpage for more information.
Src IP Addr: 192.168.2.1 Dst IP Addr: 192.168.2.
A Product Specifications This appendix lists the HP-UX IPSec product specifications. This chapter contains the following sections: • “Product Files and Directories” (page 140) • “IPsec RFCs” (page 141) • “Product Restrictions” (page 143) • “HP-UX IPSec Transforms” (page 143) • “HP-UX IPSec Operation” (page 146) Product Files and Directories HP-UX IPSec uses the following files and directories: • /sbin/init.d/ipsec Startup and shutdown script. • /usr/sbin/ikmpd IKE daemon.
• ◦ ipsec.csr Output from the ipsec_config add csr command (the certificate signing request). ◦ /var/adm/ipsec/ipsec_status.sh Script that monitors HP-UX IPSec (used with HP Serviceguard). /var/adm/ipsec/certstore Contains the following certificate and CRL files: ◦ mycert.pem Certificate for the local system. ◦ mykey.pem Private key for the local system certificate. ◦ rootcert.pem Softlink to the certificate file for the root CA. ◦ hash.
Table 16 Supported IPsec RFCs (continued) RFC Number RFC Title RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec RFC 3775 Mobility Support in IPv6 RFC 3776 Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents RFC 4109 Algorithms for Internet Key Exchange version 1 (IKEv1) RFC 4301 Security Architecture for the Internet Protocol RFC 4302 IP Authentication Header RFC 4303 IP Encapsulating Security Payload (ESP) RFC 4306 Internet Key Exchange (IKEv2) RF
Product Restrictions HP-UX IPSec product restrictions are described below: • HP-UX IPSec systems cannot act as IP or IPsec gateways. • HP-UX IPSec systems cannot act as IP or IPsec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients. • The action for the host policy in an end-to-end tunnel topology must be PASS.
Table 17 AH and ESP Algorithms and Key Lengths Algorithm Key Length ESP-3DES 168 (3 x 56) ESP-AES 128,192, and 256 AH-MD5 128 AH-SHA1 160 3DES (Triple-DES) uses three independent 56-bit keys. The data is encrypted three times, using the three keys. AES with HP-UX IPSec supports 128-bit, 192-bit, and 256-bit keys. AES encryption is stronger than that of 3DES. In addition, processing speed is faster with AES.
ESP-NULL-HMAC-SHA1 ESP header and trailer, but nothing is encrypted. ESP generates an ICV using HMAC-SHA1. ESP_AES128_HMAC_SHA2_256 ESP using Advanced Encryption Standard encryption with a 128-bit key (AES128) and HMAC-SHA2-256 to generate an ICV. ESP_AES128_HMAC_SHA2_384 ESP using Advanced Encryption Standard encryption with a 128-bit key (AES128) and HMAC-SHA2-384 to generate an ICV.
ESP_AES256_HMAC_SHA2_512 ESP using Advanced Encryption Standard encryption with a 256-bit key (AES256) and HMAC-SHA2-512 to generate an ICV. ESP_3DES_HMAC_SHA2_256 ESP using 3DES-CBC encryption and HMAC-SHA2-256 to generate an ICV. ESP_3DES_HMAC_SHA2_384 ESP using 3DES-CBC encryption and HMAC-SHA2-384 to generate an ICV. ESP_3DES_HMAC_SHA2_512 ESP using 3DES-CBC encryption and HMAC-SHA2-512 to generate an ICV. ESP_NULL_HMAC_SHA2_256 ESP header and trailer, but nothing is encrypted.
The messages used to negotiate an IKE SA are referred to as a phase I negotiation. • IPsec SAs or Child SAs An IPsec SA is a security association used to exchange IPsec ESP or AH packets. The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode (transport or tunnel), the cryptographic algorithms (such as AES and SHA-1 or AES and SHA-2), the cryptographic keys, the SA lifetime, and the endpoints (IP addresses, protocol and port numbers).
If the IKE authentication method is RSA signatures, the initiator includes a request for the responder's certificate. • Message 4: Responder sends its Diffie-Hellman public value The responder sends its Diffie-Hellman public value. The initiator and responder each generate the same, shared secret value that they use to generate encryption and authentication keys. The keys are used for the IKE SA and for the IPsec SAs. Subsequent IKE messages in the exchange are secure (encrypted).
sends its certificate. Portions of the message are encrypted using a key based on the Diffie-Hellman shared secret. • Message 3: Initiator sends Diffie-Hellman secured message The initiator sends a message with portions encrypted using a key based on the Diffie-Hellman shared secret. IPsec SAs Negotiated Using IKEv1 Quick Mode After an IKEv1 SA is established, the two systems have a secure channel for negotiating IPsec SAs.
Figure 17 IKEv2 SA Negotiations • Message 1: Initiator sends IKE SA proposals and Diffie-Hellman public value In message 1, the node initiating the IKE exchange (the initiator) sends IKE SA proposals, which contain IKE SA parameters, and its Diffie-Hellman public value. • Message 2: Responder sends accepted IKE SA proposal and Diffie-Hellman public value In message 2, the peer node (the responder) sends back its accepted IKE SA proposal and its Diffie-Hellman public value.
Components The main HP-UX IPSec components are as follows: • Routines in the IP streams module These routines query the other product components to determine the action (pass, discard, or secure) for each IP packet if HP-UX IPSec is enabled. • IKE daemon, ikmpd The IKE daemon establishes IKE and IPsec SAs and processes all IKE messages. The IKE daemon also maintains a list of established IKE SAs, indexed by the remote system's IP address. • Configuration database, /var/adm/ipsec/config.
• protocol • source TCP or UDP port number, if present • destination TCP or UDP port number, if present If a match is found, and the action is pass or discard, HP-UX IPSec passes or discards the packet. If the action is secure (use an Authentication Header, AH or use an Encapsulating Security Payload, ESP) and there is a reference to an existing IPsec SA that can be used, HP-UX IPSec transmits the packet using the existing SA.
that the SPI matches the entry for the five-tuple. If so, HP-UX IPSec uses the information in the SA entry to decrypt or authenticate the packet. If no matching SA entry exists, HP-UX IPSec checks if there is an authentication record that applies to the remote system. If there is not, this is an error and possible intrusion attempt. HP-UX IPSec sends an audit message to the audit daemon. HP-UX IPSec discards the packet.
version and searches its list of established IKE SAs to determine if it already has an IKE SA with the remote system. If the kmp parameter value specifies multiple versions (IKEV1,IKEV2 or IKEV2,IKEV1), the IKE daemon searches both versions of IKE SAs in the order specified. If the IKE daemon must establish a new IKE SA, it uses only the first version specified in the kmp value for negotiations.
Responder Receives Message 3 The responder uses the initiator's Diffie-Hellman public value and its Diffie-Hellman private value (from the group specified by the group value in its IKEv1 policy) to calculate a shared secret value. This shared secret value is used as keying material. Responder Sends Message 4 The responder sends message 4 in the MM exchange, which includes its Diffie-Hellman public value. If the remote_method value is RSASIG, the message includes a request for the peer's certificate.
Initiator Receives Message 6 When the initiator receives message 6, it: • Verifies that the ID payload from the responder matches the rtype and rid values in the authentication record. • If the remote_method value in the authentication record is RSASIG, the daemon verifies that the contents of the ID payload matches the appropriate field (subjectName or subjectAlternativeName) in the responder's certificate. • Verifies that the hash type is appropriate for the remote_method value.
• Uses the packet source address to search the IKEv1 policies in priority order for a policy with a matching remote value. • Uses the values in the selected IKEv1 policy to evaluate the IKE SA proposals sent by the initiator as described in “IKE and IPsec SA Proposals” (page 161). • Uses the initiator's Diffie-Hellman public value and its Diffie-Hellman private value (from the group specified by the group value in its IKEv1 policy) to calculate a shared secret value.
Initiator Sends Message 1 The initiator sends message 1 in the QM exchange that includes information from the following configuration parameters: • action from the host policy as the IPsec SA proposal. If the action value contains multiple transforms, IKE sends multiple IPsec SA proposals. • source (address and port number) and protocol parameters from the host policy as the IPsec initiator traffic selector (initiator client ID).
IKEv2 Negotiations If the IKE version is IKEv2, the negotiation for the initial IPsec SA pair is combined with the negotiation for the IKEv2 SA in messages 3 and 4. Initiator Sends Message 1 The IKE daemon on the initiator selects an IKEv2 policy by searching the IKEv2 policies in priority order and selecting the first policy with a remote address (remote parameter in the policy) that matches the address of the remote system. The IKE daemon sends message 1 in the negotiation.
Initiator Sends Message 3 The initiator sends message 3 in the IKEv2 negotiation. This message includes information from the following configuration parameters: • ltype and lid values from the authentication record, sent as the IKE Identification-Initiator (IDi). If no local ID type and value are configured, the IKE daemon uses the IP address of the interface used to send the packet as the local ID value and the address type (IPV4 or IPV6) as the ID type.
Responder Sends Message 4 The responder sends message 4 in the IKEv2 negotiation. This message includes information from the following configuration parameters: • ltype and lid from the authentication record, sent as the IKE Identification-Responder (IDr). • If the local_method value in the authentication record is PSK, the message includes a hash value calculated from the preshared key.
IKEv1 When HP-UX IPSec is the initiator, the IKE daemon sends the source IP address, port number, and protocol for the client-initiator (IDci). It also sends the destination IP address, port number, and protocol for the client-responder (IDcr). The IKEv1 protocol specification supports the use of wildcard values (0), but does not support address or port number ranges for transport negotiations, or multiple client ID values.
uses/establishes an IKE SA to establish the IPsec SA), except the IKE entities also include proxy address information during IPsec SA negotiation. The proxy address information identifies the end-to-end entities and allows a tunnel endpoint to determine the identity of the end system or subnet for which the other tunnel endpoint is establishing the tunnel.
To enable proper operation of IPv6 networks, the default operation of HP-UX IPSec allows the following ICMPv6 messages to pass in clear text: • Router Solicitation • Router Advertisement • Neighbor Solicitation • Neighbor Advertisement • Redirect • Destination Unreachable • Packet Too Big • Time Exceeded • Parameter Problem • Router Renumbering HP recommends that you do not modify the default behavior; do not configure any policies to discard or secure packets by explicitly specifying th
B Interoperability This appendix contains following information about using HP-UX IPSec with other IPsec implementations and contains the following sections: • “Microsoft” (page 165) • “Linux” (page 167) • “FreeBSD” (page 170) • “Cisco” (page 176) Microsoft HP-UX IPSec can interoperate with Microsoft IPsec implementations. Versions and Functionalities HP-UX IPSec A.03.02.
Additional Tips for Vista and Windows 2008 This section contains additional information for Vista and Windows 2008 systems. • The IKEv1 default parameters on Vista and Windows 2008 systems are the same as the defaults on Windows XP systems, so you must modify the IKE authentication method and hash algorithm as described in the previous section. • There are two types of IPsec rules: ◦ IPsec Policyagent rules.
Example: Windows does not support HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 in Phase2 as Authentication algorithm , whereas HP-UX IPSec provides the flexibility of choosing this combination. The only compatible combination is SHA1 and MD5. Compatible suite for Windows 7/2008 R2 to interoperate with HP-UX IPSec A.03.02.02 Phase 1: (IKEV1 only) Auth : MD5, SHA1, SHA-256, SHA-384. nl nl Encryption : 3DES, AES-CBC-128, AES-CBC-192, AES-CBC-256 nl DH group : 1,2,14.
IKEv2 test results with all combination of algorithms with Strongswan • Test 1 : IKEv2 with DH group2 and Phase 2 transform : ESP_AES256_HMAC_SHA2_512 ENC/AUTH HMAC-SHA 1 HMAC-SHA2–256 HMAC-SHA2–384 HMAC-SHA2–512 3DES AES 128–CBC AES 192–CBC AES 256–CBC • Test 2 : IKEv2 with DH group24 and Phase 2 transform : ESP_AES256_HMAC_SHA2_512 ENC/AUTH HMAC-SHA 1 HMAC-SHA2–256 HMAC-SHA2–384 HMAC-SHA2–512 3DES AES 128–CBC AES 192–CBC AES 256–CBC IMPORTANT: The following Authentication algorithms in IKEv2
HP-UX IPSec Configuration The ipsec_config commands used on the HP-UX system are as follows: # ipsec_config add host linux -action pass \ -src 10.0.0.11 -dst 10.0.0.26 \ -action ESP_AES128_HMAC_SHA1 # ipsec_config add auth linux -remote 10.0.0.26 \ -psk myKey26 # ipsec_config add ikev1 linux -remote 10.0.0.26 \ -hash SHA1 Linux Configuration The Linux configuration uses the following files: • a file containing arguments for the setkey utility • the racoon.
psk.txt File The path for the preshared key file is specified by the path pre_shared_key directive in the racoon.conf file. In this example, the preshared key file is /root/linux-native-racoon/psk_xport_1/psk.txt. The contents are as follows: ################## preshared key file (psk.txt) 10.0.0.11 myKey26 Tips The following tips might help you configure HP-UX IPSec and Linux implementations: • HP-UX IPSec does not support IP compression.
Racoon2 Configuration The following Racoon 2 configuration files are located in the /usr/local/racoon2/etc/ racoon directory. • racoon2.conf • transport_ike.conf • vals.conf • default.conf • test.psk (in the /usr/local/racoon2/etc/racoon/psk subdirectory) racoon2.conf File The contents of the racoon2.conf file are as follows: ######################### ## /usr/local/racoon2/etc/racoon2/racoon2.conf include "/usr/local/racoon2/etc/racoon2/vals.
dst "${PEERS_IPADDRESS}"; upper_layer_protocol "any"; policy_index ike_trans_policy; }; selector ike_trans_sel_in { direction inbound; dst "${MY_IPADDRESS}"; src "${PEERS_IPADDRESS}"; upper_layer_protocol "any"; policy_index ike_trans_policy; }; policy ike_trans_policy { action auto_ipsec; remote_index ike_trans_remote; ipsec_mode transport; ipsec_index { ipsec_esp; }; ipsec_level require; }; vals.conf File The relevant sections of the vals.conf file are as follows: ## /usr/local/racoon2/etc/racoon2/vals.
HP-UX IPSec Configuration The ipsec_config batch file contains the following entries: add host Bsd64 \ -src 10.0.0.11 -dst 10.0.0.64 -protocol all \ -action ESP_AES128_HMAC_SHA1 # Note: the lifetime must match the BSD value add ikev1 Bsd64 -rem 10.0.0.64 \ -group 2 -hash sha1 -enc 3des -life 600 add auth Bsd64RSA -rem 10.0.0.
my_public_key x509pem "${CERTDIR}/${MY_PUB_KEY}" "${CERTDIR}/${MY_PRI_KEY}"; peers_public_key x509pem "${CERTDIR}/${PEERS_PUB_KEY}" ""; }; selector_index ike_trans_sel_in; }; vals.conf File The relevant sections of the vals.conf file are as follows: ## /usr/local/racoon2/etc/racoon2/vals.conf setval { CERTDIR "/usr/local/racoon2/etc/racoon2/cert"; # Your Private Key file name MY_PUB_KEY "myPubKey.pem"; # Your Private Key file name MY_PRI_KEY "myPvtKey.
Racoon2 Configuration The following Racoon 2 configuration files are located in the /usr/local/racoon2/etc/ racoon directory. • racoon2.conf • transport_ike.conf • vals.conf • default.conf • test.psk (in the /usr/local/racoon2/etc/racoon/psk subdirectory) racoon2.conf File The racoon2.conf file has the same contents as the file used for IKEv1 with preshared keys. See “racoon2.conf File” (page 171). transport_ike.conf File The transport_ike.
default.conf File The default.conf file installed with Racoon2 is used without modifications. test.psk File The /usr/local/racoon2/etc/racoon2/psk/test.psk key file contains the ASCII preshared key value. myKey65 Tips The following tips might help you configure HP-UX IPSec and FreeBSD IPsec implementations: • The IKEv1 SA lifetime must match. On Racoon2 IPsec implementations, the IKEv1 SA lifetime is 300 seconds. • The FreeBSD Racoon2 IPsec implementation does not support the IKEv2 CERTREQ payload.
No HP-UX IPSec configuration is needed on Host2. Cisco Configuration The IOS configuration commands on the Cisco router are as follows. Configure the IKE preshared key: Router (config)# crypto isakmp key myKey address 192.0.0.
you restart HP-UX IPSec, the Cisco device may attempt to use its existing IKE SA to negotiate IPsec SAs with HP-UX IPSec. This causes a negotiation failure. As a workaround, login to the Cisco device and manually delete any IKE SAs to an HP-UX system that remain after you stop HP-UX IPSec. HP Printers HP-UX IPSec will interoperate with any HP printer with an HP Jetdirect 635n installed. The features tested with HP-UX IPSec A.02.01 HP printers include the following: • IKE with preshared key authentication.
C Migrating from Previous Versions of HP-UX IPSec This appendix provides information on migrating to the current version of HP-UX IPSec from previous versions. This appendix contains the following sections: • “Pre-Installation Migration Instructions” (page 179) • “Post-Installation Migration Instructions” (page 179) DES Compatibility HP-UX IPSec version A.03.0x does not support DES encryption.
1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.03.0x. For example: /usr/sbin/ipsec_migrate If the /var/adm/ipsec/ipsec.key file is present, ipsec_migrate prompts for the HP-UX IPSec password before decrypting this file and extracting the contents. The ipsec_migrate utility creates backup copies of the following files and saves them in the files under the /var/adm/ipsec/backup directory: /var/adm/ipsec/.ipsec_profile /var/adm/ipsec/cainfo.txt /var/adm/ipsec/config.
ON. If the -maxqm value is greater than 1, the migration utility creates an ikev1 policy with PFS OFF. ◦ Converts any DES authentication (-hash) values to 3DES. (DES is not supported in HP-UX IPSec A.03.0x). • Check the action in the host and tunnel policies. The ipsec_migrate utility replaces DES transforms and nested transforms in host and tunnel policies with the default actions in the /var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD.
D HP-UX IPSec Configuration Examples This appendix provides configuration examples for the following topologies: • “Host to Host telnet” (page 182) This section contains example ipsec_config batch files for encrypting and authenticating all telnet traffic between two systems using dynamic keys and preshared keys for IKE authentication.
Figure 19 Example 1: telnet AB apple banana telnet client (port varies) telnetd (always port 23) telnet banana The second host IPsec policy (telnetBA ) is for inbound telnet requests from Banana to Apple (users on Banana using the telnet service to Apple). Since the telnet clients on Banana may use any non-reserved TCP port number, do not specify a port number in the destination address.
-source 15.2.2.2/32/TELNET \ -priority 20 -action ESP_AES128_HMAC_SHA1 add host telnetBA -destination 15.1.1.1/32/TELNET \ -source 15.2.2.2 \ -priority 30 -action ESP_AES128_HMAC_SHA1 # Auth record with preshared key add auth apple -remote 15.1.1.1 -preshared apple_banana_key Subnet ESP with Exceptions You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access to this LAN from outside nodes.
3. aes_lan : applies ESP-AES-HMAC-SHA1 authenticated ESP to all packets in the 192.1.1.* network. add host aes_lan -destination 192.1.1.0/24 \ -priority 40 -action ESP_AES128_HMAC_SHA1 4. default : You modify the default host IPsec policy to discard all other packets. To modify the default host IPsec policy, use the following batch file entry: add host default -action DISCARD The host policy entries in the batch file on Carrot are as follows: add host potato -destination 193.3.3.
Figure 22 Host to Gateway Configuration Example Router Blue Home1 16.6.6.6 15.5.5.5 17.7.7.7 Blue Configuration Host IPsec Policy The ipsec_config batch file on Blue contains the following entry: add host toHome1 \ -src 15.5.5.5 \ -dst 17.7.7.7/32 \ -priority 100 -action PASS -tunnel torouter Tunnel IPsec Policy The end source address specification for the tunnel IPsec policy is 17.0.0.0/8 , so this tunnel IPsec policy can be used for host policies to other nodes in the 17.*.*.* network.
AM ) and remote ID information (-rtype and -rid arguments). You can configure one authentication record for multiple autoconfiguration clients that use a common preshared key. However, HP strongly recommends that you configure an individual authentication record for each remote system with a unique preshared key. In this example, the Server1 configuration contains one authentication record for each autoconfiguration client.
add host server1 \ -destination 2001:db8:11:11::fefe:1111 \ (Server1 addr.) -action ESP_AES128_HMAC_SHA1 \ Authentication Record Each autoconfiguration client configures an authentication record with its unique local ID. The IKE exchange type must be Aggressive Mode (-exchange AM ). The authentication record on the client does not specify the AUTOCONF flag, because you specify the AUTOCONF flag when the remote system is an autoconfiguration client, not when the local system is an autoconfiguration client.
E HP-UX IPSec and HP-UX IPFilter This appendix describes configuration requirements when using HP-UX IPSec and HP-UX IPFilter on the same system. This appendix contains the following section: • “Using HP-UX IPSec with HP-UX IPFilter” (page 189) Using HP-UX IPSec with HP-UX IPFilter HP-UX IPSec and HP-UX IPFilter can coexist on the same system. You can configure HP-UX IPSec and HP-UX IPFilter so that there is some overlap in the configurations.
F Using Manual Keys This appendix describes how to configure and troubleshoot manual keys for IPsec SAs. Manual keys are an alternative to IKE. Instead of dynamically generating and distributing cryptography keys for ESP and AH, the cryptography keys are static and manually distributed. Manual keys are typically used only when the remote system does not support IKE.
Follow these restrictions when configuring tunnel policies for manual keys: • Do not specify multiple instances of the -tsource or -tdestination arguments. • Do not specify wildcard IP addresses or IP address ranges in the -tsource or -tdestination arguments. Selecting Encryption Keys You should configure strong, random, encryption keys for manual key SAs.
0x0123456789012345678901234567890123456789/\ 0x12345678901234567890123456789012 \ -in ESP/2500003/\ 0x1234567890123456789012345678901234567890/\ \0x12345678901234567890123456789012 Troubleshooting Manual Key Problems Troubleshooting manual key problems can be difficult because there are no IKE negotiations and no IKE audit messages. Symptoms Link errors (unable to connect ) and timeouts.
acceptable to the remote system. To view additional data that may include information about manual key SAs, use the following procedures to examine the STREAMS logging records and additional audit file entries. Examining STREAMS Logging Records You can use the strace utility to view STREAMS log records, or use the following procedure to examine the nettl log file for entries logged by the HP-UX IPSec STREAMS modules. 1.
G HP-UX IPSec and Serviceguard HP-UX IPSec can secure HP-UX Serviceguard network traffic. This appendix describes how to configure HP-UX IPSec as an Serviceguard package service so a package will fail or fail over if HP-UX IPSec terminates.
Serviceguard periodically sends heartbeat messages to determine if a cluster node is available. When using Serviceguard with HP-UX IPSec, HP recommends that you have at least one network dedicated to sending and receiving heartbeat messages. In Figure 23, the interface addresses 10.1.1.1, 10.2.2.2 and 10.3.3.3 are attached to a network used only for heartbeat messages. The cluster nodes also send and receive heartbeat messages on interfaces attached to the second network (the 15.*.*.
1. 2. 3. 4. The client sends a cryptographically protected packet to the adoptive node using an IPsec or IKE SA established with the original package node. The adoptive node does not recognize the Security Parameters Index (SPI). This causes the adoptive node to send an unencrypted IKEv2 Notify payload indicating an invalid SPI.
• “Step 3: Configuring Authentication Records for Preshared Keys” (page 206) The authentication records contain the preshared key values and may include IKE ID information. • “Step 4: Configuring Authentication Records for Certificates” (page 208) The authentication records contain IKE ID information to verify the ID information in the security certificates.
Table 18 (page 205) provides a summary of the port numbers and protocols for these services. This section describes the Serviceguard cluster information you need to determine before configuring host IPsec policies. It also describes how to configure host IPsec policies for package addresses, heartbeat IP addresses, and optional Serviceguard services. This section also contains a summary of the port numbers and protocols used by Serviceguard services.
Source IP Address/ Protocol Source Port Destination Port Prefix Destination IP Address/ Prefix 15.0.0.0/8 15.1.1.1/32 ALL 0 0 15.0.0.0/8 15.2.2.2/32 ALL 0 0 15.0.0.0/8 15.3.3.3/32 ALL 0 0 CAUTION: Use caution when configuring “open” host ipsec policies (policies that allow all or most packets to pass in clear text). For more information, see “Maximizing security” (page 57).
Quorum Server IPsec Policies If HP-UX IPSec is installed on the Quorum Server, configure host IPsec policies for the packets listed below with actions (PASS or transform lists) that match the policies on the cluster nodes.
The cluster nodes also initiate TCP connections to the remote command clients using dynamically assigned source and destination ports, as listed below. You must configure HP-UX IPSec so it does not discard the packets listed below, however, HP recommends that you do not allow the packets to pass in clear text. For more information, see “Maximizing security” (page 57).
Source IP Address Destination IP Address Protocol Source Port Destination Port SMH Management Station address (or wildcard) cluster node address TCP 0 2381 SMH Management Station address (or wildcard) cluster node address UDP 0 2381 Serviceguard Manager Standalone Version If you using the standalone version of Serviceguard Manager (supported with Serviceguard versions A.11.11 - A.11.
Cluster Node Host IPsec Policies for Secure WBEM Access For each cluster node, configure host IPsec policies so HP-UX IPSec does not discard (the transform list contains any transform except DISCARD ) the packets listed below. If HP-UX IPSec is not installed on the WBEM client, configure PASS host IPsec policies for these packets.
COM System Host IPsec Policies If HP-UX IPSec is installed on the COM system, configure host IPsec policies for the packets listed below with an action (PASS or transform lists) that match the policies on the cluster nodes.
Table 18 Serviceguard Port Numbers and Protocols Port Protocols Service N/A ICMP Type 8 (Echo) Used for cluster subnet monitoring between cluster nodes. Configurable clog port TCP Used by the clog service as the destination port on cluster nodes to receive requests from the SMH Management Agent. 9 UDP Used for network probes by cluster configuration commands between cluster nodes. 161 UDP SNMP agent. Used as the destination port on the cluster nodes from the Serviceguard Manager system.
Step 2: Configuring HP-UX IPSec IKE policies Configure IKE policies as described in Chapter 4, “Step 4: Configuring IKEv1 and IKEv2 Policies” (page 86). In most cases, you can use the default IKEv1 or IKEv2 policy without changes. Cluster IKE policies The cluster nodes must have IKE policies with remote address specifications for the cluster clients. Cluster Client IKE policies The cluster clients must have IKE policies with remote address specifications that include the package addresses.
There are two package clients: • Client1 (15.4.4.4) • Client2 (15.5.5.5) HP-UX IPSec is securing the traffic between the clients and the package addresses. The local ID used by the cluster nodes is the FQDN mycluster.hp.com. The local IDs used by the clients are their IP addresses. Authentication Records on Cluster Nodes On each cluster node, the ipsec_config batch file contains the following entries: add auth client1 -remote 15.4.4.4 -kmp IKEV1 \ -ltype FQDN -lid mycluster.hp.
Preshared Keys Configuration on Cluster Nodes Each cluster node has the following preshared keys configured: Remote IP Address Key 15.4.4.4 (Client1) client1_key 15.5.5.5 (Client2) client2_key Preshared Keys Configuration on Client1 Client1 has the following preshared keys configured: Remote IP Address Key 16.98.98.98 (pkgA) client1_key 16.99.99.99 (pkgB) client1_key Preshared Keys Configuration on Client2 Client2 has the following preshared keys configured: Remote IP Address Key 16.98.98.
Cluster Node On each cluster node, add entries to the ipsec_config batch file with add auth operations to configure an authentication record for each cluster client as follows: • Remote IP Address (-remote ): The cluster client address. • Local ID type (-ltype ): The IKE ID type sent by the cluster nodes. This must be X500-DN, or one of the types of identifiers in the subjectAlternativeName field of the cluster certificate, such as IPV4.
Example This example uses the same topology as the preshared key example, as shown in Figure 23 (page 194). The cluster has three nodes: • Node1 (10.1.1.1 and 15.1.1.1) • Node2 (10.2.2.2 and 15.2.2.2) • Node3 (10.3.3.3 and 15.3.3.3) The 10.*.*.* network is a dedicated heartbeat LAN. The 15.*.*.* network is a shared heartbeat and data LAN. The cluster also has two packages: • pkgA (15.98.98.98) • pkgB (15.99.99.99) There are two package clients: • Client1 (15.4.4.4) • Client2 (15.5.5.
To verify that all messages sent between the heartbeat IP addresses pass in clear text, run ipsec_policy specify only the source and destination IP addresses (use the default wildcard values for the other parameters). For example, you could use the following command on node 15.1.1.1 to verify that all messages sent to 15.2.2.2 pass in clear text: ipsec_policy -sa 15.1.1.1 -da 15.2.2.2 You can also explicitly verify that HP-UX IPSec will pass heartbeat messages in clear text.
1. On the configuration node, use the OpenSSL utility to export the private key and host certificate to an encrypted PKCS#12 file: # openssl pkcs12 -export -in /var/adm/ipsec/certstore/mycert.pem \ -inkey /var/adm/ipsec/certstore/mykey.pem \ -out my_file.p12 The OpenSSL utility will prompt you for an Export Password, a password that OpenSSL uses to encrypt the contents of the file. Make a note of this password; you will need it to extract (import) the contents of the PKCS#12 file.
The sections that follow contain specific examples for modular package configuration and legacy package configuration files. Modular Package Configuration Files For each package using HP-UX IPSec, add a service module to the base module. The service module will run the HP-UX IPSec monitor script. For example: service_name service_cmd service_restart service_fail_fast_enabled service_halt_timeout ipsec /var/adm/ipsec/ipsec_status.
Glossary 3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits are used for keys). 3DES is suitable for bulk data encryption. AES Advanced Encryption Standard. Uses a symmetric key block encryption. HP-UX IPSec supports AES with a 128-bit key. AES is suitable for encrypting large amounts of data.
ESP The ESP (Encapsulating Security Payload) protocol provides confidentiality (encryption), data authentication, and an anti-replay service for IP packets. When used in tunnel mode, ESP also provides limited traffic flow confidentiality. filter The parameters in an IPsec policy that HP-UX IPSec uses to select the policy applied to an IP packet. The parameters are the source and destination IP addresses, protocol, and source and destination port numbers. HMAC Hashed Message Authentication Code.
Aggressive Mode (AM) A mode used in IKEv1 Phase 1 negotiations to establish IKE SAs. AM is less secure than Main Mode because the IKE peers exchange identity information before establishing a secure channel, but requires the IKE peers to exchange fewer packets (three instead of six). The IKE protocol specification does not require implementations to support AM. Main Mode (MM) A mode used in IKEv1 Phase 1 negotiations to establish IKE SAs.
Security Parameters Index (SPI) A numerical index used with the source IP address to identify a Security Association (SA) on the receiving system. Each SPI and source IP address pair must be unique on the receiving system. SHA1 (Secure Hash Algorithm-1). Authentication algorithm that generates a 160-bit message digest using a 160-bit key. IPsec truncates the message digest to 96 bits. SHA2 (Secure Hash Algorithm-2) Authentication algorithm that generates 256-bit, 384-bit, and 512-bit message digest.
Index Symbols 3DES (Triple Data Encryption Standard), 37, 214 configuring in host IPsec policies, 68 configuring in IKEv1 policies, 89 configuring in IKEv2 policies, 92 configuring in tunnel IPsec policies, 75 key length, 143 A AES (Advanced Encryption Standard), 37, 214 configuring in host IPsec policies, 68 configuring in IKEv2 policies, 92 configuring in tunnel IPsec policies, 75 key length, 143 Aggressive Mode (AM), 38 configuring in authentication records, 79 SA, 215 see also IKE SA AH (Authentication
configuring in IKEv2 policies, 91 digital signature, 40 using with IPsec, 31 disk requirements, 45 Distinguished Name specifying in authentication record, 80 specifying in CSR, 103 DMZ securing with IPsec, 44 E EEXIST error message, 192 Encapsulating Security Payload see ESP encryption algorithms, 144 configuring in IKEv1 policies, 89 configuring in IKEv2 policies, 92 definition, 214 keys, 146 generating, 191 error messages can't find matching selector, 134 connection timed out, 130 EEXIST, 192 Internal Da
configuring overview, 61 default, 63 definition, 215 selection process, 63 IPsec QM SA, 215 see also IPsec SA ipsec_admin, 53, 96, 119, 124 -auditlvl option, 121 -status option, 120 to change audit directory, 121 to change audit level, 121 to get HP-UX IPSec status, 120 ipsec_config add auth examples, 84, 85 syntax, 77 ipsec_config add bypass example, 96 syntax, 95 ipsec_config add cacert example, 108 syntax, 108 LDAP, 108 ipsec_config add crl syntax, 109, 110 ipsec_config add csr example, 105 syntax, 103 i
key length, 143 RFC, 141 MM SA, 215 see also IKE SA configuring in IKEv2 policies, 92 public key, 40, 100 using with IPsec, 31 N QM SA, 215 see also IPsec SA Quick Mode (QM) definition, 216 Quick Mode SA, 215 see also IPsec SA ndd, 128 netstat, 127 no proposal chosen error message, 133, 134 no suitable policy found error message, 134 O Oakley, 215 group configuring in IKEv1 policies, 88 configuring in IKEv2 policies, 91 protocol, 216 RFC, 141 P PASS configuring in host IPsec policies, 67 patch depende
configuring, 55, 98, 115 status report, 53, 96 verifying, 122 subjectAlternativeName specifying in CSR, 104, 105 subjectName specifying in CSR, 103 subnets configuring policies for ICMP messages, 163 swinstall(1M), 46 swlist(1M), 46 T tools survey, 119 tracing disabling, 119 enabling, 119 layer 4, 123, 127 traffic selectors configuring in tunnel IPsec policies, 74 transform, 152 configuring in host IPsec policies, 67 configuring in tunnel IPsec policies, 76 discard, 54, 98 IPsec operation, 149 list, 134 pa
