HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Exporting the Configuration Database to a Batch File
The ipsec_config export command exports the contents of the configuration database to a
batch file that you can use as input for the ipsec_config batch command. You can then use
the batch file to re-create the configuration database if the database is corrupt or lost (see
“Re-Creating the Configuration Database” (page 117)), or use the batch file as a base for creating
a similar configuration on another system.
The ipsec_config export command can also take the output from the ipsec_config show
all command as its source and create a batch file from it.
NOTE: The ipsec_config batch command fails if you attempt to add items to a database
that already exist, such as IPsec policies with the same policy name or priority. Therefore, if you
use the output from the ipsec_config export command as input for the ipsec_config
batch command with the same database, the ipsec_config batch command will fail.
ipsec_config export Syntax
The syntax for the ipsec_config export command is as follows:
ipsec_config export -o outfile [-s source_file ]
Parameters
outfile The name of the output file. You can use this file as input for an ipsec_config batch command.
source_file The name of the source file. The source file must contain the output from an ipsec_config show all command. If you do not specify source_file, ipsec_config executes ipsec_config show all on the local system and uses the output as the source file.
Re-Creating the Configuration Database
Use the following procedure to re-create the configuration database file (/var/adm/ipsec/config.db).
1. Copy the skeleton database file (/var/adm/ipsec/migration/skeleton.db.020002) to /var/adm/ipsec/config.db:
cp /var/adm/ipsec/migration/skeleton.db.020002 \
/var/adm/ipsec/config.db
2. Re-run your ipsec_config batch file, if you have one:
ipsec_config batch batch_file
If you do not have an ipsec_config batch file, you must manually enter your configuration
information.
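The export and re-create steps above, wrapped in two shell functions as an added example (this is not script from the HP-UX guide). The paths and ipsec_config subcommands are the guide's; the IPSEC_DIR and IPSEC_CONFIG variables are assumptions added so the functions can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: wrap the export / re-create
# procedure in two functions. IPSEC_DIR and IPSEC_CONFIG are assumed overrides
# (defaulting to the guide's paths) so the functions can be run against a test tree.

# export_config_batch OUTFILE
# Save the configuration database as an ipsec_config batch file. Without -s,
# ipsec_config export runs ipsec_config show all on the local system itself.
export_config_batch() {
    outfile=$1
    ipsec_config=${IPSEC_CONFIG:-ipsec_config}
    [ -n "$outfile" ] || { echo "usage: export_config_batch OUTFILE" >&2; return 1; }
    "$ipsec_config" export -o "$outfile"
}

# recreate_config_db [BATCH_FILE]
# Replace a corrupt or lost config.db with the skeleton database, then replay the
# saved batch file. Replaying into the fresh skeleton avoids the duplicate-item
# failure described in the NOTE above; do not replay into a populated database.
# Returns 0 on success, 1 if the skeleton is missing, 2 if the batch replay fails.
recreate_config_db() {
    batch_file=$1
    ipsec_dir=${IPSEC_DIR:-/var/adm/ipsec}
    skeleton=$ipsec_dir/migration/skeleton.db.020002
    config_db=$ipsec_dir/config.db
    ipsec_config=${IPSEC_CONFIG:-ipsec_config}

    if [ ! -f "$skeleton" ]; then
        echo "skeleton database $skeleton not found" >&2
        return 1
    fi
    # Keep the damaged database under a timestamped name instead of overwriting
    # it, so it stays available for later inspection.
    if [ -f "$config_db" ]; then
        mv "$config_db" "$config_db.old.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$skeleton" "$config_db"
    if [ -n "$batch_file" ]; then
        "$ipsec_config" batch "$batch_file" || return 2
    else
        echo "no batch file given: enter the configuration manually" >&2
    fi
    return 0
}

# Typical use on the live system (as root):
#   export_config_batch /var/adm/ipsec/ipsec_config.batch   # periodic backup
#   recreate_config_db /var/adm/ipsec/ipsec_config.batch    # after config.db is lost
```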
Deleting SA Entries
The ipsec_admin -deletesa command deletes security association (SA) information. In normal
operation, there is no need for you to do this. However, there are cases when the SA information
on the local system is not synchronized with information on a remote system, such as when the
IPsec subsystem on a remote system terminates abruptly.
When you use the ipsec_admin -deletesa command, the following events occur:
• The IKE daemon sends IKE DELETE messages to the remote IKE entity for IKE SAs established between the remote system and the local system.
• The IKE daemon also sends IKE DELETE messages to the remote system for the IPsec SAs that are inbound to the local system from the remote system. The DELETE messages tell the peer
Exporting the Configuration Database to a Batch File 117