HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

121

122

123

124

125

126

127

128

129

130

active traffic by expanding remote IP address specifications and any other wildcard field

values. You can also do this by entering the following command:

ipsec_report -host [active]

• Queries the policy daemon and reports the active gateway IPsec policies. You can also do

this by entering the following command:

ipsec_report -gateway [active]

• Queries the policy daemon and reports the tunnel IPsec policies. You can also do this by

entering the following command:

ipsec_report -tunnel

• Queries the policy daemon and reports the interfaces in the bypass list. You can also do this

by entering the following command:

ipsec_report -bypass

• Queries the policy daemon and reports the active (configured UP or DOWN, plumbed) IP

interfaces, and whether or not HP-UX IPSec is enabled for each interface. You can also do

this by entering the following command:

ipsec_report -ip

• Queries the kernel policy engine and reports the contents of its cache. The cache records the

most recent decisions that the kernel policy engine has made for the traffic that has passed in

and out of the system. If there is no IPsec peer, the kernel policy engine still reports decisions

for packets that have been sent or received by the system (including broadcast packets) by

five-tuple (source IP address, destination IP address, protocol, source port, destination port)

and the action taken—even if the action was to pass the packet in clear text. You can also

do this by entering the following command:

ipsec_report -cache

• Formats and displays the contents of the current audit file. You can also do this by entering

the following command:

ipsec_report -audit audit_file

Isolating HP-UX IPSec Problems from Upper-layer Problems

If you are unsure whether an application problem is being caused by HP-UX IPSec, you can still

enable layer 4 (TCP, UDP, IGMP) tracing. This will capture outbound data packets before they are

encrypted by HP-UX IPSec and inbound packets after they are decrypted by HP-UX IPSec.

Because layer 4 tracing provides a possible security breach, it is disabled when HP-UX IPSec is

started and can only be enabled using the ipsec_admin utility, which requires root capability

and the HP-UX IPSec administrator password.

To enable layer 4 tracing, use the following command:

ipsec_admin -traceon [ tcp | udp | igmp | all ]

Tracing output will go to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1

if nettl tracing is not already enabled. If it is, the trace files will be those already in use by

nettl.

Troubleshooting Procedures 123