HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Checking Policy Configuration
There are two methods for determining which policy HP-UX IPSec uses for a packet:
- Use the ipsec_policy command to query the policy daemon to determine which policy HP-UX IPSec would use for the packets.
- Generate packets and use the ipsec_report -cache command to examine the policy cache and determine which policy HP-UX IPSec actually used for the packets.
Using ipsec_policy
Use the ipsec_policy command to determine which host policy, IKE policy and authentication
record will be used for a given packet. For example, on system 15.1.1.1, you want to determine
which host policy HP-UX IPSec will use for outbound telnet requests to 15.2.2.2 (the local system
15.1.1.1 is the telnet client). Use the following command:
ipsec_policy -sa 15.1.1.1 -sp 65535 -da 15.2.2.2 -dp 23 \
-p tcp -dir out
To determine which policies HP-UX IPSec will use for inbound telnet requests to 15.1.1.1 from
system 15.2.2.2 (the local system 15.1.1.1 is the telnet server), you can use the following command:
ipsec_policy -da 15.1.1.1 -dp 23 -sa 15.2.2.2 -sp 65535 \
-p tcp -dir in
See the ipsec_policy(1M) manpage for more information.
NOTE: Both examples shown above include a dummy user-space port number (65535) for the
client port.
If an authentication record has two values configured for the IKE version (kmp argument),
ipsec_config always selects the first IKE version and selects the IKE policy accordingly.
Examining the Policy Cache and Policy Entries
To determine the actual IPsec policy used for a packet, examine the output from the ipsec_report
-cache command to find the cached policy decision for the packet, then use the Cookie field
from the ipsec_report -cache entry to find the matching entry in the ipsec_report -host
output. The cache entry below is for an attempted outbound telnet session from system 192.1.1.1
to system 192.1.1.3. The host policy on 192.1.1.1 is misconfigured, so the system sends the
packets in clear text. The output from the ipsec_report -cache command shows the following
entry:
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9        Cookie: 1
Src IP Address: 192.1.1.1     Src Port number: 56122
Dst IP Address: 192.1.1.3     Dst Port number: 23
Network Protocol: TCP         Direction: outbound
Action: Pass
The output from the ipsec_report -host command shows the following entry. In this
configuration, Cookie 1 corresponds to the default host IPsec policy, with the action PASS.
---------------- Active Host Policy Rule -------------------
Rule Name: default            Priority: 0       Cookie: 1
Action: Pass
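Added example (not from the guide): a POSIX shell/awk script that automates the Cookie lookup just described, joining ipsec_report -cache entries to ipsec_report -host rules and flagging any cached decision that matched the rule named default, the clear-text symptom shown above. The rule name ssh_193, the second cache entry and its Action value, and the temporary files are constructed sample data; on a live system the two arguments would be saved ipsec_report -host and ipsec_report -cache output.

```shell
#!/bin/sh
# Added example, not HP-UX code: correlate ipsec_report -cache entries with
# ipsec_report -host rules by Cookie and flag fall-through to the default rule.
HOST_FILE=$(mktemp); CACHE_FILE=$(mktemp)   # constructed samples in the guide's layout
cat > "$HOST_FILE" <<'EOF'
---------------- Active Host Policy Rule -------------------
Rule Name: ssh_193            Priority: 10      Cookie: 2
Action: Secure
---------------- Active Host Policy Rule -------------------
Rule Name: default            Priority: 0       Cookie: 1
Action: Pass
EOF
cat > "$CACHE_FILE" <<'EOF'
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 9        Cookie: 1
Src IP Address: 192.1.1.1     Src Port number: 56122
Dst IP Address: 192.1.1.3     Dst Port number: 23
Network Protocol: TCP         Direction: outbound
Action: Pass
-------------------Cache Policy Rule -----------------------
Cache Policy Record: 12       Cookie: 2
Src IP Address: 192.1.1.1     Src Port number: 56140
Dst IP Address: 192.1.1.3     Dst Port number: 22
Network Protocol: TCP         Direction: outbound
Action: Secure
EOF
# correlate_policy HOST CACHE: one line per cache entry with the host rule it matched;
# entries whose Cookie maps to the rule named "default" are flagged (clear-text fall-through).
correlate_policy() {
    awk '
    function kv(line,  n, p, i, c) {        # "K: v   K2: v2" -> f["K"]="v", f["K2"]="v2"
        sub(/[ \t]+$/, "", line); n = split(line, p, /  +/)
        for (i = 1; i <= n; i++) { c = index(p[i], ": "); if (c) f[substr(p[i],1,c-1)] = substr(p[i],c+2) }
    }
    FNR == NR { split("", f); kv($0)        # first file: host rules, keyed by Cookie
        if ($0 ~ /^Rule Name:/) { ck = f["Cookie"]; rule[ck] = f["Rule Name"] }
        next }
    { kv($0)                                # second file: cache entries, printed at their Action line
        if ($0 ~ /^Action:/) { c = f["Cookie"]; nm = (c in rule) ? rule[c] : "UNKNOWN"
            printf "record %s: %s:%s -> %s:%s %s %s matched rule %s (cookie %s, action %s)%s\n",
                f["Cache Policy Record"], f["Src IP Address"], f["Src Port number"],
                f["Dst IP Address"], f["Dst Port number"], tolower(f["Network Protocol"]),
                f["Direction"], nm, c, f["Action"], (nm == "default") ? "  <-- fell through to default rule" : ""
            split("", f) } }' "$1" "$2"
}
count_default_hits() { correlate_policy "$1" "$2" | grep -c 'fell through to default rule'; }
correlate_policy "$HOST_FILE" "$CACHE_FILE"
```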
Configuring HP-UX IPSec Auditing
You can configure or set the following HP-UX IPSec audit parameters:
- audit level
- audit directory
- maximum audit file size
124 Troubleshooting HP-UX IPSec