HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
1. Run the ipsec_migrate utility after you have installed HP-UX IPSec A.03.0x. For example:
/usr/sbin/ipsec_migrate
If the /var/adm/ipsec/ipsec.key file is present, ipsec_migrate prompts for the HP-UX
IPSec password before decrypting this file and extracting the contents.
The ipsec_migrate utility creates backup copies of the following files and saves them
under the /var/adm/ipsec/backup directory:
/var/adm/ipsec/.ipsec_profile
/var/adm/ipsec/cainfo.txt
/var/adm/ipsec/config.db
/var/adm/ipsec/ipsec.cert (if present)
/var/adm/ipsec/ipsec.key (if present)
The ipsec_migrate utility appends a timestamp to the names of the backup files. The
timestamp is in the format dd-mm-yy-hh-mn-ss, where:
dd is the day
mm is the month
yy is the last two digits of the year
hh is the hour
mn is the number of minutes
ss is the number of seconds
For more information, see the ipsec_migrate(1M) man page.
2. Examine the contents of the configuration database using the following command:
ipsec_config show all
3. Check if you need to make any additional changes to the configuration database. See
“Additional Configuration Tasks” (page 180) for more information.
4. Start HP-UX IPSec:
ipsec_admin -start
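Because the dd-mm-yy-hh-mn-ss suffix described in step 1 puts the day first, sorting backup file names alphabetically does not give chronological order. The following is an added example, not part of the HP guide, that selects the newest backup of a file by reordering the timestamp; the function names and the "." separator before the timestamp in the sample file names are assumptions.

```sh
#!/bin/sh
# Added example: find the newest ipsec_migrate backup of a file by parsing
# the dd-mm-yy-hh-mn-ss suffix. A plain "ls | sort" orders by day of month
# first, so it can return an older backup.

# Print a sortable key (yymmddhhmnss) for a backup file name. Fails if the
# name does not end in a dd-mm-yy-hh-mn-ss timestamp.
backup_sort_key() {
    d='\([0-9][0-9]\)'
    key=$(printf '%s\n' "$1" |
        sed -n "s/^.*[^0-9]$d-$d-$d-$d-$d-$d\$/\3\2\1\4\5\6/p")
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# latest_backup DIR BASENAME
# Print the path of the most recent timestamped backup of BASENAME in DIR.
latest_backup() {
    newest=$(
        for f in "$1/$2"*; do
            [ -f "$f" ] || continue
            key=$(backup_sort_key "$f") || continue   # skip non-backup names
            printf '%s %s\n' "$key" "$f"
        done | sort | tail -n 1 | cut -d' ' -f2-
    )
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Constructed sample: two backups of config.db in a scratch directory.
# The "." before the timestamp is an assumption; the guide does not show a
# complete backup file name.
demo_dir=${TMPDIR:-/tmp}/ipsec_backup_demo.$$
mkdir "$demo_dir"
touch "$demo_dir/config.db.28-12-13-09-15-00" \
      "$demo_dir/config.db.05-01-14-23-59-59"
latest_backup "$demo_dir" config.db
rm -rf "$demo_dir"
```

On a migrated system, call latest_backup with /var/adm/ipsec/backup as the directory to identify which backup set to compare against the output of ipsec_config show all.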
Additional Configuration Tasks
The ipsec_migrate utility changes object types and values when converting a configuration
database for HP-UX IPSec A.03.0x. Check the following list for additional changes that may be
needed after running ipsec_migrate:
• Check the IKEv1 policies. The migration utility converts each existing ike policy to an ikev1
policy as follows:
◦ The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a
value for the IKE authentication method. The IKE authentication method is now specified
in authentication records using the -local_method and -remote_method arguments.
In most cases, you do not need to explicitly specify the -local_method and
-remote_method arguments. If the authentication record specifies a preshared key
value (-preshared), the -local_method and -remote_method arguments default
to PSK; if no preshared key value is specified, these arguments default to RSASIG. For
more information, see “Step 3: Configuring authentication records and preshared keys”
(page 77).
◦ The maximum quick modes (-maxqm) value is converted to a value for perfect forward
secrecy (PFS, -pfs). The ikev1 policies do not include a value for maximum quick
modes. If the -maxqm value is 1, the migration utility creates an ikev1 policy with PFS