HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ON. If the -maxqm value is greater than 1, the migration utility creates an ikev1 policy
with PFS OFF.
Converts any DES authentication (-hash) values to 3DES. (DES is not supported in HP-UX
IPSec A.03.0x).
Check the action in the host and tunnel policies. The ipsec_migrate utility replaces DES
transforms and nested transforms in host and tunnel policies with the default actions in the
/var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD;
for tunnel policies, the default action is the ESP_AES128_HMAC_SHA1 transform. Review every
host policy that used a DES or nested transform: after migration, traffic matching such a policy
is discarded rather than protected until you configure an explicit action.
Check the priority value in authentication records. In previous releases, authentication records
did not have a priority value; if the remote IP address values of several authentication records
matched the peer's address, HP-UX IPSec selected the record with the longest IP address
prefix.
The ipsec_migrate utility sorts the existing authentication records by address prefix length
(longest to shortest) and assigns priorities in that order. The first record receives the value of
the priority parameter in the AuthPolicy-Defaults section of the HP-UX IPSec profile file (the
default is 10); each subsequent record receives the previous value plus that same increment, so
with the default the records are numbered 10, 20, 30, and so on.
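The following is an added example, not code from HP or from the ipsec_migrate utility, that models the priority assignment described above and checks that the explicit priorities reproduce the old longest-prefix selection for a set of peer addresses. The record names and addresses are constructed for the example. Two points are assumptions because the page does not state them: records with equal prefix lengths keep their original relative order, and in A.03.0x the matching record with the lowest priority value is the one selected.

```python
import ipaddress

# Constructed sample of pre-A.03.00 authentication records; the names and
# addresses are invented for this example, not taken from any real system.
LEGACY_AUTH_RECORDS = [
    {"name": "any-host",   "remote": "0.0.0.0/0"},
    {"name": "branch-lan", "remote": "10.1.2.0/24"},
    {"name": "branch-gw",  "remote": "10.1.2.7/32"},
    {"name": "corp-net",   "remote": "10.0.0.0/8"},
]


def _net(record):
    return ipaddress.ip_network(record["remote"], strict=False)


def legacy_select(records, peer):
    """Pre-A.03.00 behaviour described on the page: of the records whose
    remote address value covers the peer, the longest prefix wins."""
    peer_ip = ipaddress.ip_address(peer)
    matches = [r for r in records if peer_ip in _net(r)]
    return max(matches, key=lambda r: _net(r).prefixlen, default=None)


def assign_priorities(records, default_priority=10):
    """What the page says ipsec_migrate does: order the records by prefix
    length, longest to shortest, and give the first record the profile's
    default priority (10), the second 20, the third 30, and so on.
    Assumption: records with equal prefix lengths keep their original order
    (sorted() is stable); the page does not say how ties are broken."""
    ordered = sorted(records, key=lambda r: _net(r).prefixlen, reverse=True)
    return [dict(r, priority=n * default_priority)
            for n, r in enumerate(ordered, start=1)]


def migrated_select(records, peer):
    """A.03.0x selection as modelled here. Assumption: among the records
    covering the peer, the one with the lowest priority value is selected."""
    peer_ip = ipaddress.ip_address(peer)
    matches = [r for r in records if peer_ip in _net(r)]
    return min(matches, key=lambda r: r["priority"], default=None)


def priorities_preserve_selection(records, peers):
    """True if the explicit priorities reproduce the old longest-prefix
    choice for every peer address in `peers`."""
    migrated = assign_priorities(records)
    return all(
        (legacy_select(records, p) or {}).get("name")
        == (migrated_select(migrated, p) or {}).get("name")
        for p in peers
    )


if __name__ == "__main__":
    for r in assign_priorities(LEGACY_AUTH_RECORDS):
        print(f"{r['priority']:>3}  {r['remote']:<14} {r['name']}")
```

Run against your own exported records, the check is the one worth keeping: if it returns False for any peer you care about, two records with the same prefix length were reordered and the migrated priorities need a manual adjustment.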
Configure additional authentication records if needed. In previous releases, an authentication
record was not required if the authentication method was RSASIG, the systems were not
multihomed, and the systems used IPv4 addresses for the IKE IDs. HP-UX IPSec A.03.0x requires
an authentication record for every peer.
Check for preshared key values beginning with 0x. HP-UX IPSec A.03.0x stores a preshared
key value beginning with 0x as a hexadecimal value. In prior releases, HP-UX IPSec stored
all preshared key values as ASCII strings. If a preshared key value begins with 0x and the
peer runs a release prior to A.03.00, the two systems derive different key values and IKE
authentication with that peer fails. Change the preshared key value on both systems (for
example, to a value that does not begin with 0x).
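As an added example (not HP's code), the following models the two interpretations of a preshared key string and flags, for an A.03.0x system, which peers need a new key. The page only says that a value beginning with 0x is stored as hexadecimal; it is an assumption here that the 0x prefix is stripped and the remaining digits are decoded, and that a value which is not valid hex is a configuration error. The peer list is constructed for the example.

```python
def psk_bytes(value, release_a03):
    """Key bytes one system derives from the configured preshared key string.
    Releases before A.03.00 use the string as ASCII; A.03.0x treats a value
    beginning with 0x as hexadecimal. Assumption: the 0x prefix is stripped
    and the remaining digits decoded; malformed hex raises ValueError."""
    if release_a03 and value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")


def psk_will_match(value, local_a03, peer_a03):
    """True if two systems configured with the same string use the same key."""
    return psk_bytes(value, local_a03) == psk_bytes(value, peer_a03)


# Constructed inventory for a local A.03.0x system:
# (peer name, configured preshared key string, peer runs A.03.0x?)
SAMPLE_PEERS = [
    ("new-gw",    "0x4d7953656372657431", True),
    ("legacy-gw", "0x4d7953656372657432", False),
    ("old-host",  "correct horse battery", False),
]


def peers_needing_new_key(peers):
    """Peers whose preshared key must be changed on both ends before the
    migrated system can authenticate with them."""
    return [name for name, key, peer_a03 in peers
            if not psk_will_match(key, True, peer_a03)]


if __name__ == "__main__":
    print("change key with:", peers_needing_new_key(SAMPLE_PEERS))
```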
Configure the AUTOCONF flag in authentication records for autoconfiguration clients. In previous
releases, the AUTOCONF flag was set in host policies. The use of the AUTOCONF flag in host
policies is deprecated and might be removed in future product releases.
Certificate Files
Beginning with release A.03.00, HP-UX IPSec stores certificate and CRL files in new locations. The
ipsec_migrate utility performs the following tasks when migrating to HP-UX IPSec version
A.03.0x from previous versions:
Extracts certificates, the private key and certificate data from the following files under the
/var/adm/ipsec/backup directory:
/var/adm/ipsec/cainfo.txt
/var/adm/ipsec/ipsec.key
/var/adm/ipsec/ipsec.cert
The ipsec_migrate utility prompts the user for the HP-UX IPSec password and uses the
password to decrypt and extract the private key. It also extracts the certificates for the local
system and CA and stores the certificates and keys in files under the /var/adm/ipsec/
certstore directory.
If the file /var/adm/ipsec_gui/cron/crl.cron exists, ipsec_migrate creates a
symbolic link from this file to /var/adm/ipsec/util/crl.cron. The crl.cron file is a
script that can be executed from a cron job to periodically retrieve CRLs from LDAP directories.
In previous releases, this file was located in the /var/adm/ipsec_gui/cron directory.
You can modify and resubmit the root crontab file to execute the /var/adm/ipsec/util/
crl.cron script directly.
Post-Installation Migration Instructions 181