HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Batch File Processing
The ipsec_config utility processes the operations in a batch file as a group. If one operation
is invalid, all operations in the batch file fail. The ipsec_config utility first verifies each operation
in the batch file for syntax errors and collisions (object names and priority values) with existing
entries in the configuration database. If all operations in the batch file are valid, the HP-UX IPSec
infrastructure updates the configuration database with all operations at the same time. If HP-UX
IPSec is active and running, the HP-UX IPSec infrastructure also updates the runtime policy database.
Batch File Syntax
The syntax for add and delete operations in ipsec_config batch files is the same as the syntax
for ipsec_config add and ipsec_config delete commands, but without the leading
ipsec_config command name. For example, the following entry is a valid add operation for
a batch file:
add host my_host_policy -source 10.1.1.1 \
-destination 10.0.0.0/8/TELNET -pri 100 \
-action ESP_AES128_HMAC_SHA1
Comments
Lines starting with a pound sign (#) are interpreted as comments. Comment lines within an operation
are not allowed.
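A pre-check of the batch file rules above (backslash continuation, no comment lines inside an operation, and the name and priority collisions that make the whole batch fail) can be run before invoking ipsec_config batch. The following is an added Python example, not code from HP-UX IPSec or this guide; it assumes priorities must be unique within an object type and uses a constructed sample batch file.

```python
import shlex
# Constructed sample in ipsec_config batch syntax; the second add reuses priority 100.
SAMPLE_BATCH = """\
# host policies for the telnet server
add host my_host_policy -source 10.1.1.1 \\
    -destination 10.0.0.0/8/TELNET -pri 100 \\
    -action ESP_AES128_HMAC_SHA1
add host backup_policy -source 10.1.1.1 \\
    -destination 10.2.0.0/16/FTP -pri 100 \\
    -action ESP_AES128_HMAC_SHA1
delete host old_policy
"""

def parse_batch(text):
    # Join backslash-continued lines into operations; a comment inside one is an error.
    ops, current, errors = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            if current and line.startswith("#"):
                errors.append(f"line {lineno}: comment line inside an operation")
            continue
        if line.endswith("\\"):
            current.append(line[:-1].strip())
        else:
            current.append(line)
            ops.append(" ".join(current))
            current = []
    if current:
        errors.append("operation continued past end of file")
    return ops, errors

def check_collisions(ops, existing_names=()):
    # Duplicate names, and duplicate priorities per object type (that scope is an assumption).
    names, pris, errors = set(existing_names), set(), []
    for op in ops:
        tok = shlex.split(op)
        if len(tok) < 3 or tok[0] not in ("add", "delete"):
            errors.append(f"unrecognised operation: {op}")
        elif tok[0] == "add":
            kind, name = tok[1], tok[2]
            if name in names:
                errors.append(f"duplicate object name: {name}")
            names.add(name)
            if "-pri" in tok:
                key = (kind, int(tok[tok.index("-pri") + 1]))
                if key in pris:
                    errors.append(f"priority collision: {kind} -pri {key[1]}")
                pris.add(key)
    return errors
```

Pass the names already present in the configuration database (for example from ipsec_config show all) as existing_names so collisions with existing entries are caught as well.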
ipsec_config delete command
The ipsec_config delete command deletes objects from the configuration and runtime
databases. For example, the following command deletes the host IPsec policy my_host_policy
from the configuration database:
ipsec_config delete host my_host_policy
ipsec_config export command
The ipsec_config export command exports the contents of the configuration database to a
batch file that you can use as input for the ipsec_config batch command. You can then use
the batch file to re-create the configuration database if the database is corrupt or lost (see
“Re-Creating the Configuration Database” (page 117)), or use the batch file as a base for creating
a similar configuration on another system.
The ipsec_config export command can also take the output from the ipsec_config show
all command to create a batch file. See “Exporting the Configuration Database to a Batch
File” (page 117) for more information.
ipsec_config show
The ipsec_config show command displays objects in the configuration database. For example,
the following command displays the host IPsec policies in the configuration database:
ipsec_config show host
The ipsec_config show all command displays the entire contents of the database.
Profile file
An ipsec_config profile file contains default argument values that are evaluated in
ipsec_config add commands if the user does not specify the values in the command. The
values are evaluated once, when the policy is added to the configuration database. Values used
from the profile file become part of the configuration record for the policy.
You can specify a profile file name with the -profile argument as part of an ipsec_config
command. By default, ipsec_config uses the /var/adm/ipsec/.ipsec_profile profile
Using ipsec_config 59