NAME
ipsec_admin - The IPSec/9000 Administration Program, used to administer IPSec/9000.
SYNOPSIS
/usr/sbin/ipsec_admin -start
/usr/sbin/ipsec_admin -policy policy_file
/usr/sbin/ipsec_admin -stop
/usr/sbin/ipsec_admin -status
/usr/sbin/ipsec_admin -newpasswd password
/usr/sbin/ipsec_admin -audit audit_directory
/usr/sbin/ipsec_admin -auditlvl [alert|error|warning|informative|debug]
/usr/sbin/ipsec_admin -maxsize max_audit_file_size
/usr/sbin/ipsec_admin -traceon [tcp|udp|igmp|all]
/usr/sbin/ipsec_admin -traceoff [tcp|udp|igmp|all]
/usr/sbin/ipsec_admin -flushsa
/usr/sbin/ipsec_admin -flushp
/usr/sbin/ipsec_admin -deletesa remote_ip_address
DESCRIPTION
ipsec_admin is an administration program
that performs IPSec/9000 system administration tasks such as starting
and stopping the IPSec/9000 subsystem and reporting its status.
The IPSec/9000 subsystem includes the user-space
key management daemon, audit daemon, policy daemon, and the IPSec/9000
kernel portion.
The Security Administrator can also, at any time:
- Change the audit level.
- Change the audit directory.
- Get the status of the IPSec/9000 subsystem.
- Enable or disable Level 4 tracing for TCP, UDP or IGMP.
- Change the IPSec/9000 password.
ipsec_admin requires the optional IPSec/9000
software. ipsec_admin can only be run by the
root user and is protected by the IPSec/9000 password. The IPSec/9000
password must be entered from the keyboard (it cannot be redirected
from a file).
OPTIONS
ipsec_admin recognizes the following
command-line options and arguments.
- -start (Abbr.: -st)
Starts the IPSec/9000 subsystem which includes all user-space
daemons.
- -policy policy_file (Abbr.: -p)
Specifies a Security Policy file, other than the
default file, to use when the IPSec/9000 subsystem is started. The default
is /var/adm/ipsec/policies.text.
- -stop (Abbr.: -sp)
Stops the IPSec/9000 subsystem which includes all user-space
daemons.
- -status (Abbr.: -s)
Reports the current status of the IPSec/9000 subsystem.
The report displays the current state of IPSec/9000 (active
or not active). If active, the IPSec/9000 daemons that are currently
running and the Audit and Policy files in use are also displayed,
as is any active Level 4 tracing.
- -newpasswd password (Abbr.: -np)
Changes the password for IPSec/9000 password-protected programs
and files. The password must be at least 15 characters. Once
the IPSec/9000 password has been established, this option is valid
only if the IPSec/9000 subsystem is running.
- -audit audit_directory (Abbr.: -au)
Specifies an Audit directory, other than the default directory,
to use when the IPSec/9000 subsystem is started. The default is /var/adm/ipsec.
This option is also valid with the -start option.
- -auditlvl [alert|error|warning|informative|debug] (Abbr.: -al)
Changes the Audit level for the IPSec/9000 subsystem. The
levels are listed above in ascending order. Higher audit levels include
all lower levels. The default Audit level is error, which includes alert
messages. A definition of each class is given below.
Alert. These messages include security
violations and attacks, password violations, errors that may prevent
correct operation of the product, any error condition that is not
recoverable, authentication problems, major security changes, unknown message
types, and changing of the IPSec/9000 password or audit level.
Error. These messages include recoverable error conditions,
syntax errors, unsupported features, bad packets, and unknown message
types.
Warning. These messages provide notification to
the user about non-intrusive security events.
Informative. These messages provide detailed event
logging for debugging and troubleshooting purposes.
This option is also valid with the -start option.
- -maxsize max_audit_file_size (Abbr.: -m)
Specifies the maximum size in kilobytes of an Audit
file before a new one is created. The default is 100 kbytes.
This option is also valid with the -start option.
- -traceon [tcp|udp|igmp|all] (Abbr.: -tn)
Enables Level 4 tracing for TCP, UDP, or IGMP.
If all is selected, all three protocols are traced. ipsec_admin uses nettl to
enable Level 4 tracing. Tracing output is directed to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1 if nettl is
not already enabled for tracing. If it is, the trace file
is the one already started by nettl.
This option is also valid with the -start option.
- -traceoff [tcp|udp|igmp|all] (Abbr.: -tf)
Disables any Level 4 tracing enabled with the -traceon option.
- -flushsa (Abbr.: -fa)
This option allows the Security Administrator to
flush all of the ISAKMP SAs and IPSec SAs. It can also be used to
clear the SA database without restarting IPSec/9000.
This option is executed automatically when the user executes
the -stop option.
- -flushp (Abbr.: -fp)
This option allows the Security Administrator to
flush the Security Policy database kept by the Policy daemon and
the kernel policy engine during startup.
This option is executed automatically when the user executes
the -stop option.
- -deletesa remote_ip_address (Abbr.: -da)
This option allows the Security Administrator to
delete the ISAKMP MM SA and IPSec SAs for a given remote_ip_address.
The remote_ip_address must be in dotted decimal notation.
EXAMPLE
Sample output of ipsec_admin -status:
----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
IPSec Policy file: /var/adm/ipsec/policies.txt
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
In normal operation, the status for the secauditd, secpolicyd and ikmpd daemons
is Running and responding and the status of the IPSec kernel
is Up.
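The following is an added example, not part of this man page or the IPSec/9000 product: a POSIX shell health check that parses a status report in the layout shown above and fails if a daemon is not "Running and responding", the kernel is not "Up", or the audit level is below a required minimum. The report text is constructed sample data; on a live system it would be captured from /usr/sbin/ipsec_admin -status.

```shell
#!/bin/sh
# Added example (not from the ipsec_admin man page): health-check the
# text produced by "/usr/sbin/ipsec_admin -status". Assumes the report
# layout shown in the EXAMPLE section; SAMPLE_REPORT is constructed data.
SAMPLE_REPORT='----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
IPSec Policy file: /var/adm/ipsec/policies.txt
Level 4 tracing: None
-------------- End of IPSec Status Report -------------'

# field REPORT LABEL: print the value after "LABEL: " (empty if absent).
field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# audit_level_rank NAME: ascending rank of an audit level, 0 if unknown.
# The man page states that higher levels include all lower ones.
audit_level_rank() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        alert) echo 1 ;; error) echo 2 ;; warning) echo 3 ;;
        informative) echo 4 ;; debug) echo 5 ;; *) echo 0 ;;
    esac
}

# check_ipsec_status REPORT MIN_LEVEL
# Prints one line per failed check; returns 0 only when every daemon is
# "Running and responding", the kernel is "Up" and the audit level is
# at least MIN_LEVEL (the documented default, error, includes alerts).
check_ipsec_status() {
    rc=0
    for d in secauditd secpolicyd ikmpd; do
        s=$(field "$1" "$d program")
        [ "$s" = "Running and responding" ] || { echo "FAIL: $d: ${s:-missing}"; rc=1; }
    done
    k=$(field "$1" "IPSec kernel")
    [ "$k" = "Up" ] || { echo "FAIL: IPSec kernel: ${k:-missing}"; rc=1; }
    have=$(audit_level_rank "$(field "$1" "IPSec Audit level")")
    want=$(audit_level_rank "$2")
    [ "$have" -gt 0 ] && [ "$have" -ge "$want" ] || { echo "FAIL: audit level below $2"; rc=1; }
    return $rc
}

check_ipsec_status "$SAMPLE_REPORT" error && echo "IPSec/9000 subsystem healthy"
```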