NAME
ipsec_report is the IPSec/9000 report
program.
SYNOPSIS
/usr/sbin/ipsec_report -audit file_name
/usr/sbin/ipsec_report -cache
/usr/sbin/ipsec_report -isakmp
/usr/sbin/ipsec_report -mad
/usr/sbin/ipsec_report -policy
/usr/sbin/ipsec_report -sad
/usr/sbin/ipsec_report -all
/usr/sbin/ipsec_report -file report_file
/usr/sbin/ipsec_report -entity [ipsec_admin | ipsec_report | ipsec_policy |
    ipsec_mgr | secauditd | ikmpd | secpolicyd]
DESCRIPTION
ipsec_report displays to stdout ongoing
data about the current active IPSec/9000 system. Data from the
Policy daemons, ISAKMP, the IPSec/9000 kernel, and the content of
the current active IPSec/9000 audit file are displayed.
ipsec_report requires the optional IPSec/9000
software. ipsec_report can only be run by the root user and is protected
by the IPSec/9000 password. The IPSec/9000 password must be entered
from the keyboard (it cannot be redirected from a file).
OPTIONS
- -audit
The -audit option displays the contents of an IPSec/9000 audit file.
The user can give a file name with a fully qualified path.
- -cache
The -cache option is a dump
of the on-going Policy Rules kept by the kernel Policy Engine.
- -isakmp
The -isakmp option is a dump
of the ISAKMP Policies kept by the Policy daemon.
- -mad
The -mad option is a dump of
the on-going ISAKMP SAs kept by IKE daemon.
- -policy
The -policy option is a dump
of the IPSec Policies kept by the Policy daemon.
- -sad
The -sad option is a dump of
the on-going IPSec/9000 SAs kept by the kernel Security Association
Engine.
- -file
The -file option redirects
all report output to a report file. If the report file already
exists the file will be overwritten. If not, the file is created.
- -entity
The -entity option restricts the report to the specified IPSec/9000
component (module).
EXAMPLES
The following excerpts of command outputs are from a system
with IP address 192.6.1.1 and reflect activity for a telnet session
to address 192.6.1.2.
ipsec_report -policy
    --------------------- Hash Policy Rule -----------------------
    Rule ID:                      udp_port500
    Hash Table:                   Src Port
    Cookie:                       1
    Src IP Addr:                  *
    Src Port number:              500
    Dst IP Addr:                  *
    Dst Port number:              500
    Network Protocol:             UDP
    Direction:                    inbound
    Filter:                       Pass
      :
      :
    ------------------ Ordered Policy Rule -----------------------
    Rule ID:                      telnet_out
    Cookie:                       3
    State:                        Ready
    Src IP Addr:                  192.6.1.1
    Prefix Length:                32
    Src Port number:              *
    Dst IP Addr:                  192.6.1.2
    Prefix Length:                32
    Dst Port number:              23
    Network Protocol:             TCP
    Direction:                    outbound
    Filter:                       Secure
    Shared SA:                    Yes
    Number of SA(s) Needed:       1
    Number of SA(s) Created:      1
    Kernel Requests Queued:       0
    -- SA Number 1 --
    Security Association Type:    ESP
    Encryption Algorithm:         3DES-CBC
    Authentication Algorithm:     None
    SPI (hex):                    BE882
    SPI updated:                  ISAKMP
The -policy option displays information about the IPSec Policies
that were configured by the IPSec/9000 administrator and loaded
by the IPSec/9000 Policy daemon. For each IPSec Policy, the Policy
Manager actually stores multiple rules, which are similar to IPSec
policies, except that they are unidirectional. Therefore, bi-directional
IPSec policies generate an inbound rule and an outbound rule. The
rule entries are Hash or Ordered according to the type of IPSec
Policy that generated the entry. Hash IPSec Policies will have multiple
rule entries according to the number of hashable fields in the policy.
Fields are defined as follows:
- Rule ID
An integer used internally by IPSec/9000 to index
the entries.
- Hash Table
(For Hash Policy Rules only.) The hash table that contains
this entry. There are four hash tables: Src Address (source IP
address), Dst Address (destination IP address), Src Port (source
port) and Dst Port (destination port). A hash IPSec Policy will
have a rule entry in each hash table for which it has a hashable value
(non-expandable value with no wildcard or address range).
- Cookie
An integer used to cross-reference entries in the
cache and policy (rule) tables kept by the Policy daemon. All entries
based on the same IPSec policy will have the same cookie value.
- Src IP Address
The source IP address.
- Src Port number
The source port number for the upper-layer protocol. In this
example, it is the TCP port number.
- Dst IP Address
The destination IP address.
- Dst Port number
The destination port number for the upper-layer protocol.
In this example, it is the TCP port number and it is the well-known
port for the telnet service (23).
- Network Protocol
The upper-layer protocol in the IP header.
- Direction
Indicates whether this entry is for inbound packets (packets
received by the local system) or outbound packets (packets sent from
the local system).
- Filter
Indicates the action or transform applied to packet matching
this entry. Possible values are Secure (authenticate and/or encrypt
using an IPSec transform: Authentication Header, AH, and/or Encapsulating Security
Payload, ESP), Pass (pass in cleartext), or Discard (discard the
packet).
If the action (Filter) is Secure, the entry will have information
about the IPSec Security Associations (SAs) established for packets
matching the 5-tuple for this entry. In addition, if the Direction
is outbound, the entry will have Security Parameter Index (SPI)
information.
The SA fields are defined as follows:
- Shared SA
Yes indicates that host-based keying will be used.
All IP packets that use the same IPSec policy between the same host
pair (the source IP address and destination IP address are the same)
will share the same IPSec SA pair. No indicates that session-based
keying will be used. Only IP packets with the same 5-tuple (the
same source IP address, destination IP address, network protocol,
source port and destination port) will share the same IPSec SA pair.
- Number of SA(s) Needed
The number of IPSec SAs required for an IP packet that uses
this policy entry. Normally, only one SA is needed. However, a packet
with a nested transform (an ESP nested within an AH) or one that
is sent through a tunnel would require multiple SAs.
- Number of SA(s) Created
(This field is only present for non-shared SA entries.) This
indicates the number of IPSec SAs actually created with the peer
node. When negotiations are complete, this number should match the "Number
of SA(s) Needed".
- Kernel Requests Queued
(This field is only present for outbound entries.) This is the
number of pending requests from the kernel to form IPSec SAs using
this policy. Once the SA(s) are established, the queued kernel requests
are processed and the number of Kernel Requests Queued will go down
to 0.
- SA Number
Internal index for the SA for this packet. Normally, there
is only one SA and this label is SA Number 1. However, a packet
with a nested transform (an ESP nested within an AH) or one that
is sent through a tunnel would require multiple SAs.
- Security Association Type
Indicates the IPSec transform for this SA. Possible values
are AH (Authentication Header) and ESP (Encapsulating Security Payload).
- Encryption Algorithm
(This field is only present if the Security Association Type
is ESP.) The encryption algorithm used for the SA, as negotiated
with the remote system.
- Authentication Algorithm
The authentication algorithm used for the SA, as negotiated
with the remote system.
- SPI
(This field is only present for outbound, shared
SA entries.) The Security Parameters Index (SPI). The SPI is included
in the IPSec AH or ESP protocol header transmitted to the remote
system. The SPI is also used to index IPSec SA entries in the kernel
Security Association database.
The inbound rule entries will not contain SPI information
because the system will receive these packets with a Security Parameters
Index (SPI) in the Authentication Header (AH) or Encapsulating Security Payload
(ESP) header. IPSec/9000 will use the SPI to find an entry in the
kernel Security Association database and not query the Policy Manager
for these packets.
- SPI updated
(This field is only present for outbound, shared
SA entries.) Indicates the IPSec/9000 module that provided the SA
parameter information (always ISAKMP).
ipsec_report -isakmp
    ------------------- Default ISAKMP Rule ----------------------
    Rule ID:                      default
    Rule Type:                    Default
    Cookie:                       2824
    Group Type:                   1
    Authentication Method:        Pre-shared Keys
    Authentication Algorithm:     HMAC-MD5
    Encryption Algorithm:         DES-CBC
    Number of Quick Modes:        100
    Lifetime (seconds):           28800
The -isakmp option displays the ISAKMP Policies that were
configured by the IPSec/9000 administrator and loaded by the IPSec/9000
Policy daemon.
Fields are defined as follows:
- Rule ID
The name of the ISAKMP policy, as configured.
- Rule Type
The type of rule. Default indicates the default
ISAKMP policy. Otherwise, the rule type is ISAKMP.
- Cookie
An integer used internally by IPSec/9000 to identify this
policy.
- Group Type
The Oakley Group, which determines the numeric base for
values used in the Diffie-Hellman exchange of the ISAKMP protocol.
Possible values are defined in the Oakley Key Determination protocol
specification (RFC 2412) and include 1 (768-bit prime, Modular Exponentiation,
MODP) and 2 (1024-bit prime, MODP).
- Authentication Method
The method used by the two ISAKMP entities to verify each
other's identity, also known as primary authentication. Possible
values are Pre-shared Keys and RSA signature.
- Authentication Algorithm
The algorithm used to authenticate the ISAKMP protocol messages
after the initial exchange.
- Encryption Algorithm
The algorithm used to encrypt the ISAKMP protocol messages
after the initial exchange.
- Number of Quick Modes
The configured maximum number of Quick Mode negotiations per
ISAKMP SA (each Quick Mode negotiation results in a pair of IPSec
SAs).
- Lifetime
The configured preferred maximum lifetime to use
for the ISAKMP SA, in seconds. The actual maximum lifetime used is
negotiated with the remote ISAKMP entity.
ipsec_report -cache
    --------------------- Cache Policy Rule -----------------------
    Cache Policy Record:          7
    Cookie:                       3
    Src IP Address:               192.6.1.1
    Src Port number:              49182
    Dst IP Address:               192.6.1.2
    Dst Port number:              23
    Network Protocol:             TCP
    Direction:                    outbound
    Filter:                       Secur
    -- SA Number 1 --
    State:                        SA Created
    Security Association Type:    ESP
    Tunnel SA:                    No
    SPI (hex):                    BE882
    Src IP Address:               192.6.1.1
    Dst IP Address:               192.6.1.2
The -cache option displays the Cache Policy Rules. The Cache Policy
Rules are maintained by the Kernel Policy Engine and record the
action (Filter) to be taken for IP packets that match the 5-tuple
(source IP address and port, destination IP address and port, and
protocol) and direction.
Note that there are no entries for inbound IP packets that
have been authenticated or encrypted using IPSec Authentication
Headers (AH) or Encapsulating Security Payload (ESP). This is because
the system will receive these packets with a Security Parameters
Index (SPI) in the AH or ESP header. IPSec/9000 will use the SPI
to find an entry in the kernel Security Association database and
not query the Kernel Policy Engine for these packets.
Fields are defined as follows:
- Cache Policy Record
An integer used internally by IPSec/9000 to index the entries.
- Cookie
An integer used to cross-reference entries in the
cache and policy tables kept by the Policy daemon. All cache entries
based on the same IPSec policy will have the same cookie value.
- Src IP Address
The source IP address.
- Src Port number
The source port number for the upper-layer protocol. In this
example, it is the TCP port number.
- Dst IP Address
The destination IP address.
- Dst Port number
The destination port number for the upper-layer protocol.
In this example, it is the TCP port number and it is the well-known
port for the telnet service (23).
- Network Protocol
The upper-layer protocol in the IP header.
- Direction
Indicates whether this cache entry is for inbound packets (packets
received by the local system) or outbound packets (packets sent from
the local system).
- Filter
Indicates the action or transform applied to packets matching
this entry. Possible values are Secure (authenticate and/or encrypt
using an IPSec transform: Authentication Header, AH, and/or Encapsulating Security
Payload, ESP), Pass (pass in cleartext), or Discard (discard the
packet).
If the action (Filter) is Secure, and the direction is outbound
the entry will have information about the IPSec Security Associations
(SAs) established for packets matching the 5-tuple for this entry.
The SA fields are defined as follows:
- SA Number
Internal index for the SA for this packet. Normally, there
is only one SA and this label is SA Number 1. However, a packet
with a nested transform (an ESP nested within an AH) or one that
is sent through a tunnel would require multiple SAs.
- State
Indicates the state of the SA. Possible values
are: SA Created (indicates that the SA has been established and
is active), SA Requested (indicates that this SA is in the process
of being created).
- Security Association Type
Indicates the IPSec transform for this SA. Possible values
are AH (Authentication Header) and ESP (Encapsulating Security Payload).
- Tunnel SA
Indicates whether the SA is being used to send the packet through
an IPSec tunnel.
- SPI
The Security Parameters Index (SPI). The SPI is included
in the IPSec AH or ESP protocol header transmitted to the remote
system. The SPI is also used to index IPSec SA entries in the kernel
Security Association database.
- Src IP Address
The source IP address that will be used in the IP header.
This may differ from the original source IP address if tunnelling
is being used.
- Dst IP Address
The destination IP address that will be used in the IP header.
This may differ from the original destination IP address if
tunnelling is being used.
ipsec_report -sad
    ------------------- Security Association --------------------
    Sequence number:              1
    SPI (hex):                    BE882
    State:                        MATURE
    Security Association Type:    ESP with 3DES-CBC encryption and No authentication
    Src IP Addr:                  192.6.1.1
    Dst IP Addr:                  192.6.1.2
    Current Lifetimes
      bytes processed:            6256
      addtime (seconds):          32
      usetime (seconds):          30
    Hard Lifetimes
      bytes processed:            0
      addtime (seconds):          28800
      usetime (seconds):          28800
    ------------------- Security Association --------------------
    Sequence number:              2
    SPI (hex):                    13BDB7
    State:                        MATURE
    Security Association Type:    ESP with 3DES-CBC encryption and No authentication
    Src IP Addr:                  192.6.1.2
    Dst IP Addr:                  192.6.1.1
    Current Lifetimes
      bytes processed:            6344
      addtime (seconds):          31
      usetime (seconds):          30
    Hard Lifetimes
      bytes processed:            0
      addtime (seconds):          28800
      usetime (seconds):          28800
The -sad option displays information about the IPSec Security Associations,
as maintained by the kernel Security Association Engine in the SA
database.
Fields are defined as follows:
- Sequence Number
An integer used internally by the SA engine to index the entries.
- SPI
The Security Parameters Index (SPI). For outbound SAs
(the source IP address is a local address), the SPI is
selected by the remote system and is included in the outbound IPSec
AH or ESP protocol header. For inbound SAs, this is the SPI selected
by the local system and is used to find the correct SA when the
local system receives a packet with an IPSec AH or ESP header.
- State
The state of the IPSec SA. Possible values are Mature (the
SA is established and available for use), Larval (the SA is being
established), and Dead (the SA is expired and not usable).
- Security Association Type
Indicates the type of transform, such as AH (Authentication
Header) or ESP (Encapsulating Security Payload), and the authentication
or encryption algorithm used.
- Src IP Addr
The source IP address for the SA.
- Dst IP Addr
The destination IP address for the SA.
- Current Lifetimes
The current lifetime for the SA, as measured by the amount
of data sent and received (bytes processed), number of seconds since
the SA was added to the database (addtime) or the number of seconds
since the SA was first used to transmit or receive data (usetime).
- Hard Lifetimes
The maximum lifetimes for the SA, as negotiated
with the remote system. These are measured by the amount of data
sent or received (bytes processed), number of seconds since the
SA was added to the database (addtime) or the number of seconds
since the SA was first used to transmit or receive data (usetime).
If any of the three values is exceeded, the SA is deleted and a new
SA must be established if there is more data to send. Note that
a value of 0 for bytes processed indicates that the number of bytes
processed is ignored (there is no maximum lifetime based on bytes
sent or received).
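As an added example (not part of this man page or of the IPSec/9000 product), a small Python parser for the -sad report layout shown above that applies the lifetime rule just described: it computes how much of each hard lifetime remains, treats a hard "bytes processed" of 0 as "no byte limit" rather than as an exhausted limit, and records whether an ESP SA was negotiated with "No authentication" (encryption without integrity protection). It assumes one "Label: value" per line as in the excerpt; the sample text is constructed from the first SA above.

```python
import re

# Constructed sample: the first SA from the "ipsec_report -sad" excerpt above.
SAMPLE_SAD = """\
------------------- Security Association --------------------
Sequence number: 1
SPI (hex): BE882
State: MATURE
Security Association Type: ESP with 3DES-CBC encryption and No authentication
Src IP Addr: 192.6.1.1
Dst IP Addr: 192.6.1.2
Current Lifetimes
  bytes processed: 6256
  addtime (seconds): 32
  usetime (seconds): 30
Hard Lifetimes
  bytes processed: 0
  addtime (seconds): 28800
  usetime (seconds): 28800
"""

SEPARATOR = re.compile(r"^-+ Security Association -+$", re.MULTILINE)

def parse_sad(text):
    """One dict per SA: 'current' and 'hard' hold the lifetime counters as ints
    keyed bytes/addtime/usetime; other "Label: value" lines are kept as strings."""
    sas = []
    for block in filter(str.strip, SEPARATOR.split(text)):
        sa, group = {}, None
        for line in block.splitlines():
            if line.strip() in ("Current Lifetimes", "Hard Lifetimes"):
                group = line.split()[0].lower()
                sa[group] = {}
            elif ":" in line:
                key, _, value = line.partition(":")
                if group:  # "bytes processed" -> bytes, "addtime (seconds)" -> addtime
                    sa[group][key.split()[0]] = int(value)
                else:
                    sa[key.strip()] = value.strip()
        sas.append(sa)
    return sas

def sa_headroom(sa):
    """Margin left before each hard lifetime expires. A hard 'bytes processed' of 0
    means the byte limit is not enforced, so report None instead of a negative."""
    cur, hard = sa["current"], sa["hard"]
    return {
        "bytes": None if hard["bytes"] == 0 else hard["bytes"] - cur["bytes"],
        "addtime": hard["addtime"] - cur["addtime"],
        "usetime": hard["usetime"] - cur["usetime"],
    }

def integrity_protected(sa):
    """False for an ESP SA negotiated with 'No authentication' (encryption only)."""
    return "no authentication" not in sa["Security Association Type"].lower()
```

Feeding the real report in (for example, the output of `ipsec_report -sad` saved with -file) instead of the constructed sample gives one record per SA, so an operator can list SAs close to expiry or negotiated without integrity protection.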
ipsec_report -mad
    -------------------- ISAKMP Main Mode SA ---------------------
    Sequence number:              1
    Role:                         Initiator
    Remote IP Address:            192.6.1.2
    Oakley Group:                 1
    Authentication Method:        Pre-shared Keys
    Authentication Algorithm:     HMAC-MD5
    Encryption Algorithm:         DES-CBC
    Quick Modes Processed:        1
    Lifetime (seconds):           28800
The -mad option displays the ISAKMP Main Mode SA entries,
which contain information about ISAKMP or "Main Mode" Security Associations
(SAs) established by the IKE daemon (ikmpd).
Fields are defined as follows:
- Sequence Number
An integer used internally by the IKE daemon to
index the entries.
- Role
Indicates whether the local system initiated the ISAKMP
SA (Initiator) or responded to a remote request to establish the
ISAKMP SA (Responder).
- Oakley Group
The Oakley Group determines the numeric base for values
used in the Diffie-Hellman exchange of the ISAKMP protocol. Possible
values are defined in the Oakley Key Determination protocol specification
(RFC 2412) and include 1 (768-bit prime, Modular Exponentiation,
MODP) and 2 (1024-bit prime, MODP).
- Authentication Method
The method used by the two ISAKMP entities to verify each
other's identity, also known as primary authentication. Possible
values include Pre-shared Keys and RSA signature.
- Authentication Algorithm
The algorithm used to authenticate the ISAKMP protocol messages
after the initial exchange.
- Encryption Algorithm
The algorithm used to encrypt the ISAKMP protocol messages
after the initial exchange.
- Quick Modes Processed
This indicates the number of times the ISAKMP SA was used to
negotiate a pair of IPSec SAs (each Quick Mode negotiation results
in a pair of IPSec SAs).
- Lifetime
The maximum lifetime for the ISAKMP SA, in seconds, as
negotiated with the remote ISAKMP entity. If this lifetime is exceeded,
the ISAKMP SA is deleted.