Installing and Administering IPSec/9000 > Chapter 2 Troubleshooting IPSec/9000

ipsec_policy

NAME

ipsec_policy is the IPSec/9000 policy tester program.

SYNOPSIS

/usr/sbin/ipsec_policy [-sa src_ip_addr] [-sp src_port] [-da dst_ip_addr] [-dp dst_port] [-p network_protocol]

DESCRIPTION

ipsec_policy is a utility program which allows the Security Administrator to query the active Security Policy database kept by the policy daemon, to determine which IPSec policy and ISAKMP policy will be used for an outbound IP packet based on an association (5-tuple) entered by the Security Administrator. The association consists of a source IP address, source port number, destination IP address, destination port number, and network protocol. The association can either be entered on the command line, or ipsec_policy can prompt the user for the elements if none are entered. If the command line contains fewer than five elements, the elements not entered are defaulted (see OPTIONS).

ipsec_policy requires the optional IPSec/9000 software. ipsec_policy can only be run by the root user and is protected by the IPSec/9000 password. The IPSec/9000 password must be entered from the keyboard (it cannot be redirected from a file).

OPTIONS

-sa src_ip_addr

Specifies the source IP address (src_ip_addr) of the association. src_ip_addr must be entered in dot notation. Because ipsec_policy determines which IPSec policy is used for outbound packets, the source address should be an address for an interface on the local system. If omitted, any IP address is assumed.

-sp src_port

Specifies the source port number (src_port) of the association. src_port must be an unsigned number in the range from 1 to 65535. If omitted, any port number is assumed.

If you are making a query for an outbound client-server application where the client port number can be any user-space port (such as telnet), you may want to specify a "dummy" user-space port number for the source port, such as 1024.

-da dst_ip_addr

Specifies the destination IP address (dst_ip_addr) of the association. dst_ip_addr must be entered in dot notation. If omitted, any IP address is assumed.

If you are making a query for an outbound client-server application where the client port number can be any user-space port (such as telnet), you may want to specify a "dummy" user-space port number for the destination port, such as 1024.

-dp dst_port

Specifies the destination port number (dst_port) of the association. dst_port must be an unsigned number in the range from 1 to 65535. If omitted, any port number is assumed.

If you are making a query for an outbound client-server application where the client port number can be any user-space port (such as telnet), you may want to specify a "dummy" user-space port number for the destination port, such as 1024.

-p network_protocol

Specifies the network_protocol of the association. Valid values for network_protocol are TCP, UDP, ICMP, or IGMP. If omitted, any network protocol is assumed.

EXAMPLES

  1. On system A (15.13.115.101), you want to determine which policy will be used for outbound telnet traffic to system B (15.13.115.112) or when local users telnet to system B. Since the telnet clients on system A will use any unused user-space TCP port and the telnet daemons on system B will use TCP port 23, you would use the following command:

    # ipsec_policy -sa 15.13.115.101 -sp 1024 -da 15.13.115.112 -dp 23 -p tcp
    -------------------Ordered Policy Rule--------------------
    Rule ID: telnet_out
    Cookie: 2 State: Ready
    Src IP Addr: 15.13.115.101 Prefix Length: 32 Src Port number: *
    Dst IP Addr: 15.13.115.112 Prefix Length: 32 Dst Port number: 23
    Network Protocol: TCP Direction: outbound
    Filter: Secure
    Shared SA: Yes
    Number of SA(s) Needed: 1
    Number of SA(s) Created: 1
    Kernel Requests Queued: 0
    -- SA Number 1 --
    Security Association Type: ESP
    Encryption Algorithm: 3DES-CBC
    Authentication Algorithm: None
    SPI (hex): 13BDB7
    SPI updated: ISAKMP
    ---------------- Default ISAKMP Rule ---------------------
    Rule ID: default
    Rule Type: Default Cookie: 8594
    Group Type: 1 Authentication Method: Pre-shared Keys
    Authentication Algorithm: HMAC-MD5 Encryption Algorithm: DES-CBC
    Number of Quick Modes: 100 Lifetime (seconds): 28800

    NOTE: The source port is a dummy user-space port (1024) for the client.
  2. On system A (15.1.1.1), you want to determine which IPSec policy will be used for inbound telnet traffic from system B (15.2.2.2), or when users on system B telnet to the local system. Since the local telnet daemons will use TCP port 23 and clients on system B will use any unused user-space TCP port, you would use the following command:

    # ipsec_policy -sa 15.1.1.1 -sp 23 -da 15.2.2.2 -dp 1024 -p tcp

    NOTE: Since ipsec_policy determines the policy used for outbound packets, the query is formulated for replies from system A to system B. The source address is 15.1.1.1. The destination port is a dummy user-space port (1024) for the client.
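The lookup that OPTIONS and the two examples describe (omitted elements match anything, the first ordered rule whose address prefixes, ports and protocol contain the 5-tuple wins, and inbound questions are asked as the outbound reply), modelled as an added Python example; this is not HP code, and the Rule class, the first-match semantics and the RULES list are assumptions built from the rule dump above, not a real policy database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # an omitted query element, or a "*" in a rule, matches anything


@dataclass
class Rule:
    """One ordered policy rule, shaped like the rule dump shown above (assumed model)."""
    rule_id: str
    src: str                  # "addr/prefix_len"
    dst: str
    src_port: Optional[int]   # ANY models the "*" in "Src Port number: *"
    dst_port: Optional[int]
    protocol: Optional[str]
    filter: str               # e.g. "Secure" or "Pass"

    def matches(self, sa, sp, da, dp, proto):
        """True when every element of the query is ANY or falls inside the rule."""
        def in_net(addr, net):
            return addr is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

        def eq(val, rule_val):
            return rule_val is ANY or val is ANY or val == rule_val

        proto_norm = proto.upper() if proto else ANY   # ipsec_policy accepts "tcp"
        return (in_net(sa, self.src) and in_net(da, self.dst)
                and eq(sp, self.src_port) and eq(dp, self.dst_port)
                and eq(proto_norm, self.protocol))


def lookup(rules, sa=ANY, sp=ANY, da=ANY, dp=ANY, proto=ANY):
    """First match over the ordered rule list; returns the Rule or None (no rule applies)."""
    for rule in rules:
        if rule.matches(sa, sp, da, dp, proto):
            return rule
    return None


def inbound_query(local_ip, local_port, remote_ip, remote_port, proto):
    """Ask about inbound traffic by formulating the outbound reply, as Example 2 does."""
    return dict(sa=local_ip, sp=local_port, da=remote_ip, dp=remote_port, proto=proto)


# Constructed rules modelled on the examples above; not taken from any real system.
RULES = [
    Rule("telnet_out", "15.13.115.101/32", "15.13.115.112/32", ANY, 23, "TCP", "Secure"),
    Rule("telnet_in", "15.1.1.1/32", "15.2.2.2/32", 23, ANY, "TCP", "Secure"),
    Rule("lan_pass", "15.13.115.0/24", "15.13.115.0/24", ANY, ANY, ANY, "Pass"),
]
```

A query that hits no rule returns None, which is the case worth checking when a host is unexpectedly sending or accepting cleartext.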
© 2001 Hewlett-Packard Development Company, L.P.