NAME
The HP-UX IPSec Administration Program is used to administer
HP-UX IPSec.
SYNOPSIS
/usr/sbin/ipsec_admin -start
/usr/sbin/ipsec_admin -policy policy_file
/usr/sbin/ipsec_admin -stop
/usr/sbin/ipsec_admin -status
/usr/sbin/ipsec_admin -newpasswd password
/usr/sbin/ipsec_admin -audit audit_directory
/usr/sbin/ipsec_admin -auditlvl [alert|error|warning|informative|debug]
/usr/sbin/ipsec_admin -maxsize max_audit_file_size
/usr/sbin/ipsec_admin -traceon [tcp|udp|igmp|all]
/usr/sbin/ipsec_admin -traceoff [tcp|udp|igmp|all]
/usr/sbin/ipsec_admin -flushsa
/usr/sbin/ipsec_admin -flushp
/usr/sbin/ipsec_admin -deletesa remote_ip_address
DESCRIPTION
ipsec_admin is an administration program that provides HP-UX IPSec system
administration tasks such as starting and stopping the HP-UX IPSec
subsystem and getting status on the HP-UX IPSec subsystem. The HP-UX
IPSec subsystem includes the user-space key management daemon, audit
daemon, policy daemon, and the HP-UX IPSec kernel portion.
At any time, the Security Administrator can also:
- Change the audit directory
- Get status of the HP-UX IPSec subsystem
- Enable or disable Level 4 tracing for TCP, UDP or IGMP
- Change the HP-UX IPSec password
ipsec_admin requires the optional HP-UX IPSec software. ipsec_admin can
only be run by the root user and is protected by the HP-UX IPSec
password. The HP-UX IPSec password must be entered from the keyboard (it
cannot be redirected from a file).
OPTIONS
ipsec_admin recognizes the following command-line options and arguments.
- -start (Abbr.: -st)
Starts the HP-UX IPSec subsystem, including all user-space
daemons.
- -policy policy_file (Abbr.: -p)
Specifies a Security Policy file, other than the default file, to use
when the HP-UX IPSec subsystem is started. The default is
/var/adm/ipsec/policies.text.
- -stop (Abbr.: -sp)
Stops the HP-UX IPSec subsystem which includes all user-space
daemons.
- -status (Abbr.: -s)
Reports the current status of the HP-UX IPSec subsystem.
The report displays the current state of HP-UX IPSec (active or not
active). If active, the HP-UX IPSec daemons that are currently running
and the Audit and Policy files in use are also displayed, as is any
Level 4 tracing in effect.
- -newpasswd password (Abbr.: -np)
Changes the HP-UX IPSec password that protects HP-UX IPSec programs and
files. The password must be at least 15 characters. Once the HP-UX
IPSec password has been established, this option is valid only if the
HP-UX IPSec subsystem is running.
- -audit audit_directory (Abbr.: -au)
Specifies an Audit directory, other than the default directory, to use
when the HP-UX IPSec subsystem is started. The default is
/var/adm/ipsec. This option is also valid with the -start option.
- -auditlvl [alert|error|warning|informative|debug] (Abbr.: -al)
Changes the Audit level for the HP-UX IPSec subsystem. The levels are
shown in ascending order. Higher audit levels include all lower levels.
The default Audit level is error, which includes alert messages. A
definition of each class is shown below.
    Alert. These messages include security violations and attacks,
    password violations, errors that may prevent correct operation of
    the product, any error condition that is not recoverable,
    authentication problems, major security changes, unknown message
    types, and changing of the HP-UX IPSec password or audit level.
    Error. These messages include recoverable error conditions, syntax
    errors, unsupported features, bad packets, and unknown message
    types.
    Warning. These messages provide notification to the user about
    non-intrusive security events.
    Informative. These messages provide detailed event logging for
    debugging and troubleshooting purposes.
This option is also valid with the -start option.
- -maxsize max_audit_file_size (Abbr.: -m)
Specifies the maximum size in kilobytes of an Audit file before a new
one is created. The default is 100 kbytes. This option is also valid
with the -start option.
- -traceon [tcp|udp|igmp|all] (Abbr.: -tn)
Enables Level 4 tracing for TCP, UDP, or IGMP. If all is selected, then
all three protocols are traced. ipsec_admin uses nettl to enable Level 4
tracing. If nettl is not already enabled for tracing, the trace output
is directed to /var/adm/ipsec/nettl.TRC0 and /var/adm/ipsec/nettl.TRC1;
if it is, the output goes to the trace file nettl has already started.
This option is also valid with the -start option.
- -traceoff [tcp|udp|igmp|all] (Abbr.: -tf)
Disables any Level 4 tracing enabled with the -traceon option.
- -flushsa (Abbr.: -fa)
This option allows the Security Administrator to
flush all of the ISAKMP/MM SAs and IPSec/QM SAs. It can also be
used to clear the SA database without restarting HP-UX IPSec.
This option is automatically executed when the user executes
the -stop option.
- -flushp (Abbr.: -fp)
This option allows the Security Administrator to flush the Security
Policy database kept by the Policy daemon and the kernel policy engine
since startup. This option is automatically executed when the user
executes the -stop option.
- -deletesa remote_ip_address (Abbr.: -da)
This option allows the Security Administrator to delete the ISAKMP/MM
SA and IPSec/QM SAs for the given remote_ip_address.
EXAMPLE
Sample output of ipsec_admin -status:
----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
IPSec Policy file: /var/adm/ipsec/policies.txt
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
In normal operation, the status of the secauditd, secpolicyd and ikmpd
daemons is Running and responding, and the status of the IPSec kernel
is Up.
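A health check built on the status report layout shown above, added here as an example; it is not part of the ipsec_admin distribution or of this man page. It assumes only the report line formats given in the EXAMPLE section; the sample report it checks is constructed, and check_ipsec_report is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of the report that "ipsec_admin -status" prints; the
# layout follows the EXAMPLE section above, the values are made up.
SAMPLE_REPORT='----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
IPSec Policy file: /var/adm/ipsec/policies.txt
Level 4 tracing: None
-------------- End of IPSec Status Report -------------'

# check_ipsec_report: reads a status report on stdin, prints one line per
# problem and returns 0 only when secauditd, secpolicyd and ikmpd are all
# "Running and responding" and the IPSec kernel is "Up". A missing daemon
# or kernel line is also a problem, so a truncated report fails the check.
check_ipsec_report() {
    awk '
        BEGIN { split("secauditd secpolicyd ikmpd", w, " "); for (i in w) want[w[i]] = 1 }
        /^(secauditd|secpolicyd|ikmpd) program:/ {
            seen[$1] = 1
            if ($0 !~ /Running and responding$/) { print "PROBLEM: " $0; bad = 1 }
            next
        }
        /^IPSec kernel:/ {
            kernel = 1
            if ($3 != "Up") { print "PROBLEM: " $0; bad = 1 }
            next
        }
        # Tracing is not a fault, but an operator should know it is on.
        /^Level 4 tracing:/ && $4 != "None" { print "NOTE: " $0 }
        END {
            for (d in want) if (!(d in seen)) { print "PROBLEM: no status line for " d; bad = 1 }
            if (!kernel) { print "PROBLEM: no IPSec kernel line"; bad = 1 }
            exit bad
        }
    '
}

# On a live system (as root; ipsec_admin prompts for the IPSec password):
#   /usr/sbin/ipsec_admin -status | check_ipsec_report
# Here the constructed sample is checked instead.
printf '%s\n' "$SAMPLE_REPORT" | check_ipsec_report && echo "IPSec healthy"
```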