HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 3 Configuring HP-UX IPSec

Step 8: Verifying the Configuration


Follow the steps below to verify your installation of HP-UX IPSec.

  1. Start HP-UX IPSec with the following command:

    ipsec_admin -start

    You will be prompted for the HP-UX IPSec password.

    The default policy file is /var/adm/ipsec/policies.txt. Use the -p option with the ipsec_admin -start command to specify an alternate policy file if necessary.

    The command to stop HP-UX IPSec is:

    ipsec_admin -stop

  2. Check the status of HP-UX IPSec using the following command:

    ipsec_admin -status

    You will see a display similar to the following:

    ----------------- IPSec Status Report -----------------
    secauditd program: Running and responding
    secpolicyd program: Running and responding
    ikmpd program: Running and responding
    IPSec kernel: Up
    IPSec Audit level: Error
    IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
    Max Audit file size: 100 KBytes
    IPSec Policy file: /var/adm/ipsec/policies.txt
    Level 4 tracing: None
    -------------- End of IPSec Status Report -------------

    During normal operation, the status of the secauditd, secpolicyd and ikmpd programs will be Running and responding and the status of the IPSec kernel will be Up.

  3. Verify IPSec policies with pass or discard transforms.

    To verify proper operation of IPSec policies with Pass or Discard actions in the transform list, generate network traffic that matches the IPSec policy packet filter or that matches the IPSec policy IP address, port, and protocol parameters.

    Run the following command to determine the action taken by HP-UX IPSec.

    ipsec_report -cache

    Search the command output for the entry with the matching source and destination IP addresses, source and destination port numbers, and protocol. Check the value of the Filter field; this is the action taken by HP-UX IPSec. It should match the transform configured for the IPSec policy (pass or discard).

    For more information on the ipsec_report command, refer to the ipsec_report(1M) man page (online and in Appendix E “Troubleshooting Tools Reference”).

  4. Verify IPSec policies with AH or ESP transforms.

    To verify proper operation of IPSec policies with AH or ESP transforms, generate network traffic that matches the IPSec policy’s packet filter or that matches the IPSec policy’s IP address, port, and protocol parameters.

    After doing so, run the following commands:

    ipsec_report -policy

    ipsec_report -sad

    Or, run:

    ipsec_report -all

    From the output of ipsec_report, you can verify the status of the outbound IPSec SA for the packets using the IPSec policy you are verifying.

    To verify the inbound IPSec SA, you must get the SPI (Security Parameters Index) established on the remote system for its corresponding outbound IPSec SA.

    Check the Hashed or Ordered Policy Rule output (-policy output) for entries that correspond to the IPSec policy you are verifying.

    There will be multiple entries for each IPSec policy. Find an outbound entry. The outbound entry for the policy you are verifying should have a Security Parameters Index (SPI), such as SPI (hex): BE882:

    Rule ID: telnet_in 
    Cookie: 3 State: Ready
    Src IP Addr: 15.1.1.1 Prefix Length: 32 Src Port number:23
    Dst IP Addr: 15.2.2.2 Prefix Length: 32 Dst Port number: *
    Network Protocol: * Direction: outbound
    Filter: Secure
    Shared SA: Yes
    Number of SA(s) Needed: 1
    Number of SA(s) Created: 1
    Kernel Requests Queued: 0
    -- SA Number 1 --
    Security Association Type: ESP
    Encryption Algorithm: 3DES-CBC
    Authentication Algorithm: None
    SPI (hex): BE882
    SPI updated: ISAKMP

    Next, check the SA database output (-sad output) for the SA with the corresponding SPI:

    ------------- Security Association  ----------------
    Sequence number: 1
    SPI (hex): BE882 State: MATURE
    Security Association Type: ESP with 3DES-CBC encryption and No authentication
    Src IP Addr: 15.1.1.1 Dst IP Addr: 15.2.2.2
    --- Current Lifetimes ---
         bytes processed: 6256
         addtime (seconds): 3
         usetime (seconds): 30
    --- Hard Lifetimes ---
         bytes processed: 0
         addtime (seconds): 28800
         usetime (seconds): 28800

    On this system, there are only two IPSec SAs. The information for the second IPSec SA corresponds to inbound traffic from the remote system (the source address is 15.2.2.2), so we can assume that this second SA corresponds to the inbound traffic for the policy.

    ----------- Security Association  ------------------------
    Sequence number: 2
    SPI (hex): 13BDB7 State: MATURE
    Security Association Type: ESP with 3DES-CBC encryption and No authentication
    Src IP Addr: 15.2.2.2 Dst IP Addr: 15.1.1.1
    --- Current Lifetimes ---
         bytes processed: 6344
         addtime (seconds): 31
         usetime (seconds): 30
    --- Hard Lifetimes ---
         bytes processed: 0
         addtime (seconds): 28800
         usetime (seconds): 28800

    For more information on the ipsec_report command, refer to the ipsec_report(1M) man page (online and in Appendix E “Troubleshooting Tools Reference”).
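    The checks in steps 2 and 4 can be scripted once the command output has been captured. The following Python checker is an added example; it is not part of this guide or of the HP-UX IPSec product. It works on constructed sample text modelled on the ipsec_admin -status, ipsec_report -policy and ipsec_report -sad output shown above (trimmed to the fields it uses): it confirms that the three daemons are "Running and responding" and the kernel is "Up" (step 2), then performs the SPI cross-check of step 4, where the SPI listed under the outbound policy rule must belong to a MATURE SA whose endpoints match the rule, and the inbound SA is located by the SPI the remote system reports for its own outbound SA. The report constants, the regular expressions describing the field layout, and the values of the inbound rule are assumptions; on a real system you would read the saved command output from files instead of the constants.

```python
import re

# CONSTRUCTED sample output, modelled on the ipsec_admin -status, ipsec_report -policy
# and ipsec_report -sad reports shown in this step (trimmed to the fields used below).
STATUS_REPORT = """\
----------------- IPSec Status Report -----------------
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Policy file: /var/adm/ipsec/policies.txt
-------------- End of IPSec Status Report -------------
"""
POLICY_REPORT = """\
Rule ID: telnet_in
Src IP Addr: 15.1.1.1 Prefix Length: 32 Src Port number:23
Dst IP Addr: 15.2.2.2 Prefix Length: 32 Dst Port number: *
Network Protocol: * Direction: outbound
SPI (hex): BE882
Rule ID: telnet_in
Src IP Addr: 15.2.2.2 Prefix Length: 32 Src Port number: *
Dst IP Addr: 15.1.1.1 Prefix Length: 32 Dst Port number:23
Network Protocol: * Direction: inbound
SPI (hex): 13BDB7
"""
SAD_REPORT = """\
------------- Security Association ----------------
Sequence number: 1
SPI (hex): BE882 State: MATURE
Src IP Addr: 15.1.1.1 Dst IP Addr: 15.2.2.2
------------- Security Association ----------------
Sequence number: 2
SPI (hex): 13BDB7 State: MATURE
Src IP Addr: 15.2.2.2 Dst IP Addr: 15.1.1.1
"""

DAEMONS = ("secauditd", "secpolicyd", "ikmpd")
# Report lines can carry several "Label: value" pairs, so fields are pulled out by regex.
ENDPOINTS = {"src": r"Src IP Addr:\s*(\S+)", "dst": r"Dst IP Addr:\s*(\S+)",
             "spi": r"SPI \(hex\):\s*([0-9A-Fa-f]+)"}
RULE_FIELDS = dict(ENDPOINTS, rule_id=r"^\s*(\S+)", direction=r"Direction:\s*(\w+)")
SA_FIELDS = dict(ENDPOINTS, seq=r"^\s*(\d+)", state=r"State:\s*(\w+)")

def _field(block, pattern):
    m = re.search(pattern, block)
    return m.group(1) if m else None

def _parse_blocks(text, header, fields):
    """Split a report at each block header and extract the named fields of every block."""
    return [{name: _field(b, pat) for name, pat in fields.items()}
            for b in re.split(header, text)[1:]]

def parse_status(text):
    """'key: value' lines of ipsec_admin -status as a dict (dashed banner lines skipped)."""
    pairs = (line.partition(":") for line in text.splitlines()
             if ":" in line and not line.lstrip().startswith("-"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def status_problems(status):
    """Components not in the healthy state step 2 describes: daemons responding, kernel Up."""
    bad = [d for d in DAEMONS if status.get(d + " program") != "Running and responding"]
    if status.get("IPSec kernel") != "Up":
        bad.append("IPSec kernel")
    return bad

def parse_policy_rules(text):
    """One dict per 'Rule ID:' block of ipsec_report -policy."""
    return _parse_blocks(text, r"(?m)^\s*Rule ID:", RULE_FIELDS)

def parse_sad(text):
    """One dict per 'Sequence number:' block of ipsec_report -sad."""
    return _parse_blocks(text, r"Sequence number:", SA_FIELDS)

def check_outbound_rule(rules, sas, rule_id):
    """Step 4, outbound side: the SPI shown under the outbound rule must belong to a MATURE
    SA in the SAD whose endpoints match the rule. Returns a one-line verdict."""
    rule = next(r for r in rules if r["rule_id"] == rule_id and r["direction"] == "outbound")
    spi = (rule["spi"] or "").upper()
    if not spi:
        return "outbound rule has no SPI yet (no SA negotiated)"
    sa = next((s for s in sas if (s["spi"] or "").upper() == spi), None)
    if sa is None:
        return f"SPI {spi}: no SA in the SAD"
    if sa["state"] != "MATURE":
        return f"SPI {spi}: SA state is {sa['state']}, not MATURE"
    if (sa["src"], sa["dst"]) != (rule["src"], rule["dst"]):
        return f"SPI {spi}: SA endpoints differ from the rule"
    return f"SPI {spi}: ok"

def find_inbound_sa(sas, remote_outbound_spi, remote_addr, local_addr):
    """Step 4, inbound side: the inbound SA carries the SPI the remote system reports for
    its own outbound SA, with source = remote address and destination = this host."""
    spi = remote_outbound_spi.upper()
    return next((s for s in sas if (s["spi"] or "").upper() == spi
                 and s["src"] == remote_addr and s["dst"] == local_addr), None)
```

    With the sample text, status_problems(parse_status(STATUS_REPORT)) returns an empty list, check_outbound_rule(parse_policy_rules(POLICY_REPORT), parse_sad(SAD_REPORT), "telnet_in") reports the BE882 SA as ok, and find_inbound_sa(parse_sad(SAD_REPORT), "13BDB7", "15.2.2.2", "15.1.1.1") returns the second SA. SPIs are compared case-insensitively because the two reports are not guaranteed to print them the same way; the function returns a verdict string rather than raising so that a cron-driven check can log every rule it inspects.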

Go on to “Step 9: Printing Formatted IPSec and ISAKMP Policies”.

© 2003 Hewlett-Packard Development Company, L.P.