HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2
Chapter 3 Configuring HP-UX IPSec

Using ipsec_config
The ipsec_config utility adds, deletes and displays HP-UX IPSec configuration objects stored in the configuration database, /var/adm/ipsec/config.db. If HP-UX IPSec is active and running, ipsec_config also adds and deletes configuration information in the runtime policy database. The ipsec_config utility supports the following commands:

ipsec_config add

The ipsec_config add command adds objects to the configuration database. For example, the following command adds a host IPSec policy to the configuration database:

    ipsec_config add host my_host_policy -source 10.1.1.1 \

ipsec_config batch

The ipsec_config batch command allows you to use ipsec_config in batch mode. In batch mode, ipsec_config reads add and delete operations from a file, so administrators can add and delete multiple configuration objects in one operation. This is useful if you are adding or deleting configuration records that affect other operations.

HP recommends that you use a batch file to add configuration information. A batch file provides a permanent record of the configuration data and can be used to re-create the configuration database.

The ipsec_config utility processes the operations in a batch file as a group: if one operation is invalid, all operations in the batch file fail. The utility first verifies each operation in the batch file for syntax errors and for collisions (object names and priority values) with existing entries in the configuration database. If all operations in the batch file are valid, the HP-UX IPSec infrastructure updates the configuration database with all operations at the same time. If HP-UX IPSec is active and running, the HP-UX IPSec infrastructure also updates the runtime policy database.

The syntax for add and delete operations in ipsec_config batch files is the same as the syntax for ipsec_config add and ipsec_config delete commands, but without the leading ipsec_config command name. For example, the following entry is a valid add operation for a batch file:

    add host my_host_policy -source 10.1.1.1 \

ipsec_config delete

The ipsec_config delete command deletes objects from the configuration and runtime databases. For example, the following command deletes the host IPSec policy my_host_policy from the configuration database:

    ipsec_config delete host my_host_policy

ipsec_config show

The ipsec_config show command displays objects in the configuration database. For example, the following command displays the host IPSec policies in the configuration database:

    ipsec_config show host

The ipsec_config show all command displays the entire contents of the database.

An ipsec_config profile file contains default argument values that are evaluated in ipsec_config add commands if the user does not specify the values in the command. The values are evaluated once, when the policy is added to the configuration database. Values taken from the profile file become part of the configuration record for the policy.

You can specify a profile file name with the -profile argument as part of an ipsec_config command. By default, ipsec_config uses the /var/adm/ipsec/.ipsec_profile profile file, which is shipped with HP-UX IPSec. In most topologies, you can use the default values supplied in the /var/adm/ipsec/.ipsec_profile file. HP-UX IPSec also has internal default values that are the same as the values in the /var/adm/ipsec/.ipsec_profile file shipped with the product. If the /var/adm/ipsec/.ipsec_profile file does not exist and the user does not specify an alternate profile file, HP-UX IPSec uses its internal default values.

The profile argument is illegal inside batch files (you cannot specify the profile argument as part of a statement inside a batch file). You can specify the profile argument as part of the ipsec_config batch command line and ipsec_config will apply it to all entries in the batch file. Refer to the ipsec_config(1M) manpage for more information.

The profile file is separated into sections that contain default parameter values for different configuration objects.
For example, the HostPolicy-Defaults section contains defaults for host IPSec policies, which are created using the ipsec_config add host command. Each section is delimited by BEGIN and END statements.

In most topologies, you can use the default values in /var/adm/ipsec/.ipsec_profile. If you want to create a customized profile file, make a copy of the /var/adm/ipsec/.ipsec_profile file and edit the copy with a text editor. You may want to create a customized profile file to change the default source address parameter (source parameter) in the following topologies:

The default source address parameter values in /var/adm/ipsec/.ipsec_profile are 0.0.0.0/0/0 (IPv4 address 0.0.0.0, address prefix length 0, port 0). This matches any IPv4 address and any port number. In most topologies this is appropriate, since the default source (local) address will be any IPv4 address on the local system.

If you have a network that primarily contains IPv6 addresses, you can change the source parameter value to match any IPv6 address and any port number (0:0/0/0) in the HostPolicy-Defaults, GWPolicy-Defaults, and TunnelPolicy-Defaults sections of the profile file. You can also change the remote parameter value in the IKEPolicy-Defaults section to match any IPv6 address (0::0/0).

If the local system is multihomed with one public IP interface and one or more private IP interfaces, you may want to secure only the public IP interface. In this case, set the default source parameter value to the address of the public IP interface in the HostPolicy-Defaults, GWPolicy-Defaults, and TunnelPolicy-Defaults sections of the profile file.

The ipsec_config utility dynamically updates the configuration database. If HP-UX IPSec is running, ipsec_config also updates the runtime IPSec policy database and the runtime IKE configuration data (IKE policies and authentication records). If you delete an object while HP-UX IPSec is running, HP-UX IPSec deletes it from its runtime database. If you delete an IPSec policy, HP-UX IPSec deletes any associated IPSec/QM SAs. If you delete an IKE policy, HP-UX IPSec deletes any associated ISAKMP/MM SAs; IPSec/QM SAs negotiated using those ISAKMP/MM SAs may continue to operate, but IKE peers will be unable to send control messages for the affected IPSec/QM SAs.

The nocommit argument validates entries but does not update the configuration and runtime databases. The nocommit argument is illegal inside batch files (you cannot specify the nocommit argument as part of a statement inside a batch file). You can specify the nocommit argument as part of the ipsec_config batch command line and ipsec_config will apply it to all entries in the batch file. Refer to the ipsec_config(1M) manpage for more information.
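Added example, not code from the guide or from HP-UX IPSec itself: a small checker that parses a copied profile file into its BEGIN/END sections and reports which of the HostPolicy-Defaults, GWPolicy-Defaults and TunnelPolicy-Defaults sections still carry a wildcard source (prefix length 0, so any local address) on a multihomed host that should secure only its public interface. The "parameter value" line syntax inside each section, the sample profile contents and the public address 192.0.2.10 are assumptions of this example.

```python
import re

# Constructed sample, not the shipped /var/adm/ipsec/.ipsec_profile; the
# "parameter value" line syntax inside BEGIN/END is an assumption here.
SAMPLE_PROFILE = """\
BEGIN HostPolicy-Defaults
source 0.0.0.0/0/0
END HostPolicy-Defaults
BEGIN GWPolicy-Defaults
source 192.0.2.10/32/0
END GWPolicy-Defaults
BEGIN TunnelPolicy-Defaults
source 0:0/0/0
END TunnelPolicy-Defaults
"""
POLICY_SECTIONS = ("HostPolicy-Defaults", "GWPolicy-Defaults", "TunnelPolicy-Defaults")

def parse_profile(text):
    """Return {section: {param: value}}; reject unbalanced BEGIN/END pairs."""
    sections, current = {}, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = re.match(r"^(BEGIN|END)\s+(\S+)$", line)
        if m and m.group(1) == "BEGIN" and current is None:
            current = m.group(2)
            sections[current] = {}
        elif m and m.group(1) == "END" and m.group(2) == current:
            current = None
        elif m or current is None:   # nested BEGIN, stray END, or value outside a section
            raise ValueError(f"bad section structure at: {line}")
        else:
            param, _, value = line.partition(" ")
            sections[current][param] = value.strip()
    if current is not None:
        raise ValueError(f"section {current} never closed")
    return sections

def parse_addr_spec(spec):
    """Split 'address/prefixlen[/port]', e.g. 0.0.0.0/0/0, 0:0/0/0 or 0::0/0."""
    parts = spec.rsplit("/", 2)
    return parts[0], int(parts[1]), (int(parts[2]) if len(parts) == 3 else None)

def check_source_defaults(sections, public_ip):
    """List policy sections whose default source still matches any local address."""
    findings = []
    for name in POLICY_SECTIONS:
        spec = sections.get(name, {}).get("source")
        if spec is not None and parse_addr_spec(spec)[1] == 0:   # prefix 0 = any address
            findings.append(f"{name}: source {spec} matches every local interface; "
                            f"pin it to the public interface, e.g. {public_ip}/32/0")
    return findings
```

Run it against a copy of your customized profile before pointing ipsec_config at it with -profile; an empty findings list means every policy section is pinned to a specific local address.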