Commit the batch file operations to the configuration database
with the following command:
ipsec_config batch batch_file_name
Verify the contents of the configuration database
with the following command:
ipsec_config show all
The ipsec_config utility displays the contents of the configuration database.
The contents include the configuration parameters supplied by the
profile file, and configuration records automatically generated
by ipsec_config, such as records for default policies and one for startup
options. The host and gateway IPSec policies are sorted in priority
order. You will see output similar to the following:
startup
-autoboot OFF
-auditlvl ERROR
:
:
host telnet_from_K
-source 0.0.0.0/0/23
-destination 192.6.2.55/32/0
-protocol 6
-priority 20
-action ESP_3DES_HMAC_SHA1/28800/0
-flags EXCLUSIVE
host default
-action PASS
Start HP-UX IPSec with the following command:
ipsec_admin -start
Check the status of HP-UX IPSec using the following
command:
ipsec_admin -status
You will see a display similar to the following:
----------------- IPSec Status Report -----------------
Time: Thu Dec 24 15:21:37 1998
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
During normal operation, the status of the secauditd, secpolicyd and ikmpd programs will be Running and responding and the status of the IPSec kernel will be Up.
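The health condition just stated can be checked mechanically. The following is an added example, not part of the HP-UX documentation: it parses a constructed copy of the status report shown above and lists every component whose state differs from the expected values (the daemon and kernel names come from the report; the check itself and the field parsing are this example's own).

```python
import re

# Constructed sample, copied from the ipsec_admin -status report shown above
# (not captured from a live system).
STATUS_REPORT = """\
----------------- IPSec Status Report -----------------
Time: Thu Dec 24 15:21:37 1998
secauditd program: Running and responding
secpolicyd program: Running and responding
ikmpd program: Running and responding
IPSec kernel: Up
IPSec Audit level: Error
IPSec Audit file: /var/adm/ipsec/auditThu-Dec-24-15-21-49-1998.log
Max Audit file size: 100 KBytes
Level 4 tracing: None
-------------- End of IPSec Status Report -------------
"""

# Expected healthy values during normal operation, as the page states them.
HEALTHY = {
    "secauditd program": "Running and responding",
    "secpolicyd program": "Running and responding",
    "ikmpd program": "Running and responding",
    "IPSec kernel": "Up",
}

def parse_status(text):
    """Turn 'Name: value' report lines into a dict; ruler lines are skipped."""
    fields = {}
    for line in text.splitlines():
        # The name runs up to the first colon; the value may itself contain colons.
        m = re.match(r"^([^-:][^:]*):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def unhealthy_components(text):
    """Return {component: reported state} for every component not in the expected
    state; a component absent from the report is reported as 'missing'."""
    fields = parse_status(text)
    return {name: fields.get(name, "missing") for name, want in HEALTHY.items()
            if fields.get(name) != want}
```

An empty result from unhealthy_components means all three daemons are running and responding and the kernel module is up.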
Verify IPSec policies with Pass or Discard transforms.
To verify proper operation of IPSec policies with Pass or Discard actions in the transform list, generate network
traffic that matches the IPSec policy packet filter or that matches
the IPSec policy IP address, port, and protocol parameters.
Enter the following command to determine the action taken
by HP-UX IPSec:
ipsec_report -cache
Search the command output for the entry with the matching
source and destination IP addresses, source and destination port
numbers, and protocol. Check the value of the Filter field. This is the action taken by HP-UX IPSec.
Verify that it matches the transform configured for the IPSec policy (pass or discard).
For more information on the ipsec_report command, refer to the ipsec_report(1M) manpage.
Verify host IPSec policies with AH or ESP transforms.
To verify proper operation of host IPSec policies with AH
or ESP transforms, generate network traffic that matches the IPSec
policy packet filter or that matches the IPSec policy IP address,
port, and protocol parameters.
After doing so, enter the following commands:
ipsec_report -host
ipsec_report -sad
Or, run:
ipsec_report -all
From the output of ipsec_report, you can verify the status of the outbound IPSec SA for
the packets using the IPSec policy you are verifying.
Check the active host IPSec policies (ipsec_report -host output) for entries that correspond to the IPSec policy
you are verifying.
There will be multiple entries for each host IPSec policy.
Find an outbound entry with SA information, including inbound and outbound
SPIs:
----------------- Active IPSec Policy -----------
Rule Name: telnet_in   ID: 3   Cookie: 4   Priority: 10
Src IP Addr: 15.1.1.1   Prefix: 32   Port number: 23
Dst IP Addr: 15.2.2.2   Prefix: 32   Port number: *
Network Protocol: *
Direction: outbound   Action: Dynamic key   SA State: Ready
Number of SA(s) Needed: 1 Pair(s)
Number of SA(s) Created: 1 Pairs(s)
Kernel Requests Queued: 0
Proposal 1:
  Transform: ESP-AES128-HMAC-SHA1
  Lifetime Seconds: 28800   Lifetime Kbytes: 0
-- SA Pair Number 1 --
  SA Type: ESP
  Encryption Algorithm: AES128-CBC
  Authentication Algorithm: HMAC-SHA1
  Outbound SPI (hex): BE882   Inbound SPI (hex): 13BDB7
You can also check the SA database output (ipsec_report -sad output) for the SAs with the corresponding SPIs:
------------- IPSec SA ----------------
Sequence number: 1
SPI (hex): BE882
State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 15.1.1.1
Dst IP Addr: 15.2.2.2
--- Current Lifetimes ---
bytes processed: 6256
addtime (seconds): 3
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800
The information for the inbound IPSec SA corresponds to inbound traffic
from the remote system (the source address is 15.2.2.2).
----------- IPSec SA ------------------------
Sequence number: 2
SPI (hex): 13BDB7
State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 15.2.2.2
Dst IP Addr: 15.1.1.1
--- Current Lifetimes ---
bytes processed: 6344
addtime (seconds): 31
usetime (seconds): 30
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 28800
For more information on the ipsec_report command, refer to
the ipsec_report(1M) manpage.
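The cross-check described above (take the outbound and inbound SPIs from the ipsec_report -host entry, then confirm that the SA database holds a MATURE SA for each, with the inbound SA's addresses reversed) can be scripted. This is an added example, not code from the HP-UX documentation; it runs over constructed copies of the two listings above, reduced to the fields the check needs, and the regular-expression parsing is this example's own assumption about the report layout.

```python
import re

# Constructed samples, modelled on the ipsec_report -host and -sad listings
# shown above (the page's example addresses and SPIs, not a live system).
HOST_REPORT = """\
----------------- Active IPSec Policy -----------
Rule Name: telnet_in   ID: 3   Cookie: 4   Priority: 10
Src IP Addr: 15.1.1.1   Prefix: 32   Port number: 23
Dst IP Addr: 15.2.2.2   Prefix: 32   Port number: *
Direction: outbound   Action: Dynamic key   SA State: Ready
Outbound SPI (hex): BE882   Inbound SPI (hex): 13BDB7
"""
SAD_REPORT = """\
------------- IPSec SA ----------------
SPI (hex): BE882
State: MATURE
Src IP Addr: 15.1.1.1
Dst IP Addr: 15.2.2.2
------------- IPSec SA ----------------
SPI (hex): 13BDB7
State: MATURE
Src IP Addr: 15.2.2.2
Dst IP Addr: 15.1.1.1
"""

def field(key, text):
    """Return the value following 'key:' in text, or None if the key is absent."""
    m = re.search(re.escape(key) + r"\s*:\s*(\S+)", text)
    return m.group(1) if m else None

def parse_sad(text):
    """Map each SPI in 'ipsec_report -sad' output to its state and endpoints."""
    keys = ("State", "Src IP Addr", "Dst IP Addr")
    blocks = re.split(r"^-+ IPSec SA -+$", text, flags=re.M)[1:]
    return {field("SPI (hex)", b): {k: field(k, b) for k in keys} for b in blocks}

def verify_sa_pair(host_text, sad_text):
    """Cross-check the policy's SPI pair against the SAD; an empty list means OK."""
    src, dst = field("Src IP Addr", host_text), field("Dst IP Addr", host_text)
    # The inbound SA carries the policy's endpoints reversed (remote -> local).
    expected = {"outbound": (field("Outbound SPI (hex)", host_text), src, dst),
                "inbound": (field("Inbound SPI (hex)", host_text), dst, src)}
    sas, problems = parse_sad(sad_text), []
    for direction, (spi, exp_src, exp_dst) in expected.items():
        sa = sas.get(spi)
        if sa is None:
            problems.append(f"{direction} SPI {spi} not found in SAD")
        elif sa["State"] != "MATURE":
            problems.append(f"{direction} SPI {spi} state is {sa['State']}, not MATURE")
        elif (sa["Src IP Addr"], sa["Dst IP Addr"]) != (exp_src, exp_dst):
            problems.append(f"{direction} SPI {spi} endpoints do not match the policy")
    return problems
```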
Verify any entries in the bypass list.
Enter the following command:
ipsec_report -bypass
In addition, you can enter the following commands and verify
that none of the active host or gateway IPSec policies include addresses
in the bypass list:
ipsec_report -host
ipsec_report -gateway