HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2

HP Part Number: J4256-90009

Published: June 2004


Table of Contents

Preface: About This Document
Intended Audience
New and Changed Documentation in This Edition
Publishing History
What’s in This Document
Typographical Conventions
Related Documents
HP Encourages Your Comments
OpenSSL Copyright Notice
1 HP-UX IPSec Overview
Introduction
Authentication Header (AH)
Transport and Tunnel Modes
Encapsulating Security Payload (ESP)
ESP Encryption
Transport and Tunnel Modes
ESP with Authentication and Encryption
Internet Key Exchange (IKE)
Security Associations (SAs) and IKE Phases
Generating Shared Keys: Diffie-Hellman
IKE Primary Authentication
Re-using Negotiations
IKE Automatic Re-keying
Manual Keys
HP-UX IPSec Topologies
Host-to-Host Topology
Host-to-Gateway Topology
Host-to-Host Tunnel Topology
Gateway-to-Gateway Topology
HP-UX IPSec Configuration and Management Features
2 Installing HP-UX IPSec
HP-UX IPSec Product Requirements
Disk Requirements
Security Certificate Configuration Utility Requirements
Step 1: Verifying HP-UX IPSec Installation and Configuration Prerequisites
Step 2: Loading the HP-UX IPSec Software
Step 3: Setting the HP-UX IPSec Password
Re-establishing the HP-UX IPSec Password
Step 4: Completing Post-Installation Migration Requirements
3 Configuring HP-UX IPSec
Maximizing Security
Bypass List
Strong End System Model
Using ipsec_config
General Syntax Information
ipsec_config add
ipsec_config batch
ipsec_config delete
ipsec_config show
Profile File
Dynamic Configuration Updates
nocommit Argument
Configuration Overview
Step 1: Configuring Host IPSec Policies
Policy Order and Selection
ipsec_config add host Syntax
Host IPSec Policy Configuration Examples
Step 2: Configuring Tunnel IPSec Policies
ipsec_config add tunnel Syntax
Tunnel IPSec Policy Configuration Example
Step 3: Configuring IKE Policies
Policy Order and Selection
ipsec_config add ike Syntax
ipsec_config add IKE Command Examples
Step 4: Configuring Preshared Keys Using Authentication Records
Remote Multi-homed Systems
Configuring IKE ID Information with Preshared Keys
ipsec_config add auth Syntax
Authentication Record Configuration Examples
Step 5: Configuring Certificates
Step 6: Configuring the Bypass List (Local IPv4 Addresses)
Logical Interfaces
Example
Maximizing Security
ipsec_config add bypass Syntax
Bypass Configuration Example
Step 7: Verify Batch File Syntax
Step 8: Committing the Batch File Configuration and Verifying Operation
Step 9: Configuring HP-UX IPSec to Start Automatically
ipsec_config add startup Syntax
Step 10: Creating Backup Copies of the Batch File and Configuration Database
Baltimore Configuration Files
VeriSign Configuration Files
4 Using Certificates with HP-UX IPSec
Overview
Security Certificates and Public Key Cryptography
Digital Signatures
IKE Public Key Distribution
Requirements
Using VeriSign Certificates
Overview
VeriSign Certificate Tasks
Step 1: Verifying Prerequisites
Step 2: Configuring Web Proxy Server Parameters
Step 3: Registering the Administrator
Step 4: Requesting and Receiving Certificates
Using Baltimore Certificates
Baltimore Certificate Tasks
Step 1: Verifying Prerequisites
Step 2: Requesting the Baltimore Certificate
Step 3: Configuring the Baltimore Certificate
Configuring Authentication Records with IKE IDs
Configuring Authentication Records with Certificate-Based Authentication
Retrieving the Certificate Revocation List (CRL)
VeriSign
Baltimore
Manually Retrieving a CRL for VeriSign or Baltimore
5 Troubleshooting HP-UX IPSec
IPSec Operation
Establishing Security Associations (SAs)
Internal Processing
Troubleshooting Utilities Overview
Getting General Information
Getting SA Information
Getting Policy Information
Getting Interface Information
Viewing and Configuring Audit Information
Enabling and Disabling Tracing
Troubleshooting Procedures
Checking Status
Isolating HP-UX IPSec Problems from Upper-layer Problems
Checking Policy Configuration
Configuring HP-UX IPSec Auditing
Viewing Audit Files
Reporting Problems
Troubleshooting Scenarios
HP-UX IPSec Incorrectly Passes Packets
HP-UX IPSec Incorrectly Attempts to Encrypt/Authenticate Packets
HP-UX IPSec Attempts to Encrypt/Authenticate and Fails
ISAKMP/MM SA Negotiation Fails (Main Mode processing failed, MM negotiation timeout)
ISAKMP Primary Authentication with Preshared Key Fails
ISAKMP Primary Authentication Fails with Certificates
ISAKMP/MM SA Negotiation Succeeded, IPSec/QM SA Negotiation Fails (Quick Mode processing failed, QM negotiation timeout)
Manual Keys Fail
HP-UX Will Not Start (ipsec_admin -start Fails)
Corrupt or Missing Configuration Database
Autoboot is Not Working Properly
Administrator Cannot Get a Local VeriSign Certificate
Security Policy Database Limit Exceeded (Kernel Policy Cache Threshold reached or Kernel Policy Cache Threshold exceeded)
6 HP-UX IPSec and IPFilter
IPFilter and IPSec Basics
IPSec UDP Negotiation
When Traffic Appears to be Blocked
Allowing Protocol 50 and Protocol 51 Traffic
IPSec Gateways
7 HP-UX IPSec and HP-UX Mobile IPv6
Introduction
Mobile Node and Home Address
Care-of Address
Correspondent Nodes
Home Agent
Home Agents and Basic Operation
Route Optimization
Securing Mobile IPv6 with HP-UX IPSec
Configuration Overview
Understanding Gateway IPSec Policies
Using Manual Keys
Configuration Procedure
Step 1: (Required) Securing Binding Messages Between the Home Agent and Mobile Node
Syntax
Step 2: (Recommended) Securing Return Routability Messages Routed Through the Home Agent
Step 2A: Return Routability Messages: Configuring the Gateway IPSec Policy for Home Agent - Correspondent Node Segments
Step 2B: Return Routability Messages: Configuring the Gateway IPSec Policy for Home Agent - Mobile Node Segments
Step 2C: Return Routability Messages: Configuring the Home Agent - Mobile Node Tunnel
Step 3: (Recommended) Securing Prefix Discovery Messages Between the Home Agent and Mobile Node
Syntax
Step 4: (Optional) Securing Payload Packets Routed Through the Home Agent
Step 4A: Payload Packets: Configuring the Gateway IPSec Policy for Home Agent - Correspondent Node Segments
Step 4B: Payload Packets: Configuring the Gateway IPSec Policy for Home Agent - Mobile Node Segments
Step 4C: Payload Packets: Configuring the Home Agent - Mobile Node Tunnel
Mobile IPv6 Configuration Example
Binding Messages
Return Routability Messages
(Optional) Prefix Discovery Messages
(Optional) Payload Messages Routed Through the Home Agent
Batch File Template
8 HP-UX IPSec and MC/ServiceGuard
Introduction
Using HP-UX IPSec with MC/ServiceGuard
Configuration Overview
Requirements
MC/ServiceGuard Heartbeat Requirement and Recommendation
Configuration Steps
Step 1: Configuring a Common HP-UX IPSec Password
Step 2: Configuring HP-UX Host IPSec Policies for MC/ServiceGuard
Overview
Determining MC/ServiceGuard Cluster Information
Configuring Host IPSec Policies for Package Addresses
Configuring PASS Host IPSec Policies for Heartbeat IP Addresses
Configuring Host IPSec Policies for MC/ServiceGuard Quorum Server
Configuring Host IPSec Policies for Remote Command Execution
Configuring Host IPSec Policies for ServiceGuard Manager
Configuring Host IPSec Policies for Cluster Object Manager (COM)
Summary: MC/ServiceGuard Port Numbers and Protocols
Step 3: Configuring HP-UX IPSec IKE policies
Cluster IKE policies
Cluster Client IKE policies
Step 4: Configuring Authentication Records for Preshared Keys
Preshared Key Configuration on Cluster Nodes
Preshared Key Configuration on Client Nodes
Example
Step 5: Configuring Authentication Records for Certificates
Certificates
Authentication Records and IKE ID Information
Example
Step 6: Verifying and Testing the HP-UX IPSec Configuration
Step 7: Configuring HP-UX IPSec Start-up Options
Step 8: Distributing HP-UX IPSec Configuration Files
Baltimore Configuration Files
VeriSign Configuration Files
Step 9: Configuring MC/ServiceGuard
Cluster Configuration
Package Configuration
Package Control Script
Monitor Script Polling Interval
Step 10: Starting HP-UX IPSec and MC/ServiceGuard
Adding a Node to a Running Cluster
9 HP-UX IPSec and Linux
Limitations of HP-UX IPSec Interoperating with Linux FreeSwan
Configuration Example
A Product Specifications
IPSec RFCs
RFC 3776 Mandatory Support
Product Restrictions
ISAKMP Limitations
IPv4 ICMP Messages
IPv6 ICMP Messages
HP-UX IPSec Transforms
Comparative Key Lengths
Authentication Algorithms
Encryption Algorithms
Transform Lifetime Negotiation
B Migrating from Previous Versions of HP-UX IPSec
Pre-Installation Migration Instructions
MD5 Version Compatibility
Migrating from Versions Prior to A.01.03
Post-Installation Migration Instructions
Configuration File
C HP-UX IPSec Configuration Examples
Example 1: telnet Between Two Systems
Apple Configuration
Banana Configuration
Example 2: Authenticated ESP with Exceptions
Carrot Configuration
Example 3: Host to Gateway
Blue Configuration
Example 4: Manual Keys
Dog Configuration
Cat Configuration
Glossary
Index
© 2004 Hewlett-Packard Development Company, L.P.