HP UX IPSec Software Add IPSec/QM SAs to the Kernel SA Database, Inbound Data AH or ESP Packet

Page 155

Troubleshooting HP-UX IPSec

IPSec Operation

For the IPSec/QM SAs to be successfully established, both systems must agree on the type of transform (AH, ESP), including the authentication or encryption algorithm used. They must also negotiate SA lifetimes.

5.Add IPSec/QM SAs to the Kernel SA Database

The IPSec/QM SAs are added to the kernel SA database by the IKE daemon. Each SA includes an SPI (Security Parameters Index) a number assigned by the receiving system to reference the SA. The SPI for outbound data is assigned by the remote system, while the SPI for the inbound data is established by the local system. The SPI is included in the AH or ESP header so that the destination system can process inbound packets with the correct SA parameters including encryption key(s).

Inbound Data

AH or ESP Packet

If the inbound packet has an Authentication Header (AH) and/or an Encapsulating Security Payload (ESP), HP-UX IPSec checks the kernel SA database for inbound packets for an entry with the same SPI and source IP address. If one exists, it uses the information in the SA to properly decrypt or authenticate the packet. If the inbound packet has multiple SPIs (a nested AH and ESP packet), HP-UX IPSec searches the kernel SA database for each SPI.

If no matching entry exists, HP-UX IPSec will check if there is an IKE policy that applies to the remote system. If there is not, this is an error and possible intrusion attempt. HP-UX IPSec sends an audit message to the audit daemon. HP-UX IPSec discards the packet.

If the local system has an IKE policy that applies to the remote system, HP-UX IPSec will assume that a valid IPSec/QM SA previously existed, but the SPI entry no longer exists because the local system has re-booted. The local system will attempt to establish a new ISAKMP/MM SA with the remote system, and to send an ISAKMP INITIAL-CONTACT notify message. The INITIAL-CONTACT notify message notifies the remote system that the local system has re-started IPSec. The remote system may delete its information for all SAs established with the local node and

Chapter 5

151

Page 154 Page 156
Image 155
Page 154 Page 156
Contents Manufacturing Part Number J4256-90009 June HP-UX IPSec version A.02.00 Administrator’s GuideLegal Notices Contents Configuring HP-UX IPSec Contents Using Certificates with HP-UX IPSec Troubleshooting HP-UX IPSec Viii HP-UX IPSec and IPFilter HP-UX IPSec and HP-UX Mobile IPv6 HP-UX IPSec and MC/ServiceGuard Xii HP-UX IPSec and Linux Migrating from Previous Versions of HP-UX IPSec Glossary Xvi Tables Xviii Figures Figure C-2. Example 1 telnet BA New and Changed Documentation in This Edition Intended AudienceXxii HP-UX IPSec and HP-UX Mobile IPv6 Use this chapter to learn Publishing HistoryWhat’s in This Document Typographical Conventions Related DocumentsHP Encourages Your Comments Xxvi OpenSSL Copyright NoticeXxvii Xxviii HP-UX IPSec Overview HP-UX IPSec Overview Introduction Introduction Authentication Header AH Host a Symmetric Key AuthenticationTransport Mode Transport and Tunnel ModesAH in Transport Mode AH in Tunnel Mode Tunnel ModeSymmetric Key Cryptosystem Encapsulating Security Payload ESPESP Encryption ESP header can be used in transport mode or tunnel mode IP data or payload e.g., TCP or UDP packet ESP Encryption in Transport ModeESP in Tunnel Mode Authenticated ESP ESP with Authentication and EncryptionIPv6 Nested ESP in AHInternet Key Exchange IKE Security Associations SAs and IKE PhasesSA Establishment Generating Shared Keys Diffie-Hellman10 Diffie-Hellman Key Generation IKE Primary AuthenticationDigital Signatures Re-using NegotiationsIKE Preshared Key Authentication IKE Automatic Re-keyingManual Keys Host-to-Gateway Topology HP-UX IPSec TopologiesHost-to-Host Topology 13 Host-to-Host Tunnel Topology Host-to-Host Tunnel Topology14 IPSec Gateway-to-Gateway Topology Gateway-to-Gateway TopologyHP-UX IPSec Configuration and Management Features HP-UX IPSec Configuration and Management Features HP-UX IPSec Configuration and Management Features Chapter Installing HP-UX IPSec Installing HP-UX IPSec Disk Requirements Security Certificate Configuration Utility RequirementsHP-UX IPSec Product Requirements Chapter Loading the HP-UX IPSec Software Do not run the HP-UX IPSec product when the system is booted Ipsecadmin -newpasswd Setting the HP-UX IPSec PasswordRe-establishing the HP-UX IPSec Password Completing Post-Installation Migration Requirements Configuring HP-UX IPSec Configuring HP-UX IPSec Strong End System Model Maximizing SecurityBypass List Ndd -set /dev/ip ipstrongesmodel Line Continuation Character \ General Syntax InformationArgument Delimiters Batch File Syntax Batch File ProcessingProfile File Ipsecconfig deleteCreating a Customized Profile File Using a Profile File with a Batch FileProfile File Structure Dynamic Deletions Dynamic Configuration UpdatesConfiguration Overview Start-up options Configuration Overview Policy Order and Selection Configuring Host IPSec PoliciesDefault Host IPSec Policy Action PASSDISCARDtransformlist -flags flags Ipsecconfig add host hostpolicynameAutomatic Priority Increment Source and -destination Ipaddr/prefix/portnumberservicenameHostpolicyname Service Port Protocol Name Ipsecconfig Service NamesProtocolprotocolid Ipsecconfig Service NamesTunneltunnelpolicyname Default ALLPriorityprioritynumber Transformname/lifetimeseconds/lifetimekbytes ActionTransform Name Description Ipsecconfig TransformsTransformname ESP3DES Ipsecconfig TransformsFlag Description Ipsecconfig add host FlagsFlags flags Host IPSec Policy Configuration Examples Configuring Host IPSec Policies Ipsecconfig add tunnel tunnelpolicyname Configuring Tunnel IPSec PoliciesTsource and -tdestination tunneladdress Default NoneTunnelpolicyname Ipaddr/prefix/portnumberservicename Subnet address filter TCP UDP Icmp ICMPV6 Igmp Actiontransformlist Lifetimekbytes Tunnel IPSec Policy Configuration ExampleLifetimeseconds Configuring Tunnel IPSec Policies Configuring IKE Policies Ikepolicyname Lifelifetimeseconds -maxqmmqmaxquickmodesAdd ike ikepolicyname Remoteipaddr/prefix Group AuthenticationauthenticationtypeAcceptable Values Maxqmmaxquickmodes Hash MD5SHA1Lifelifetimeseconds Default Ipsecconfig add IKE Command ExamplesRemote Multi-homed Systems Configuring Preshared Keys Using Authentication RecordsConfiguring IKE ID Information with Preshared Keys Add auth authname Ipsecconfig add auth authnameRemoteipaddr/prefix -presharedpresharedkey Ipaddr/prefix AuthnamePresharedkey Authentication Record Configuration ExamplesHowever, HP strongly recommends that you configure an Unique preshared keyConfiguring Preshared Keys Using Authentication Records Configuring Certificates Example Configuring the Bypass List Local IPv4 AddressesLogical Interfaces Node1 Node2 Ipsecconfig add bypass ipaddressMaximizing Security Bypass List ExampleIpaddress Bypass Configuration ExampleAdd bypass ipaddress Verify Batch File Syntax Ipsecconfig batch batchfilename -nocommitIpsecconfig show all Ipsecconfig batch batchfilenameIpsecreport -cache Ipsecadmin -statusIpsecreport -all 108 Add startup -autoboot on Configuring HP-UX IPSec to Start AutomaticallyIpsecconfig add startup -autoboot on 110 VeriSign Configuration Files Baltimore Configuration Files112 Using Certificates with HP-UX 114 Public Key Distribution OverviewSecurity Certificates and Public Key Cryptography IKE Public Key Distribution Digital SignaturesRequirements Overview Using VeriSign CertificatesStep VeriSign Certificate TasksVeriSign PKI Data Flow Verifying Prerequisites Export DISPLAY=displaydevice0.0 Configuring Web Proxy Server ParametersIpsecmgr Registering the Administrator Requesting and Receiving Certificates 124 Chapter 125 Baltimore Certificate Tasks Using Baltimore CertificatesChapter 127 Requesting the Baltimore Certificate Configuring the Baltimore Certificate 130 Chapter 131 132 Chapter 133 Configuring Authentication Records with IKE IDs Chapter 135 Syntax Determining the IPv4 Address in the SubjectAlternativeNameVeriSign SubjectAlternativeName Add auth authname -remoteipaddr/prefix Lvalue localid LtypelocalidtypeRidremoteid RtyperemoteidtypeExamples CN=commonName,O=organization,C=country,OU=organizationUnitAdd auth Black -remote 10.10.10.10 -ltype IPV4 \ -lid Baltimore Retrieving the Certificate Revocation List CRLVeriSign Manually Retrieving a CRL for VeriSign or Baltimore 144 Troubleshooting HP-UX IPSec 146 Establishing Security Associations SAs Authenticate Each Peer’s IdentityAuthenticate Identities IPSec OperationEstablish IPSec/QM SAs Establish ISAKMP/MM SAQuery the Policy Manager Daemon Internal ProcessingOutbound Processing Outbound Data Query the Kernel Policy EngineEstablish an ISAKMP/MM SA Inbound Data AH or ESP Packet Add IPSec/QM SAs to the Kernel SA Database152 Processing Inbound Tunnel Packets Clear Text PacketEstablishing Tunnel Security Associations 154 Troubleshooting Utilities Overview Getting Policy Information Getting General InformationGetting SA Information Ipsecconfig show tunnel Ipsecreport -host configuredIpsecconfig show gateway ConfiguredGetting Interface Information Viewing and Configuring Audit InformationEnabling and Disabling Tracing Ipsecreport -all -file filename Troubleshooting ProceduresChecking Status Chapter 161 Ipsecadmin -traceon tcp udp igmp all Isolating HP-UX IPSec Problems from Upper-layerExamining the Policy Cache and Policy Entries Checking Policy ConfigurationUsing ipsecpolicy Audit Level Configuring HP-UX IPSec AuditingAudit Files and Directory Ipsecadmin -maxsize maxauditfilesizeDynamically Setting Audit Parameters Ipsecadmin -al auditlevel -au auditdirectoryAuditlvlauditlevel -auditdirauditdirectory Configuring Startup Audit ParametersIpsecconfig add startup -autoboot Onoff Viewing Audit FilesIpsecreport -audit auditfile -entity entityname Where entityname is one of the following namesFiltering Audit File Output by Entity Recorded by specified entitiesOutput from ipsecadmin -status Output from ipsecreport -all Reporting ProblemsChapter 169 HP-UX IPSec Incorrectly Passes Packets Troubleshooting ScenariosProblem Solution SymptomsHP-UX IPSec Attempts to Encrypt/Authenticate and Fails Ipsecreport -audit /var/adm/ipsec/auditdateinfo.log Ipsecreport -mad Ipsecreport -audit fileAdditional Information Processing failed, MM negotiation timeout ISAKMP/MM SA Negotiation Fails Main ModeChapter 175 Isakmp Primary Authentication Fails with Certificates Isakmp Primary Authentication with Preshared Key FailsDetails ISAKMP/MM SA Negotiation Succeeded, IPSec/QM SAManual Keys Fail Invalid Sadbadd Netfmt /var/adm/nettl.LOG000 mylogoutput Streams Logging Messages and Additional Audit File EntriesNettl -ss Nettl -log e d -e streamsIpsecadmin -auditlvl warning HP-UX Will Not Start ipsecadmin -startFails182 Corrupt or Missing Configuration Database Using the Skeleton Database File Ipsecmigrate -s oldconfigfile -d newconfigfileAdministrator Cannot Get a Local VeriSign Certificate Autoboot is Not Working Properly186 Security Policy Database Limit Exceeded Kernel 188 HP-UX IPSec and IPFilter 190 IPFilter Scenario One IPFilter and IPSec BasicsIPFilter and IPSec 192 IPFilter Scenario Two IPSec UDP Negotiation194 Scenario Three When Traffic Appears to be BlockedPacket with IPSec-Encrypted TCP Data Allowing Protocol 50 and Protocol 51 TrafficPacket with Encrypted TCP Data Scenario Four Protocol 51 traffic, then IPSec traffic will not get throughIPSec Gateways HP-UX IPSec and HP-UX Mobile 200 Home Agent Mobile Node and Home AddressCare-of Address Correspondent NodesNode Home Agents and Basic OperationMobile IPv6 Basic Operation Correspondent Node to Mobile Mobile IPv6 Route Optimization Route OptimizationMobile IPv6 Basic Operation Mobile Node to Correspondent Binding Messages Between the Home Agent and Mobile Node Securing Mobile IPv6 with HP-UX IPSecAcknowledgement messages Prefix Discovery MessagesChapter 205 Payload Packets Routed Through the Home Agent Chapter 207 Gateway IPSec Policies Understanding Gateway IPSec PoliciesTroubleshooting Manual Key Problems Using Manual KeysConfiguration Procedure Using the HP-UX Strong Random Number Generator210 Syntax Actiontransformname Inand -outmanualkeysaspecificationSourcehomeagentaddr Chapter 213 Mobile IPv6 Home Test Init and Home Test Packets 2B, 2C Home Agent Mobile NodeCorrespondent Node Segments Return Routability Messages ConfiguringGateway IPSec Policy for Home Agent 216 Tunnelrrtunnelname Tunnel rrtunnelname -action Forward -flags MIPV6218 Chapter 219 220 Chapter 221 222 Action Forward -flags MIPV6 Protocol ALL -priority prioritynumber224 Tunnelpayloadtunnelname Ipsecconfig add tunnel payloadtunnelname 3ffe83fffef71111 Mobile IPv6 Configuration ExampleBinding Messages Return Routability MessagesReturn Routability Tunnel IPSec Policy Optional Prefix Discovery MessagesGateway IPSec Policy for Home Agent Mobile Node Segments Protocol ALL -pri 300 -action Forward -flags MIPV6 Optional Payload Messages Routed Through the Home AgentPayload Gateway IPSec Policies Add gateway mn2222payloadtocn \Payload Tunnel IPSec Policy Batch File Template 232 Chapter 233 234 HP-UX IPSec 236 MC/ServiceGuard Cluster Package Clients Not Using HP-UX IPSec A.01.07 or Later Using HP-UX IPSec with MC/ServiceGuardChapter 239 MC/ServiceGuard Heartbeat Requirement Recommendation Configuration Steps 242 Configuring a Common HP-UX IPSec Password Configuring HP-UX Host IPSec Policies for MC/ServiceGuard Configuring Host IPSec Policies for Package Addresses Determining MC/ServiceGuard Cluster InformationPrivate Dedicated Heartbeat Networks Address or Server Wildcard 10.0.0.0/8Cluster Node IPSec Policies for Quorum Server 1238Source IP Destination Protocol Address IP Address Port Cluster Node IPSec Policies for Remote Command ExecutionQuorum Server IPSec Policies Server Address Address or WildcardAddress or Command Wildcard Client address 514 Command Address Client address Or wildcard Configuring Host IPSec Policies for ServiceGuard ManagerSource IP Destination Protoco Address IP Address Port Cluster Node Host IPSec Policies for ServiceGuard ManagerServiceGuard Manager Host IPSec Policies COM System Host IPSec Policies Cluster Node Host IPSec Policies for COM5303 Summary MC/ServiceGuard Port Numbers ProtocolsMC/ServiceGuard Port Numbers and Protocols Port Protocols ServiceChapter 255 256 Cluster Client IKE policies Configuring HP-UX IPSec IKE policiesCluster IKE policies Preshared Key Configuration on Client Nodes Configuring Authentication Records for Preshared KeysPreshared Key Configuration on Cluster Nodes Remote IP Address Key Preshared Keys Configuration on Cluster NodesPreshared Keys Configuration on Client1 Preshared Keys Configuration on Client2260 Authentication Records and IKE ID Information Configuring Authentication Records for CertificatesCluster Clients Chapter 263 IKE ID Configuration on Client1 and Client2 IKE ID Configuration on Cluster NodesIpsecpolicy -sa 15.1.1.1 -da Verifying and Testing the HP-UX IPSec ConfigurationConfiguring HP-UX IPSec Start-up Options Distributing HP-UX IPSec Configuration Files 268 Package Control Script Configuring MC/ServiceGuardCluster Configuration Package ConfigurationMonitor Script Polling Interval Adding a Node to a Running Cluster Starting HP-UX IPSec MC/ServiceGuard272 HP-UX IPSec and Linux 274 Chapter 275 Configuration Example Product Specifications Appendix a RFC Number RFC Title IPSec RFCsRFC 3776 Mandatory Support 280 Isakmp Limitations Product RestrictionsIPv4 Icmp Messages IPv6 Icmp Messages Algorithm Key Length Authentication AlgorithmsHP-UX IPSec Transforms Comparative Key LengthsESP-DES Encryption AlgorithmsTransform Lifetime Negotiation Migrating from Previous Versions Appendix B Ipsecreport -auditauditfilename -fileoutputfilename Pre-Installation Migration InstructionsMD5 Version Compatibility Migrating from Versions Prior to A.01.03Not Re-using Configuration Files Ipsecadmin -start Post-Installation Migration InstructionsConfiguration File Usr/sbin/ipsecmigrate -s configfile -d newconfigfile292 HP-UX IPSec Configuration Examples Appendix C Example 1 telnet Between Two Systems Figure C-1 Example 1 telnet AB Apple ConfigurationIKE Policy Banana ConfigurationAuthentication Record with Preshared Key 298 Figure C-3 Example 2 Network IPSec Policy with Exceptions Example 2 Authenticated ESP with ExceptionsCarrot Configuration Authentication Record Ipsecconfig Batch File EntriesPriority 100 -action Pass -tunnel torouter Blue ConfigurationExample 3 Host to Gateway Host IPSec PolicyAdd auth torouter -rem 16.6.6.6 -psk Hello Tunnel IPSec PolicyExample 4 Manual Keys Dog ConfigurationCat Configuration Asymmetric keys, public/private keys GlossaryEncapsulating Security Payload ESP Diffie-HellmanGlossary 307 Preshared Key 309 Numerics310 311 312 313 314
Related manuals
Manual 48 pages 5.99 Kb Manual 8 pages 43.6 Kb

UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.
Top Page Image Contents