HP UX IPSec Software manual Viewing Audit Files, Configuring Startup Audit Parameters

Page 170

Troubleshooting HP-UX IPSec

Troubleshooting Procedures

audit_level can be alert, error, warning, informative, or debug. A selected audit level includes all the lower audit levels.

audit_directory is the fully-qualified path name for the audit directory.

max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.

Configuring Startup Audit Parameters

To set the audit parameters used every time HP-UX IPSec starts, modify the startup record in the configuration database by entering a command similar to the following:

ipsec_config add startup [-autoboot ON|OFF] [-auditlvl audit_level] [-auditdir audit_directory] [-maxsize max_size] ...

audit_level can be alert, error, warning, informative, or debug. A selected audit level includes all the lower audit levels.

audit_directory is the fully-qualified path name for the audit directory.

max_size is the maximum size for each audit file, in kilobytes. The range is 1 - 4294967294.

When you modify startup parameters in the configuration database, the changes do not take effect until the next time HP-UX IPSec starts.

The startup configuration object includes other operating parameters. Any parameters you do not specify are reset to their default values, including the autoboot flag, which determines whether HP-UX IPSec starts automatically at system startup time. To configure HP-UX IPSec to start automatically at system startup time, include the option -autoboot ON in the ipsec_config add startup command.
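Because every parameter left off the ipsec_config add startup command is reset to its default, an administrator will usually want to build that command with all audit parameters stated explicitly and validated against the ranges given above. The following POSIX shell function is an added example, not part of the HP manual; it only prints the command line (it does not invoke ipsec_config), and the audit directory and size used in the demo call are assumed values.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec manual): assemble the
# "ipsec_config add startup" command with -autoboot, -auditlvl, -auditdir and
# -maxsize all given explicitly, since any omitted parameter is reset to its
# default. The function prints the command; it never runs ipsec_config.

# audit_level must be one of the levels the manual lists.
valid_audit_level() {
    case "$1" in
        alert|error|warning|informative|debug) return 0 ;;
        *) return 1 ;;
    esac
}

# max_size is in kilobytes and must be an integer in the range 1 - 4294967294.
valid_max_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4294967294 ]
}

# build_startup_cmd AUTOBOOT AUDIT_LEVEL AUDIT_DIR MAX_SIZE
# Prints the full command line, or prints an error on stderr and returns 1.
build_startup_cmd() {
    autoboot=$1; level=$2; dir=$3; size=$4
    case "$autoboot" in
        ON|OFF) ;;
        *) echo "autoboot must be ON or OFF, got: $autoboot" >&2; return 1 ;;
    esac
    valid_audit_level "$level" || { echo "bad audit_level: $level" >&2; return 1; }
    # audit_directory must be a fully-qualified (absolute) path.
    case "$dir" in
        /*) ;;
        *) echo "audit_directory must be fully qualified: $dir" >&2; return 1 ;;
    esac
    valid_max_size "$size" || { echo "bad max_size (1-4294967294 KB): $size" >&2; return 1; }
    printf 'ipsec_config add startup -autoboot %s -auditlvl %s -auditdir %s -maxsize %s\n' \
        "$autoboot" "$level" "$dir" "$size"
}

# Demo with assumed values: autoboot on, warning level, 2048 KB per audit file.
build_startup_cmd ON warning /var/adm/ipsec 2048
```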

Viewing Audit Files

You must use the ipsec_report utility to view audit files.

First, determine the current audit file:

ipsec_admin -status

Then use the -audit option of ipsec_report to display the file:

166

Chapter 5


HP-UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.