HP UX IPSec Software manual

Page 259

HP-UX IPSec and MC/ServiceGuard

Step 2: Configuring HP-UX Host IPSec Policies for MC/ServiceGuard

Table 8-1  MC/ServiceGuard Port Numbers and Protocols (Continued)

Port   Protocols     Service
1476   TCP           HA - Logical Volume Manager. Used as the destination port between the cluster nodes.
5300   TCP, UDP      HA Cluster Heartbeat (hacl-hb). Used as the destination port between cluster nodes.
5301   TCP           HA Cluster General Services (hacl-gs). Used as the destination port between cluster nodes.
5302   TCP and UDP   HA Configuration (ha-cfg). Used as destination ports between cluster nodes. These ports are also used as destination ports on the cluster nodes for requests from Cluster Object Manager (COM) nodes, and for MC/ServiceGuard remote command execution requests.
5303   TCP and UDP   HA Cluster Probe (hacl-probe). Used as the destination port between cluster nodes. TCP port 5303 is also used as the destination port on Cluster Object Manager (COM) nodes for requests from COM clients.
5304   TCP           HA Cluster Commands (hacl-local). Used as the destination port between the cluster nodes.
5305   TCP           HA Cluster Test (hacl-test). Used as the destination port between cluster nodes.

Chapter 8

255
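An added example (not from the manual) that encodes Table 8-1 and audits constructed flow records for ServiceGuard cluster traffic reaching a cluster node without IPSec protection, which is what the host IPSec policies in this chapter are meant to prevent. The cluster and COM node addresses and the flow-record format are hypothetical; flows carried as ESP or AH are treated as protected, and a flow to a table port is flagged by who sent it (cluster node, COM node, or an address the table does not account for).

```python
from ipaddress import ip_address

# Table 8-1, keyed by (destination port, protocol) -> (service, allowed sources).
# "cluster"     = other cluster nodes only
# "cluster+com" = cluster nodes plus COM nodes / remote command execution clients
# (TCP 5303 from COM clients targets COM nodes, not cluster nodes, so it stays "cluster")
SG_SERVICES = {
    (1476, "TCP"): ("HA LVM", "cluster"),
    (5300, "TCP"): ("hacl-hb", "cluster"),
    (5300, "UDP"): ("hacl-hb", "cluster"),
    (5301, "TCP"): ("hacl-gs", "cluster"),
    (5302, "TCP"): ("ha-cfg", "cluster+com"),
    (5302, "UDP"): ("ha-cfg", "cluster+com"),
    (5303, "TCP"): ("hacl-probe", "cluster"),
    (5303, "UDP"): ("hacl-probe", "cluster"),
    (5304, "TCP"): ("hacl-local", "cluster"),
    (5305, "TCP"): ("hacl-test", "cluster"),
}

# Constructed inventory (hypothetical addresses, not taken from the manual).
CLUSTER_NODES = {ip_address("15.1.1.1"), ip_address("15.1.1.2")}
COM_NODES = {ip_address("15.1.1.20")}

# Constructed flow records: "<proto> <src> <dst> <dport>"; dport is "-" for ESP/AH.
SAMPLE_FLOWS = """\
ESP 15.1.1.1 15.1.1.2 -
TCP 15.1.1.1 15.1.1.2 5300
UDP 15.1.1.2 15.1.1.1 5300
TCP 15.1.1.20 15.1.1.1 5302
TCP 10.9.9.9 15.1.1.2 5304
TCP 15.1.1.1 15.1.1.2 22
"""

def parse_flow(line):
    proto, src, dst, dport = line.split()
    return proto.upper(), ip_address(src), ip_address(dst), None if dport == "-" else int(dport)

def audit_flow(line):
    """Return (verdict, detail) for one flow record."""
    proto, src, dst, port = parse_flow(line)
    if proto in ("ESP", "AH"):          # IP protocol 50/51: already IPSec-protected
        return "ok", "IPSec-protected"
    svc = SG_SERVICES.get((port, proto))
    if svc is None or dst not in CLUSTER_NODES:
        return "ignore", "not a ServiceGuard cluster destination port"
    name, src_class = svc
    where = f"{name} {proto}/{port} {src}->{dst}"
    if src in CLUSTER_NODES:            # node-to-node traffic the policies must cover
        return "cleartext-cluster", where
    if src_class == "cluster+com" and src in COM_NODES:
        return "cleartext-com", where
    return "unexpected-source", where   # a sender Table 8-1 does not account for

def audit_log(text):
    """Audit every non-empty line and return only findings that need action."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            verdict, detail = audit_flow(line)
            if verdict not in ("ok", "ignore"):
                findings.append((verdict, detail))
    return findings

if __name__ == "__main__":
    for verdict, detail in audit_log(SAMPLE_FLOWS):
        print(f"{verdict:18} {detail}")
```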


HP-UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.