HP UX IPSec Software manual 256

Page 260

HP-UX IPSec and MC/ServiceGuard

Step 2: Configuring HP-UX Host IPSec Policies for MC/ServiceGuard

Table 8-1

 

MC/ServiceGuard Port Numbers and Protocols (Continued)

 

 

 

 

 

 

 

Port

Protocols

Service

 

 

 

 

 

 

 

5408

TCP

HA Distributed Lock Manager

 

 

 

 

(ha-dlm). Used as the destination

 

 

 

 

port between cluster nodes.

 

 

 

 

 

 

 

dynamic

TCP

MC/ServiceGuard network probes.

 

 

(49152-65535

 

Used as the source and destination

 

 

by default)

 

port between cluster nodes.

 

 

 

 

 

 

 

 

 

 

NOTE

 

This list of MC/ServiceGuard services may not be exhaustive. New

 

 

MC/ServiceGuard utilities may be developed that use port numbers

 

 

different from those listed above. You will need to add new policies as

 

 

appropriate to make sure that all MC/ServiceGuard utilities run

 

 

properly.

 

 

 

 

 

 

 

256

Chapter 8

Page 259 Page 261
Image 260
Page 259 Page 261
Contents HP-UX IPSec version A.02.00 Administrator’s Guide Manufacturing Part Number J4256-90009 JuneLegal Notices Contents Configuring HP-UX IPSec Contents Using Certificates with HP-UX IPSec Troubleshooting HP-UX IPSec Viii HP-UX IPSec and IPFilter HP-UX IPSec and HP-UX Mobile IPv6 HP-UX IPSec and MC/ServiceGuard Xii HP-UX IPSec and Linux Migrating from Previous Versions of HP-UX IPSec Glossary Xvi Tables Xviii Figures Figure C-2. Example 1 telnet BA Intended Audience New and Changed Documentation in This EditionXxii HP-UX IPSec and HP-UX Mobile IPv6 Use this chapter to learn Publishing HistoryWhat’s in This Document Related Documents Typographical ConventionsHP Encourages Your Comments OpenSSL Copyright Notice XxviXxvii Xxviii HP-UX IPSec Overview HP-UX IPSec Overview Introduction Introduction Authentication Header AH Symmetric Key Authentication Transport ModeTransport and Tunnel Modes Host aAH in Transport Mode Tunnel Mode AH in Tunnel ModeSymmetric Key Cryptosystem Encapsulating Security Payload ESPESP Encryption ESP header can be used in transport mode or tunnel mode IP data or payload e.g., TCP or UDP packet ESP Encryption in Transport ModeESP in Tunnel Mode ESP with Authentication and Encryption Authenticated ESPNested ESP in AH IPv6Security Associations SAs and IKE Phases Internet Key Exchange IKEGenerating Shared Keys Diffie-Hellman SA EstablishmentIKE Primary Authentication 10 Diffie-Hellman Key GenerationRe-using Negotiations IKE Preshared Key AuthenticationIKE Automatic Re-keying Digital SignaturesManual Keys Host-to-Gateway Topology HP-UX IPSec TopologiesHost-to-Host Topology Host-to-Host Tunnel Topology 13 Host-to-Host Tunnel TopologyGateway-to-Gateway Topology 14 IPSec Gateway-to-Gateway TopologyHP-UX IPSec Configuration and Management Features HP-UX IPSec Configuration and Management Features HP-UX IPSec Configuration and Management Features Chapter Installing HP-UX IPSec Installing HP-UX IPSec Disk Requirements Security Certificate Configuration Utility RequirementsHP-UX IPSec Product Requirements Chapter Loading the HP-UX IPSec Software Do not run the HP-UX IPSec product when the system is booted Ipsecadmin -newpasswd Setting the HP-UX IPSec PasswordRe-establishing the HP-UX IPSec Password Completing Post-Installation Migration Requirements Configuring HP-UX IPSec Configuring HP-UX IPSec Strong End System Model Maximizing SecurityBypass List Ndd -set /dev/ip ipstrongesmodel Line Continuation Character \ General Syntax InformationArgument Delimiters Batch File Processing Batch File SyntaxIpsecconfig delete Profile FileCreating a Customized Profile File Using a Profile File with a Batch FileProfile File Structure Dynamic Configuration Updates Dynamic DeletionsConfiguration Overview Start-up options Configuration Overview Policy Order and Selection Configuring Host IPSec PoliciesDefault Host IPSec Policy Action PASSDISCARDtransformlist -flags flags Ipsecconfig add host hostpolicynameAutomatic Priority Increment Source and -destination Ipaddr/prefix/portnumberservicenameHostpolicyname Ipsecconfig Service Names Service Port Protocol NameIpsecconfig Service Names ProtocolprotocolidTunneltunnelpolicyname Default ALLPriorityprioritynumber Action Transformname/lifetimeseconds/lifetimekbytesTransform Name Description Ipsecconfig TransformsTransformname Ipsecconfig Transforms ESP3DESFlag Description Ipsecconfig add host FlagsFlags flags Host IPSec Policy Configuration Examples Configuring Host IPSec Policies Configuring Tunnel IPSec Policies Ipsecconfig add tunnel tunnelpolicynameTsource and -tdestination tunneladdress Default NoneTunnelpolicyname Ipaddr/prefix/portnumberservicename Subnet address filter TCP UDP Icmp ICMPV6 Igmp Actiontransformlist Lifetimekbytes Tunnel IPSec Policy Configuration ExampleLifetimeseconds Configuring Tunnel IPSec Policies Configuring IKE Policies Ikepolicyname Lifelifetimeseconds -maxqmmqmaxquickmodesAdd ike ikepolicyname Remoteipaddr/prefix Group AuthenticationauthenticationtypeAcceptable Values Maxqmmaxquickmodes Hash MD5SHA1Lifelifetimeseconds Ipsecconfig add IKE Command Examples DefaultRemote Multi-homed Systems Configuring Preshared Keys Using Authentication RecordsConfiguring IKE ID Information with Preshared Keys Add auth authname Ipsecconfig add auth authnameRemoteipaddr/prefix -presharedpresharedkey Authname Ipaddr/prefixAuthentication Record Configuration Examples However, HP strongly recommends that you configure anUnique preshared key PresharedkeyConfiguring Preshared Keys Using Authentication Records Configuring Certificates Example Configuring the Bypass List Local IPv4 AddressesLogical Interfaces Ipsecconfig add bypass ipaddress Maximizing SecurityBypass List Example Node1 Node2Ipaddress Bypass Configuration ExampleAdd bypass ipaddress Ipsecconfig batch batchfilename -nocommit Verify Batch File SyntaxIpsecconfig batch batchfilename Ipsecconfig show allIpsecadmin -status Ipsecreport -cacheIpsecreport -all 108 Add startup -autoboot on Configuring HP-UX IPSec to Start AutomaticallyIpsecconfig add startup -autoboot on 110 Baltimore Configuration Files VeriSign Configuration Files112 Using Certificates with HP-UX 114 Public Key Distribution OverviewSecurity Certificates and Public Key Cryptography Digital Signatures IKE Public Key DistributionRequirements Using VeriSign Certificates OverviewStep VeriSign Certificate TasksVeriSign PKI Data Flow Verifying Prerequisites Export DISPLAY=displaydevice0.0 Configuring Web Proxy Server ParametersIpsecmgr Registering the Administrator Requesting and Receiving Certificates 124 Chapter 125 Using Baltimore Certificates Baltimore Certificate TasksChapter 127 Requesting the Baltimore Certificate Configuring the Baltimore Certificate 130 Chapter 131 132 Chapter 133 Configuring Authentication Records with IKE IDs Chapter 135 Syntax Determining the IPv4 Address in the SubjectAlternativeNameVeriSign SubjectAlternativeName Add auth authname -remoteipaddr/prefix Ltypelocalidtype Lvalue localidRtyperemoteidtype RidremoteidCN=commonName,O=organization,C=country,OU=organizationUnit ExamplesAdd auth Black -remote 10.10.10.10 -ltype IPV4 \ -lid Baltimore Retrieving the Certificate Revocation List CRLVeriSign Manually Retrieving a CRL for VeriSign or Baltimore 144 Troubleshooting HP-UX IPSec 146 Authenticate Each Peer’s Identity Authenticate IdentitiesIPSec Operation Establishing Security Associations SAsEstablish ISAKMP/MM SA Establish IPSec/QM SAsInternal Processing Outbound ProcessingOutbound Data Query the Kernel Policy Engine Query the Policy Manager DaemonEstablish an ISAKMP/MM SA Add IPSec/QM SAs to the Kernel SA Database Inbound Data AH or ESP Packet152 Processing Inbound Tunnel Packets Clear Text PacketEstablishing Tunnel Security Associations 154 Troubleshooting Utilities Overview Getting Policy Information Getting General InformationGetting SA Information Ipsecreport -host configured Ipsecconfig show gatewayConfigured Ipsecconfig show tunnelViewing and Configuring Audit Information Getting Interface InformationEnabling and Disabling Tracing Ipsecreport -all -file filename Troubleshooting ProceduresChecking Status Chapter 161 Isolating HP-UX IPSec Problems from Upper-layer Ipsecadmin -traceon tcp udp igmp allExamining the Policy Cache and Policy Entries Checking Policy ConfigurationUsing ipsecpolicy Configuring HP-UX IPSec Auditing Audit LevelIpsecadmin -maxsize maxauditfilesize Dynamically Setting Audit ParametersIpsecadmin -al auditlevel -au auditdirectory Audit Files and DirectoryConfiguring Startup Audit Parameters Ipsecconfig add startup -autoboot OnoffViewing Audit Files Auditlvlauditlevel -auditdirauditdirectoryWhere entityname is one of the following names Filtering Audit File Output by EntityRecorded by specified entities Ipsecreport -audit auditfile -entity entitynameReporting Problems Output from ipsecadmin -status Output from ipsecreport -allChapter 169 HP-UX IPSec Incorrectly Passes Packets Troubleshooting ScenariosProblem Symptoms SolutionHP-UX IPSec Attempts to Encrypt/Authenticate and Fails Ipsecreport -audit /var/adm/ipsec/auditdateinfo.log Ipsecreport -mad Ipsecreport -audit fileAdditional Information ISAKMP/MM SA Negotiation Fails Main Mode Processing failed, MM negotiation timeoutChapter 175 Isakmp Primary Authentication with Preshared Key Fails Isakmp Primary Authentication Fails with CertificatesISAKMP/MM SA Negotiation Succeeded, IPSec/QM SA DetailsManual Keys Fail Invalid Sadbadd Streams Logging Messages and Additional Audit File Entries Nettl -ssNettl -log e d -e streams Netfmt /var/adm/nettl.LOG000 mylogoutputHP-UX Will Not Start ipsecadmin -startFails Ipsecadmin -auditlvl warning182 Corrupt or Missing Configuration Database Ipsecmigrate -s oldconfigfile -d newconfigfile Using the Skeleton Database FileAutoboot is Not Working Properly Administrator Cannot Get a Local VeriSign Certificate186 Security Policy Database Limit Exceeded Kernel 188 HP-UX IPSec and IPFilter 190 IPFilter Scenario One IPFilter and IPSec BasicsIPFilter and IPSec 192 IPSec UDP Negotiation IPFilter Scenario Two194 When Traffic Appears to be Blocked Scenario ThreePacket with IPSec-Encrypted TCP Data Allowing Protocol 50 and Protocol 51 TrafficPacket with Encrypted TCP Data Protocol 51 traffic, then IPSec traffic will not get through Scenario FourIPSec Gateways HP-UX IPSec and HP-UX Mobile 200 Mobile Node and Home Address Care-of AddressCorrespondent Nodes Home AgentNode Home Agents and Basic OperationMobile IPv6 Basic Operation Correspondent Node to Mobile Mobile IPv6 Route Optimization Route OptimizationMobile IPv6 Basic Operation Mobile Node to Correspondent Securing Mobile IPv6 with HP-UX IPSec Acknowledgement messagesPrefix Discovery Messages Binding Messages Between the Home Agent and Mobile NodeChapter 205 Payload Packets Routed Through the Home Agent Chapter 207 Understanding Gateway IPSec Policies Gateway IPSec PoliciesUsing Manual Keys Configuration ProcedureUsing the HP-UX Strong Random Number Generator Troubleshooting Manual Key Problems210 Syntax Actiontransformname Inand -outmanualkeysaspecificationSourcehomeagentaddr Chapter 213 2B, 2C Home Agent Mobile Node Mobile IPv6 Home Test Init and Home Test PacketsCorrespondent Node Segments Return Routability Messages ConfiguringGateway IPSec Policy for Home Agent 216 Tunnel rrtunnelname -action Forward -flags MIPV6 Tunnelrrtunnelname218 Chapter 219 220 Chapter 221 222 Protocol ALL -priority prioritynumber Action Forward -flags MIPV6224 Tunnelpayloadtunnelname Ipsecconfig add tunnel payloadtunnelname Mobile IPv6 Configuration Example Binding MessagesReturn Routability Messages 3ffe83fffef71111Return Routability Tunnel IPSec Policy Optional Prefix Discovery MessagesGateway IPSec Policy for Home Agent Mobile Node Segments Optional Payload Messages Routed Through the Home Agent Payload Gateway IPSec PoliciesAdd gateway mn2222payloadtocn \ Protocol ALL -pri 300 -action Forward -flags MIPV6Payload Tunnel IPSec Policy Batch File Template 232 Chapter 233 234 HP-UX IPSec 236 MC/ServiceGuard Cluster Using HP-UX IPSec with MC/ServiceGuard Package Clients Not Using HP-UX IPSec A.01.07 or LaterChapter 239 MC/ServiceGuard Heartbeat Requirement Recommendation Configuration Steps 242 Configuring a Common HP-UX IPSec Password Configuring HP-UX Host IPSec Policies for MC/ServiceGuard Determining MC/ServiceGuard Cluster Information Configuring Host IPSec Policies for Package AddressesPrivate Dedicated Heartbeat Networks 10.0.0.0/8 Cluster Node IPSec Policies for Quorum Server1238 Address or Server WildcardCluster Node IPSec Policies for Remote Command Execution Quorum Server IPSec PoliciesServer Address Address or Wildcard Source IP Destination Protocol Address IP Address PortAddress or Command Wildcard Client address 514 Configuring Host IPSec Policies for ServiceGuard Manager Command Address Client address Or wildcardSource IP Destination Protoco Address IP Address Port Cluster Node Host IPSec Policies for ServiceGuard ManagerServiceGuard Manager Host IPSec Policies Cluster Node Host IPSec Policies for COM COM System Host IPSec PoliciesSummary MC/ServiceGuard Port Numbers Protocols MC/ServiceGuard Port Numbers and ProtocolsPort Protocols Service 5303Chapter 255 256 Cluster Client IKE policies Configuring HP-UX IPSec IKE policiesCluster IKE policies Preshared Key Configuration on Client Nodes Configuring Authentication Records for Preshared KeysPreshared Key Configuration on Cluster Nodes Preshared Keys Configuration on Cluster Nodes Preshared Keys Configuration on Client1Preshared Keys Configuration on Client2 Remote IP Address Key260 Configuring Authentication Records for Certificates Authentication Records and IKE ID InformationCluster Clients Chapter 263 IKE ID Configuration on Cluster Nodes IKE ID Configuration on Client1 and Client2Verifying and Testing the HP-UX IPSec Configuration Ipsecpolicy -sa 15.1.1.1 -daConfiguring HP-UX IPSec Start-up Options Distributing HP-UX IPSec Configuration Files 268 Configuring MC/ServiceGuard Cluster ConfigurationPackage Configuration Package Control ScriptMonitor Script Polling Interval Starting HP-UX IPSec MC/ServiceGuard Adding a Node to a Running Cluster272 HP-UX IPSec and Linux 274 Chapter 275 Configuration Example Product Specifications Appendix a RFC Number RFC Title IPSec RFCsRFC 3776 Mandatory Support 280 Product Restrictions Isakmp LimitationsIPv4 Icmp Messages IPv6 Icmp Messages Authentication Algorithms HP-UX IPSec TransformsComparative Key Lengths Algorithm Key LengthEncryption Algorithms ESP-DESTransform Lifetime Negotiation Migrating from Previous Versions Appendix B Pre-Installation Migration Instructions MD5 Version CompatibilityMigrating from Versions Prior to A.01.03 Ipsecreport -auditauditfilename -fileoutputfilenameNot Re-using Configuration Files Post-Installation Migration Instructions Configuration FileUsr/sbin/ipsecmigrate -s configfile -d newconfigfile Ipsecadmin -start292 HP-UX IPSec Configuration Examples Appendix C Example 1 telnet Between Two Systems Apple Configuration Figure C-1 Example 1 telnet ABIKE Policy Banana ConfigurationAuthentication Record with Preshared Key 298 Example 2 Authenticated ESP with Exceptions Figure C-3 Example 2 Network IPSec Policy with ExceptionsCarrot Configuration Ipsecconfig Batch File Entries Authentication RecordBlue Configuration Example 3 Host to GatewayHost IPSec Policy Priority 100 -action Pass -tunnel torouterTunnel IPSec Policy Add auth torouter -rem 16.6.6.6 -psk HelloExample 4 Manual Keys Dog ConfigurationCat Configuration Glossary Asymmetric keys, public/private keysDiffie-Hellman Encapsulating Security Payload ESPGlossary 307 Preshared Key Numerics 309310 311 312 313 314
Related manuals
Manual 48 pages 5.99 Kb Manual 8 pages 43.6 Kb

UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.
Top Page Image Contents