HP-UX IPSec Software manual: ipsec_config Service Names (Service Name, Port, Protocol)

Page 76

Configuring HP-UX IPSec

Step 1: Configuring Host IPSec Policies

prefix The prefix is the prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr.

For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter.

For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.

Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.

Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify a prefix value if you specify a port or service name as part of the address filter.

port The port is the upper-layer protocol (TCP or UDP) port number. Specify the upper-layer protocol with the protocol argument described below.

Acceptable Values: 0 - 65535. 0 indicates all ports. The upper-layer protocol must be TCP or UDP if you specify a non-zero port number.

Default: 0 (all ports).

service_name The service_name is a character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and protocol in the same policy.

Table 3-1 ipsec_config Service Names

Service Name    Port    Protocol
DNS-TCP         53      TCP
DNS-UDP         53      UDP
FTP-DATA        20      TCP

72

Chapter 3
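The address-filter rules above (prefix defaults and range, the manual-key restriction, port 0 as all ports, the TCP/UDP requirement for a non-zero port, and service_name versus protocol) as an added Python model; this is not HP's code or the ipsec_config implementation, the function names are hypothetical, and the service table contains only the three rows visible on this page.

```python
import ipaddress

# Service names from Table 3-1 as visible on this page (the table continues on
# the next page, so this dictionary is deliberately incomplete).
SERVICE_NAMES = {
    "DNS-TCP": (53, "TCP"),
    "DNS-UDP": (53, "UDP"),
    "FTP-DATA": (20, "TCP"),
}

def default_prefix(addr):
    """Full-length prefix for a non-zero address, 0 (match any) for 0.0.0.0 or 0::0."""
    if int(addr) == 0:
        return 0
    return 32 if addr.version == 4 else 128

def build_filter(ip_addr, prefix=None, port=0, protocol=None,
                 service_name=None, manual_keys=False):
    """Validate one address filter per the rules above; return (network, port, protocol)."""
    addr = ipaddress.ip_address(ip_addr)
    max_prefix = 32 if addr.version == 4 else 128
    if service_name is not None:
        if protocol is not None:
            raise ValueError("service_name and protocol cannot be used in the same policy")
        port, protocol = SERVICE_NAMES[service_name]   # KeyError for an unknown name
    if (port or service_name) and prefix is None:
        raise ValueError("prefix is required when a port or service name is given")
    if prefix is None:
        prefix = default_prefix(addr)
    if not 0 <= prefix <= max_prefix:
        raise ValueError(f"prefix must be 0-{max_prefix}")
    if manual_keys and prefix != max_prefix:
        raise ValueError(f"manual keys require prefix {max_prefix}")
    if not 0 <= port <= 65535:
        raise ValueError("port must be 0-65535")
    if port and protocol not in ("TCP", "UDP"):
        raise ValueError("a non-zero port requires protocol TCP or UDP")
    # strict=False keeps a host address usable with a shorter prefix (10.1.1.5/16 -> 10.1.0.0/16)
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return network, port, protocol

def matches(flt, pkt_addr, pkt_port, pkt_protocol):
    """True if a packet's address, port and protocol are selected by the filter."""
    network, port, protocol = flt
    addr = ipaddress.ip_address(pkt_addr)
    if addr.version != network.version or addr not in network:
        return False
    if port and pkt_port != port:               # port 0 means all ports
        return False
    if protocol is not None and pkt_protocol != protocol:
        return False
    return True

def is_rejected(ip_addr, **kwargs):
    """True if build_filter refuses the combination (illustrates the rules)."""
    try:
        build_filter(ip_addr, **kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    dns = build_filter("10.1.0.0", prefix=16, service_name="DNS-UDP")
    print(dns, matches(dns, "10.1.7.9", 53, "UDP"))
```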


HP-UX IPSec Software specifications

HP-UX IPSec Software is an integral component of the HP-UX operating system, providing robust and secure communication capabilities for enterprise environments. As organizations increasingly rely on secure networking solutions, HP-UX IPSec stands out with its comprehensive set of features and technologies designed to safeguard sensitive data.

One of the core characteristics of HP-UX IPSec Software is its implementation of the Internet Protocol Security (IPSec) framework. This technology secures Internet Protocol (IP) communications through authentication and encryption, ensuring the integrity and confidentiality of data transmissions. By leveraging IPSec, HP-UX provides a secure method for connecting remote users and secure sites over untrusted networks, such as the internet.

A notable feature of the HP-UX IPSec Software is its support for both transport and tunnel modes. The transport mode encrypts only the payload of the IP packet, whereas the tunnel mode encapsulates the entire IP packet within a new packet, allowing for secure communications between entire networks. This flexibility enables organizations to tailor their security strategies based on specific use cases and requirements.

HP-UX IPSec also emphasizes interoperability and compliance with industry standards. The software supports various encryption algorithms and authentication methods, including those defined by the Internet Engineering Task Force (IETF). This commitment to open standards ensures that HP-UX can seamlessly integrate with a diverse range of networking infrastructures and security solutions.

In addition to its security features, HP-UX IPSec Software offers administration tools that simplify the configuration and management of IPSec policies. The software includes a user-friendly command-line interface, allowing system administrators to specify security associations and policies efficiently. Moreover, comprehensive logging and monitoring capabilities help organizations keep track of their security posture and detect potential vulnerabilities.

Another essential characteristic of HP-UX IPSec Software is its scalability. Designed to accommodate the needs of both small and large enterprises, it can handle increased loads and adapt to changing security demands without compromising performance.

In conclusion, HP-UX IPSec Software stands as a vital solution for organizations seeking to protect their data transmissions over IP networks. With its core technologies, such as transport and tunnel modes, adherence to industry standards, user-friendly administration tools, and scalability, it provides a formidable layer of security in an increasingly interconnected world. This makes it a preferred choice for enterprises aiming to enhance their network security frameworks.