IPSec using racoon w/ kerberos authentication


 
# 1  
10-21-2008

Hi,

Can anyone point me to a good link to set up IPSec using racoon IKE which uses the gssapi_krb authentication method?

I have a Debian Linux box and a Windows 2003R2 system, and I want them to communicate using IPSec.

Thanks,
Emily.
ipsec_config(1M)														  ipsec_config(1M)

NAME

ipsec_config - add, delete, export, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database

SYNOPSIS

[operation [object_type]]

DESCRIPTION

The command adds, deletes, exports, and shows HP-UX IPSec configuration objects in the HP-UX IPSec configuration database. If HP-UX IPSec is active and running, also updates the HP-UX runtime IPSec policy database and runtime IKE information (IKE policies and authentication records).

You must be superuser to run

The utility can operate in command-line mode or batch mode. In command-line mode, reads all input from the command line. In batch mode, reads add and delete operations from a file. Batch mode allows administrators to add and delete multiple configuration objects in one operation. HP-UX IPSec processes the operations in a batch file as a group. Batch mode is useful if you are adding or deleting configuration records that may affect other records.

HP recommends that you use a batch file to add configuration information. A batch file provides a permanent record of the configuration data and can be used to re-create the configuration database.

Separate command arguments using whitespace (blanks, tabs or newlines). Use a backslash line continuation character to continue command input on subsequent lines.

Operations and Object Types

The command supports the following operations:

o See ipsec_config_add(1M) for more information.
o See ipsec_config_batch(1M) for more information.
o See ipsec_config_delete(1M) for more information.
o See ipsec_config_export(1M) for more information.
o See ipsec_config_show(1M) for more information.

object_type can be one of the following:

o Authentication records, which specify Internet Key Exchange (IKE) versions, authentication methods, identity information and preshared keys.
o Bypass addresses.
o Security certificate for a Certificate Authority (used for IKE authentication with RSA signatures).
o Certificate Revocation List (CRL). A CRL contains a list of revoked X.509 security certificates. If you have a CRL, HP-UX IPSec checks it during the IKE authentication process to verify that the remote system's security certificate is valid (not revoked).
o Certificate Signing Request (CSR), which the HP-UX IPSec administrator can submit to a Certificate Authority (CA) to request a signed X.509 security certificate.
o Host IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is an end host.
o IKE version 1 (IKEv1) policies.
o IKE version 2 (IKEv2) policies.
o Security certificate for the local system (used for IKE authentication with RSA signatures).
o Start-up options.
o Tunnel IPsec policies, which specify IPsec tunnel transform parameters.

Configuring Objects

In most HP-UX IPSec topologies, you must configure the following objects:

o Host IPsec policies
o Authentication records (IKE ID information and preshared keys)

To establish IPsec security, you must also have an IKE version 1 (IKEv1) or IKE version 2 (IKEv2) policy. The HP-UX IPSec product installs a default IKEv1 policy and a default IKEv2 policy. You can use these default policies without modifications in many topologies.

HP recommends that you use the following procedure to configure HP-UX IPSec:

1. Create a batch file to configure IPsec policies and authentication records. An IKEv1 or IKEv2 policy is also required, but in most cases you can use the default IKEv1 or IKEv2 installed with the product. If you want to configure host-to-host IPsec policies and use IKE with preshared keys for IKE authentication, create a batch file to contain the following statements: See the command subsection in ipsec_config_add(1M) for syntax and usage information. If you are using HP-UX IPSec with certificates (RSA signatures) for IKE authentication, you must also use the following commands to configure certificates: You must enter the above commands at the command-line prompt. (You cannot specify them in a batch file.) The command creates a certificate signing request (CSR). As an alternative, you can use a utility provided by the certificate vendor to create the CSR.

2. Test the syntax of your batch file by entering the following command: The option verifies the syntax without adding objects to the database.

3. If the syntax is correct, add the configuration information to the configuration database by entering the following command:

4. Start and verify HP-UX IPSec. Use the following command to start HP-UX IPSec: Generate network traffic that uses IPsec. Use the following command to verify operation: Verify that HP-UX IPSec has created Security Associations (SAs) with the appropriate systems.

5. Use the command to configure HP-UX IPSec to automatically start at system boot-up time.

ipsec_config Help

The displays help and usage information for the HP-UX IPSec operations. Use the following syntax to access help: [operation [option_type]]

EXAMPLES

You have two systems, Apple and Banana. Apple and Banana are not multihomed. You want to secure all telnet packets between the two systems using IPsec ESP with AES, authenticated with SHA-1. The IKE version is IKEv1. This is a private network, and you will allow all other packets to pass in clear text. You use the default IKEv1 policy.

On Apple, you configure:

o Two host IPsec policies
o One authentication record

The first host IPsec policy, telnetAB, secures outbound telnet connections (Apple is the telnet client). You do not need to specify the source argument, since it will default to any IP address and any port, and the telnet client port number is dynamically allocated. The second policy, telnetBA, secures inbound telnet connections (Apple is the telnet server). The authentication record specifies the preshared key value used with (Banana):

The configuration on Banana is the mirror image of the configuration on Apple:

AUTHOR

was developed by HP.

FILES

configuration database.
default profile file.

SEE ALSO

ipsec_admin(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M), ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M).

HP-UX IPSec Software Required ipsec_config(1M)