ipsec_config(1M)														  ipsec_config(1M)

NAME
       ipsec_config - add, delete, export, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database

SYNOPSIS
       ipsec_config [operation [object_type]]

DESCRIPTION
       The ipsec_config command adds, deletes, exports, and shows HP-UX IPSec configuration objects in the HP-UX IPSec configuration
       database. If HP-UX IPSec is active and running, ipsec_config also updates the HP-UX runtime IPsec policy database and the runtime
       IKE information (IKE policies and authentication records).

       You must be superuser to run ipsec_config.

       The utility can operate in command-line mode or batch mode. In command-line mode, ipsec_config reads all input from the command
       line. In batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows administrators to add and delete
       multiple configuration objects in one operation. HP-UX IPSec processes the operations in a batch file as a group, so batch mode is
       useful if you are adding or deleting configuration records that may affect other records.

       HP recommends that you use a batch file to add configuration information. A batch file provides a permanent record of the
       configuration data and can be used to re-create the configuration database.

       Separate command arguments using whitespace (blanks, tabs or newlines). Use a backslash (\) line continuation character to continue
       command input on subsequent lines.

   Operations and Object Types
       The ipsec_config command supports the following operations:

       add       See ipsec_config_add(1M) for more information.
       batch     See ipsec_config_batch(1M) for more information.
       delete    See ipsec_config_delete(1M) for more information.
       export    See ipsec_config_export(1M) for more information.
       show      See ipsec_config_show(1M) for more information.

       object_type can be one of the following:

       o Authentication records, which specify Internet Key Exchange (IKE) versions, authentication methods, identity information and
         preshared keys.
       o Bypass addresses.
       o The security certificate for a Certificate Authority (CA), used for IKE authentication with RSA signatures.
       o A Certificate Revocation List (CRL). A CRL contains a list of revoked X.509 security certificates. If you have a CRL, HP-UX IPSec
         checks it during the IKE authentication process to verify that the remote system's security certificate is valid (not revoked).
       o A Certificate Signing Request (CSR), which the HP-UX IPSec administrator can submit to a Certificate Authority (CA) to request a
         signed X.509 security certificate.
       o Host IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is an end host.
       o IKE version 1 (IKEv1) policies.
       o IKE version 2 (IKEv2) policies.
       o The security certificate for the local system, used for IKE authentication with RSA signatures.
       o Start-up options.
       o Tunnel IPsec policies, which specify IPsec tunnel transform parameters.

   Configuring Objects
       In most HP-UX IPSec topologies, you must configure the following objects:

       o Host IPsec policies
       o Authentication records (IKE ID information and preshared keys)

       To establish IPsec security, you must also have an IKE version 1 (IKEv1) or IKE version 2 (IKEv2) policy. The HP-UX IPSec product
       installs a default IKEv1 policy and a default IKEv2 policy. You can use these default policies without modification in many
       topologies.

       HP recommends that you use the following procedure to configure HP-UX IPSec:

       1. Create a batch file to configure IPsec policies and authentication records. An IKEv1 or IKEv2 policy is also required, but in
          most cases you can use the default IKEv1 or IKEv2 policy installed with the product. If you want to configure host-to-host IPsec
          policies and use IKE with preshared keys for IKE authentication, create a batch file that contains the following statements:

          See ipsec_config_add(1M) for syntax and usage information.

          If you are using HP-UX IPSec with certificates (RSA signatures) for IKE authentication, you must also use the following commands
          to configure certificates:

          You must enter the above commands at the command-line prompt; they cannot be specified in a batch file. The command creates a
          certificate signing request (CSR). As an alternative, you can use a utility provided by the certificate vendor to create the
          CSR.

       2. Test the syntax of your batch file by entering the following command:

          The option verifies the syntax without adding objects to the database.

       3. If the syntax is correct, add the configuration information to the configuration database by entering the following command:

       4. Start and verify HP-UX IPSec. Use the following command to start HP-UX IPSec:

          Generate network traffic that uses IPsec, then use the following command to verify operation:

          Verify that HP-UX IPSec has created Security Associations (SAs) with the appropriate systems.

       5. Use the command to configure HP-UX IPSec to start automatically at system boot time.

   ipsec_config Help
       The ipsec_config help operation displays help and usage information for the HP-UX IPSec operations. Use the following syntax to
       access help:

       ipsec_config help [operation [object_type]]

EXAMPLES
       You have two systems, Apple and Banana. Apple and Banana are not multihomed. You want to secure all telnet packets between the two
       systems using IPsec ESP with AES, authenticated with SHA-1. The IKE version is IKEv1. This is a private network, and you will allow
       all other packets to pass in clear text. You use the default IKEv1 policy.

       On Apple, you configure:

       o Two host IPsec policies
       o One authentication record

       The first host IPsec policy, telnetAB, secures outbound telnet connections (Apple is the telnet client). You do not need to specify
       the source argument, since it defaults to any IP address and any port, and the telnet client port number is dynamically allocated.
       The second policy, telnetBA, secures inbound telnet connections (Apple is the telnet server). The authentication record specifies
       the preshared key value used with the peer (Banana):

       The configuration on Banana is the mirror image of the configuration on Apple: the same preshared key, with the local and remote
       ends of each policy exchanged. Because every packet that matches no policy passes in clear text, any other service between the two
       systems that must be protected needs a host policy of its own.
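       The following is an added illustration of the policy selection the Apple/Banana example describes; it is not HP-UX IPSec code and
       does not use ipsec_config syntax. It models a host policy as a local ("source") and a remote ("destination") endpoint where an
       unspecified field means any, takes the first matching policy, and lets everything else pass in clear text. It also derives Banana's
       mirror-image policy set from Apple's and checks that the two ends agree, which is the consistency check a practitioner wants before
       testing SAs. The addresses (192.0.2.x), the action label ESP_AES_SHA1, the Packet/HostPolicy/Endpoint representations and the
       sample packets are all constructed here, as is the local/remote convention used for matching.

```python
"""Host-policy matching for the Apple/Banana example (added illustration; not HP-UX IPSec code).

Assumptions made here: a policy's source is the local endpoint and its destination the
remote endpoint, unspecified fields mean "any", the first matching policy wins, and
unmatched traffic passes in clear text. Addresses, labels and packets are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

ANY = None               # unspecified address/port/protocol matches anything
TELNET = 23
APPLE = "192.0.2.10"     # constructed addresses; neither host is multihomed
BANANA = "192.0.2.20"
CHERRY = "192.0.2.30"    # a third host that has no policy at all


@dataclass(frozen=True)
class Endpoint:
    ip: Optional[str] = ANY
    port: Optional[int] = ANY

    def matches(self, ip: str, port: int) -> bool:
        return self.ip in (ANY, ip) and self.port in (ANY, port)


@dataclass(frozen=True)
class HostPolicy:
    name: str
    action: str                  # "ESP_AES_SHA1" secures, "PASS" sends in clear
    src: Endpoint = Endpoint()   # local side, defaults to any address / any port
    dst: Endpoint = Endpoint()   # remote side
    proto: Optional[str] = "tcp"


@dataclass(frozen=True)
class Packet:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str = "tcp"


CLEAR = HostPolicy("default", "PASS", proto=ANY)   # what unmatched traffic gets

APPLE_POLICIES = [
    # Apple is the telnet client: source left unspecified (any address, any port,
    # because the client port is allocated dynamically); remote end is Banana:23.
    HostPolicy("telnetAB", "ESP_AES_SHA1", dst=Endpoint(BANANA, TELNET)),
    # Apple is the telnet server: local port 23, any port on Banana.
    HostPolicy("telnetBA", "ESP_AES_SHA1",
               src=Endpoint(APPLE, TELNET), dst=Endpoint(BANANA)),
]


def policy_matches(pol: HostPolicy, pkt: Packet) -> bool:
    return (pol.proto in (ANY, pkt.proto)
            and pol.src.matches(pkt.local_ip, pkt.local_port)
            and pol.dst.matches(pkt.remote_ip, pkt.remote_port))


def classify(pkt: Packet, policies: List[HostPolicy]) -> HostPolicy:
    """First matching policy wins; anything else goes out in clear text."""
    for pol in policies:
        if policy_matches(pol, pkt):
            return pol
    return CLEAR


def mirror(policies: List[HostPolicy], local_ip: str) -> List[HostPolicy]:
    """Derive the peer's mirror-image set: our destination becomes its source and
    our source its destination. An unspecified local address is made concrete
    first, because the peer has to name it as a destination. Names are kept."""
    mirrored = []
    for pol in policies:
        src_ip = local_ip if pol.src.ip is ANY else pol.src.ip
        ours = Endpoint(src_ip, pol.src.port)
        mirrored.append(replace(pol, src=pol.dst, dst=ours))
    return mirrored


def _shape(pol: HostPolicy, local_ip: str):
    src_ip = local_ip if pol.src.ip is ANY else pol.src.ip
    return (pol.action, pol.proto, (src_ip, pol.src.port), (pol.dst.ip, pol.dst.port))


def peers_agree(a: List[HostPolicy], a_ip: str, b: List[HostPolicy], b_ip: str) -> bool:
    """True when B's policies are the mirror image of A's, so both ends would
    select the same traffic for protection (policy names are ignored)."""
    return {_shape(p, b_ip) for p in mirror(a, a_ip)} == {_shape(p, b_ip) for p in b}


BANANA_POLICIES = mirror(APPLE_POLICIES, APPLE)   # Banana's configuration

if __name__ == "__main__":
    samples = [
        ("Apple telnets to Banana", Packet(APPLE, 51000, BANANA, TELNET)),
        ("Banana telnets to Apple", Packet(APPLE, TELNET, BANANA, 49000)),
        ("Apple ssh to Banana", Packet(APPLE, 51001, BANANA, 22)),
        ("Apple telnets to Cherry", Packet(APPLE, 51002, CHERRY, TELNET)),
    ]
    for label, pkt in samples:
        pol = classify(pkt, APPLE_POLICIES)
        print(f"{label:24s} -> {pol.name} ({pol.action})")
    print("Banana mirrors Apple:",
          peers_agree(APPLE_POLICIES, APPLE, BANANA_POLICIES, BANANA))
```

       Running the block shows the two telnet cases selecting telnetAB and telnetBA, while ssh to Banana and telnet to a third host fall
       through to the clear-text default; peers_agree reports False as soon as one side drops or alters a policy, which is the kind of
       mismatch that otherwise only shows up as a failed SA negotiation.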
AUTHOR
       ipsec_config was developed by HP.

FILES
       The HP-UX IPSec configuration database.
       The HP-UX IPSec default profile file.

SEE ALSO
       ipsec_admin(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M),
       ipsec_config_show(1M), ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M).

							HP-UX IPSec Software Required							  ipsec_config(1M)