ipsec_report(1M) ipsec_report(1M)
NAME
ipsec_report - report information about IPSec
SYNOPSIS
audit_file
report_file]
DESCRIPTION
The ipsec_report utility reports information about the active HP-UX IPSec system, including data from the Policy daemon, the IKE (Internet Key Exchange)
daemon, the IPsec kernel, and the contents of the current active IPsec audit file.
The utility requires the optional HP-UX IPSec software. You must have superuser capability to run ipsec_report.
Command-Line Arguments
ipsec_report accepts the following command-line arguments:
Displays report information for all options. This is the default
option when no options are given to ipsec_report.
Displays the current Security Associations (SAs).
The -sa ike argument displays the current IKEv1 and IKEv2 SAs established by the IKE daemon.
The -sa ipsec argument displays the current IPsec SAs kept in the kernel Security Association Engine database.
The remaining -sa arguments display both the IKE (IKEv1 and IKEv2) SAs and the IPsec SAs; they are equivalent to specifying -sa ike and -sa ipsec together.
Displays the IKEv1 and IKEv2 policies kept by the IKE daemon.
Displays information about the active host IPsec policies kept by the Policy daemon (-host active) or about the configured host IPsec policies
(-host configured). An active host IPsec policy is a policy that is associated with an active IP interface (a configured IP interface, up or down).
Displays information about the tunnel IPsec policies kept by the Policy daemon (-tunnel).
Displays the active IP interfaces (-ip), that is, the IP interfaces configured in the system.
An active interface is an interface that is configured in the system with a non-zero IP address; it can be up or down.
Note that if you unplumb an interface or remove its address by assigning it an all-zero IP address, ipsec_report may still show the interface
in the active interface list for up to 30 seconds; after 30 seconds, HP-UX IPSec removes it from the active interface list.
Displays the configured bypass list kept by the Policy daemon (-bypass).
Displays the contents of
audit_file, an IPsec audit file. Use the command to determine the current IPsec audit file.
Display the audit records only for the specified entity.
This option must be used together with the audit file option.
Redirects all report output to report_file. If the report file already
exists, ipsec_report overwrites it; otherwise it creates the file.
RETURN VALUE
Upon successful completion, ipsec_report returns 0; otherwise it returns 1.
ERRORS
ipsec_report fails if any of the following conditions is encountered:
o The command is used incorrectly: the utility returns a usage message.
o HP-UX IPSec is not active and the user attempts to use an option that requires it: the utility returns a message to that effect.
EXAMPLES
The following excerpts of command output are from a system whose local address is 192.1.1.1 (interface lan0; see the -ip report below).
REPORT: ipsec_report -host active
The -host active option displays information about the active host IPsec policy rules. The output for each rule also includes information about
the IPsec Security Associations (SAs) established under it.
HP-UX IPSec creates an active policy entry for each configured policy. If a configured IPsec policy specifies a wildcard source address,
HP-UX IPSec creates an active policy entry for each applicable active interface and replaces the wildcard source address with the interface
address. In addition, HP-UX IPSec creates an active policy entry each time it uses a policy to create an SA pair.
The utility displays the policies in ascending priority order. The last entry is the default host IPsec policy.
The command displays output similar to the following:
# ipsec_report -host active
------------------- Active Host Policy Rule ---------------------
Rule Name: telnet_in Priority: 10 Cookie: 3
Src IP Addr: 192.1.1.1 Port number: 23
Dst IP Addr: 192.1.1.3 Port number: 56122
Network Protocol: TCP Action: Dynamic key SA
State: Ready
FLAGS: EXCLUSIVE
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
-- SA Pair --
SA Type: ESP
Encryption Algorithm: AES128-CBC
Authentication Algorithm: HMAC-SHA1
Outbound SPI (hex): 1FE472
Inbound SPI (hex): 241988
------------------- Active Host Policy Rule ---------------------
Rule Name: default Priority: 0 Cookie: 1
Action: Pass
The fields in the output for an ipsec_report -host active command are defined as follows:
Rule Name: A character string used as the name of the rule.
Priority: The policy priority. HP-UX IPSec searches policies in priority order,
from low to high (a lower priority number means a higher priority).
Cookie: An integer used to cross-reference entries in the cache and
policy (rule) tables kept by the Policy daemon. Only active rules with SAs have a cookie value.
Src IP Addr: The source IP address or address range.
Port number: The source or destination port number for the upper-layer protocol.
In this example, it is the TCP port number; TCP port 23 is the well-known port for the telnet service.
Dst IP Addr: The destination IP address or address range.
Network Protocol: The upper-layer protocol in the IP header.
Action: The action or transform applied to packets matching this entry.
Possible values follow:
Dynamic key SA: use dynamic keys to create IPsec SAs for an IPsec transform (an
Authentication Header, AH, and/or Encapsulating Security Payload, ESP).
Manual Key SA: use manual keys to create IPsec SAs for an IPsec transform.
Pass: pass in clear text.
A discard action: discard the packet.
If the action is Dynamic key SA or Manual Key SA, the entry will have information about the transform list for this policy.
FLAGS: The flags configured for this policy.
(This field is not present if there are no flags configured.)
Possible flags are defined as follows:
one flag indicates that this policy is used for clients that use stateless or stateful
address autoconfiguration;
the other indicates that session-based keying will be used:
only IP packets with the same 5-tuple (the same source IP address, destination IP address, network protocol, source port and destination
port) will share the same IPsec SA pair.
State: The status of the active rule.
Possible values are Ready (SAs are ready for use), an initial state, and a negotiating state (SAs are being negotiated).
The tunnel field gives the name of the tunnel policy used with this host policy.
This field is not present if no tunnel is configured for this host policy.
The pending-request field gives the number of pending requests from the kernel to form IPsec
SAs using this policy. Once the SA(s) are established, the queued kernel requests are processed and this value will be 0. This field
is only displayed when the value is not 0.
Proposal: The proposed transforms in the transform list for this policy,
listed in preference order. Proposal 1 is the highest preference. The proposal information includes the transform type (Transform), the
lifetime in seconds (Lifetime Seconds) and the lifetime in kilobytes (Lifetime Kbytes). At least one transform type must match what is
configured on the remote system, and the lifetime parameters must be acceptable to the remote system.
SA Pair: Information about the SAs created for this policy.
SA Type: Indicates the IPsec transform for this SA.
Possible values are AH (Authentication Header) and ESP (Encapsulating Security Payload).
Encryption Algorithm: The encryption algorithm used for the SA, as negotiated
with the remote system. (This field is only present if the SA Type is ESP.)
Authentication Algorithm: The authentication algorithm used for the SA, as negotiated
with the remote system. (This field is only present if the SA Type is AH or ESP.)
Outbound SPI (hex), Inbound SPI (hex): The Security Parameters
Index (SPI) for each direction. The SPI is included in the IPsec AH or ESP protocol header transmitted to the remote system. The SPI is
also used to index IPsec SA entries in the kernel Security Association database.
REPORT: ipsec_report -host configured
The option displays information about the host IPsec Policies that were configured by the IPSec administrator and loaded by the IPsec Pol-
icy daemon.
The command displays output similar to the following:
# ipsec_report -host configured
----------------- Configured Host Policy Rule -------------------
Rule Name: telnet_in Priority: 10
Src IP Addr: 192.1.1.1 Port number: 23
Dst IP Addr: 192.1.1.0 Port number: 0
Network Protocol: TCP Action: Dynamic key SA
FLAGS: EXCLUSIVE
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
----------------- Configured Host Policy Rule -------------------
Rule Name: default Priority: 0
Action: Pass
REPORT: ipsec_report -bypass
The -bypass option displays the local IP addresses configured in the bypass list. In this example 192.2.2.1 is the address of lan1, which the -ip report accordingly shows with IPSec: Off. This command displays output similar to the following:
# ipsec_report -bypass
--------------------- Configured Bypass IP List ---------------------
IP Address: 192.2.2.1
REPORT: ipsec_report -ip
The -ip option displays the active IP interfaces in the system (the interfaces configured with non-zero IP addresses in the system, up or
down). This command displays output similar to the following:
# ipsec_report -ip
--------------------------- System Configured Interface --------------
Interface Name: lan0 Address: 192.1.1.1
IPSec: On
--------------------------- System Configured Interface -------------
Interface Name: lan1 Address: 192.2.2.1
IPSec: Off
--------------------------- System Configured Interface ------------
Interface Name: lan0:1* Address: 192.1.3.3
IPSec: On
The fields in the output for an ipsec_report -ip command are defined as follows:
Interface Name: The interface name, including the index.
An asterisk after the interface name indicates that the interface is configured but has been marked down (for example, because it was
brought down administratively).
Address: The IP address of the interface.
IPSec: Indicates whether HP-UX IPSec is in use for this interface.
On means that HP-UX IPSec is applied to this interface; Off means that HP-UX IPSec bypasses this interface.
REPORT: ipsec_report -cache
The -cache option displays the Cache Policy Rules. The Cache Policy Rules are maintained by the Kernel Policy Engine and record the action to be
taken for IP packets that match the 5-tuple (source IP address and port, destination IP address and port, and protocol) and direction.
Note that there are no entries for inbound IP packets that have been authenticated or encrypted using IPsec Authentication Headers (AH) or
Encapsulating Security Payload (ESP). The system receives these packets with a Security Parameters Index (SPI) in the AH or ESP header, and
HP-UX uses the SPI to find an entry in the kernel Security Association database rather than querying the Kernel Policy Engine for them.
The command displays output similar to the following:
# ipsec_report -cache
-------------------------Cache Policy Rule ---------------------------
Cache Policy Record: 9 Cookie: 3
Src IP Address: 192.1.1.1 Src Port number: 23
Dst IP Address: 192.1.1.3 Dst Port number: 56122
Network Protocol: TCP Direction: outbound
Action: Secure
-- SA Number 1 --
State: SA Created
SA Type: ESP
Tunnel SA: No
SPI (hex): 1FE472
Src IP Address: 192.1.1.1
Dst IP Address: 192.1.1.3
The fields in the output for an ipsec_report -cache command are defined as follows:
Cache Policy Record: An integer used internally by HP-UX IPSec to index the entries.
Cookie: An integer used to cross-reference entries in the cache and
policy tables kept by the Policy daemon. All cache entries based on the same active policy entry have the same cookie value.
Src IP Address: The source IP address.
Src Port number: The source port number for the upper-layer protocol. In this
example, it is the TCP port number; port 23 is the well-known port for the telnet service, so the local system is the telnet server and this
outbound entry covers its replies.
Dst IP Address: The destination IP address.
Dst Port number: The destination port number for the upper-layer protocol. In this
example, it is the TCP port number of the remote client (56122).
Network Protocol: The upper-layer protocol in the IP header.
Direction: Indicates whether this cache entry is for inbound packets (packets received
by the local system) or outbound packets (packets sent from the local system).
Action: Indicates the action or transform applied to packets matching this entry.
Possible values are Secure (authenticate and/or encrypt using an IPsec transform: Authentication Header, AH, and/or Encapsulating Security
Payload, ESP), a pass action (pass in clear text), or a discard action (discard the packet).
If the action is Secure and the direction is outbound, the entry will have information about the IPsec Security Associations (SAs) established
for packets matching the 5-tuple for this entry.
The SA fields are defined as follows:
SA Number: Internal index for the SA for this packet (this is always 1).
State: Indicates the state of the SA. Possible values are SA Created (the SA has been established and is active) and a pending state (the SA
is in the process of being created).
SA Type: Indicates the IPsec transform for this SA.
Possible values are AH (Authentication Header) and ESP (Encapsulating Security Payload).
Tunnel SA: Indicates whether the SA is used to send the packet through
an IPsec tunnel.
SPI (hex): The Security Parameters
Index (SPI). The SPI is included in the IPsec AH or ESP protocol header transmitted to the remote system. The SPI is also used to
index IPsec SA entries in the kernel Security Association database.
Src IP Address: The source IP address that will be used in the IP header.
This may differ from the original source IP address if tunneling is being used.
Dst IP Address: The destination IP address that will be used in the IP header.
This may differ from the original destination IP address if tunneling is being used.
REPORT: ipsec_report -sa ipsec
The option displays information about the IPsec Security Associations, as maintained by the kernel Security Association Engine in the SA
database.
The command displays output similar to the following:
# ipsec_report -sa ipsec
------------------------ IPsec SA ------------------------
Sequence number: 1
SPI (hex): 1FE472 State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.1.1.1 Dst IP Addr: 192.1.1.3
--- Current Lifetimes ---
bytes processed: 3384
addtime (seconds): 14
usetime (seconds): 12
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 24264
usetime (seconds): 0
------------------------ IPsec SA ------------------------
Sequence number: 2
SPI (hex): 241988 State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
Src IP Addr: 192.1.1.3 Dst IP Addr: 192.1.1.1
--- Current Lifetimes ---
bytes processed: 1648
addtime (seconds): 14
usetime (seconds): 12
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
usetime (seconds): 0
--- Soft Lifetimes ---
bytes processed: 0
addtime (seconds): 24264
usetime (seconds): 0
The fields in the output for an ipsec_report -sa ipsec command are defined as follows:
Sequence number: An integer used internally by the SA engine to index the entries.
SPI (hex): The Security Parameters
Index (SPI). For outbound SAs (the source IP address is a local address), the SPI was selected by the remote system and is included in
the outbound IPsec AH or ESP protocol header. For inbound SAs, this is the SPI selected by the local system; it is used to find the
correct SA when the local system receives a packet with an IPsec AH or ESP header.
State: The state of the IPsec SA.
Possible values are MATURE (the SA is established and available for use), a pending state (the SA is being established), and an expired
state (the SA is expired and not usable).
SA Type: Indicates the type of transform, such as
AH (Authentication Header) or ESP (Encapsulating Security Payload), and the authentication and encryption algorithms used.
Src IP Addr: The source IP address for the SA.
Dst IP Addr: The destination IP address for the SA.
Current Lifetimes: The current lifetime counters for the SA, as measured
by the amount of data sent and received (bytes processed), the number of seconds since the SA was added to the database (addtime), and the
number of seconds since the SA was first used to transmit or receive data (usetime).
Hard Lifetimes: The maximum lifetimes for the SA, as negotiated with
the remote system. These are measured by the amount of data sent or received (bytes processed), the number of seconds since the SA was
added to the database (addtime), and the number of seconds since the SA was first used to transmit or receive data (usetime).
If any of the three limits is exceeded, the SA is deleted and a new SA must be established if there is more data to send. Note that a
value of 0 means that the corresponding counter is ignored: in the example there is no limit on bytes processed or usetime, so only
addtime (28800 seconds) bounds the SA.
This field is not present for manual keys. There are no maximum lifetimes for manual key SAs since they are static.
Soft Lifetimes: The "soft" lifetimes for the SA.
When any of these values is exceeded, IKE attempts to negotiate a replacement SA with the remote system before the hard lifetime is
reached, so that traffic is not interrupted (in the example the soft addtime, 24264 seconds, is about 84 percent of the hard addtime).
This field is not present for manual keys. There are no maximum lifetimes for manual key SAs since they are static.
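The Cookie cross-reference described for the -cache report above and the hard/soft lifetime rules described for the -sa ipsec report can both be checked mechanically. The following Python script is an added example and is not part of ipsec_report or HP-UX IPSec: it parses the text excerpts copied from this page (abridged, with the second SA's current addtime constructed to exceed its soft limit), joins each cache entry to the active rule with the same Cookie, confirms the cached SPI is that rule's outbound SPI, and grades each IPsec SA as ok, rekey (a soft limit reached) or expired (a hard limit reached), treating a limit of 0 as ignored. Record splitting relies on the dashed header lines shown in the sample output; that layout is an assumption about other releases.

```python
# Added example, not part of ipsec_report or HP-UX IPSec: post-process the
# text of "ipsec_report -host active", "-cache" and "-sa ipsec". Record
# splitting assumes the dashed header lines shown in the sample output.
import re

HEADER = re.compile(r"^-{5,}.*-{5,}$")                # "------ IPsec SA ------"
SECTION = re.compile(r"^-+ (Current|Hard|Soft) Lifetimes -+$")
COUNTER = re.compile(r"^(bytes|addtime|usetime)\b.*?:\s*(\d+)$")


def split_records(report):
    """Split report text into records at the dashed header lines."""
    records = []
    for line in map(str.strip, report.splitlines()):
        if HEADER.match(line):
            records.append([])
        elif records and line:
            records[-1].append(line)
    return records


def field(lines, key, whole=False):
    """Value after 'key:' in a record; whole=True takes the rest of the line."""
    pat = re.compile(re.escape(key) + (r":\s*(.+)$" if whole else r":\s*(\S+)"))
    hits = (pat.search(line) for line in lines)
    return next((m.group(1) for m in hits if m), None)


def join_cache_to_policy(active_report, cache_report):
    """Map each -cache entry to the -host active rule sharing its Cookie and
    check that the cached SA's SPI is that rule's outbound SPI."""
    rules = {field(r, "Cookie"): r for r in split_records(active_report)}
    joined = []
    for rec in split_records(cache_report):
        rule = rules.get(field(rec, "Cookie"))
        joined.append({
            "record": field(rec, "Cache Policy Record"),
            "rule": field(rule, "Rule Name") if rule else None,
            "spi_matches": bool(rule) and field(rec, "SPI (hex)") == field(rule, "Outbound SPI (hex)"),
        })
    return joined


def parse_ipsec_sas(report):
    """Parse -sa ipsec records into dicts with current/hard/soft counters."""
    sas = []
    for rec in split_records(report):
        sa = {"spi": field(rec, "SPI (hex)"), "state": field(rec, "State"),
              "type": field(rec, "SA Type", whole=True),
              "current": {}, "hard": {}, "soft": {}}
        section = None
        for line in rec:
            if m := SECTION.match(line):
                section = m.group(1).lower()
            elif section and (m := COUNTER.match(line)):
                sa[section][m.group(1)] = int(m.group(2))
        sas.append(sa)
    return sas


def lifetime_status(sa):
    """'expired' once any hard limit is reached, 'rekey' once a soft limit is,
    else 'ok'. A limit of 0 means that counter is ignored, as the page states."""
    def hit(limits):
        return any(lim and sa["current"].get(k, 0) >= lim for k, lim in limits.items())
    return "expired" if hit(sa["hard"]) else "rekey" if hit(sa["soft"]) else "ok"


# Sample text copied (abridged) from the report excerpts on this page; the
# second SA's current addtime (25000 s) is constructed to pass its soft limit.
ACTIVE = """\
------------------- Active Host Policy Rule ---------------------
Rule Name: telnet_in Priority: 10 Cookie: 3
-- SA Pair --
Outbound SPI (hex): 1FE472
Inbound SPI (hex): 241988
"""
CACHE = """\
-------------------------Cache Policy Rule ---------------------------
Cache Policy Record: 9 Cookie: 3
-- SA Number 1 --
SPI (hex): 1FE472
"""
SA_IPSEC = """\
------------------------ IPsec SA ------------------------
SPI (hex): 1FE472 State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
--- Current Lifetimes ---
bytes processed: 3384
addtime (seconds): 14
--- Hard Lifetimes ---
bytes processed: 0
addtime (seconds): 28800
--- Soft Lifetimes ---
addtime (seconds): 24264
------------------------ IPsec SA ------------------------
SPI (hex): 241988 State: MATURE
SA Type: ESP with AES128-CBC encryption and HMAC-SHA1 authentication
--- Current Lifetimes ---
addtime (seconds): 25000
--- Hard Lifetimes ---
addtime (seconds): 28800
--- Soft Lifetimes ---
addtime (seconds): 24264
"""
```

To run this against a live system, replace the sample strings with the captured text of each report; the regular expressions depend only on the "key: value" layout and the dashed record headers shown in the excerpts above, and a cache entry whose SPI does not match its rule's outbound SPI, or an SA graded expired while still listed, is worth investigating.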
REPORT: ipsec_report -sa ike
The option displays the IKEv1 and IKEv2 entries, which contain information about IKE Security Associations (SAs) established by the IKE
daemon (ikmpd).
The command displays output similar to the following:
# ipsec_report -sa ike
------------------------ IKEv2 SA ----------------------------
Index: d7acae5476072ef9:80036a37b499c21d
Local IP Addr: 192.1.1.1/500
Remote IP Addr: 192.1.1.3/500
Role: Initiator State: Established
Auth Record: my_auth
Policy Name: default
Auth Method: PSK
ENCR: 3DES
HASH: AES-XCBC
PRF: HMAC-SHA1
DH Group: 2
PFS: off
The fields in the output for an ipsec_report -sa ike command are defined as follows:
Index: The IKE initiator cookie and IKE responder cookie, separated by a colon (:).
The IKE daemon uses these values to identify the IKE SA.
Local IP Addr: The local IP address and IKE daemon UDP port number.
Remote IP Addr: The remote (peer) IP address and IKE daemon UDP port number.
Role: Indicates whether the local system initiated the IKE SA (Initiator)
or responded to a remote request to establish the IKE SA.
State: The state of the SA. Possible values are
Established (the SA is established), a deleting state (the SA is in the process of being deleted; waiting for a delete response from the
peer), and a deleted state (the SA is deleted, but the entry has not been removed).
Auth Record: The name of the authentication record used to establish this SA.
Policy Name: The name of the IKEv1 or IKEv2 policy used to establish this SA.
Auth Method: The authentication method used to establish this SA (PSK, a pre-shared key, in the example).
ENCR: The algorithm used to encrypt the IKE protocol
messages after the initial exchange.
HASH: The algorithm used to authenticate (integrity-protect) the IKE protocol messages after the initial exchange.
PRF: The pseudo-random function used to generate keying material.
This field is present only if the IKE version is IKEv2.
DH Group: The Diffie-Hellman (DH) group. This selects the group parameters (for MODP groups, the prime modulus and generator)
used in the Diffie-Hellman exchange of the IKE protocol.
PFS: Indicates whether Perfect Forward Secrecy (PFS) is enabled.
When PFS is enabled, the IKE daemon performs a Diffie-Hellman exchange for all IKE and IPsec SA negotiations after the initial IPsec
SA pair is created, and a new Diffie-Hellman exchange for any SA re-keying.
Note that the sample IKE SA uses 3DES and DH group 2 (1024-bit MODP); both are legacy choices, and AES encryption with a larger DH group
should be preferred where the peer supports them.
REPORT: ipsec_report -tunnel
The -tunnel option displays information about the tunnel IPsec policies kept by the Policy daemon.
The command displays output similar to the following:
# ipsec_report -tunnel
-------------------- Tunnel Policy Rule ----------------------
Tunnel Name: mipv6_tunnel_name Cookie: 3
Tunnel Src IP Addr: fe80::260:1111:2222:3333 Tunnel Dst IP Addr: fe80::230:6666:7777:8888
Src IP Addr: 0::0
Dst IP Addr: fe80::230:6666:7777:8888
Network Protocol: TCP Action: Manual Key SA
Transform: ESP-DES-HMAC-SHA1
-- SA Number 1 --
SPI (hex): 3EB
SA Type: ESP
Authentication Algorithm: HMAC-SHA1
Encryption Algorithm: DES-CBC
Src IP Addr: fe80::230:6666:7777:8888
Dst IP Addr: fe80::260:1111:2222:3333
SA direction: INBOUND
-- SA Number 2 --
SPI (hex): 3EA
SA Type: ESP
Authentication Algorithm: HMAC-SHA1
Encryption Algorithm: DES-CBC
Src IP Addr: fe80::260:1111:2222:3333
Dst IP Addr: fe80::230:6666:7777:8888
SA direction: OUTBOUND
The fields in the output for an ipsec_report -tunnel command are defined as follows:
Tunnel Name: A character string used as the name of the tunnel policy.
Cookie: An integer used internally by IPSec to identify the entries.
Tunnel Src IP Addr: This field is not present if the tunnel source address
was not configured in the tunnel IPsec policy and the output is for a configured (static) policy. If the output is for a dynamic policy
created for a tunnel SA, this field contains the IP address of the actual tunnel endpoint.
Tunnel Dst IP Addr: This field is not present if the tunnel destination address
was not configured in the tunnel IPsec policy and the output is for a configured (static) policy. If the output is for a dynamic policy
created for a tunnel SA, this field contains the IP address of the actual tunnel endpoint.
Src IP Addr: The source proxy (end host) IP address.
(The source end-to-end address for outbound packets; the destination end-to-end address for inbound packets.)
Dst IP Addr: The destination proxy (end host) IP address.
(The destination end-to-end address for outbound packets; the source end-to-end address for inbound packets.)
Port number: The source or destination port number for the upper-layer protocol.
(This field is only present if the network protocol is TCP, UDP, or ALL.)
Network Protocol: The upper-layer protocol in the IP header.
Action: The type of IPsec SAs for this tunnel.
Possible values follow:
Dynamic key SA: use dynamic keys to create IPsec SAs for the transform (an
Authentication Header (AH) and/or Encapsulating Security Payload (ESP)).
Manual Key SA: use manual keys to create IPsec SAs for the transform.
State: (This field is only present for dynamic key SAs.)
The state of the SAs. Possible values are as follows:
a ready state (SAs are ready for use)
an initial state (the IKE daemon has not started negotiating the IPsec/MM SAs)
a negotiating state (the IKE daemon is negotiating the IPsec/MM SAs)
an error state
SA Number: Information about the inbound and outbound SAs.
SPI (hex): The Security Parameters
Index (SPI). The SPI is included in the IPsec AH or ESP protocol header transmitted to the remote system. The SPI is also used to
index IPsec SA entries in the kernel Security Association database.
SA Type: Indicates the IPsec transform for this SA.
Possible values are AH (Authentication Header) and ESP (Encapsulating Security Payload).
Authentication Algorithm: The authentication algorithm used for the SA, as negotiated
with the remote system. (This field is only present if the SA Type is AH or ESP.)
Encryption Algorithm: The encryption algorithm used for the SA, as negotiated
with the remote system. (This field is only present if the SA Type is ESP.) The sample shows DES-CBC, which is obsolete; use AES where the
peer supports it.
Src IP Addr: The source IP address for this SA.
Dst IP Addr: The destination IP address for this SA.
SA direction: The direction for this SA.
Possible values are INBOUND and OUTBOUND.
AUTHOR
ipsec_report was developed by HP.
SEE ALSO
ipsec_admin(1M), ipsec_config(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M),
ipsec_config_show(1M), ipsec_migrate(1M), ipsec_policy(1M).
IPSec Software Required ipsec_report(1M)