hpux ipsec_admin man page on unix.com

ipsec_admin(1M) ipsec_admin(1M)

NAME
ipsec_admin - HP-UX IPSec administration utility

SYNOPSIS
audit_directory] max_audit_file_size] spi_min_value] spi_max_value] spd_soft_limit] spd_hard_limit]

password

audit_directory

max_audit_file_size

remote_ip_address

DESCRIPTION
is a utility for performing HP-UX IPSec administration tasks such as starting and stopping the HP-UX IPSec subsystem and retrieving the
status of the HP-UX IPSec subsystem. The HP-UX IPSec subsystem includes the user-space key management daemon, audit daemon, policy daemon,
and the HP-UX IPSec kernel portion. You can also use to perform the following tasks:

o Set the audit level.

o Change the audit directory.

o Set the maximum audit file size.

o Get status on the HP-UX IPSec system.

o Enable or disable Level 4 tracing for TCP, UDP or IGMP.

o Delete the IKE and IPsec SAs for a give peer node.

o Set the "soft" and "hard" limits for the size of the Security Policy Database (SPD).

o Set the range from which HP-UX IPSec assigns Security Parameters Index (SPI) numbers for inbound, dynamic key Security Asso-
ciations (SAs). You can only change the SPI range when you start HP-UX IPSec.

o Change the HP-UX IPSec password. HP-UX IPSec does not have to be running when you change the password.

requires the optional HP-UX IPSec software.

You must have superuser capabilities to run

In order to change the HP-UX IPSec password, you must provide the existing HP-UX IPSec password. The HP-UX IPSec password must be entered
from the keyboard; it cannot be redirected from a file.

Options
recognizes the following command-line options and arguments:

Starts the HP-UX IPSec subsystem, including all user-space daemons.
If the configuration file to be used does not have the correct version, issues an error message and exits.

Stops the HP-UX IPSec subsystem, including all user-space daemons.

Reports the current status of the HP-UX IPSec subsystem.
The report displays the current state of HP-UX IPSec (active or not active). If active, displays the status of HP-UX IPSec
daemons that are currently running. It also displays the current audit file and any Level 4 tracing enabled.

Queries the current status of the HP-UX IPSec subsystem.
If HP-UX IPSec daemons are running and responding, returns a zero exit code to the shell; otherwise it returns a 1 exit code to
the shell.

Changes the HP-UX IPSec password.
The password must be at least 15 characters. HP-UX IPSec does not have to be running when you change the password.

Specifies the HP-UX IPSec audit directory.
HP-UX IPSec stores audit files in the audit directory. The default directory is

This option is also valid with the option.

Changes the audit level for the HP-UX IPSec subsystem.
The levels are shown in ascending order. Higher audit levels include all lower levels. The default audit level is which
includes messages.

This option is also valid with the option.

A definition of each class follows.

These messages include security violations and attacks,
password violations, errors that may prevent correct operation of the product, any error condition that is not recov-
erable, authentication problems, significant changes in security parameters, unknown message types, and changing of
the HP-UX IPSec password or audit level.

These messages include recoverable error conditions, syntax
errors, unsupported features, bad packets, and unknown message types.

These messages provide notification to the user about
non-intrusive security events.

These messages provide detailed event logging for
troubleshooting purposes.

These messages provide very detailed event logging for
debugging and troubleshooting purposes. The debug audit level generates many messages in the audit file.

Specifies the maximum size, in kilobytes, of an audit file before
HP-UX IPSec creates a new one.

Default: 100.

This option is also valid with the option.

Enables Level 4 tracing for TCP, UDP, or IGMP.
If is selected, all three protocols are traced. uses to enable Level 4 tracing. Tracing output is directed to and if is not
already enabled for tracing. If it is, the trace file is the file already started by See nettl(1M) for more information.

This option is also valid with the option.

Disables any Level 4 tracing enabled with the
option.

Specifies the lower bound for inbound, dynamic key
Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal.

Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).

Default: If you do not specify spi_min_value, the default is the value specified for the spi_min parameter in the section of
the profile file. The default spi_min value is 300.

Specifies the upper bound for inbound, dynamic key
Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal.

Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).

Default: If you do not specify spi_max_value, the default is the value specified for the spi_max parameter in the section of
the profile file. The default spi_max value is 2500000.

Specifies the "soft" limit for the size of the Security Policy Database (SPD).
The SPD is the HP-UX IPSec runtime policy database, with cached policy decisions for packet descriptors (five-tuples consisting
of exact, non-wildcard source IP address, destination IP address, protocol, source port, and destination port).

When the size of the SPD exceeds the soft limit, HP-UX IPSec logs a warning message to the system console, and logs an addi-
tional warning message to the system console for each 1000 SPD entries added.

The spd_soft_limit is measured in units of 1000 entries.

Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).

Default: If you do not specify spd_soft_limit, the default is the value specified for the spd_soft parameter in the section of
the profile file. The default spd_soft value is 25 (25000 entries; approximately 58000 Kbytes of memory).

Specifies the "hard" limit for the size of the Security Policy Database (SPD).

When the size of the SPD exceeds the hard limit, HP-UX IPSec stops adding new cache entries, and discards any packets that do
not match existing entries.

The spd_hard_limit is measured in units of 1000 entries.

Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).

Default: If you do not specify spd_hard_limit, the default is the value specified for the spd_hard parameter in the section of
the profile file. The default spd_hard value is 50 (50000 entries; approximately 116000 Kbytes of memory).

Allows the user to flush all the IKE
SAs and IPSec SAs. You can also use this option to clear the SA database without restarting HP-UX IPSec.

This option is automatically executed when you execute the option.

Allows the user to flush the Security
Policy data base kept by the Policy daemon and the kernel policy engine without restarting HP-UX IPSec.

This option is automatically executed when you execute the option.

Allows the user to delete the IKE SA
and IPSec SAs for a given remote_ip_address. remote_ip_address must be in dotted-decimal notation for IPv4 addresses or colon-
hexadecimal notation for IPv6 addresses.

RETURN VALUE
Upon successful completion, returns 0; otherwise it returns 1.

ERRORS
fails if any of the following conditions is encountered:

o Command used incorrectly - Usage message is returned.

EXAMPLES
produces the following report for the command

In normal operation, the status for the secauditd, secpolicyd, and daemons is and the status of the IPSec kernel status is

WARNINGS
requires the optional HP-UX IPSec software.

AUTHOR
was developed by HP.

FILES
configuration database.

default profile file.

SEE ALSO
ipsec_config(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M),
ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M), nettl(1M).

HP-UX IPSec Software Required ipsec_admin(1M)

Similar Topics in the Unix Linux Community
IPSec - VPN using shared key
Usage of ipsec_admin
VPN IPSec Openswan

hpux man page for ipsec_admin