strongSwan is a complete IPsec and IKEv1 implementation for Linux 2.4 and 2.6 kernels. It also fully supports the new IKEv2 protocol with Linux 2.6 kernels. It interoperates in both IKEv1 and IKEv2 mode with most other IPsec-based VPN products. The focus of the strongSwan project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys on smartcards through a standardized PKCS#11 interface. A unique feature is the use of X.509 attribute certificates to implement advanced access control schemes based on group memberships.
License: GNU General Public License (GPL)
Changes: Major performance improvements were made by introducing hash table lookups, allowing the setup of thousands of IKEv2 connections in seconds. Smartcard support for IKEv2 connections was added using the OpenSSL Engine API.
ipsec_config(1M)
NAME
ipsec_config - add, delete, export, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database
SYNOPSIS
ipsec_config [operation [object_type]]
DESCRIPTION
The ipsec_config command adds, deletes, exports, and shows HP-UX IPSec configuration objects in the HP-UX IPSec configuration database. If HP-UX IPSec is active and running, ipsec_config also updates the HP-UX runtime IPsec policy database and runtime IKE information (IKE policies and authentication records).
You must be superuser to run ipsec_config.
The utility can operate in command-line mode or batch mode. In command-line mode, ipsec_config reads all input from the command line. In batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows administrators to add and delete multiple configuration objects in one operation. HP-UX IPSec processes the operations in a batch file as a group. Batch mode is useful if you are adding or deleting configuration records that may affect other records.
HP recommends that you use a batch file to add configuration information. A batch file provides a permanent record of the configuration data and can be used to re-create the configuration database.
Separate command arguments using whitespace (blanks, tabs or newlines). Use a backslash line continuation character to continue command input on subsequent lines.
Operations and Object Types
The ipsec_config command supports the following operations:
add       See ipsec_config_add(1M) for more information.
batch     See ipsec_config_batch(1M) for more information.
delete    See ipsec_config_delete(1M) for more information.
export    See ipsec_config_export(1M) for more information.
show      See ipsec_config_show(1M) for more information.
object_type can be one of the following:
o Authentication records, which specify Internet Key Exchange (IKE) versions, authentication methods, identity information and preshared keys.
o Bypass addresses.
o Security certificate for a Certificate Authority (used for IKE authentication with RSA signatures).
o Certificate Revocation List (CRL). A CRL contains a list of revoked X.509 security certificates. If you have a CRL, HP-UX IPSec checks it during the IKE authentication process to verify that the remote system's security certificate is valid (not revoked).
o Certificate Signing Request (CSR), which the HP-UX IPSec administrator can submit to a Certificate Authority (CA) to request a signed X.509 security certificate.
o Host IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is an end host.
o IKE version 1 (IKEv1) policies.
o IKE version 2 (IKEv2) policies.
o Security certificate for the local system (used for IKE authentication with RSA signatures).
o Start-up options.
o Tunnel IPsec policies, which specify IPsec tunnel transform parameters.
Configuring Objects
In most HP-UX IPSec topologies, you must configure the following objects:
o Host IPsec policies
o Authentication records (IKE ID information and preshared keys)
To establish IPsec security, you must also have an IKE version 1 (IKEv1) or IKE version 2 (IKEv2) policy. The HP-UX IPSec product installs a default IKEv1 policy and a default IKEv2 policy. You can use these default policies without modifications in many topologies.
HP recommends that you use the following procedure to configure HP-UX IPSec:
1. Create a batch file to configure IPsec policies and authentication records. An IKEv1 or IKEv2 policy is also required, but in most cases you can use the default IKEv1 or IKEv2 policy installed with the product. If you want to configure host-to-host IPsec policies and use IKE with preshared keys for IKE authentication, create a batch file to contain the following statements:
See the command subsection in ipsec_config_add(1M) for syntax and usage information.
If you are using HP-UX IPSec with certificates (RSA signatures) for IKE authentication, you must also use the following commands to configure certificates:
You must enter the above commands at the command-line prompt. (You cannot specify them in a batch file.)
The command creates a certificate signing request (CSR). As an alternative, you can use a utility provided by the certificate vendor to create the CSR.
2. Test the syntax of your batch file by entering the following command:
The option verifies the syntax without adding objects to the database.
3. If the syntax is correct, add the configuration information to the configuration database by entering the following command:
4. Start and verify HP-UX IPSec. Use the following command to start HP-UX IPSec:
Generate network traffic that uses IPsec. Use the following command to verify operation:
Verify that HP-UX IPSec has created Security Associations (SAs) with the appropriate systems.
5. Use the command to configure HP-UX IPSec to automatically start at system boot-up time.
ipsec_config Help
ipsec_config displays help and usage information for the HP-UX IPSec operations. Use the following syntax to access help:
[operation [option_type]]
EXAMPLES
You have two systems, Apple and Banana. Apple and Banana are not multihomed. You want to secure all telnet packets between the two systems using IPsec ESP with AES, authenticated with SHA-1. The IKE version is IKEv1. This is a private network, and you will allow all other packets to pass in clear text. You use the default IKEv1 policy.
On Apple, you configure:
o Two host IPsec policies
o One authentication record
The first host IPsec policy, telnetAB, secures outbound telnet connections (Apple is the telnet client). You do not need to specify the source argument, since it will default to any IP address and any port, and the telnet client port number is dynamically allocated. The second policy, telnetBA, secures inbound telnet connections (Apple is the telnet server).
The authentication record specifies the preshared key value used with (Banana):
The configuration on Banana is the mirror image of the configuration on Apple:
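The following script is an added illustration of the policy selection this example describes; it is not HP-UX IPSec code and does not use the ipsec_config syntax. It models Apple's two host policies (telnetAB with its source left as "any", telnetBA with Banana as the source) plus a clear-text catch-all, classifies constructed sample packets, derives Banana's mirror image by swapping the two addresses, and checks that both ends pick the same action and transform for every flow. The addresses, the transform label and the matching rules (first matching policy wins; a policy covers both directions of the flow it describes) are assumptions made for the illustration.

```python
"""Added example: models the Apple/Banana host-policy selection from EXAMPLES.
Not HP-UX IPSec code. Addresses are constructed placeholders; the matching
rules below are assumptions used to illustrate the point."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

APPLE = "192.0.2.10"    # constructed placeholder for Apple's address
BANANA = "192.0.2.20"   # constructed placeholder for Banana's address
TELNET = 23
AES_SHA1 = "ESP_AES128_HMAC_SHA1"   # assumed label for "ESP with AES, SHA-1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class HostPolicy:
    """One host IPsec policy. A None field means 'any', which is the default
    the text relies on for telnetAB's source (the client port is dynamic)."""
    name: str
    action: str                       # "ESP" or "PASS"
    transform: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def _match(self, src_ip, src_port, dst_ip, dst_port, proto) -> bool:
        pairs = [(self.src_ip, src_ip), (self.src_port, src_port),
                 (self.dst_ip, dst_ip), (self.dst_port, dst_port),
                 (self.proto, proto)]
        return all(want is None or want == got for want, got in pairs)

    def matches(self, pkt: Packet) -> bool:
        # Assumption: a policy describes a flow, so it matches the packet as
        # written (client to server) and with the endpoints reversed (the reply).
        fwd = self._match(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        rev = self._match(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return fwd or rev


# Apple's configuration: telnetAB (Apple is client, source left as any),
# telnetBA (Apple is server), then the clear-text catch-all for everything else.
APPLE_POLICIES: List[HostPolicy] = [
    HostPolicy("telnetAB", "ESP", AES_SHA1, dst_ip=BANANA, dst_port=TELNET, proto="tcp"),
    HostPolicy("telnetBA", "ESP", AES_SHA1, src_ip=BANANA, dst_ip=APPLE,
               dst_port=TELNET, proto="tcp"),
    HostPolicy("passClear", "PASS"),
]


def classify(policies: List[HostPolicy], pkt: Packet) -> HostPolicy:
    """Return the first matching policy; the catch-all guarantees a result."""
    for pol in policies:
        if pol.matches(pkt):
            return pol
    raise LookupError("no policy matched; a catch-all policy is required")


def mirror_for_peer(policies: List[HostPolicy], local: str, peer: str) -> List[HostPolicy]:
    """Build the peer's mirror image: the same policies with the two addresses swapped."""
    swap = {local: peer, peer: local}
    return [replace(p, src_ip=swap.get(p.src_ip, p.src_ip),
                    dst_ip=swap.get(p.dst_ip, p.dst_ip)) for p in policies]


def inconsistencies(side_a: List[HostPolicy], side_b: List[HostPolicy],
                    packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Flows on which the two ends disagree about action or transform. Such a
    flow cannot yield a working SA, so this is the first check when traffic fails."""
    bad = []
    for pkt in packets:
        a, b = classify(side_a, pkt), classify(side_b, pkt)
        if (a.action, a.transform) != (b.action, b.transform):
            bad.append((pkt, a.name, b.name))
    return bad


# Constructed sample traffic: Apple as client, Banana as client, a server
# reply on the dynamic client port, and unrelated HTTP traffic.
SAMPLE_PACKETS = [
    Packet(APPLE, 40000, BANANA, TELNET),
    Packet(BANANA, 51000, APPLE, TELNET),
    Packet(BANANA, TELNET, APPLE, 40000),
    Packet(APPLE, 40000, BANANA, 80),
]
BANANA_POLICIES = mirror_for_peer(APPLE_POLICIES, APPLE, BANANA)

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", classify(APPLE_POLICIES, pkt).name, "/", classify(BANANA_POLICIES, pkt).name)
    print("mismatches:", inconsistencies(APPLE_POLICIES, BANANA_POLICIES, SAMPLE_PACKETS))
```

Dropping telnetBA from Banana's side (an easy mistake when the mirror image is typed by hand) makes the consistency check report the Apple-to-Banana connection and its reply, which is exactly the symptom of one end encrypting while the other expects clear text.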
AUTHOR
ipsec_config was developed by HP.
FILES
configuration database.
default profile file.
SEE ALSO ipsec_admin(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M),
ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M).
HP-UX IPSec Software Required ipsec_config(1M)