HP-UX Secure Resource Partitions (SRP) A.02.01 Administrator's Guide

The output should include an IKE policy with the name SRP-compartment_name-base-1.
For example:
auth SRP-web2-base-1
-remote 10.2.2.2/32
-preshared myPresharedKey
-exchange MM
You can also use the ipsec_policy utility to verify the IPSec host rule selected for a packet
from the peer address. In the following example, the SRP compartment address is
192.0.2.1 and the peer address is 10.2.2.2. The ipsec_policy command queries
IPSec to determine which IPSec and IKE policies are selected for an outbound packet (-dir
out) with source IP address (-sa) 192.0.2.1 and destination IP address (-da) 10.2.2.2.
# ipsec_policy -sa 192.0.2.1 -da 10.2.2.2 -dir out
------------------- Active Host Policy Rule ---------------------
Rule Name: SRP-web2-base-1 ID: 8 Cookie: 3 Priority: 30
Src IP Addr: 192.0.2.1 Prefix: 32 Port number: 0
Dst IP Addr: 10.2.2.2 Prefix: 32 Port number: 0
Network Protocol: All Direction: outbound
Action: Dynamic key SA State: SPI(s) Not Established
Number of SA(s) Needed: 1 Pair(s)
Number of SA(s) Created: 0 Pair(s)
Kernel Requests Queued: 0
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
Lifetime Seconds: 28800
Lifetime Kbytes: 0
---------------------------- IKE Rule -----------------------------
Rule Name: SRP-web2-base-1 Priority: 20 Cookie: 4
Remote IP Address: 10.2.2.2 Prefix: 32
Group Type: 2 Authentication Method: Pre-shared Keys
Authentication Algorithm: HMAC-MD5 Encryption Algorithm: 3DES-CBC
Number of Quick Modes: 100 Lifetime (seconds): 28800
Action: Secure
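As an added example (not code from the HP-UX guide or from HP): a Python parser for the ipsec_policy output shown above that checks whether the selected host rule and IKE rule carry the SRP-compartment_name-base-1 name for the expected peer. The sample output is constructed from the listing above, and the field names are assumed to be exactly those the listing prints.

```python
import re

# Constructed sample: the ipsec_policy output shown above for compartment "web2"
SAMPLE_OUTPUT = """\
------------------- Active Host Policy Rule ---------------------
Rule Name: SRP-web2-base-1 ID: 8 Cookie: 3 Priority: 30
Src IP Addr: 192.0.2.1 Prefix: 32 Port number: 0
Dst IP Addr: 10.2.2.2 Prefix: 32 Port number: 0
Network Protocol: All Direction: outbound
Action: Dynamic key SA State: SPI(s) Not Established
Proposal 1: Transform: ESP-AES128-HMAC-SHA1
---------------------------- IKE Rule -----------------------------
Rule Name: SRP-web2-base-1 Priority: 20 Cookie: 4
Remote IP Address: 10.2.2.2 Prefix: 32
"""

# Several "Key: value" pairs share a line and values may contain spaces, so keys are matched by name.
FIELDS = ["Rule Name", "ID", "Cookie", "Priority", "Src IP Addr", "Dst IP Addr",
          "Prefix", "Port number", "Network Protocol", "Direction", "Action",
          "SA State", "Transform", "Remote IP Address"]
FIELD_RE = re.compile(r"\s*(" + "|".join(map(re.escape, FIELDS)) + r"|Proposal \d+):\s*")
HEADER_RE = re.compile(r"^-+\s*(.+?)\s*-+$")

def parse_ipsec_policy(output):
    """Return {section: {field: value}} for each '--- Section ---' block."""
    sections, current = {}, None
    for line in output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or not line.strip():
            continue
        parts = FIELD_RE.split(line)  # ['', key1, val1, key2, val2, ...]
        for key, val in zip(parts[1::2], parts[2::2]):
            current[key] = val.strip()  # a repeated key (Prefix) keeps its last value
    return sections

def check_srp_policy(output, compartment, peer):
    """Confirm the rules selected for this peer are the SRP-generated ones."""
    expected = f"SRP-{compartment}-base-1"
    sections = parse_ipsec_policy(output)
    host = sections.get("Active Host Policy Rule", {})
    ike = sections.get("IKE Rule", {})
    return {
        "host_rule_ok": host.get("Rule Name") == expected and host.get("Dst IP Addr") == peer,
        "ike_rule_ok": ike.get("Rule Name") == expected and ike.get("Remote IP Address") == peer,
        "transform": host.get("Transform"),
        "sa_pending": "Not Established" in host.get("SA State", ""),  # shown before IKE has run
    }
```

Feed it the real output of `ipsec_policy -sa <compartment address> -da <peer> -dir out`; a false `host_rule_ok` or `ike_rule_ok` means another (higher-priority or overlapping) rule was selected instead of the SRP one.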
17.2 Troubleshooting Procedures
This section includes the following troubleshooting procedures:
17.2.1 Using the Security Containment Compartment Discover Feature
17.2.2 Removing or Disabling IPFilter
17.2.3 Removing or Disabling IPSec
17.2.1 Using the Security Containment Compartment Discover Feature
In a secure environment, you can use the Security Containment discover feature to remove
compartment restrictions and view the rules that are needed to allow access. (If you are not in a
secure environment, you can use IPFilter to allow access from only trusted systems before removing
compartment restrictions.)
The following is a typical procedure for using the discover feature:
1. Stop the SRP compartment:
srp -stop compartment_name
2. Edit the compartment rules file (/etc/cmpt/compartment_name), and tag the
compartment definition at the beginning of the file with the discover keyword. This opens