HP-UX Containers (SRP) A.03.00 Administrator's Guide

An authentication record
The authentication record contains the specified remote IP address and preshared key value.
The default HP-UX IPSec values are used for all other parameters.
HP-UX IPSec default parameter values
For IPSec parameters not directly managed by the srp command, default values are read from the
IPSec profile file, /var/adm/ipsec/.ipsec_profile. View this text file to determine the default IPSec
parameters and the values that must be configured on the peer system; an IKE negotiation fails if
the two sides do not agree on these parameters. Some of the main parameters and the default values
set in the factory-installed profile file are as follows:
IKE exchange type: Main Mode
IKE hash algorithm: MD5
IKE encryption algorithm: 3DES
IKE Diffie-Hellman group: 2
Note that MD5 and 3DES are considered weak by current standards. If the peer supports stronger
algorithms, change these values in the profile file before creating the SRP IPSec configuration.
Policy selection and priority
When IPSec selects a policy, it evaluates policies in priority order (lowest priority value first) and
uses the first policy that matches the search criteria. Because of this selection algorithm, IPSec
policies are typically ordered from most specific to least specific. The srp command adds policies
using the IPSec automatic priority increment mechanism, where IPSec determines the priority for a
new policy by adding n to the current highest priority in that policy category, where n is the
automatic priority increment value. A policy added with this mechanism therefore becomes the last
policy evaluated before the default policy in its category. If a less specific policy with a lower
priority value already exists, it matches first and the new policy is never selected, so you might
have to modify the priority value of the policies that srp adds.
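The following is an added illustration of the first-match selection and automatic priority
increment described above; it is not code from the SRP product or from this guide. It models a
policy category as a list searched in ascending priority order, with a hypothetical increment value
(AUTO_INCREMENT) and constructed addresses. A broad clear-text policy already present on the host
shadows the more specific policy that srp appends, and lowering the priority value of the specific
policy corrects the order.

```python
"""Model of IPSec first-match policy selection with automatic priority increment."""
import ipaddress
from dataclasses import dataclass

# Assumption: stands in for the IPSec automatic priority increment value (n in the text).
AUTO_INCREMENT = 10
ANY = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_PRIORITY = 10**9  # the default policy is always evaluated last


@dataclass
class Policy:
    name: str
    priority: int                 # lower value = evaluated earlier
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                   # "secure" (apply IPSec) or "pass" (clear text)


class PolicyTable:
    """One IPSec policy category searched in ascending priority order."""

    def __init__(self, default_action="pass"):
        self.policies = []
        self.default = Policy("default", DEFAULT_PRIORITY, ANY, ANY, default_action)

    def add(self, name, src, dst, action, priority=None):
        """Add a policy; with no explicit priority, use highest + AUTO_INCREMENT (srp behaviour)."""
        if priority is None:
            highest = max((p.priority for p in self.policies), default=0)
            priority = highest + AUTO_INCREMENT
        policy = Policy(name, priority,
                        ipaddress.ip_network(src), ipaddress.ip_network(dst), action)
        self.policies.append(policy)
        return policy

    def set_priority(self, name, priority):
        """Reprioritize an existing policy (the manual fix the text recommends)."""
        for p in self.policies:
            if p.name == name:
                p.priority = priority
                return p
        raise KeyError(name)

    def select(self, src_ip, dst_ip):
        """Return the first policy that matches, or the default policy."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for p in sorted(self.policies, key=lambda p: p.priority):
            if s in p.src and d in p.dst:
                return p
        return self.default


def shadowed_table():
    """Constructed scenario: a broad host policy exists before srp adds the container policy."""
    table = PolicyTable()
    table.add("site_clear", "10.1.0.0/16", "0.0.0.0/0", "pass")      # priority 10
    table.add("srp_container", "10.1.2.3/32", "192.0.2.10/32", "secure")  # auto: 20
    return table


def fixed_table():
    """Same table after moving the specific policy ahead of the broad one."""
    table = shadowed_table()
    table.set_priority("srp_container", 5)
    return table


if __name__ == "__main__":
    for label, table in (("before fix", shadowed_table()), ("after fix", fixed_table())):
        chosen = table.select("10.1.2.3", "192.0.2.10")
        print(f"{label}: 10.1.2.3 -> 192.0.2.10 uses {chosen.name} ({chosen.action})")
```

In the "before" state the container's traffic to its IPSec peer is sent in clear text because the
broad policy matches first; nothing in the automatic increment mechanism detects this, so the
priorities must be checked after srp adds its policies.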
Using IPSec with IPFilter
HP-UX IPFilter is located below HP-UX IPSec in the networking stack. HP-UX IPFilter processes inbound
IP packets before HP-UX IPSec and processes outbound packets after HP-UX IPSec.
To use IPSec with IPFilter, you must configure IPFilter to pass the following packets:
IP packets with protocol 50 (IPsec Encapsulating Security Payload protocol, ESP)
IP packets with protocol 51 (IPsec Authentication Header protocol, AH)
UDP packets with port 500 (IPsec Internet Key Exchange protocol, IKE)
If HP-UX IPSec secures a packet (the packet has an AH or ESP header), HP-UX IPFilter cannot filter the
packet based on upper-layer information such as TCP port numbers, connection state, or ICMP message
types. The only upper-layer protocol information that HP-UX IPFilter processes for such a packet is the
IP protocol number (50 or 51). IPSec-protected packets therefore do not match any IPFilter rules based
on the TCP, UDP, or ICMP protocol type or on field values for these protocols (such as port numbers),
and stateful rules (keep state) cannot track the connections inside them. Filter protected traffic by
peer address and IP protocol number instead.
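The following IPFilter rule set is an added example of the configuration described in this section,
not a fragment from the guide or from the SRP product. It assumes a constructed local address
(10.1.2.3) and peer address (192.0.2.10), and a default-deny policy at the end of the file; adjust both
for your system.

```text
# Added example IPFilter rules for an IPSec peer (constructed addresses)
# Local IPSec endpoint: 10.1.2.3   Remote peer: 192.0.2.10

# IKE negotiation: UDP port 500 in both directions, before any IPSec SA exists
pass in  quick proto udp from 192.0.2.10 port = 500 to 10.1.2.3 port = 500
pass out quick proto udp from 10.1.2.3 port = 500 to 192.0.2.10 port = 500

# ESP (IP protocol 50): only address and protocol number are visible to IPFilter
pass in  quick proto 50 from 192.0.2.10 to 10.1.2.3
pass out quick proto 50 from 10.1.2.3 to 192.0.2.10

# AH (IP protocol 51): same restriction, no port or state matching is possible
pass in  quick proto 51 from 192.0.2.10 to 10.1.2.3
pass out quick proto 51 from 10.1.2.3 to 192.0.2.10

# Rules such as the following never match protected traffic; inbound packets from the
# peer arrive as protocol 50/51 and the TCP header is only visible after IPSec decapsulation:
# pass in quick proto tcp from 192.0.2.10 to 10.1.2.3 port = 22 keep state

# Default deny for everything not matched above
block in  all
block out all
```

The rules do not use keep state on the ESP and AH entries, because IPFilter sees no transport-layer
connection in a protected packet to track. Keep the IKE rules on UDP 500 even when a tunnel is already
up, since IKE must rerun to rekey the security associations.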