Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec
• Encryption algorithm: 3DES
• Hash algorithm: MD5
• Diffie-Hellman Group: 2
• Maximum lifetime: 28,800 seconds (8 hours)
• Maximum Quick Modes: 100
You can specify alternative values for the above parameters in the ipsec_config add ike
command.
On Windows XP systems with SP2, IP Security policies are pre-configured with four IKE SA
proposals. The second IKE proposal matches the default HP-UX IPSec IKE proposal[3], and will
be used by the two systems if no changes are made to the default configuration data. If these
IKE parameters meet your security requirements, you do not need to modify the IKE parameters
and can skip to “Step 10: Assigning the IP Security Policy” (page 30).
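Added example (not from the HP documentation): a simplified Python model of the proposal match described above, showing which Windows default proposal the HP-UX default selects and which defaults are the weaker ones. The hash values of the third and fourth Windows proposals are assumptions (the page states only DES and Diffie-Hellman Group 1), lifetimes are not modelled, and the function names are hypothetical.

```python
from typing import List, NamedTuple, Optional, Tuple


class Proposal(NamedTuple):
    encryption: str
    hash_alg: str
    dh_group: int


# Default HP-UX IPSec IKE proposal, as listed on this page.
HPUX_DEFAULT = Proposal("3DES", "MD5", 2)

# Windows XP SP2 default proposals in preference order.
# Entries 1 and 2 follow the page; the hash values of entries 3 and 4
# are assumptions (the page gives only DES and Diffie-Hellman Group 1).
WINDOWS_XP_DEFAULTS = [
    Proposal("3DES", "SHA1", 2),
    Proposal("3DES", "MD5", 2),
    Proposal("DES", "SHA1", 1),   # hash assumed
    Proposal("DES", "MD5", 1),    # hash assumed
]


def select_proposal(offered, acceptable) -> Optional[Tuple[int, Proposal]]:
    """Return (1-based position, proposal) of the first offered proposal
    that the peer also accepts, or None if negotiation would fail."""
    for position, proposal in enumerate(offered, start=1):
        if proposal in acceptable:
            return position, proposal
    return None


def weak_positions(offered) -> List[int]:
    """Positions of proposals the page calls weaker: DES or DH Group 1."""
    return [pos for pos, p in enumerate(offered, start=1)
            if p.encryption == "DES" or p.dh_group == 1]


if __name__ == "__main__":
    print("defaults:", select_proposal(WINDOWS_XP_DEFAULTS, [HPUX_DEFAULT]))
    print("weak proposals at:", weak_positions(WINDOWS_XP_DEFAULTS))
    # Constructed case: a Windows policy trimmed to SHA1 only no longer
    # matches the HP-UX default, so the HP-UX side must be changed too.
    sha1_only = [Proposal("3DES", "SHA1", 2)]
    print("SHA1 only:", select_proposal(sha1_only, [HPUX_DEFAULT]))
    # Constructed case: a peer that accepts only DES/MD5/Group 1 still
    # gets a match while the weak defaults remain in the list.
    des_peer = [Proposal("DES", "MD5", 1)]
    print("DES-only peer:", select_proposal(WINDOWS_XP_DEFAULTS, des_peer))
```

Any change to the proposal list on one system has to be mirrored on the other, or the match returns nothing and no IKE SA is established.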
Use the following procedure to modify the Windows IKE SA parameters:
1. From the Policy Properties dialog box, select the General tab. The IP Security configuration
utility opens the General dialog box (Figure 13).
Click Advanced[4]. (Ignore the field labeled Check for policy changes. This field is used
only when the policy is stored in an Active Directory.)
Figure 13 General Policy Properties Dialog Box
2. The IP Security configuration utility opens the Key Exchange Settings dialog box (Figure 14).
[3] By default, the first Windows XP proposal has the following parameters: Encryption - 3DES; Hash - SHA1;
Diffie-Hellman Group - 2. The third and fourth Windows proposals are weaker, and use DES encryption and
Diffie-Hellman Group 1. Refer to the Windows documentation for more information.
[4] On Windows 2003 servers, this button is labeled Settings.
Configuring a Windows Host-to-Host Policy 27