Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec
Configuring a Windows End-to-End Tunnel Policy
The only IPsec tunnel topology supported between an HP-UX system and a Windows system is an end-to-end tunnel.⁵
The procedure for configuring an end-to-end tunnel policy on a Windows system is the same as the procedure for configuring a host policy, except that you must configure two non-mirrored rules: one rule for outbound packets and one rule for inbound packets, as described in the sections that follow.
NOTE: Do not configure any other rules in the policy with the HP-UX system address as the destination address. This prevents the Microsoft system from applying the tunnel transform over a host-to-host (transport) transform. In end-to-end tunnel topologies, HP-UX IPSec does not support transport transforms over a tunnel transform.
Outbound Tunnel Rule Requirements
The outbound tunnel rule must have the following parameters:
• Filter List: one filter, with the following parameters:
  — Address:
    ◦ Source address: the HP-UX system's address.
    ◦ Destination address: this must be a specific IP address and must be the Windows system's address.
    ◦ Mirrored: no (the Mirrored box is cleared).
  — Protocol Type: none (wildcard). The Windows documentation states that the filters in tunnel rules must not specify protocols or ports, so that IP Security can correctly process IP fragments.
• Tunnel Setting:
  — Tunnel endpoint: the HP-UX system's address. This is the address of the tunnel endpoint closest to the destination. Since this is an end-to-end tunnel, it is the same as the destination address in the address filter.
Inbound Tunnel Rule Requirements
The inbound tunnel rule must have the following parameters:
• Filter List: one filter, with the following parameters:
  — Address:
    ◦ Source address: the Windows system's address.
    ◦ Destination address: this must be a specific IP address and must be the HP-UX system's address.
    ◦ Mirrored: no (the Mirrored box is cleared).
  — Protocol Type: none (wildcard).
• Tunnel Setting:
  — Tunnel endpoint: the Windows system's address. This is the address of the tunnel endpoint closest to the destination. Since this is an end-to-end tunnel, it is the same as the destination address in the address filter.
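The requirements above (exactly two non-mirrored tunnel rules, protocol left as the wildcard, a specific destination address, the tunnel endpoint equal to the filter's destination in an end-to-end tunnel, and the NOTE that no other rule may select traffic to the HP-UX address) can be encoded as a lint over a policy before it is assigned. The following Python script is an added example and is not part of the HP-UX IPSec manual or of Microsoft's tooling: its Rule and Filter classes are a simplified model of the fields the IP Security Policy snap-in exposes, not Microsoft's policy format, and the addresses are constructed TEST-NET-1 values. The sample policy is constructed to satisfy the invariant the text states for end-to-end tunnels, namely that each rule's tunnel endpoint equals its filter's destination address.

```python
"""Added example: lint a Windows IP Security policy against the end-to-end
tunnel requirements for interoperating with HP-UX IPSec.

Rule/Filter are a simplified, hypothetical model of the snap-in fields
(filter list, address filter, protocol type, mirrored flag, tunnel setting);
they are not Microsoft's policy format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "ANY"  # the Protocol Type wildcard


@dataclass
class Filter:
    src: str              # source address filter
    dst: str              # destination address filter
    protocol: str = ANY
    mirrored: bool = False


@dataclass
class Rule:
    name: str
    filters: List[Filter]
    # None means a host-to-host (transport) rule; an address means a tunnel rule
    tunnel_endpoint: Optional[str] = None


def _is_specific_ip(addr: str) -> bool:
    """True if addr is a single IP address rather than 'ANY', 'me' or a subnet."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def check_tunnel_policy(rules: List[Rule], hpux_addr: str, windows_addr: str) -> List[str]:
    """Return the list of requirement violations; an empty list means compliant."""
    problems: List[str] = []
    peers = {hpux_addr, windows_addr}

    tunnel_rules = [r for r in rules if r.tunnel_endpoint is not None]
    if len(tunnel_rules) != 2:
        problems.append(f"expected exactly 2 tunnel rules, found {len(tunnel_rules)}")

    directions = set()
    for rule in tunnel_rules:
        if len(rule.filters) != 1:
            problems.append(f"{rule.name}: filter list must hold exactly one filter")
            continue
        flt = rule.filters[0]
        if flt.mirrored:
            problems.append(f"{rule.name}: tunnel filter must not be mirrored")
        if flt.protocol != ANY:
            problems.append(f"{rule.name}: tunnel filter must leave the protocol as the "
                            "wildcard so IP fragments are processed correctly")
        if not _is_specific_ip(flt.dst):
            problems.append(f"{rule.name}: destination must be a specific IP address")
        if {flt.src, flt.dst} != peers:
            problems.append(f"{rule.name}: filter must pair the HP-UX and Windows addresses")
        if rule.tunnel_endpoint != flt.dst:
            problems.append(f"{rule.name}: end-to-end tunnel endpoint must equal the filter destination")
        directions.add((flt.src, flt.dst))
    if len(tunnel_rules) == 2 and len(directions) != 2:
        problems.append("the two tunnel rules must cover opposite directions")

    # The NOTE above: no other rule may select traffic to the HP-UX address,
    # otherwise Windows stacks a transport transform over the tunnel transform.
    for rule in rules:
        if rule.tunnel_endpoint is not None:
            continue
        for flt in rule.filters:
            if flt.dst == hpux_addr or (flt.mirrored and flt.src == hpux_addr):
                problems.append(f"{rule.name}: transport rule selects traffic to the HP-UX address")
    return problems


# Constructed sample addresses (RFC 5737 TEST-NET-1), not taken from the manual.
HPUX = "192.0.2.10"
WINDOWS = "192.0.2.20"

COMPLIANT = [
    Rule("tunnel-to-hpux", [Filter(src=WINDOWS, dst=HPUX)], tunnel_endpoint=HPUX),
    Rule("tunnel-from-hpux", [Filter(src=HPUX, dst=WINDOWS)], tunnel_endpoint=WINDOWS),
]

# A mirrored tunnel rule plus a transport rule for Telnet to the HP-UX host.
NONCOMPLIANT = [
    Rule("tunnel-mirrored", [Filter(src=WINDOWS, dst=HPUX, mirrored=True)], tunnel_endpoint=HPUX),
    Rule("telnet-transport", [Filter(src=WINDOWS, dst=HPUX, protocol="TCP")]),
]

if __name__ == "__main__":
    for label, policy in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(label, check_tunnel_policy(policy, HPUX, WINDOWS) or ["OK"])
```

Running the script reports no findings for the compliant policy and three for the non-compliant one: only one tunnel rule, a mirrored tunnel filter, and a transport rule whose filter selects traffic to the HP-UX address. The last finding is the one that matters most operationally, since it is exactly the configuration the NOTE warns about and the one that fails silently when HP-UX IPSec refuses transport-over-tunnel.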
Configuring a Tunnel Rule
Use the following procedure to configure an outbound or inbound tunnel rule.
5. You can also configure an IPsec topology where packets exchanged between an HP-UX system and a Windows system are tunneled through an IPsec gateway device, but neither HP-UX nor Windows systems can be configured as IPsec gateways. The only topology in which an HP-UX system can act as an IPsec gateway is when the HP-UX system is a Home Agent for Mobile IPv6 clients. The HP-UX IPSec Administrator's Guide describes how to configure a host-to-gateway IPsec topology using HP-UX and a Cisco router.
Configuring a Windows End-to-End Tunnel Policy 33