Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec
Table 1 IPsec Parameters on Windows and HP-UX (continued)
| Parameter | Windows Configuration | HP-UX Configuration | Notes |
| --- | --- | --- | --- |
| IKE Preshared Key | Specify it in the Authentication Methods for a rule. | Specify it using the -preshared argument of the ipsec_config add auth command. | |
| IKE Exchange Type | Windows supports only Main Mode exchanges. | Specify it using the -exchange argument of the ipsec_config add auth command. The default value is MM (Main Mode). | |
| Maximum IKE SA Lifetime, measured by time | Specify it in the Key Exchange Settings dialog box. (To navigate to the Key Exchange Setting dialog box, select the General tab in the Policy Properties dialog box, then select Advanced settings.) | Specify it using the -life argument in the ipsec_config add ike command. | The Windows IP Security Policy snap-in utility uses minutes as the time unit. The HP-UX ipsec_config command uses seconds as the time unit. See “IKE SA Key (Master Key) Lifetime Values” (page 42) for additional information. |
| Maximum Quick Mode (QM) negotiations per IKE SA | Specify it in the Key Exchange Settings dialog box. (To navigate to the Key Exchange Setting dialog box, select the General tab in the Policy Properties dialog box, then select Advanced settings.) | Specify it using the -maxqm argument in the ipsec_config add ike command. | See “Maximum Quick Modes” (page 43) for additional information. |
| Perfect Forward Secrecy (PFS) | Windows supports PFS for keys only (PFS for session keys) and supports PFS for keys in conjunction with PFS for all identities (PFS for master keys). Specify PFS for master keys in the Key Exchange Settings dialog box. (To navigate to the Key Exchange Setting dialog box, select the General tab in the Policy Properties dialog box, then select Advanced settings.) | HP-UX does not support PFS for session keys. HP-UX supports only PFS for master keys. Specify PFS for master keys using the -maxqm 1 argument in the ipsec_config add ike command. | See “Perfect Forward Secrecy (PFS)” (page 43) for more information. |
| IKE SA Proposals | Specify it in the General parameters for a policy. You can configure multiple IKE SA proposals and their preference order. | You can specify the parameters for one IKE SA proposal in an IKE policy, using the -encryption, -hash, and -group arguments in an ipsec_config add ike command. | See “IKE Parameter Selection” (page 42) for additional information. |
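
A consistency check built from the table above, as an added example (not HP or Microsoft code): it compares the IKE values entered on each peer and reports the mismatches the table warns about, including the minutes-versus-seconds lifetime difference. The class and field names are hypothetical, and treating unequal lifetimes or Quick Mode limits as findings assumes you intend both peers to use the same values.

```python
from dataclasses import dataclass

# Hypothetical models of the values entered on each side (names are constructed).
@dataclass
class HpuxIke:
    life_seconds: int      # ipsec_config add ike -life (seconds)
    maxqm: int             # ipsec_config add ike -maxqm
    exchange: str = "MM"   # ipsec_config add auth -exchange (default MM)

@dataclass
class WindowsIke:
    lifetime_minutes: int          # Key Exchange Settings dialog (minutes)
    max_quick_modes: int           # Quick Mode negotiations per IKE SA
    master_key_pfs: bool = False   # PFS for master keys
    session_key_pfs: bool = False  # PFS for session keys

def compare(hpux: HpuxIke, win: WindowsIke) -> list[str]:
    """Return one finding per mismatch between the two peers' IKE settings."""
    findings = []
    if hpux.exchange != "MM":
        findings.append("exchange: Windows supports only Main Mode (MM)")
    win_seconds = win.lifetime_minutes * 60  # convert to the HP-UX unit
    if hpux.life_seconds != win_seconds:
        findings.append(
            f"lifetime: HP-UX -life {hpux.life_seconds} s, "
            f"Windows {win.lifetime_minutes} min = {win_seconds} s")
    if win.session_key_pfs:
        findings.append("pfs: HP-UX does not support PFS for session keys")
    if win.master_key_pfs:
        if hpux.maxqm != 1:
            findings.append("pfs: master-key PFS needs -maxqm 1 on HP-UX")
    elif hpux.maxqm != win.max_quick_modes:
        findings.append(
            f"maxqm: HP-UX {hpux.maxqm}, Windows {win.max_quick_modes}")
    return findings

if __name__ == "__main__":
    # Constructed sample: the Windows value 480 (minutes) was copied into -life.
    win = WindowsIke(lifetime_minutes=480, max_quick_modes=1, master_key_pfs=True)
    for finding in compare(HpuxIke(life_seconds=480, maxqm=1), win):
        print(finding)
```
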
Mirrored Filters
Microsoft filters can be mirrored (bi-directional) or not mirrored (uni-directional). If the filter is
mirrored, the filter will match IP packets with the source and destination addresses and ports
reversed. For example, a filter has the following specifications:
Source address: 10.1.1.1
Destination address: 10.2.2.2
Comparing HP-UX and Windows IPsec Configuration Parameters 41