Manualshelf

Configuring Microsoft Windows Vista and Windows Server 2008 to Operate with HP-UX IPSec

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
12345678
2
Introduction
This document contains tips for configuring IPsec on Microsoft Windows Vista and Windows Server
2008 systems to operate with HP-UX IPSec versions A.02.01 and later. For information on
configuring IPsec on Microsoft Windows XP and Windows 2003 systems to operate with HP-UX
IPSec, see in Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec.
The intended audience for this document is a network security administrator who is familiar with
Microsoft Windows Vista or Windows Server 2008, the HP-UX IPSec product, and the IP Security
protocol suite.
Related Documentation
The following documents are available from the HP Technical Documentation website at
http://docs.hp.com:
For information on configuring IPsec on Microsoft Windows XP and Windows 2003 systems to
operate with HP-UX IPSec, see Configuring Microsoft Windows IP Security to Operate with HP-UX
IPSec.
For general information about configuring HP-UX IPSec, see the HP-UX IPSec A.02.01 Administrator's
Guide or the HP-UX IPSec A.03.00 Administrator's Guide.
For information about configuring HP-UX IPSec to use Microsoft Windows security certificates, see
Using Microsoft Windows Certificates with HP-UX IPSec A.02.01and Using Microsoft Windows
Certificates with HP-UX IPSec A.03.00.
Protocol implementation differences
HP-UX and Microsoft Windows both implement the IP Security protocol suite. However, there are
features in the protocol suite that HP-UX implemented that Microsoft did not implement, and vice-versa.
There are also differences in default parameter values.
IKE version
At the time this document was published, Microsoft Windows Vista and Windows Server 2008
supported only Internet Key Exchange (IKE) IKE version 1. HP-UX IPSec version A.03.00 supports IKE
version 1 and IKE version 2. In this document, the term “IKE” refers to IKE version 1.
IKE authentication method
The Windows default IKE authentication method is Kerberos. RFC 2408 defines an optional Kerberos
Token payload, but does not describe how to implement it. HP-UX IPSec does not support Kerberos for
IKE authentication. You must configure the Microsoft connection security rule to use certificates or
preshared keys for IKE authentication.
On HP-UX A.02.00 and A.02.01 systems, you specify the IKE authentication method using the
authentication option in the ipsec_config add ike command.
On HP-UX A.03.00 systems, you specify the IKE authentication method using the –local_method
and –remote_method options in the ipsec_config add auth command.
IKE default algorithms
The Windows advanced firewall configures the IKE encryption and hash (integrity) algorithms as pairs
in security methods. By default, the Windows configuration contains the following security methods:
AES-128 encryption and SHA-1 integrity
AES-128 encryption and MD5 integrity