HP-UX IPSec A.02.00.01 Release Notes

What’s in This Version
Certificate IDs are configured in authentication records. The authentication records are
indexed and searched by remote IP address. There is no longer a certificate ID record for
the local system (127.0.0.0).
• The ipsec_report utility supports the following new options:
-entity (used with the -audit option): The -entity option allows you to specify one
or more entities when displaying an audit file (-audit). This allows you to selectively
display audit records logged by specific entities.
-host: The -host option displays IPSec policies loaded by the policy daemon.
-ike: The -ike option displays IKE policies loaded by the policy daemon.
-gateway: The -gateway option displays gateway IPSec policies loaded by the policy
daemon.
-tunnel: The -tunnel option displays tunnel IPSec policies loaded by the policy
daemon.
The ipsec_report options -ipsec and -isakmp are still supported, but only for
backwards compatibility, and they are not documented. The ipsec_report option -ipsec
reports host IPSec policies (it is now equivalent to the -host option). The
ipsec_report option -isakmp reports IKE policies (it is now equivalent to the -ike
option).
• The ipsec_policy utility now allows you to specify a direction for the packet parameters.
• The ipsec_admin utility supports the following new options to set general operating
parameters:
-spd_soft: The -spd_soft option allows you to specify the “soft” limit for the size of
the Security Policy Database (SPD). The SPD is the HP-UX IPSec runtime policy
database, with cached policy decisions for packet descriptors (five-tuples consisting of
exact, non-wildcard source IP address, destination IP address, protocol, source port,
and destination port).
-spd_hard: The -spd_hard option allows you to specify the “hard” limit for the size of
the SPD.
-spi_min: The -spi_min option allows you to specify the lower bound for inbound,
dynamic key Security Parameters Index (SPI) numbers.
-spi_max: The -spi_max option allows you to specify the upper bound for inbound,
dynamic key Security Parameters Index (SPI) numbers.
IPv6 IKE functionality, formerly provided by the daemon ikmpdv6, is now provided by
ikmpd. The ikmpdv6 daemon is no longer shipped with the product.