HP-UX IPSec A.02.01 Release Notes

What’s in This Version
The HP-UX IPSec Version A.02.01 product (J4256AA) is supported on HP-UX 11i version 1
(B.11.11) and HP-UX 11i v2 Update 2 (v2UD2) systems.
This version of HP-UX IPSec includes the following new and changed features:
• HP-UX IPSec now supports IKE Aggressive Mode (AM) for IKE Phase 1 negotiations in
  addition to Main Mode (MM) negotiations. In Aggressive Mode negotiations, the IKE
  initiator sends ID information in the first packet. This enables the IKE responder to select
  IKE SA parameters, such as the encryption information, based on identity information
  instead of the IKE peer’s IP address. Aggressive Mode is quicker and requires the peers to
  exchange fewer packets, but is less secure because the peers exchange identity
  information in clear text.

  The IKE protocol specification requires Main Mode support; Aggressive Mode support is
  optional.

  You configure Aggressive Mode in authentication records using the option -exchange AM
  in the ipsec_config add auth command.
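
The cleartext identity exposure described above, shown as an added example that is not part of the HP release notes or of HP-UX IPSec: a Python parser for the ISAKMP header and payload chain (RFC 2408) run over constructed packets. The identity client1@example.com, the cookie values and the dummy payload bodies are assumptions made for the illustration.

```python
import struct

EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}  # ISAKMP exchange types (RFC 2408)
ID_TYPES = {2: "ID_FQDN", 3: "ID_USER_FQDN"}       # IPsec DOI ID types (RFC 2407)
SA, KE, ID, NONCE = 1, 4, 5, 10                    # ISAKMP payload types (RFC 2408)
HDR = "!8s8sBBBBII"  # cookies, next payload, version, exchange, flags, msg id, length

def build(exchange, payloads, flags=0):
    """Build a constructed ISAKMP message from (payload_type, body) pairs."""
    types = [t for t, _ in payloads] + [0]
    chain = b"".join(struct.pack("!BBH", types[i + 1], 0, 4 + len(body)) + body
                     for i, (_, body) in enumerate(payloads))
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, types[0], 0x10,
                       exchange, flags, 0, 28 + len(chain)) + chain

def inspect(packet):
    """Return (exchange name, identities readable without any key)."""
    if len(packet) < 28:
        raise ValueError("shorter than an ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = struct.unpack(HDR, packet[:28])
    if length != len(packet):
        raise ValueError("header length does not match packet size")
    ids, off = [], 28
    while nxt != 0 and not flags & 0x01:   # flag bit 0 set: payloads are encrypted
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        cur = nxt
        nxt, _, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        if cur == ID and plen >= 8:        # ID body: type, protocol, port, data
            name = ID_TYPES.get(packet[off + 4], f"type {packet[off + 4]}")
            ids.append((name, packet[off + 8:off + plen].decode("ascii", "replace")))
        off += plen
    return EXCHANGE.get(exch, f"type {exch}"), ids

# Constructed sample packets; every payload body except the ID is dummy bytes.
ident = struct.pack("!BBH", 3, 17, 500) + b"client1@example.com"
AM_FIRST = build(4, [(SA, b"\x00" * 8), (KE, b"\xaa" * 16), (NONCE, b"\xbb" * 16), (ID, ident)])
MM_FIRST = build(2, [(SA, b"\x00" * 8)])
MM_FIFTH = build(2, [(ID, b"\xcc" * 24)], flags=0x01)  # stands in for ciphertext

if __name__ == "__main__":
    for label, pkt in (("AM msg 1", AM_FIRST), ("MM msg 1", MM_FIRST), ("MM msg 5", MM_FIFTH)):
        print(label, inspect(pkt))
```

Only the Aggressive Mode first message yields an identity; the Main Mode first message carries no ID payload, and the later Main Mode message that does carry it has the encryption flag set.
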

• HP-UX IPSec now supports autoconfiguration clients (clients with dynamically assigned
  IP addresses, such as IPv6 stateless autoconfiguration clients, and DHCP and DHCPv6
  clients). To specify an autoconfiguration client, use the AUTOCONF flag in the
  ipsec_config add host or add gateway command.

  You must use IKE Aggressive Mode with autoconfiguration clients because these clients
  do not have fixed IP addresses.

• HP-UX IPSec now supports IKE (dynamic keys) with Mobile IPv6 clients. You must use
  Aggressive Mode if you are using IKE with Mobile IPv6 clients because these clients send
  packets using Mobile IPv6 Care-of Addresses, which are not fixed.

• The bypass list can now contain IPv6 addresses.

• HP-UX IPSec now supports generic utilities and methods for configuring and using
  security certificates instead of providing vendor-specific methods. The following changes
  are related to the change to generic certificate support:

  — The ipsec_mgr GUI is no longer supported. The ipsec_config command supports
    the following new commands to configure certificate-related information:

      ipsec_config add csr: Creates a Certificate Signing Request (CSR) that the
      administrator submits to the Certificate Authority (CA) to get a signed certificate
      for the local system.