HP-UX IPSec A.02.01 Release Notes
What’s in This Version
HP-UX IPSec searches for the Java runtime components in the directory /opt/java1.4.
If you install the JRE in another directory, you must set the JAVA_HOME environment
variable to the appropriate location.
• The ipsec_config command no longer allows you to configure transforms for
Encapsulated Security Protocol (ESP) without authentication. You cannot configure the
following transforms:
— ESP_AES128
— ESP_DES
— ESP_3DES
Existing policies that use the above transforms will continue to operate, but HP strongly
recommends that you replace them with ESP transforms that also provide authentication,
such as ESP_AES128_HMAC_SHA1.
If you have specified any of the above transforms in an ipsec_config
profile file entry, you must change the entry to contain a legal
transform, such as ESP_AES128_HMAC_SHA1.
• The syntax of the ipsec_migrate utility has changed. The new syntax is as follows:
ipsec_migrate [-p policy_file_name]
• ISAKMP/Main Mode (ISAKMP/MM) Security Associations (SAs) are now referred to as
IKE SAs. The term “Main Mode” is used only when needed to distinguish the type of
exchange mode used to negotiate the IKE SA.
• Tunnel endpoint address (-tsource and -tdestination) parameters are no longer
required in the ipsec_config add tunnel command. If you do not specify a tunnel
endpoint, HP-UX IPSec uses the end-to-end source or destination address and prefix as
the tunnel endpoint address. If the end-to-end source or destination is a subnet, the
tunnel policy can be used to form multiple tunnels with different endpoints.
• IKE now supports key identifiers as an IKE ID type when using preshared keys with
Aggressive Mode. The ipsec_config add auth command now accepts KEY-ID for the
local and remote ID type options.
• The ipsec_report utility supports the following new options:
— -sa ike: The -sa ike option displays IKE SAs (Main Mode and Aggressive Mode).
(The -sa ike option replaces the -mad option.)
— -sa ipsec: The -sa ipsec option displays IPSec SAs. (The -sa ipsec option
replaces the -sad option.)
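Because ipsec_config now rejects ESP_AES128, ESP_DES and ESP_3DES, it helps to audit profile and batch files for those names before upgrading. The script below is an added example, not part of the HP release notes or HP's tooling; it assumes the file is plain text with "#" comment lines, and its sample entries are constructed and simplified. It matches whole tokens only, so ESP_AES128_HMAC_SHA1 is not reported as ESP_AES128.

```shell
#!/bin/sh
# find_unauth_esp FILE
# Prints "LINE: TRANSFORM" for each encryption-only ESP transform named in
# FILE. Returns 0 if at least one was found, 1 if the file is clean.
find_unauth_esp() {
    awk '
        /^[ \t]*#/ { next }    # assumption: "#" starts a comment line
        {
            # Split on every character that cannot be part of a transform
            # name, so ESP_AES128 never matches inside ESP_AES128_HMAC_SHA1.
            n = split($0, tok, /[^A-Za-z0-9_]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "ESP_AES128" || tok[i] == "ESP_DES" ||
                    tok[i] == "ESP_3DES") {
                    printf "%d: %s\n", NR, tok[i]
                    found = 1
                }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# write_sample FILE
# Writes constructed, simplified policy entries (hypothetical names and
# addresses) to FILE for demonstration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample entries, for illustration only
add host good_a -destination 10.1.1.1 -action ESP_AES128_HMAC_SHA1
add host legacy_a -destination 10.1.1.2 -action ESP_3DES
add host legacy_b -destination 10.1.1.3 -action ESP_DES,ESP_AES128_HMAC_SHA1
# add host retired -destination 10.1.1.4 -action ESP_AES128
add host legacy_c -destination 10.1.1.5 -action ESP_AES128
EOF
}

# Demonstration run on the constructed sample.
sample="${TMPDIR:-/tmp}/ipsec_sample.$$"
write_sample "$sample"
if find_unauth_esp "$sample"; then
    echo "Replace the transforms listed above with authenticated ones," \
         "such as ESP_AES128_HMAC_SHA1."
fi
rm -f "$sample"
```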