HP-UX IPSec A.03.00 Release Notes

profile file under the file name /var/adm/ipsec/.ipsec_profile.blank. When you run
the ipsec_migrate utility, ipsec_migrate saves the existing
/var/adm/ipsec/.ipsec_profile file in the /var/adm/ipsec/backup directory before
moving the /var/adm/ipsec/.ipsec_profile.blank file to /var/adm/ipsec/.ipsec_profile.
If you use customized settings in your profile file, edit the
/var/adm/ipsec/.ipsec_profile.blank file with your customized settings before
running ipsec_migrate.
Mobile IPv6 Support Is Obsolete
HP-UX IPSec cannot secure Mobile IPv6 packets that the local system forwards when acting as
a Home Agent. HP-UX IPSec can still secure packets to a Mobile IPv6 client when the local node
is acting as a Correspondent Node. The MH (Mobility Header) protocol type in host and tunnel
policies is obsolete. The MIPV6 flag in host policies is obsolete.
Gateway Policies Are Obsolete
IPsec gateway policies are obsolete. The ipsec_config add gateway and related gateway
commands are not supported.
Known Problems Fixed in This Version
The following table lists the known problems and fixes in this release of HP-UX IPSec.
Table 1 Fixes in HP-UX IPSec A.03.00
Defect ID         Description
QXCR1000576842    IKE authentication fails if the authentication record
                  distinguishedName (DN) is a subset of the certificate DN.
QXCR1000736150    Enhancement: ipsec_admin now logs any error messages at
                  system start up time in /etc/rc.log.
Known Problems and Limitations
This section lists the problems and limitations known to HP at the time of
publication. If workarounds are available, they are described.
Host Name Resolution
If you are using DNS, NIS or NIS+ to resolve hostnames to IP addresses and you have an
IPSec policy that discards, encrypts or authenticates packets to the DNS, NIS or NIS+ server,
you must configure your system to resolve the address for the local hostname and the
loopback name using the /etc/hosts file.
Workaround: Configure the hostname resolution services as follows:
— In the /etc/nsswitch.conf file, specify files as the first database for resolving
hostnames. You can then specify other sources (such as DNS) as backup databases, as
shown in the example below:
hosts: files [NOTFOUND=continue] dns
— In the /etc/hosts file, add an entry for the local hostname mapped to its IP address,
and an entry for the IP address 127.0.0.1 mapped to localhost and loopback,
as shown in the example below:
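
An added example, not part of the HP release notes: a POSIX shell check that a given nsswitch.conf lists files first for hosts and that a hosts file carries the local hostname plus 127.0.0.1 mapped to localhost and loopback. The function names, the host name hpsrv1, the address 192.0.2.10 and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not HP code): checks the hostname-resolution workaround.

# first_hosts_source FILE: print the first database on the "hosts:" line.
first_hosts_source() {
    awk '{ sub(/#.*/, "") } $1 == "hosts:" { print $2; exit }' "$1"
}

# files_first FILE: succeed only if "files" is consulted first.
files_first() {
    [ "$(first_hosts_source "$1")" = "files" ]
}

# has_name FILE NAME [IP]: succeed if a hosts entry lists NAME,
# optionally only on the line for address IP.
has_name() {
    awk -v name="$2" -v ip="$3" '
        { sub(/#.*/, "") }
        NF >= 2 && (ip == "" || $1 == ip) {
            for (i = 2; i <= NF; i++) if ($i == name) found = 1
        }
        END { exit !found }' "$1"
}

# check_workaround NSSWITCH HOSTS HOSTNAME: the three conditions in the note.
check_workaround() {
    files_first "$1" || { echo "FAIL: files is not first in $1"; return 1; }
    has_name "$2" "$3" || { echo "FAIL: no entry for $3 in $2"; return 1; }
    { has_name "$2" localhost 127.0.0.1 && has_name "$2" loopback 127.0.0.1; } ||
        { echo "FAIL: 127.0.0.1 lacks localhost or loopback in $2"; return 1; }
    echo "OK"
}

# Constructed sample files; hpsrv1 and 192.0.2.10 are hypothetical values.
demo="${TMPDIR:-/tmp}/ipsec_hosts_demo.$$"
mkdir -m 700 "$demo" && trap 'rm -rf "$demo"' EXIT
printf 'hosts: files [NOTFOUND=continue] dns\n' > "$demo/nsswitch.good"
printf 'hosts: dns files\n' > "$demo/nsswitch.bad"
printf '192.0.2.10 hpsrv1\n127.0.0.1 localhost loopback\n' > "$demo/hosts.good"
check_workaround "$demo/nsswitch.good" "$demo/hosts.good" hpsrv1 || true
check_workaround "$demo/nsswitch.bad" "$demo/hosts.good" hpsrv1 || true
```

On a live system, call check_workaround with /etc/nsswitch.conf, /etc/hosts and the output of hostname before enabling a policy that covers the DNS, NIS or NIS+ server.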