HP-UX IPSec A.03.00 Release Notes
This document provides information about the A.03.00 release of HP-UX IPSec for HP-UX 11i
version 1 (B.11.11) and HP-UX 11i version 2 Update 2 (B.11.23).
Overview
The A.03.00 release of HP-UX IPSec contains the following changes:
• Defect fixes.
• Numerous enhancements to support IKE version 2 (IKEv2) and the IPsecv3 protocol
specifications. For more information, see “New and Changed Features”.
HP-UX IPSec
HP-UX IPSec provides transparent encryption for IP-based applications. It also enhances the
privacy of Internet communications. HP-UX IPSec supports PKI-based authentication, rule-based
access control, and the Internet Key Exchange (IKE) protocol. It also serves as a framework for
open standards networking, requires no application modification to take advantage of
network-level security and can be a component of the HP Virtual Private Network (VPN) solution.
New and Changed Features
The documentation reflects the following changes to the HP-UX IPSec product:
• “IKE Policy Changes”
— “Support for IKE Version 2”
— “IKEv1 and IKEv2 Policies Replace IKE Policies”
— “default IKEv1 and IKEv2 Policies”
— “The ipsec_config add ike Command is Deprecated”
— “IKE DES Encryption Is Obsolete”
— “IKEv1 Perfect Forward Secrecy with Keys Only”
— “IKE Support for Multiple Hash, Encryption, and Group Values”
— “IKE Support for Diffie-Hellman Groups 5 and 14”
— “IKE Support for AES128-CBC Encryption”
• “Authentication Record Changes”
— “Authentication Records are Mandatory”
— “Authentication Records Specify the IKE (Key Management Protocol) Version”
— “Authentication Records Include a Priority Value”
— “Authentication Records Support the AUTOCONF Flag”
— “Authentication Records Support Subtrees and Address Ranges for Remote ID Matching”
— “Hexadecimal Storage for Preshared Key Values Starting with 0x”
• “Host and Tunnel Policy Changes”
— “Nested Transforms and DES Transforms Are Obsolete”
— “Support for Fallback to Clear in Host Policies”
— “Support for Multiple Source and Destination Arguments in Host and Tunnel Policies”
— “Support for IP Address Ranges in Tunnel Policies”
— “Support for IP Address and Port Number Ranges in Host Policies”
— “Port Numbers and Services are Ignored in Tunnel Policies”
— “Support for ICMPv4 and ICMPv6 Type Codes in Host Policies”
— “Support for IPv6 Mobility Header Type Codes in Host Policies”