HP-UX IPSec A.03.00 Release Notes
• “Certificate Changes” (page 11)
— “The ipsec_config add cert Command is Deprecated” (page 11)
— “Support for 4096 Bit Key Pairs for Certificates” (page 12)
— “Support for PKCS#12 Certificates” (page 12)
— “Certificate Retrieval from LDAP Directories” (page 12)
— “Support for Multiple Level Public Key Infrastructures” (page 12)
— “Certificate Revocation List cron File Change” (page 12)
• “Support for RFC 4301 Security Processing for ICMP Errors” (page 12)
• “Profile File Changes” (page 12)
• “Mobile IPv6 Support Is Obsolete” (page 13)
• “Gateway Policies Are Obsolete” (page 13)
IKE Policy Changes
The following sections describe product changes related to IKE policies.
Support for IKE Version 2
HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1).
IKEv1 and IKEv2 Policies Replace IKE Policies
Policies for ike are replaced by ikev1 and ikev2 policies.
The migration utility converts each existing ike policy to an ikev1 policy as follows:
• The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a value for the IKE authentication method. The IKE authentication method is now specified in authentication records using the -local_method and -remote_method arguments.
• The maximum quick modes (-maxqm) value is converted to a value for perfect forward secrecy (PFS, -pfs). The ikev1 policies do not include a value for maximum quick modes. If the -maxqm value is 1, the migration utility creates an ikev1 policy with PFS ON. If the -maxqm value is greater than 1, the migration utility creates an ikev1 policy with PFS OFF.
default IKEv1 and IKEv2 Policies
The product includes preloaded IKEv1 and IKEv2 policies named default. You can modify
these policies, but cannot delete them. The default policies are always last in the search order.
The ipsec_config add ike Command is Deprecated
The ipsec_config add ike command and related commands (ipsec_config delete ike, ipsec_config show ike) are deprecated. These commands are still supported, but are no longer documented. The ipsec_config add ike command and related commands will become obsolete in a future release. HP recommends that you use the following commands instead:
• ipsec_config add ikev1
• ipsec_config delete ikev1
• ipsec_config show ikev1
If you use the ipsec_config add ike command, ipsec_config creates an IKEv1 policy
and processes the -auth and -maxqm arguments as described in “IKEv1 and IKEv2 Policies
Replace IKE Policies” (page 8).
To display or delete an IKEv1 policy created using the ipsec_config add ike command, use
the ipsec_config show ikev1 or ipsec_config delete ikev1 command.
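The following helper, added here as an example and not part of HP-UX IPSec or its migration utility, applies the ike-to-ikev1 mapping described under "IKEv1 and IKEv2 Policies Replace IKE Policies" and the command renaming described above to a batch of ipsec_config command lines, so an administrator can review what a deprecated ike command will become before running it. The policy names and -auth values in the sample batch are constructed; the helper assumes that a line without -maxqm gets no -pfs argument (the ikev1 default then applies), which the release notes do not specify.

```python
import shlex

# Deprecated ike subcommands that map one-to-one onto ikev1 subcommands.
DEPRECATED = ("add", "delete", "show")


def migrate_ike_command(cmd):
    """Rewrite one deprecated 'ipsec_config <add|delete|show> ike ...' line
    as its ikev1 equivalent.  For 'add', apply the migration rules from the
    release notes: drop -auth and its value (the authentication method is now
    set in authentication records with -local_method/-remote_method) and turn
    -maxqm into -pfs (1 -> ON, >1 -> OFF).  All other tokens pass through.
    Lines that are not deprecated ike commands are returned unchanged."""
    tokens = shlex.split(cmd)
    if (len(tokens) < 3 or tokens[0] != "ipsec_config"
            or tokens[1] not in DEPRECATED or tokens[2] != "ike"):
        return cmd
    out = ["ipsec_config", tokens[1], "ikev1"]
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tokens[1] == "add" and tok == "-auth":
            i += 2  # skip the flag and its value: ikev1 policies carry no auth method
            continue
        if tokens[1] == "add" and tok == "-maxqm":
            try:
                maxqm = int(tokens[i + 1])
            except (IndexError, ValueError):
                raise ValueError("-maxqm requires an integer value: %r" % cmd)
            if maxqm < 1:
                raise ValueError("-maxqm must be 1 or greater: %r" % cmd)
            out += ["-pfs", "ON" if maxqm == 1 else "OFF"]
            i += 2
            continue
        out.append(tok)
        i += 1
    # Assumption: with no -maxqm present, no -pfs is emitted and the ikev1
    # default applies; the release notes do not describe this case.
    return " ".join(out)


def migrate_batch(lines):
    """Convert a batch file of ipsec_config commands line by line."""
    return [migrate_ike_command(line) for line in lines]


if __name__ == "__main__":
    # Constructed sample batch; names and -auth values are illustrative only.
    sample = [
        "ipsec_config add ike hq_gw -auth PSK -maxqm 1",
        "ipsec_config add ike branch_gw -auth PSK -maxqm 10",
        "ipsec_config show ike hq_gw",
        "ipsec_config add ikev2 new_policy",
    ]
    for line in migrate_batch(sample):
        print(line)
```

Because -auth is dropped, each converted policy still needs its authentication method re-specified in an authentication record before the policy is usable.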
8