Manualshelf

HP-UX IPSec A.03.00 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
12345678910
The ipsec_config utility now supports the following commands for IKEv2 records:
ipsec_config add ikev2
ipsec_config delete ikev2
ipsec_config show ikev2
IKE DES Encryption Is Obsolete
HP-UX IPSec no longer supports DES encryption for IKEv1 SAs. If an existing IKE policy has
DES encryption configured, the migration utility converts the DES value to the default IKEv1
encryption algorithm in the profile file (3DES). The migration utility also converts the policy
type to IKEv1 and displays a warning.
If you are using an IKE policy with DES encryption to communicate with peers that still support
DES, you must modify the peer configuration to use 3DES or an alternate algorithm.
NOTE: RFC 4772 deprecates DES. DES is susceptible to brute-force attacks.
IKEv1 Perfect Forward Secrecy with Keys Only
HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only. This
enables IKE to reuse an existing IKE SA to negotiate a new IPsec SA pair and establish new
keying information when negotiating the IPsec SA pair.
In releases prior to A.03.00, HP-UX IPSec provided a form of PFS when the IKE maximum quick
modes value (-maxqm) was 1. This form of PFS used key and identity protection and required
IKE to establish a new IKE SA for each IPsec SA pair negotiated.
Do not enable PFS for negotiations with systems using an HP-UX IPSec release prior to A.03.00.
IKE Support for Multiple Hash, Encryption, and Group Values
IKEv1 and IKEv2 policies support multiple values for IKE hash, encryption, and Diffie-Hellman
(Oakley) group parameters.
IKE Support for Diffie-Hellman Groups 5 and 14
IKEv1 and IKEv2 policies support Diffie-Hellman groups 5 and 14.
IKE Support for AES128-CBC Encryption
IKEv1 and IKEv2 policies support AES128-CBC encryption.
Authentication Record Changes
The following sections describe product changes related to authentication records.
Authentication Records are Mandatory
In releases prior to A.03.00, authentication records were optional when the following conditions
were true:
the exchange mode was Main Mode (MM)
the authentication method was RSA signatures (RSASIG)
the local and remote nodes were not multihomed
the local and remote nodes used IPv4 addresses for IKE IDs
Authentication records are now mandatory for all peers. You can configure one authentication
record for multiple peers.
If you have a configuration from a prior release that does not have an authentication record for
all peers, you must create authentication records for all peers. The migration utility does not
create authentication records.
New and Changed Features 9