HP-UX IPSec A.03.00.01 Release Notes (HP-UX 11i Version 3)

Hexadecimal storage for preshared key values starting with 0x
The ipsec_config utility now stores preshared key values that start with 0x as hexadecimal values. (In releases prior to A.03.00, ipsec_config stored all preshared key values as ASCII strings.)
This change can cause configuration mismatches with previous HP-UX IPSec versions. For example, if an HP-UX IPSec A.03.00 system and an HP-UX IPSec A.02.00 system both configure the value 0x123 for a preshared key, IKE negotiations will fail.
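As an added illustration (not part of the HP-UX release notes and not ipsec_config's own code), the following Python models the two interpretations of a preshared key value and flags the values that would mismatch between an A.02.00 peer and an A.03.00 peer. The zero-padding of an odd number of hex digits and the rejection of non-hex digits after 0x are assumptions, not documented ipsec_config behaviour.

```python
import re

def key_material(value: str, release: str) -> bytes:
    """Raw preshared key bytes a given HP-UX IPSec release would store for VALUE.

    release "A.02" models A.02.00: every value is stored as an ASCII string.
    release "A.03" models A.03.00: a value starting with 0x is stored as hex.
    """
    if release.startswith("A.03") and value.startswith("0x"):
        digits = value[2:]
        # Assumption: anything after 0x must be hex digits; the notes do not
        # say what ipsec_config does otherwise, so this model rejects it.
        if not re.fullmatch(r"[0-9a-fA-F]+", digits):
            raise ValueError(f"not a valid hexadecimal preshared key: {value!r}")
        # Assumption: an odd digit count is left-padded with one zero nibble.
        if len(digits) % 2:
            digits = "0" + digits
        return bytes.fromhex(digits)
    return value.encode("ascii")

def mixed_version_mismatch(value: str) -> bool:
    """True when an A.02.00 peer and an A.03.00 peer configured with the same
    literal VALUE derive different key bytes, which makes IKE negotiation fail."""
    return key_material(value, "A.02") != key_material(value, "A.03")

def at_risk_keys(keys: dict) -> list:
    """Names of the peers whose configured preshared key would mismatch in a
    mixed A.02.00 / A.03.00 deployment; KEYS maps a peer name to its value."""
    return [name for name, value in keys.items() if mixed_version_mismatch(value)]

if __name__ == "__main__":
    # Constructed sample values, not keys from any real configuration.
    sample = {"hostA": "0x123", "hostB": "mysecret", "hostC": "0xdeadbeef"}
    for name in at_risk_keys(sample):
        print(f"{name}: preshared key {sample[name]!r} is stored as "
              f"{key_material(sample[name], 'A.03').hex()} on A.03.00 but as "
              f"ASCII {key_material(sample[name], 'A.02')!r} on A.02.00")
```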
Host and tunnel policy changes
The following sections describe product changes related to host and tunnel policies.
Nested transforms and DES transforms are obsolete
Nested transforms and all transforms using DES are obsolete. The migration utility replaces any DES transforms (actions) in host or tunnel policies with the default actions in the /var/adm/ipsec/.ipsec_profile file. For host policies, the default action is DISCARD. For tunnel policies, the default action is the ESP_AES128_HMAC_SHA1 transform.
Support for fallback to clear in host policies
Host policies now support the flag FALLBACK_TO_CLEAR. This flag enables you to configure a host policy to secure packets if the peer supports IPsec and to allow packets to pass in clear text (fallback to clear) if IKE requests to the remote system fail, or if the remote system initiates packets in clear text.

This feature is useful when configuring host policies for remote subnets where not all nodes in the subnet support IPsec.
WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets from non-secure nodes to reach the local system, so traffic that the policy was meant to protect may be exchanged in clear text.
Support for multiple source and destination arguments in host and tunnel policies
You can specify up to 20 instances of the -source and -destination arguments in the ipsec_config add host and ipsec_config add tunnel commands.

This feature is not supported with manual keys.
Support for IP Address and port number ranges in host policies
You can specify IP address or port number ranges in the source and destination arguments (-source and -destination) for IPsec host policies.

This feature is not supported with manual keys.
Support for IP Address ranges in tunnel policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source and -destination) for IPsec tunnel policies.
Port numbers and services are ignored in tunnel policies
Port numbers and service names are ignored in the end-to-end source and destination arguments for IPsec tunnel policies. They are no longer documented.
New and changed features in A.03.00.00 11