HP-UX IPSec A.03.00.01 Release Notes (HP-UX 11i Version 3)
• “Host and tunnel policy changes” (page 11)
◦ “Nested transforms and DES transforms are obsolete” (page 11)
◦ “Support for fallback to clear in host policies” (page 11)
◦ “Support for multiple source and destination arguments in host and tunnel policies” (page 11)
◦ “Support for IP Address ranges in tunnel policies” (page 11)
◦ “Support for IP Address and port number ranges in host policies” (page 11)
◦ “Port numbers and services are ignored in tunnel policies” (page 11)
◦ “Support for ICMPv4 and ICMPv6 type codes in host policies” (page 12)
◦ “Support for IPv6 mobility header type codes in host policies” (page 12)
• “Certificate changes” (page 12)
◦ “The ipsec_config add cert command is deprecated” (page 12)
◦ “Support for 4096 bit key pairs for certificates” (page 12)
◦ “Support for PKCS#12 certificates” (page 12)
◦ “Certificate retrieval from LDAP directories” (page 12)
◦ “Support for multiple level Public Key Infrastructures” (page 12)
◦ “Certificate revocation list cron file change” (page 13)
• “Support for RFC 4301 security processing for ICMP errors” (page 13)
• “Profile file changes” (page 13)
• “Mobile IPv6 support is obsolete” (page 13)
• “Gateway policies are obsolete” (page 13)
IKE policy changes
The following sections describe product changes related to IKE policies.
Support for IKE version 2
HP-UX IPSec now supports IKE version 2 (IKEv2) in addition to IKE version 1 (IKEv1).
IKEv1 and IKEv2 policies replace IKE policies
The ike policy type is replaced by the ikev1 and ikev2 policy types.
The migration utility converts each existing ike policy to an ikev1 policy as follows:
• The IKE authentication (-auth) value is ignored. The ikev1 policies do not include a value
for the IKE authentication method. The IKE authentication method is now specified in
authentication records using the -local_method and -remote_method arguments.
• The maximum quick modes (-maxqm) value is converted to a value for perfect forward secrecy
(PFS, -pfs). The ikev1 policies do not include a value for maximum quick modes. If the
-maxqm value is 1, the migration utility creates an ikev1 policy with PFS ON. If the -maxqm
value is greater than 1, the migration utility creates an ikev1 policy with PFS OFF.
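The two conversion rules above, modelled as an added example (this is not the HP-UX migration utility's code). It assumes a legacy ike policy is represented as a dict of ipsec_config-style argument names and values; the `-remote` argument and the post-migration review helper are hypothetical, and the sample policies are constructed.

```python
# Model of the ike -> ikev1 policy migration described in the release notes.
# Assumption: a policy is a dict keyed by ipsec_config-style argument names.
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, str]


def migrate_ike_policy(ike: Policy) -> Tuple[Policy, Optional[str]]:
    """Convert one legacy ike policy into an ikev1 policy.

    Returns the ikev1 policy plus the dropped -auth value (None if absent):
    ikev1 policies carry no authentication method, so the administrator must
    re-enter it in an authentication record (-local_method / -remote_method).
    """
    if "-maxqm" not in ike:
        raise ValueError("legacy ike policy has no -maxqm value")
    maxqm = int(ike["-maxqm"])
    if maxqm < 1:
        raise ValueError("-maxqm must be a positive integer")
    # Copy every argument except the two that do not exist in ikev1 policies.
    ikev1: Policy = {k: v for k, v in ike.items() if k not in ("-auth", "-maxqm")}
    # One quick mode per IKE SA means a fresh key exchange per IPsec SA: PFS ON.
    # More than one quick mode per IKE SA maps to PFS OFF.
    ikev1["-pfs"] = "ON" if maxqm == 1 else "OFF"
    return ikev1, ike.get("-auth")


def review_migration(policies: Dict[str, Policy]) -> List[str]:
    """Hypothetical post-migration audit: list what an administrator must check."""
    findings: List[str] = []
    for name, ike in policies.items():
        ikev1, dropped_auth = migrate_ike_policy(ike)
        if ikev1["-pfs"] == "OFF":
            findings.append(f"{name}: migrated with -pfs OFF (was -maxqm {ike['-maxqm']}); "
                            "IPsec SA keys will not get a fresh exchange, review")
        if dropped_auth is not None:
            findings.append(f"{name}: -auth {dropped_auth} dropped; set -local_method/"
                            "-remote_method in an authentication record")
    return findings


# Constructed sample of two legacy ike policies (not from a real system).
SAMPLE: Dict[str, Policy] = {
    "branch_vpn": {"-maxqm": "1", "-auth": "PSK", "-remote": "192.0.2.10"},
    "hub_vpn": {"-maxqm": "10", "-remote": "198.51.100.0/24"},
}

if __name__ == "__main__":
    for line in review_migration(SAMPLE):
        print(line)
```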
8 New and changed features