HP-UX IPSec A.03.00.01 Release Notes (HP-UX 11i Version 3)

default IKEv1 and IKEv2 policies
The product includes preloaded IKEv1 and IKEv2 policies named default. You can modify these
policies, but cannot delete them. The default policies are always last in the search order.
The ipsec_config add ike command is deprecated
The ipsec_config add ike command and related commands (ipsec_config delete ike,
ipsec_config show ike) are deprecated. These commands are still supported, but not
documented. The ipsec_config add ike command and related commands will be obsolete in
future releases. HP recommends that you use the following commands instead:
ipsec_config add ikev1
ipsec_config delete ikev1
ipsec_config show ikev1
If you use the ipsec_config add ike command, ipsec_config creates an IKEv1 policy
and processes the -auth and -maxqm arguments as described in “IKEv1 and IKEv2 policies
replace IKE policies” (page 8).
To display or delete an IKEv1 policy created using the ipsec_config add ike command, use
the ipsec_config show ikev1 or ipsec_config delete ikev1 command.
The ipsec_config utility now supports the following commands for IKEv2 records:
ipsec_config add ikev2
ipsec_config delete ikev2
ipsec_config show ikev2
IKE DES encryption is obsolete
HP-UX IPSec no longer supports DES encryption for IKEv1 SAs. If an existing IKE policy has DES
encryption configured, the migration utility converts the DES value to the default IKEv1 encryption
algorithm in the profile file (3DES). The migration utility also converts the policy type to IKEv1 and
displays a warning.
If you are using an IKE policy with DES encryption to communicate with peers that still support
DES, you must modify the peer configuration to use 3DES or an alternate algorithm.
NOTE: RFC 4772 deprecates DES. DES is susceptible to brute-force attacks.
IKEv1 Perfect Forward Secrecy supported with keys only
HP-UX IPSec now supports IKE Perfect Forward Secrecy (PFS) with key protection only. This enables
IKE to reuse an existing IKE SA to negotiate a new IPsec SA pair and establish new keying
information when negotiating the IPsec SA pair.
In releases prior to A.03.00, HP-UX IPSec provided a form of PFS when the IKE maximum quick
modes value (-maxqm) was 1. This form of PFS used key and identity protection and required IKE
to establish a new IKE SA for each IPsec SA pair negotiated.
Do not enable PFS for negotiations with systems using an HP-UX IPSec release prior to A.03.00.
IKE support for multiple hash, encryption, and group values
IKEv1 and IKEv2 policies support multiple values for IKE hash, encryption, and Diffie-Hellman
(Oakley) group parameters.
IKE support for Diffie-Hellman groups 5 and 14
IKEv1 and IKEv2 policies support Diffie-Hellman groups 5 and 14.
New and changed features in A.03.00.00 9