HP-UX IPSec A.03.01.01 Release Notes (HP-UX 11i Version 3)
New and changed features in A.03.00.00
The documentation reflects the following changes to the HP-UX IPSec product:
• “IKE policy changes” (page 9)
◦ “Support for IKE version 2” (page 9)
◦ “IKEv1 and IKEv2 policies replace IKE policies” (page 9)
◦ “default IKEv1 and IKEv2 policies” (page 9)
◦ “The ipsec_config add ike command is deprecated” (page 9)
◦ “IKE DES encryption is obsolete” (page 9)
◦ “IKEv1 Perfect Forward Secrecy supported with keys only” (page 10)
◦ “IKE support for multiple hash, encryption, and group values” (page 10)
◦ “IKE support for Diffie-Hellman groups 5 and 14” (page 10)
◦ “IKE support for AES128-CBC encryption” (page 10)
• “Authentication record changes” (page 10)
◦ “Authentication records are mandatory” (page 10)
◦ “Authentication records specify the IKE (key management protocol) version” (page 11)
◦ “Authentication records include a priority value” (page 10)
◦ “Authentication records support the AUTOCONF flag” (page 11)
◦ “Authentication records support subtrees and address ranges for remote ID matching” (page 11)
◦ “Hexadecimal storage for preshared key values starting with 0x” (page 11)
• “Host and tunnel policy changes” (page 11)
◦ “Nested transforms and DES transforms are obsolete” (page 11)
◦ “Support for fallback to clear in host policies” (page 11)
◦ “Support for multiple source and destination arguments in host and tunnel policies” (page 11)
◦ “Support for IP Address ranges in tunnel policies” (page 12)
◦ “Support for IP Address and port number ranges in host policies” (page 12)
◦ “Port numbers and services are ignored in tunnel policies” (page 12)
◦ “Support for ICMPv4 and ICMPv6 type codes in host policies” (page 12)
◦ “Support for IPv6 mobility header type codes in host policies” (page 12)
• “Certificate changes” (page 12)
◦ “The ipsec_config add cert command is deprecated” (page 12)
◦ “Support for 4096 bit key pairs for certificates” (page 12)
◦ “Support for PKCS#12 certificates” (page 12)
◦ “Certificate retrieval from LDAP directories” (page 13)
◦ “Support for multiple level Public Key Infrastructures” (page 13)
◦ “Certificate revocation list cron file change” (page 13)
• “Support for RFC 4301 security processing for ICMP errors” (page 13)
• “Profile file changes” (page 13)