HP-UX IPSec version A.02.00 Administrator's Guide

The default Oakley group (Diffie-Hellman group) is now 2.
Preshared keys are configured in authentication records.
Administrators can now configure preshared keys for remote subnets.
IKE ID parameters can now be configured for IKE negotiations when using
preshared keys.
Certificate IDs are configured as IKE ID information in authentication records. The
authentication records are indexed and searched by remote IP address. There is no
longer a certificate ID record for the local system (127.0.0.0).
•The ipsec_report utility supports the following new options:
-entity (used with the -audit option): The -entity option allows you to specify
one or more entities when displaying an audit file (-audit), so that you can
selectively display audit records logged by the specified entities.
-host: The -host option displays IPSec policies loaded by the policy daemon.
-ike: The -ike option displays IKE policies loaded by the policy daemon.
-gateway: The -gateway option displays gateway IPSec policies loaded by the
policy daemon.
-tunnel: The -tunnel option displays tunnel IPSec policies loaded by the policy
daemon.
The ipsec_report options -ipsec and -isakmp are still supported, but only for
backwards compatibility and are not documented. The ipsec_report option
-ipsec reports host IPSec policies (it is now equivalent to the -host option). The
ipsec_report option -isakmp reports IKE policies (it is now equivalent to the
-ike option).
•The ipsec_policy utility now allows you to specify a direction for the packet
parameters.
•The ipsec_admin utility supports the following new options to set general operating
parameters:
-spd_soft: The -spd_soft option allows you to specify the “soft” limit for the
size of the Security Policy Database (SPD). The SPD is the HP-UX IPSec
runtime policy database, with cached policy decisions for packet descriptors
(five-tuples consisting of exact, non-wildcard source IP address, destination IP
address, protocol, source port, and destination port).
-spd_hard: The -spd_hard option allows you to specify the “hard” limit for the
size of the SPD.
-spi_min: The -spi_min option allows you to specify the lower bound for
inbound, dynamic key Security Parameters Index (SPI) numbers.
-spi_max: The -spi_max option allows you to specify the upper bound for
inbound, dynamic key Security Parameters Index (SPI) numbers.
IPv6 IKE functionality, formerly provided by the daemon ikmpdv6, is now provided
by ikmpd. The ikmpdv6 daemon is no longer shipped with the product.