HP-UX IPSec version A.02.00 Administrator's Guide

HP-UX IPSec Configuration Examples
Example 2: Authenticated ESP with Exceptions
Appendix C
Carrot Configuration
The ipsec_config batch file on Carrot contains the following entries.
Host IPSec Policies
You configure four host IPSec policies on Carrot.
1. potato: applies ESP-AES-HMAC-SHA1 (authenticated ESP with 128-bit
AES) to all packets to and from system Potato (193.3.3.3).
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to
pass in clear text. Notice how the 192.1.1.* network is specified in
the filter: the remote IP address is 192.1.1.0 and the prefix length is
24. The prefix length specifies the number of bits in the packet
address, beginning with the most significant bit, that must match the
configured remote IP address; with a prefix length of 24, any remote
address from 192.1.1.0 through 192.1.1.255 matches this filter.
add host pass_icmp -destination 192.1.1.0/24 \
-protocol ICMP -priority 30 -action pass
3. aes_lan: applies ESP-AES-HMAC-SHA1 authenticated ESP to all
packets in the 192.1.1.* network.
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
4. default: You modify the default host IPSec policy to discard all
other packets. To modify the default host IPSec policy, you must
delete the existing policy, then re-add it with the new action.
# to modify the default host policy, you must delete
# the existing default policy, then re-add it
delete host default
add host default -action DISCARD
Policy Priority
Note the priority of the pass_icmp policy (30) and the aes_lan policy
(40). The pass_icmp policy MUST have a lower order number (higher
priority) than the aes_lan policy. Internal ICMP packets match the
filters of both pass_icmp and aes_lan, and IPSec applies the matching
policy with the lowest order number, so assigning pass_icmp the lower
order number causes IPSec to select pass_icmp rather than aes_lan for
those packets. If the order were reversed, aes_lan would be selected
first and the internal ICMP traffic would be sent with ESP instead of
in clear text.
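The following Python program is an added example, not part of the HP-UX IPSec guide and not HP's ipsec_config implementation. It models the host-policy selection the example above depends on: policies are checked in ascending order of their priority number, the first whose filter matches a packet's remote address (prefix-length comparison from the most significant bit) and protocol is applied, and the default policy (which has no priority number) is checked last. The batch-file text is Carrot's from this example; the second, misordered batch file is constructed here to show what happens when pass_icmp is given a higher order number than aes_lan. The parser understands only the options used on this page (-destination, -protocol, -priority, -action) and starts with an empty policy table, so the delete step is a no-op in the model, unlike on a real system where the default policy already exists.

```python
"""Model of HP-UX IPSec host-policy selection for the Carrot example.

Added example: it imitates the first-match rule described in the guide
(lowest order number checked first, default policy last) and is not
HP's code. Only the ipsec_config options used on the page are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Carrot's batch file as given in the example, including the delete step
# the text requires before the default policy is re-added.
CARROT_BATCH = """\
add host potato -destination 193.3.3.3 -priority 20 \\
    -action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \\
    -protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \\
    -priority 40 -action ESP_AES128_HMAC_SHA1
# to modify the default host policy, you must delete
# the existing default policy, then re-add it
delete host default
add host default -action DISCARD
"""

# Constructed variant: pass_icmp moved behind aes_lan (50 > 40). This is
# the misconfiguration the Policy Priority note warns about.
MISORDERED_BATCH = CARROT_BATCH.replace("-priority 30", "-priority 50")


@dataclass(frozen=True)
class HostPolicy:
    name: str
    action: str
    priority: Optional[int] = None  # None: the default policy, checked last
    destination: Optional[ipaddress.IPv4Network] = None  # None: any remote address
    protocol: Optional[str] = None  # None: any protocol


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop '#' comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield joined


def parse_batch(text: str) -> Dict[str, HostPolicy]:
    """Build the policy table from 'add host' / 'delete host' entries."""
    policies: Dict[str, HostPolicy] = {}
    for line in _logical_lines(text):
        verb, kind, name, *opts = line.split()
        if kind != "host":
            raise ValueError(f"only host policies are modelled: {line}")
        if verb == "delete":
            policies.pop(name, None)  # no-op in the model if absent
            continue
        if verb != "add":
            raise ValueError(f"unsupported operation: {line}")
        if name in policies:
            raise ValueError(f"policy {name} exists; delete it before re-adding")
        fields = dict(zip(opts[::2], opts[1::2]))
        policies[name] = HostPolicy(
            name=name,
            action=fields["-action"],
            priority=int(fields["-priority"]) if "-priority" in fields else None,
            # A bare address such as 193.3.3.3 becomes a /32 network, so the
            # same containment test covers single hosts and 192.1.1.0/24.
            destination=(ipaddress.IPv4Network(fields["-destination"])
                         if "-destination" in fields else None),
            protocol=fields.get("-protocol"),
        )
    return policies


def select_policy(policies: Dict[str, HostPolicy], remote_ip: str,
                  protocol: str) -> HostPolicy:
    """Return the first matching policy in ascending priority order.

    The default policy (priority None) sorts after every numbered policy.
    Address matching is prefix-based: the leading prefix-length bits of the
    packet address must equal the configured remote address.
    """
    addr = ipaddress.IPv4Address(remote_ip)
    ordered = sorted(policies.values(),
                     key=lambda p: (p.priority is None, p.priority or 0))
    for pol in ordered:
        if pol.destination is not None and addr not in pol.destination:
            continue
        if pol.protocol is not None and pol.protocol != protocol:
            continue
        return pol
    raise LookupError("no policy matched and no default policy is configured")


def decide(batch_text: str, remote_ip: str, protocol: str) -> Tuple[str, str]:
    """Convenience wrapper: (policy name, action) for one packet."""
    pol = select_policy(parse_batch(batch_text), remote_ip, protocol)
    return pol.name, pol.action


if __name__ == "__main__":
    for batch, label in ((CARROT_BATCH, "as documented"),
                         (MISORDERED_BATCH, "pass_icmp behind aes_lan")):
        print(label)
        for ip, proto in (("192.1.1.5", "ICMP"), ("192.1.1.5", "TCP"),
                          ("193.3.3.3", "ICMP"), ("192.1.2.7", "ICMP")):
            print(f"  {proto:4} -> {ip:12} : {decide(batch, ip, proto)}")
```

Running the block shows the documented ordering sending internal ICMP in the clear under pass_icmp while TCP on the same subnet gets aes_lan, 192.1.2.7 falling through to the DISCARD default because its third octet differs within the first 24 bits, and the misordered variant silently wrapping the ICMP traffic in ESP under aes_lan.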