HP-UX IPSec version A.02.00 Administrator's Guide
Configuring HP-UX IPSec
Step 1: Configuring Host IPSec Policies
Host IPSec policies specify HP-UX IPSec behavior for IP packets sent or
received by the local system as an end host. Each host IPSec policy
includes address specifications used to select the host IPSec policy for a
packet, and the action for packets using the policy: pass the packets in
clear text, discard the packets, or apply an IPSec transform (AH or ESP)
to the packets.
If the host policy is for an end host in a host-to-host tunnel topology or an
end host in a host-to-gateway topology, the host policy includes a
reference to a tunnel policy.
HP recommends that you use an ipsec_config batch file to configure
host IPSec policies.
Policy Order and Selection
When an IPSec system sends a packet or receives a packet for an address
on the local system, HP-UX IPSec searches the host IPSec policies
according to the value of the priority parameter for each policy and
selects the first policy with address, protocol and port specifications that
match the packet. HP-UX IPSec then takes the action specified in the
selected host IPSec policy.
default Host IPSec Policy
The HP-UX IPSec configuration database includes a host IPSec policy
named default. HP-UX IPSec uses the default host IPSec policy for a
packet if no other host IPSec policies match the packet. The default
host IPSec policy allows packets to pass in clear text. You cannot delete
the default host IPSec policy, or modify any argument values except the
value for its behavior (the action argument). Use the following
command to change the default host IPSec policy so that it discards packets:
ipsec_config add host default -action DISCARD
To change back the behavior of the default host IPSec policy to pass
packets in clear text, use the following command:
ipsec_config add host default -action PASS
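The selection rule described under "Policy Order and Selection" and the role of the default policy can be modelled in a few lines. The following Python is an added illustration, not code from HP or from the HP-UX IPSec product: it assumes a host policy is matched on source address, destination address, protocol and destination port, that a smaller priority value is searched first (an assumption about the priority parameter), and that only PASS and DISCARD are legal actions for the default policy. Policy names, addresses and packets below are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: the fields a host policy is matched on."""
    src: str
    dst: str
    protocol: str               # e.g. "TCP", "UDP", "ICMP"
    dport: Optional[int] = None


@dataclass
class HostPolicy:
    """Model of a host IPSec policy: selectors plus an action (PASS, DISCARD, AH, ESP)."""
    name: str
    priority: int               # assumption: lower value is searched first
    action: str
    src: Optional[str] = None   # CIDR; None matches any address
    dst: Optional[str] = None
    protocol: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# The built-in default policy: cannot be deleted, only its action may change.
DEFAULT_POLICY = HostPolicy(name="default", priority=65535, action="PASS")


def set_default_action(action: str, default: HostPolicy = DEFAULT_POLICY) -> HostPolicy:
    """Equivalent of 'ipsec_config add host default -action PASS|DISCARD'."""
    if action not in ("PASS", "DISCARD"):
        raise ValueError("default policy accepts only PASS or DISCARD")
    default.action = action
    return default


def select_policy(policies: List[HostPolicy], pkt: Packet,
                  default: HostPolicy = DEFAULT_POLICY) -> HostPolicy:
    """Search policies in priority order and return the first one whose
    selectors match the packet; fall back to the default policy."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(pkt):
            return policy
    return default


# Constructed sample policy set: protect telnet to the LAN with ESP,
# pass the rest of the LAN in clear text, everything else hits default.
SAMPLE_POLICIES = [
    HostPolicy("lan_clear", priority=200, action="PASS", dst="10.0.0.0/24"),
    HostPolicy("lan_telnet_esp", priority=100, action="ESP",
               dst="10.0.0.0/24", protocol="TCP", dport=23),
]


def action_for(pkt: Packet, policies: List[HostPolicy] = SAMPLE_POLICIES) -> str:
    return select_policy(policies, pkt).action


if __name__ == "__main__":
    print(action_for(Packet("10.0.0.9", "10.0.0.5", "TCP", 23)))   # ESP
    print(action_for(Packet("10.0.0.9", "10.0.0.5", "TCP", 80)))   # PASS
    print(action_for(Packet("10.0.0.9", "192.0.2.7", "UDP", 53)))  # PASS (default)
    set_default_action("DISCARD")
    print(action_for(Packet("10.0.0.9", "192.0.2.7", "UDP", 53)))  # DISCARD
```

The point the model makes explicit is that priority, not listing order, decides which policy wins: lan_telnet_esp is listed second but is searched first because of its lower priority value, and a packet that no policy covers is governed entirely by the default policy's action, which is why switching the default to DISCARD turns the host into a deny-by-default system.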