HP-UX IPSec version A.02.00 Administrator's Guide

Configuring HP-UX IPSec
Step 1: Configuring Host IPSec Policies
Chapter 3 75
-action
The action argument specifies the action HP-UX IPSec will perform on
packets using this policy. The action must be PASS (pass in clear text) if
this is an end system in a host-to-host tunnel topology.
Default: The action defined for the action parameter in the
HostPolicy-Defaults section of the profile file in use. The default definition
for action is DISCARD. Note that this differs from the product's shipped
default host IPSec policy, which specifies -action PASS: a host policy you add
without an explicit -action inherits DISCARD from the profile unless the
profile overrides it.
PASS     Allow packets using this host IPSec policy to pass in clear text
         with no alteration. The default host IPSec policy shipped with the
         product specifies -action PASS.
DISCARD  Discard packets using this host IPSec policy.
transform_list
A transform specifies the IPSec authentication and encryption applied to
packets using AH (Authentication Header) and ESP (Encapsulating Security
Payload) headers. A transform list specifies the transforms acceptable for
packets using the policy. The HP-UX IPSec IKE daemon proposes the transform
list when negotiating the transform for IPSec Security Associations (SAs)
with a remote system.
The transforms in a host policy transform list are transport transforms and
apply to the host-to-host SA (end-to-end or transport SA) between the source
and destination addresses.
If you are using dynamic keys, the transform list can contain:
• up to 2 AH transforms
• up to 8 ESP transforms, including Authenticated ESP transforms
• one nested AH and ESP transform (ESP nested inside of AH)
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant: the first
transform is the most preferred and the last transform is the least
preferred. At least one transform must match a transform configured on the
remote system, otherwise the SA cannot be negotiated.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
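The list grammar and the dynamic-key limits above are easy to get wrong by hand, so the following checker applies them to a transform list string before it goes into a policy. It is an added example for this page, not HP-UX code: it does not run ipsec_config or talk to the IKE daemon, and it only enforces the rules stated above (comma-separated entries, name[/seconds[/kbytes]], order equals preference, at most 2 AH, 8 ESP and 1 nested transform). The transform names it uses (AH_SHA1, AH_MD5, ESP_3DES_HMAC_SHA1, ESP_AES128_HMAC_SHA1) and the AH_x+ESP_y spelling of a nested transform are assumptions for illustration; take the real names from the product's transform table.

```python
"""Parse and sanity-check an HP-UX IPSec host-policy transform list.

Added example for this guide, not HP-UX code. It applies only the rules
stated in the guide's description of transform_list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_AH, MAX_ESP, MAX_NESTED = 2, 8, 1   # dynamic-key limits from the guide

# ASSUMPTION: transform names start with AH_ or ESP_, and a nested
# "ESP inside AH" transform is written here as AH_x+ESP_y.
NAME_RE = re.compile(r"^(AH|ESP)_[A-Z0-9_]+$")


@dataclass(frozen=True)
class Transform:
    name: str
    kind: str                         # "AH", "ESP" or "NESTED"
    lifetime_seconds: Optional[int]   # None when not given
    lifetime_kbytes: Optional[int]    # None when not given


def parse_transform(spec: str) -> Transform:
    """Parse one "name[/seconds[/kbytes]]" element; raise ValueError on junk."""
    parts = spec.strip().split("/")
    if len(parts) > 3:
        raise ValueError(f"too many '/' fields in {spec!r}")
    name = parts[0]
    if "+" in name:                                   # assumed nested notation
        outer, inner = name.split("+", 1)
        if not (outer.startswith("AH_") and inner.startswith("ESP_")
                and NAME_RE.match(outer) and NAME_RE.match(inner)):
            raise ValueError(f"nested transform must be AH_x+ESP_y: {spec!r}")
        kind = "NESTED"
    elif NAME_RE.match(name):
        kind = name.split("_", 1)[0]                  # "AH" or "ESP"
    else:
        raise ValueError(f"unrecognised transform name {name!r}")
    lifetimes: List[Optional[int]] = [None, None]
    for i, field in enumerate(parts[1:]):             # seconds, then kbytes
        if not field.isdigit() or int(field) == 0:
            raise ValueError(f"lifetime must be a positive integer: {spec!r}")
        lifetimes[i] = int(field)
    return Transform(name, kind, lifetimes[0], lifetimes[1])


def parse_transform_list(text: str) -> List[Transform]:
    """Split on commas, keep order (first = most preferred), enforce limits."""
    specs = [s for s in text.split(",") if s.strip()]
    if not specs:
        raise ValueError("transform list is empty")
    transforms = [parse_transform(s) for s in specs]
    counts = {"AH": 0, "ESP": 0, "NESTED": 0}
    for t in transforms:
        counts[t.kind] += 1
    for kind, limit in (("AH", MAX_AH), ("ESP", MAX_ESP), ("NESTED", MAX_NESTED)):
        if counts[kind] > limit:
            raise ValueError(f"{counts[kind]} {kind} transforms, limit is {limit}")
    return transforms


def validate(text: str) -> List[str]:
    """Return error messages for a transform list (empty when acceptable)."""
    try:
        parse_transform_list(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def select_transform(local: str, remote: str) -> Optional[str]:
    """Model the preference rule only: the first transform in OUR order whose
    name the remote side also lists. Lifetime reconciliation and the peer's
    own ordering are left to the IKE daemon and are not modelled here."""
    remote_names = {t.name for t in parse_transform_list(remote)}
    for t in parse_transform_list(local):
        if t.name in remote_names:
            return t.name
    return None


if __name__ == "__main__":
    # Constructed sample: AES first, 3DES as a fallback, AH-only last.
    sample = "ESP_AES128_HMAC_SHA1/28800/100000,ESP_3DES_HMAC_SHA1/28800,AH_SHA1"
    for t in parse_transform_list(sample):
        print(t)
    print(validate("AH_MD5,AH_SHA1,AH_MD5"))       # third AH exceeds the limit
    print(select_transform(sample, "AH_SHA1,ESP_3DES_HMAC_SHA1"))
```

validate returns the first rule violated rather than every one, which is enough to reject a bad list before it reaches the policy; select_transform shows why order matters (our first acceptable entry wins) but is not a model of the IKE exchange itself.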