HP-UX IPSec version A.02.00 Administrator's Guide

Configuring HP-UX IPSec
Step 1: Configuring Host IPSec Policies
CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds (0) with a finite value for lifetime_kbytes.

-flags flags
The flags are additional options for this policy. Join multiple flags with a plus sign (+).
Table 3-3 ipsec_config add host Flags

Flag        Description

EXCLUSIVE   Specifies session-based keying. Session-based keying uses a
            different pair of IPSec/QM SAs per connection or session. Only
            packets with the same source IP address, destination IP address,
            network protocol, source port, and destination port will use the
            same IPSec/QM SA. Session-based keying incurs more overhead but
            provides more security and privacy. If you do not specify
            session-based keying, all packets using the same IPSec policy to
            the same remote node will share the same IPSec/QM SA pair and
            cryptography keys.
            You cannot specify the EXCLUSIVE flag if you are using manual
            keys, or the action is PASS or DISCARD.

MIPV6       Specifies that this IPSec policy is used for Mobile IPv6 packets.
            HP-UX IPSec checks the Mobile IPv6 binding cache for routing
            information. (This flag does not specify or affect any protocol
            specification for the source or destination address filter used
            when selecting the IPSec policy for a packet.)
            If you specify the MIPV6 flag, you must use manual keys (use -in
            and -out arguments).
            You cannot specify the MIPV6 flag with IPv4 addresses in the
            source and destination arguments.

NONE        No flags.
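
The restrictions in Table 3-3 can be checked before a policy is entered. The following Python sketch is an added example, not part of the HP guide or of HP-UX IPSec; the function names, parameters, the TRANSFORM placeholder action and the sample addresses are assumptions made for illustration.

```python
import ipaddress

KNOWN_FLAGS = {"EXCLUSIVE", "MIPV6", "NONE"}  # the flags listed in Table 3-3

def is_ipv4(addr):
    """True if the address part (text before any "/") parses as IPv4."""
    try:
        return ipaddress.ip_address(addr.split("/")[0]).version == 4
    except ValueError:
        return False

def check_flags(flags, action, manual_keys, source, destination):
    """Return the Table 3-3 rules a proposed host policy would break.

    All parameters are hypothetical inputs to this checker: flags is the
    -flags value, action the policy action, manual_keys is True when the
    policy uses manual keys (-in/-out), source/destination the addresses.
    """
    # Flags are joined with "+"; names are compared exactly as the table spells them.
    names = [f for f in flags.split("+") if f]
    problems = ["unknown flag: " + n for n in names if n not in KNOWN_FLAGS]
    if "EXCLUSIVE" in names:
        if manual_keys:
            problems.append("EXCLUSIVE cannot be used with manual keys")
        if action in ("PASS", "DISCARD"):
            problems.append("EXCLUSIVE cannot be used with action " + action)
    if "MIPV6" in names:
        if not manual_keys:
            problems.append("MIPV6 requires manual keys (-in and -out)")
        if is_ipv4(source) or is_ipv4(destination):
            problems.append("MIPV6 cannot be used with IPv4 addresses")
    return problems

if __name__ == "__main__":
    # Constructed sample policies using documentation address ranges.
    # "TRANSFORM" is a placeholder for any action other than PASS or DISCARD.
    samples = [
        ("EXCLUSIVE", "DISCARD", False, "192.0.2.10", "192.0.2.20"),
        ("MIPV6", "TRANSFORM", True, "2001:db8::1", "192.0.2.20"),
        ("EXCLUSIVE+MIPV6", "TRANSFORM", True, "2001:db8::1", "2001:db8::2"),
        ("EXCLUSIVE", "TRANSFORM", False, "192.0.2.10", "192.0.2.20"),
    ]
    for s in samples:
        print(s[0], "->", check_flags(*s) or "ok")
```

The third sample shows a consequence of the two rules taken together: EXCLUSIVE forbids manual keys and MIPV6 requires them, so a policy that joins both flags fails whichever keying method is used.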