HP-UX IPSec version A.02.00 manpages

ipsec_config(1M) ipsec_config(1M)
Remarks
Use this option only when the local system is an HP-UX Mobile IPv6 Home Agent.
Description
Use the
ipsec_config add gateway
command to configure gateway IPSec policies. Do not use this
command unless the local system is an HP-UX Mobile IPv6 Home Agent.
Gateway IPSec policies specify HP-UX IPSec behavior when the local system is acting as a gateway (forwarding packets that the local system receives with a non-local destination IP address). An HP-UX system can act as a gateway only when it is an HP-UX Mobile IPv6 Home Agent and is forwarding packets between a Mobile IPv6 client and its Correspondent Node.
To specify behavior for IP packets sent or received by the local system as an end host, use the
ipsec_config add host
command to configure host IPSec policies.
When an IPSec system receives a packet for an address that is not on the local system, HP-UX IPSec
searches the gateway IPSec policies in priority order and selects the first policy with address, protocol,
and port specifications that match the packet. HP-UX IPSec then takes the action specified in the
selected gateway IPSec policy.
The HP-UX IPSec configuration database includes a gateway IPSec policy named default. HP-UX IPSec uses the default gateway IPSec policy when it receives a packet for an address that is not on the local system and no other gateway IPSec policy matches the packet. The default gateway IPSec policy shipped with HP-UX IPSec forwards packets in clear text (the -action argument value is FORWARD).
You cannot delete the default gateway IPSec policy, or modify any of its argument values except the one that controls its behavior (the value of the -action argument). You can change the -action argument value so that the policy discards packets using the following command:
ipsec_config add gateway default -action DISCARD
To change the default gateway IPSec policy back so that it forwards packets in clear text, use the following command:
ipsec_config add gateway default -action FORWARD
You must configure two gateway IPSec policies for each end-to-end source and destination address pair;
you configure one gateway IPSec policy for the data path between the gateway and each endpoint.
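The policy selection described above (search gateway policies in priority order, take the first one whose address, protocol and port filters match, otherwise fall back to the default policy's -action value), as an added model written for this page and not HP-UX code. The integer priority field, the "ip_address/prefix" filter form, and the 2001:db8::/32 Mobile IPv6 addresses are constructed assumptions for the model; the only actions modelled are the FORWARD and DISCARD values the manpage shows for the default policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class GatewayPolicy:
    name: str
    action: str                     # "FORWARD" or "DISCARD"
    priority: int = 100             # assumed ordering field; lower is searched first
    src: Optional[str] = None       # address filter "ip_address/prefix"; None matches any
    dst: Optional[str] = None
    protocol: Optional[int] = None  # IP protocol number; None matches any
    dst_port: Optional[int] = None  # destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        """Address, protocol and port specifications must all match the packet."""
        def in_filter(filt: Optional[str], addr: str) -> bool:
            if filt is None:
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(filt, strict=False)
        return (in_filter(self.src, pkt["src"]) and in_filter(self.dst, pkt["dst"])
                and self.protocol in (None, pkt["proto"])
                and self.dst_port in (None, pkt.get("dport")))

def select_policy(policies: List[GatewayPolicy], pkt: dict,
                  default_action: str = "FORWARD") -> Tuple[str, str]:
    """First matching policy in priority order, else the 'default' policy."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.matches(pkt):
            return pol.name, pol.action
    return "default", default_action

# Constructed scenario: the Home Agent forwards between a mobile node's home
# prefix (2001:db8:1::/64) and a correspondent node's prefix (2001:db8:2::/64).
# One policy per data-path leg, plus a narrower, higher-priority policy that
# discards telnet to the home prefix before the broad forwarding policy is reached.
POLICIES = [
    GatewayPolicy("block_telnet", "DISCARD", priority=10, dst="2001:db8:1::/64", protocol=6, dst_port=23),
    GatewayPolicy("mn_to_cn", "FORWARD", src="2001:db8:1::/64", dst="2001:db8:2::/64"),
    GatewayPolicy("cn_to_mn", "FORWARD", src="2001:db8:2::/64", dst="2001:db8:1::/64"),
]

TELNET = {"src": "2001:db8:2::20", "dst": "2001:db8:1::10", "proto": 6, "dport": 23}
HTTPS = {"src": "2001:db8:2::20", "dst": "2001:db8:1::10", "proto": 6, "dport": 443}
STRAY = {"src": "2001:db8:9::1", "dst": "2001:db8:1::10", "proto": 17, "dport": 53}

if __name__ == "__main__":
    print(select_policy(POLICIES, TELNET))            # ('block_telnet', 'DISCARD')
    print(select_policy(POLICIES, HTTPS))             # ('cn_to_mn', 'FORWARD')
    print(select_policy(POLICIES, STRAY))             # ('default', 'FORWARD'): shipped setting
    print(select_policy(POLICIES, STRAY, "DISCARD"))  # after "ipsec_config add gateway default -action DISCARD"
```

The last two calls show why the default policy's action matters: a packet from an unexpected source that matches no configured policy is forwarded in clear text with the shipped setting, and dropped once the default is switched to DISCARD.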
Options and Operands
gateway_policy_name
The user-defined name for the gateway IPSec policy. This name must be unique for each gateway IPSec policy and is case-sensitive. The name default is reserved.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).
-nocommit|nc
The ipsec_config utility verifies the gateway IPSec policy, but does not add it to the
configuration database. This argument is not valid if you are specifying an
add gateway
operation from a batch file.
-prof[ile] profile_name
The name of the profile file containing default argument values for this policy. The argument
values are evaluated once, when the policy is added to the configuration database. Values used
from the profile file become part of the configuration record for the policy. This argument is
not valid if you are specifying an add gateway operation from a batch file.
Maximum length: 1023 characters.
Default:
/var/adm/ipsec/.ipsec_profile
-source|src ip_address[/prefix[/port_number|service_name]]
-destination|dst ip_address[/prefix[/port_number|service_name]]
HP-UX IPSec uses the ip_address, prefix, and port_number together with the -protocol argument, or the service_name, to form an address filter. HP-UX IPSec uses the address filter to select an IPSec policy for a packet.
10 Hewlett-Packard Company 6 HP-UX IPSec A.02.00