HP-UX IPSec version A.02.00 manpages

ipsec_config(1M) ipsec_config(1M)
HP-UX IPSec compares the source address filter with the end-to-end source address fields in the packet, and the destination address filter with the end-to-end destination address fields in the packet. You must configure two gateway IPSec policies for each end-to-end source and destination address pair; you configure one gateway IPSec policy for the data path between the gateway and each endpoint.
Default: If you do not specify -source or -destination, ipsec_config uses the value of the source or destination parameter in the GWPolicy-Defaults section of the profile file used. The default value for source and destination is 0.0.0.0/0/0 (match any IPv4 address, any port) in /var/adm/ipsec/.ipsec_profile.
ip_addr
Source or destination IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address. If you are using manual keys, ip_addr must be a unicast address.
prefix
Prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.
You must specify prefix if you specify port_number or service_name.
If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero addresses.

Type   Range     Default
IPv4   0 - 32    32 (0 for all-zero addresses)
IPv6   0 - 128   128 (0 for all-zero addresses)

The default is 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
port
The upper-layer protocol (TCP or UDP) port number. Specify the upper-layer protocol with the -protocol argument described below.
Acceptable values: 0 - 65535. 0 indicates all ports. The value of the -protocol argument must be TCP or UDP if port is not zero.
Default: 0 (all ports).
service_name
A character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and the -protocol argument in the same policy.
service_name Port Protocol
DNS-TCP 53 TCP
DNS-UDP 53 UDP
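The ip_addr, prefix, port and service_name rules above, collected into a runnable model. This is an added illustration, not code from the HP-UX IPSec product or this manpage: it assumes the ip_addr/prefix/port spelling shown by the 0.0.0.0/0/0 default, the names parse_filter, matches, rejects, AddrFilter and SERVICE_TABLE are this example's own, and SERVICE_TABLE holds only the two service names visible in this excerpt (the manpage table is longer). It applies the documented defaults (prefix 32/128 for a non-zero address, 0 for an all-zeros address, port 0 = all ports), the checks the page states (prefix required with a port, non-zero port needs -protocol TCP or UDP, service_name excludes -protocol, manual keys need a unicast host address with a full-length prefix, no broadcast or multicast address) and the prefix-bit comparison against a packet's address; subnet-broadcast and anycast addresses cannot be recognised from the address alone and are not checked.

```python
"""Model of ipsec_config -source/-destination filter semantics.

Added example, not HP code. Assumed filter syntax (from the 0.0.0.0/0/0 default):
    ip_addr[/prefix[/port_or_service_name]]
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# service_name entries documented in this excerpt; the real table is longer.
SERVICE_TABLE = {
    "DNS-TCP": (53, "TCP"),
    "DNS-UDP": (53, "UDP"),
}


@dataclass(frozen=True)
class AddrFilter:
    network: object            # IPv4Network or IPv6Network built from ip_addr/prefix
    port: int                  # 0 means "all ports"
    protocol: Optional[str]    # None, "TCP" or "UDP"


def parse_filter(spec: str, protocol: Optional[str] = None,
                 manual_keys: bool = False) -> AddrFilter:
    """Parse a filter value and apply the documented defaults and checks."""
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError("at most ip_addr/prefix/port")
    addr = ipaddress.ip_address(parts[0])     # rejects garbage, picks v4 or v6
    full = addr.max_prefixlen                  # 32 for IPv4, 128 for IPv6
    prefix_part = parts[1] if len(parts) >= 2 else ""
    port_part = parts[2] if len(parts) == 3 else None

    # "You must specify prefix if you specify port_number or service_name."
    if port_part is not None and prefix_part == "":
        raise ValueError("prefix is required when a port or service name is given")

    # Default prefix: full length for a non-zero address, 0 for 0.0.0.0 / 0::0.
    if prefix_part == "":
        prefix = 0 if int(addr) == 0 else full
    else:
        prefix = int(prefix_part)
        if not 0 <= prefix <= full:
            raise ValueError(f"prefix must be 0-{full} for this address family")

    # Broadcast and multicast addresses are not permitted as filter addresses.
    if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
        raise ValueError("broadcast/multicast address not permitted")

    # Manual keys: unicast host address with a full-length prefix only.
    if manual_keys and (prefix != full or int(addr) == 0):
        raise ValueError(f"manual keys require a unicast address with prefix {full}")

    proto = protocol.upper() if protocol else None
    port = 0
    if port_part is not None:
        if port_part in SERVICE_TABLE:
            if proto is not None:
                raise ValueError("service_name and -protocol cannot be combined")
            port, proto = SERVICE_TABLE[port_part]
        else:
            port = int(port_part)
            if not 0 <= port <= 65535:
                raise ValueError("port must be 0-65535")
            if port != 0 and proto not in ("TCP", "UDP"):
                raise ValueError("a non-zero port requires -protocol TCP or UDP")

    # strict=False masks host bits, so only the leading `prefix` bits are compared.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return AddrFilter(network, port, proto)


def rejects(spec: str, **kw) -> bool:
    """True if parse_filter refuses the spec (shows which checks fire)."""
    try:
        parse_filter(spec, **kw)
    except ValueError:
        return True
    return False


def matches(filt: AddrFilter, pkt_addr: str, pkt_port: int = 0,
            pkt_protocol: Optional[str] = None) -> bool:
    """Does a packet's address, port and protocol satisfy the filter?"""
    a = ipaddress.ip_address(pkt_addr)
    if a.version != filt.network.version:      # an IPv4 filter never matches IPv6
        return False
    if a not in filt.network:                  # leading prefix bits must match
        return False
    if filt.port and pkt_port != filt.port:    # port 0 matches any port
        return False
    if filt.protocol and (pkt_protocol or "").upper() != filt.protocol:
        return False
    return True


if __name__ == "__main__":
    any_v4 = parse_filter("0.0.0.0/0/0")                 # the profile default
    dns = parse_filter("10.1.2.3/32/DNS-UDP")             # service_name form
    print(any_v4, matches(any_v4, "192.0.2.7", 443, "TCP"))
    print(dns, matches(dns, "10.1.2.3", 53, "UDP"), matches(dns, "10.1.2.3", 53, "TCP"))
    print(rejects("10.1.2.3//80", protocol="TCP"), rejects("224.0.0.1"))
```

The constructed addresses (10.1.2.3, 192.0.2.0/24, 2001:db8::1) are sample values, not taken from the manpage.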
HP-UX IPSec A.02.00 7 Hewlett-Packard Company 11