HP-UX IPSec version A.02.00 manpages

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

ipsec_conﬁg(1M) ipsec_conﬁg(1M)

FORWARD|

Forward packets in clear text using this gateway IPSec policy.

DISCARD

Discard packets using this gateway IPSec policy. This is the default action.

The action must be

FORWARD

if you specify the

-tunnel

argument.

Default: The action deﬁned for the

action

parameter in the

GWPolicy-Defaults

sec-

tion of the proﬁle ﬁle used. The default deﬁnition for action is

DISCARD in

/var/adm/ipsec/.ipsec_profile

-flags

flags

Additional options for this policy. Join multiple ﬂags with a plus sign (

+). You can set the fol-

lowing ﬂags:

MIPV6

Speciﬁes that this IPSec policy is used for Mobile IPv6 packets. HP-UX IPSec checks the

Mobile IPv6 binding cache for routing information. (This ﬂag does not specify or affect

any protocol speciﬁcations for the source_address or destination_address

used when

selecting the IPSec policy for a packet.)

You must use manual keys (

-in

and -out

arguments) with the

MIPV6 ﬂag. You cannot

specify the MIPV6 ﬂag with IPv4 addresses in the source and destination arguments.

NONE

No additional options.

Default: The value of the

-flags

parameter in the

GWPolicy-Defaults

section of the

proﬁle ﬁle used. The default

flags

value is NONE

/var/adm/ipsec/.ipsec_profile

-homeclear|hc

interface_name

Only valid if the ﬂag MIPV6 is conﬁgured. Speciﬁes the name of the physical interface that is

the home link for the Mobile IPv6 system(s). Use the

-homeclear

option for gateway IPSec

policies conﬁgured on a Mobile IPv6 Home Agent that specify a tunnel between the Mobile

Node and the Home Agent (local system) when forwarding packets between the Mobile Node

and the Correspondent Node. The -homeclear

option speciﬁes that the local system will not

use a tunnel if it is sending or receiving packets using interface_name (the home link). This

provides better performance when the Mobile Node is attached to the home link.

Acceptable values: Physical interface name, 1 - 15 characters, in the format

lanppa

where

ppa is the physical point of attachment or card instance; for example,

lan0. Logical interface

names (such as

lan0:1

) are not allowed.

Examples

The local system (

3ffe::83ff:fef7:1111

) is a Mobile IPv6 Home Agent for the Mobile Node

3ffe::83ff:fef7:2222

. Conﬁgure the local system to forward all Mobile IPv6 protocol packets

(protocol MH) between the Mobile Node and any Correspondent Node through the IPSec tunnel

my_mipv6_tunnel

. You must conﬁgure two gateway IPSec polices for this topology: one for the

data path between the Home Agent and the Mobile Node, and one for the data path between the

Home Agent and the Correspondent Node.

The

my_mipv6_tunnel

endpoints are the Mobile Node and the local system (Home Agent). The

command for conﬁguring

my_mipv6_tunnel

is listed in the examples for the

ipsec_config

add tunnel

command.

ipsec_config -add gateway to_mobile_node -source 0::0 \

-destination 3ffe::83ff:fef7:2222 \

-protocol MH -pri 200 -tunnel my_mipv6_tunnel

-action FORWARD -flags MIPV6

ipsec_config -add gateway to_cn -source 3ffe::83ff:fef7:2222 \

-destination 0::0 \

-protocol MH -pri 210 -action FORWARD -flags MIPV6

HP-UX IPSec A.02.00 − 9 − Hewlett-Packard Company 13