HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
IPSEC_CONFIG COMMAND
Name
add host - configure host IPSec policies
Synopsis
ipsec_config add host host_policy_name [-nocommit|nc] [-prof[ile] profile_name]
    [-source|src ip_address[/prefix[/port_number|service_name]]]
    [-destination|dst ip_address[/prefix[/port_number|service_name]]]
    [-prot[ocol] protocol_id] [-pri[ority] priority_number]
    [-tunnel tunnel_policy_name]
    [-act[ion] PASS|DISCARD|transform_list]
    [-flags flags]
    [-in manual_key_sa_specification [-in manual_key_sa_specification]]
    [-out manual_key_sa_specification [-out manual_key_sa_specification]]
Description
Use the ipsec_config add host command to configure host IPSec policies. Host IPSec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. To specify behavior for IP packets processed by the local system as a gateway (packets the local system forwards), use the ipsec_config add gateway command.
When an IPSec system sends a packet or receives a packet for an address on the local system, HP-UX
IPSec searches the host IPSec policies in priority order and selects the first policy with address, protocol,
and port specifications that match the packet. HP-UX IPSec then takes the action specified in the
selected host IPSec policy.
The HP-UX IPSec configuration database includes a host IPSec policy named default. HP-UX IPSec uses the default host IPSec policy for a packet if no other host IPSec policy matches the packet. The default host IPSec policy shipped with HP-UX IPSec allows packets to pass in clear text (the -action argument value is PASS). You cannot delete the default host IPSec policy, or modify any argument values except the one for its behavior (the value for the -action argument). Use the following command to change the default host IPSec policy so it discards packets:
    ipsec_config add host default -action DISCARD
To change the default host IPSec policy back so it passes packets in clear text, use the following command:
    ipsec_config add host default -action PASS
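The selection rule described above (search host policies in priority order, take the first whose address, protocol and port filters match, fall back to the reserved default policy) and the ip_address[/prefix[/port_number|service_name]] operand syntax from the synopsis can be modelled in a few lines. The following Python is an added illustration written for this page, not HP-UX code: the policy names, addresses, service-name table and transform-list string are constructed, only the outbound direction is modelled (source filter against the packet's source fields, destination filter against its destination fields), and it assumes that a lower priority_number is searched first.

```python
"""Constructed model of HP-UX IPSec host-policy selection; not HP-UX code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed service-name table standing in for the system's service lookup.
SERVICES = {"telnet": 23, "ssh": 22, "http": 80}


@dataclass(frozen=True)
class AddrFilter:
    """One ip_address[/prefix[/port_number|service_name]] operand."""
    network: ipaddress.IPv4Network
    port: Optional[int]  # None: any port


def parse_filter(spec: str) -> AddrFilter:
    """Parse the -source/-destination operand syntax shown in the synopsis."""
    parts = spec.split("/")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad address filter: {spec!r}")
    prefix = int(parts[1]) if len(parts) > 1 else 32
    network = ipaddress.IPv4Network((parts[0], prefix), strict=False)
    port = None
    if len(parts) == 3:
        port = int(parts[2]) if parts[2].isdigit() else SERVICES[parts[2]]
    return AddrFilter(network, port)


@dataclass
class HostPolicy:
    name: str
    priority: int            # assumption: lower number is searched first
    action: str              # PASS, DISCARD, or a transform list (opaque string here)
    src: Optional[AddrFilter] = None   # None: wildcard
    dst: Optional[AddrFilter] = None
    protocol: Optional[int] = None


@dataclass
class Packet:
    """Outbound packet as seen by the local end host."""
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _filter_matches(f: Optional[AddrFilter], addr: str, port: Optional[int]) -> bool:
    if f is None:
        return True
    if ipaddress.ip_address(addr) not in f.network:
        return False
    return f.port is None or f.port == port


def policy_matches(pol: HostPolicy, pkt: Packet) -> bool:
    """Address, protocol and port filters must all match (outbound direction only)."""
    if pol.protocol is not None and pol.protocol != pkt.protocol:
        return False
    return (_filter_matches(pol.src, pkt.src, pkt.src_port)
            and _filter_matches(pol.dst, pkt.dst, pkt.dst_port))


# The reserved default policy: all-wildcard filters, so it matches every packet.
# Only its action may change (ipsec_config add host default -action DISCARD).
DEFAULT_POLICY = HostPolicy("default", priority=10**9, action="PASS")


def select_policy(policies: List[HostPolicy], pkt: Packet,
                  default: HostPolicy = DEFAULT_POLICY) -> HostPolicy:
    """Walk the policies in priority order; the first match wins, else the default."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if policy_matches(pol, pkt):
            return pol
    return default


# Constructed sample policies (names, addresses and transform name are made up).
POLICIES = [
    HostPolicy("telnet_to_db", priority=10, action="ESP_AES128_HMAC_SHA1",
               src=parse_filter("10.1.1.5"), dst=parse_filter("10.1.2.7/32/telnet"),
               protocol=6),
    HostPolicy("drop_rest_of_db_net", priority=20, action="DISCARD",
               dst=parse_filter("10.1.2.0/24")),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.1.5", "10.1.2.7", 6, 40000, 23),
                Packet("10.1.1.5", "10.1.2.9", 6, 40001, 80),
                Packet("10.1.1.5", "192.0.2.1", 6, 40002, 80)):
        pol = select_policy(POLICIES, pkt)
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dst_port}  {pol.name}: {pol.action}")
```

The telnet packet hits the priority-10 policy even though the priority-20 DISCARD policy also covers its destination network, which is why priority_number matters when filters overlap; the packet to 192.0.2.1 matches nothing and receives the default policy's action, so passing a default built with action DISCARD reproduces the effect of the command above.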
Options and Operands
The ipsec_config add host command recognizes the following options and operands:
host_policy_name
    The user-defined name for the host IPSec policy. This name must be unique for each host IPSec policy and is case-sensitive. The name default is reserved.
    Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).
-nocommit|nc
    The ipsec_config utility verifies the host IPSec policy, but does not add it to the configuration database. This argument is not valid if you are specifying an add host operation in a batch file.
-pro[file] profile_name
    The name of the profile file containing default argument values for this policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from the profile file become part of the configuration record for the policy. This argument is not valid if you are specifying an add host operation in a batch file.
    Maximum length: 1023 characters.
    Default: /var/adm/ipsec/.ipsec_profile.
-source|src ip_addr[/prefix[/port_number|service_name]]
-destination|dst ip_addr[/prefix[/port_number|service_name]]
    HP-UX IPSec uses the ip_addr, prefix, and port_number with the -protocol argument, or the service_name, to form an address filter. HP-UX IPSec uses the address filter to select an IPSec policy for a packet. Specify a local IP address in the source address filter. For an outbound packet, HP-UX IPSec compares the source address filter with the source address fields