HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
in the packet, and the destination address filter with the destination address fields in the
packet. For an inbound packet, HP-UX IPSec compares the source address filter specification
with the destination address fields in the packet, and the destination address filter with the
source address fields in the packet.
Default: If you do not specify -source or -destination, ipsec_config uses the value
of the source or destination parameter in the HostPolicy-Defaults section of the
profile file used. The default value for source and destination is 0.0.0.0/0/0 (match any
IPv4 address, any port) in /var/adm/ipsec/.ipsec_profile.
The address filter is defined with the following values:
ip_addr
The source or destination IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6
address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must
be the same for the source and destination address. HP-UX IPSec does not support
unspecified IPv6 addresses. However, you can use the double-colon (::) notation
within a specified IPv6 address to denote a number of zeros (0) within an address.
The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
If you are using manual keys, ip_addr must be a unicast address.
prefix
The prefix length, or the number of leading bits that must match when comparing
the IP address in a packet with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
addresses must match. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both
addresses must match. Use a value less than 128 to specify a subnet address filter.
The following table shows the range and default for IPv4 and IPv6 addresses. The
defaults apply to non-zero addresses.
Type    Range      Default
IPv4    0 - 32     32 (0 for all-zero addresses)
IPv6    0 - 128    128 (0 for all-zero addresses)
The default prefix is zero (0) if the address is all zeros.
If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128
if ip_addr is an IPv6 address.
You must specify prefix if you specify port_number or service_name.
port
The upper-layer protocol (TCP or UDP) port number. Specify the upper-layer
protocol with the -protocol argument described below.
Acceptable values: 0 - 65535. 0 indicates all ports. The value of the -protocol
argument must be TCP or UDP if port is not zero.
Default: 0 (all ports).
service_name
A character string that specifies a network service. The ipsec_config utility
will add a policy to the configuration database with the appropriate port number
and protocol, as listed below. You cannot specify service_name and the -protocol
argument in the same policy.
service_name    Port    Protocol
DNS-TCP         53      TCP
DNS-UDP         53      UDP
FTP-DATA        20      TCP
HP-UX IPSec A.02.00 − 11 − Hewlett-Packard Company 15
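As an added example that is not part of the HP-UX manpage or product, the following Python code applies the address filter rules above (prefix defaults and ranges, the manual-key host-prefix requirement, the port/-protocol rule) to a filter written as ip_addr[/prefix[/port]], and models the inbound comparison described at the top of this page, where the source filter is checked against the packet's destination fields. The function names and the packet tuple are assumptions of the example; the service_name table is not modelled.

```python
import ipaddress

# Added example (not HP-UX code): parse an ipsec_config address filter
# "ip_addr[/prefix[/port]]" and apply the rules from the manpage text above.

def parse_filter(spec, protocol=None, manual_keys=False):
    """Return (network, port) or raise ValueError for a rejected filter."""
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError("expected ip_addr[/prefix[/port]]")
    addr = ipaddress.ip_address(parts[0])
    if addr.is_multicast:
        raise ValueError("multicast address not allowed")
    maxlen = 32 if addr.version == 4 else 128
    if len(parts) == 3 and parts[1] == "":
        raise ValueError("prefix is required when a port is given")
    if len(parts) >= 2 and parts[1] != "":
        prefix = int(parts[1])
    else:  # default from the table: full length, 0 for an all-zero address
        prefix = 0 if int(addr) == 0 else maxlen
    if not 0 <= prefix <= maxlen:
        raise ValueError("prefix out of range")
    if manual_keys and prefix != maxlen:
        raise ValueError("manual keys require a host prefix (32 or 128)")
    port = int(parts[2]) if len(parts) == 3 else 0
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port != 0 and protocol not in ("TCP", "UDP"):
        raise ValueError("-protocol must be TCP or UDP when port is not 0")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), port

def rejected(spec, **kw):
    """True if parse_filter rejects the filter (used to exercise the rules)."""
    try:
        parse_filter(spec, **kw)
    except ValueError:
        return True
    return False

def matches(src_filter, dst_filter, pkt, inbound):
    """pkt is (src_ip, src_port, dst_ip, dst_port). For an inbound packet the
    source filter is compared with the packet's destination fields and the
    destination filter with its source fields, as the manpage describes."""
    s_ip, s_port, d_ip, d_port = pkt
    if inbound:
        s_ip, s_port, d_ip, d_port = d_ip, d_port, s_ip, s_port
    def hit(flt, ip, port):
        net, fport = flt  # a filter port of 0 matches any port
        return ipaddress.ip_address(ip) in net and fport in (0, port)
    return hit(src_filter, s_ip, s_port) and hit(dst_filter, d_ip, d_port)
```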