HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
The values are defined as follows:
PASS|DISCARD
PASS
Allow packets using this host IPSec policy to pass in clear text with no alteration.
The default host IPSec policy shipped with the product specifies -action PASS.
DISCARD
Discard packets using this host IPSec policy.
transform_list
A transform specifies the IPSec authentication and encryption applied to packets using
AH (Authentication Header) and ESP (Encapsulating Security Payload) headers. A
transform_list specifies the transforms acceptable for packets using the policy. The
HP-UX IPSec IKE daemon proposes the transform_list when negotiating the transform for
IPSec Security Associations (SAs) with a remote system.
The transforms in a host policy transform_list are transport transforms and apply to the
host-to-host SA (transport SA) between the source and destination addresses.
If you are using manual keys, the transform list can contain only one transform.
If you are using dynamic keys, the transform list can contain:
• up to 8 ESP transforms (including Authenticated ESP transforms)
• up to 2 AH transforms
• 1 nested AH and ESP transform (ESP nested inside AH)
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the
most preferable and the last transform is the least preferable. At least one transform
must match a transform configured on the remote system.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
where the variables are defined as follows:
transform_name
One of the following AH (Authentication Header) or ESP (Encapsulating Security
Payload) transform specifications, or a nested AH and ESP transform
formed by joining an AH transform and an ESP transform with a plus sign
(+), for example, AH_MD5+ESP_3DES.
AH_MD5
(AH, with 128-bit key Hashed Message Authentication Code using RSA
Message Digest-5, HMAC-MD5.)
AH_SHA1
(AH, with 160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1.)
ESP_DES
(ESP with 56-bit Data Encryption Standard, Cipher Block Chaining
Mode, DES-CBC.)
ESP_DES_HMAC_MD5
(ESP DES, authenticated with HMAC-MD5.)
ESP_DES_HMAC_SHA1
(ESP DES, authenticated with HMAC-SHA1.)
ESP_3DES
(ESP with triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC.)
ESP_3DES_HMAC_MD5
(ESP 3DES, authenticated with HMAC-MD5.)
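The following checker is an added example, not part of the HP-UX IPSec product or its manpage. It applies the transform_list rules stated above (comma-separated entries, transform_name[/lifetime_seconds[/lifetime_kbytes]], one transform for manual keys, and the 8 ESP / 2 AH / 1 nested limits for dynamic keys). It assumes a transform's kind can be judged from its AH_ or ESP_ name prefix; the function names and the sample list are constructed for illustration.

```python
import re

# Dynamic-key limits per transform kind, as stated in the text above.
LIMITS = {"ESP": 8, "AH": 2, "NESTED": 1}
# transform_name[/lifetime_seconds[/lifetime_kbytes]]
SPEC = re.compile(r"^([A-Z0-9_]+(?:\+[A-Z0-9_]+)?)(?:/(\d+)(?:/(\d+))?)?$")


def classify(name):
    """Return 'AH', 'ESP' or 'NESTED' from the name prefix, else None."""
    if "+" in name:
        # Nested form is written AH first, then ESP (ESP nested inside AH).
        ah, esp = name.split("+", 1)
        ok = ah.startswith("AH_") and esp.startswith("ESP_")
        return "NESTED" if ok else None
    for kind in ("AH", "ESP"):
        if name.startswith(kind + "_"):
            return kind
    return None


def check_transform_list(text, manual_keys=False):
    """Return (transforms in preference order, list of rule violations)."""
    parsed, errors = [], []
    counts = dict.fromkeys(LIMITS, 0)
    items = [item.strip() for item in text.split(",")]
    for item in items:
        m = SPEC.match(item)
        kind = classify(m.group(1)) if m else None
        if kind is None:
            errors.append(f"malformed transform: {item!r}")
            continue
        counts[kind] += 1
        secs, kbytes = (int(g) if g else None for g in m.group(2, 3))
        parsed.append((m.group(1), kind, secs, kbytes))
    if manual_keys and len(items) != 1:
        errors.append("manual keys: list must contain exactly one transform")
    for kind, limit in LIMITS.items():
        if counts[kind] > limit:
            errors.append(f"{counts[kind]} {kind} transforms, limit is {limit}")
    return parsed, errors


if __name__ == "__main__":
    # Constructed sample list; the lifetime value is illustrative only.
    sample = "ESP_3DES_HMAC_MD5/28800, AH_SHA1, AH_MD5+ESP_3DES"
    for entry in check_transform_list(sample)[0]:
        print(entry)
```

The first tuple in the returned list is the most preferred transform, matching the ordering rule described above.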
HP-UX IPSec A.02.00 − 13 − Hewlett-Packard Company 17