HP-UX IPSec version A.02.00 manpages

ipsec_config(1M) ipsec_config(1M)
ESP_3DES_HMAC_SHA1
(ESP 3DES, authenticated with HMAC-SHA1.)
ESP_AES128
(ESP with 128-bit Advanced Encryption Standard CBC.)
ESP_AES128_HMAC_MD5
(ESP AES128, authenticated with HMAC-MD5.)
ESP_AES128_HMAC_SHA1
(ESP AES128, authenticated with HMAC-SHA1.)
ESP_NULL_HMAC_MD5
(ESP, with null encryption and authenticated with HMAC-MD5.)
ESP_NULL_HMAC_SHA1
(ESP, with null encryption and authenticated with HMAC-SHA1.)
AES128 is the most secure form of encryption, with performance comparable
to or better than DES and 3DES. For added security, use AES128 in an
authenticated ESP transform, such as ESP_AES128_HMAC_SHA1.
lifetime_seconds
The maximum lifetime for the IPSec SA, in seconds. A transform lifetime can
be specified by time (seconds), and by kilobytes transmitted or received.
HP-UX IPSec considers the lifetime to be exceeded if either value is
exceeded. HP recommends that you do not specify an infinite value for
lifetime_seconds (0) with a finite value for lifetime_kbytes.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 300 - 4294967294 seconds (approximately
497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The maximum lifetime for the IPSec SA, measured by kilobytes transmitted or
received. A transform lifetime can be specified by time (seconds), and by
kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be
exceeded if either value is exceeded.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 5120 - 4294967294 kilobytes.
Default: 0 (infinite).
Note: HP recommends that you do not specify an infinite value for
lifetime_seconds (0) with a finite value for lifetime_kbytes.
-flags flags
Additional options for this policy. Join multiple flags with a plus sign (+).
MIPV6
Specifies that this IPSec policy is used for Mobile IPv6 packets. HP-UX IPSec
checks the Mobile IPv6 binding cache for routing information. (This flag does not
specify or affect any protocol specifications used when selecting the IPSec policy for
a packet.)
You must use manual keys (-in and -out arguments) with the MIPV6 flag. You
cannot specify the MIPV6 flag with IPv4 addresses in the source and destination
arguments.
EXCLUSIVE
Specifies session-based keying. Session-based keying uses a different pair of
IPSec/QM SAs per connection or session. Only packets with the same source IP
address, destination IP address, network protocol, source port, and destination port
will use the same IPSec/QM SA. Session-based keying incurs more overhead but
provides more security and privacy. If you do not specify session-based keying, all
packets using the same IPSec policy to the same remote system will share the same
IPSec/QM SA pair and cryptography keys.
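
Added example (not part of the HP manpage or of HP-UX IPSec): a Python lint that
applies the lifetime ranges, the manual-key restrictions and the MIPV6 rules stated
above to one planned policy. The function lint_policy and its keyword arguments are
hypothetical and are not ipsec_config syntax; addresses are assumed to be bare IP
addresses.

```python
import ipaddress

MAX_LIFETIME = 4294967294            # upper bound for both lifetime parameters
DEFAULT_SECONDS, DEFAULT_KBYTES = 28800, 0   # defaults documented above

def lint_policy(transform, flags="", manual_keys=False, src=None, dst=None,
                lifetime_seconds=None, lifetime_kbytes=None):
    """Return (errors, warnings) for one policy; None means 'not specified'."""
    errors, warnings = [], []
    # Flags are joined with a plus sign, e.g. "MIPV6+EXCLUSIVE".
    flag_set = {f for f in flags.upper().split("+") if f}

    if manual_keys:
        # Neither lifetime parameter is valid for manual keys.
        for name, val in (("lifetime_seconds", lifetime_seconds),
                          ("lifetime_kbytes", lifetime_kbytes)):
            if val is not None:
                errors.append(f"{name} is not valid for manual keys")
    else:
        secs = DEFAULT_SECONDS if lifetime_seconds is None else lifetime_seconds
        kb = DEFAULT_KBYTES if lifetime_kbytes is None else lifetime_kbytes
        if secs != 0 and not 300 <= secs <= MAX_LIFETIME:
            errors.append("lifetime_seconds must be 0 or 300-4294967294")
        if kb != 0 and not 5120 <= kb <= MAX_LIFETIME:
            errors.append("lifetime_kbytes must be 0 or 5120-4294967294")
        # The combination HP recommends against: the SA would expire on
        # byte count only, never on elapsed time.
        if secs == 0 and kb != 0:
            warnings.append("infinite lifetime_seconds with finite lifetime_kbytes")

    if "MIPV6" in flag_set:
        if not manual_keys:
            errors.append("MIPV6 requires manual keys (-in and -out)")
        for addr in (src, dst):
            if addr and ipaddress.ip_address(addr).version == 4:
                errors.append(f"MIPV6 cannot be used with IPv4 address {addr}")

    # The page suggests an authenticated ESP transform for AES128.
    if transform == "ESP_AES128":
        warnings.append("ESP_AES128 is unauthenticated; consider ESP_AES128_HMAC_SHA1")
    return errors, warnings
```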