HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
You cannot specify the EXCLUSIVE flag with manual keys, or if the action is PASS or DISCARD.
NONE    No additional options.
Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
-in manual_key_SA_specification [-in manual_key_SA_specification] -out manual_key_SA_specification [-out manual_key_SA_specification]
Specify the -in manual_key_SA_specification and -out manual_key_SA_specification arguments
to use static, manual keys for the IPSec SAs. If the transform_list contains a nested AH and ESP
transform, you must specify two -in manual_key_SA_specification arguments and two
-out manual_key_SA_specification arguments.
The format of the manual_key_SA_specification is:
type/spi[/auth_key][/enc_key][/iv]
where the values are defined as follows:
type Type of IPSec transform.
Acceptable values: AH (Authentication Header) or ESP (Encapsulating Security Payload).
spi Security Parameters Index (SPI) number, used to identify the SA. You can specify the
SPI in hexadecimal, prefixed by 0x, or decimal. For an inbound SA, the SPI must be
unique on the local system within the SPIs assigned for each SA type (AH or ESP), must
be outside the range for dynamic key SPI numbers, and must match the SPI configured
on the remote system for the outbound SA.
For an outbound SA, the SPI must match what is configured on the remote system for the
inbound SA, and must be unique on the remote system.
Range: Manual key SPI numbers must be outside the range for dynamic key SPI
numbers. In installations using the default range for dynamic key SPI numbers (300 -
2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 -
4294967295.
Refer to the spi_min and spi_max parameters for the ipsec_config add startup
command for more information on the range for dynamic key SPI numbers.
auth_key
The hexadecimal authentication key (prefixed by 0x). This is required only for AH or
authenticated ESP. The auth_key value must match what is configured on the remote
system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type     Default
MD5      32 hexadecimal digits (128 bits)
SHA-1    40 hexadecimal digits (160 bits)
enc_key
The hexadecimal encryption key (prefixed by 0x). This is required only for ESP. The
enc_key value must match what is configured on the remote system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type     Default
DES      16 hexadecimal digits (64 bits)
3DES     48 hexadecimal digits (192 bits)
AES128   32 hexadecimal digits (128 bits)
iv Initialization Vector (IV) definition. Required only for SAs using DES, 3DES, or AES128.
Hexadecimal (prefixed by 0x), 64-bit initial block used for cipher block chaining encryption.
This must match what is configured on the remote system.
Range: 64 bits (16 hexadecimal digits), 0x0000000000000000 - 0xFFFFFFFFFFFFFFFF.
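
The format, SPI range and key length rules above can be checked before a specification is passed to ipsec_config. The following Python validator is an added example, not part of the HP-UX manpage or product; check_sa_spec and its auth, enc and dyn_spi parameters are hypothetical names. It assumes that optional fields that do not apply are left out and that the remaining fields keep the order auth_key, enc_key, iv.

```python
import re

AUTH_HEX = {"MD5": 32, "SHA-1": 40}                # auth_key hex digits
ENC_HEX = {"DES": 16, "3DES": 48, "AES128": 32}    # enc_key hex digits
IV_HEX = 16                                        # 64-bit IV
DYN_SPI = (300, 2500000)                           # default dynamic key SPI range
SPI_MAX = 4294967295


def check_sa_spec(spec, auth=None, enc=None, dyn_spi=DYN_SPI):
    """Return a list of problems found in one manual_key_SA_specification.

    auth and enc name the algorithms of the transform the SA is used with.
    Assumption (not stated on the page): optional fields that do not apply
    are left out, and the rest keep the order auth_key, enc_key, iv.
    Error text never echoes key material, so it is safe to log.
    """
    sa_type, *fields = spec.split("/")
    if sa_type not in ("AH", "ESP"):
        return [f"type: {sa_type!r} is not AH or ESP"]
    if auth not in (None, *AUTH_HEX) or enc not in (None, *ENC_HEX):
        return ["unknown algorithm name"]
    if sa_type == "AH" and (enc is not None or auth is None):
        return ["AH needs an authentication algorithm and no cipher"]
    if sa_type == "ESP" and enc is None:
        return ["ESP needs an encryption algorithm"]
    # Hex fields expected after the SPI, with their exact digit counts.
    expected = []
    if auth is not None:
        expected.append(("auth_key", AUTH_HEX[auth]))
    if enc is not None:
        expected += [("enc_key", ENC_HEX[enc]), ("iv", IV_HEX)]
    if len(fields) != 1 + len(expected):
        return [f"expected spi plus {len(expected)} key fields, got {len(fields)} fields"]
    errors = []
    spi_text, *keys = fields
    if re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", spi_text):
        spi = int(spi_text, 16 if spi_text[:2].lower() == "0x" else 10)
        if not 1 <= spi <= SPI_MAX:
            errors.append("spi: outside 1 - 4294967295")
        elif dyn_spi[0] <= spi <= dyn_spi[1]:
            errors.append("spi: inside the dynamic key SPI range")
    else:
        errors.append("spi: not decimal or 0x-prefixed hexadecimal")
    for (name, digits), value in zip(expected, keys):
        if not re.fullmatch(r"0[xX][0-9a-fA-F]{%d}" % digits, value):
            errors.append(f"{name}: expected 0x plus {digits} hexadecimal digits")
    return errors
```

For an outbound SA, pass the remote system's dynamic key SPI range as dyn_spi, since the SPI must be valid as an inbound SPI there.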
HP-UX IPSec A.02.00 − 15 − Hewlett-Packard Company 19