HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
IPSEC_CONFIG COMMAND
Name
add ike - configure Internet Key Exchange (IKE) policies
Synopsis
ipsec_config add ike ike_policy_name [-nocommit|nc] [-prof[ile] profile_name]
    [-rem[ote] ip_addr[/prefix]] [-pri[ority] priority_number]
    [-auth[entication] PSK|RSASIG] [-group 1|2] [-hash MD5|SHA1]
    [-enc[ryption] DES|3DES] [-life lifetime_seconds]
    [-maxqm|mq max_quick_modes]
Description
Use the ipsec_config add ike command to configure Internet Key Exchange (IKE) policies. HP-UX
IPSec uses the parameters in an IKE policy when using the IKE protocol to establish ISAKMP/Main
Mode (MM) Security Associations (SAs) with remote systems. IPSec uses ISAKMP/MM SAs to negotiate
IPSec SAs; an ISAKMP/MM SA must exist with a remote system before IPSec can negotiate IPSec SAs.
You must have at least one IKE policy if you are using dynamic keys for IPSec. If HP-UX IPSec cannot
find an IKE policy with a remote address specification that matches the remote system, the ISAKMP/MM
SA negotiation will fail.
You do not need any IKE policies if you are using only manual keys for IPSec.
Options and Operands
ike_policy_name
    The user-defined name for the IKE policy. This name must be unique for each IKE policy and
    is case-sensitive.
    Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric
    character, hyphen (-), or underscore (_).
-nocommit|nc
    The ipsec_config utility verifies the IKE policy, but does not add it to the configuration
    database. This argument is not valid if you specify an add ike operation in a batch file.
-prof[ile] profile_name
    The name of the profile file containing default argument values for this policy. The argument
    values are evaluated once, when the policy is added to the configuration database. Values used
    from the profile file become part of the configuration record for the policy. This argument is
    not valid if you specify an add ike operation in a batch file.
    Maximum length: 1023 characters.
    Default: /var/adm/ipsec/.ipsec_profile.
-rem[ote] ip_addr[/prefix]
    The IP address and network prefix length that specifies the remote system or subnet for this
    policy. HP recommends that you do not specify a wildcard address (0.0.0.0/0 or 0::0/0).
    Wildcard addresses allow unauthorized systems to engage in IKE negotiations with the local
    system.
    ip_addr
        The remote IP address.
        Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in
        colon-hexadecimal notation. HP-UX IPSec does not support unspecified IPv6 addresses.
        However, you can use the double-colon (::) notation within a specified IPv6 address to
        denote a number of zeros (0) within an address. The address cannot be a broadcast,
        subnet broadcast, multicast, or anycast address.
        Default: None.
    prefix
        The prefix length, or the number of leading bits that must match when comparing an IP
        address of the remote system with ip_addr.
        For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
        addresses must match. Use a value less than 32 to specify a subnet address filter.
HP-UX IPSec A.02.00 − 17 − Hewlett-Packard Company 21
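As an added pre-flight check, not part of the HP-UX manpage or of the ipsec_config tool itself, the POSIX shell functions below validate an add ike argument list against the rules stated above before it is typed at the prompt or written into a batch file: the policy-name length and character set, the restriction that -nocommit and -profile are not valid in a batch file, and the wildcard remote address (0.0.0.0/0 or 0::0/0) that HP advises against because it lets any system start an IKE negotiation. The function names, the "interactive"/"batch" mode argument, the acceptance of -nc as the short form of -nocommit, and the sample policy names and addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity checks for "ipsec_config add ike" argument lists.
# Function names and the mode argument are assumptions, not part of ipsec_config.

# valid_ike_policy_name NAME
# Returns 0 when NAME is 1-63 characters drawn from ASCII letters, digits,
# hyphen and underscore, as the manpage requires for ike_policy_name.
valid_ike_policy_name() {
    name=$1
    len=${#name}
    if [ "$len" -lt 1 ] || [ "$len" -gt 63 ]; then
        return 1
    fi
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;   # any character outside the allowed set
    esac
    return 0
}

# is_wildcard_remote ADDR
# Returns 0 for the wildcard forms the manpage warns against. "::/0" is the
# same IPv6 address as 0::0/0 written with the double-colon shorthand.
is_wildcard_remote() {
    case $1 in
        0.0.0.0/0|0::0/0|::/0) return 0 ;;
    esac
    return 1
}

# check_add_ike MODE NAME [options...]
# MODE is "interactive" or "batch" (assumed names); in batch mode the
# -nocommit and -prof[ile] arguments are rejected, as the manpage states.
# Every option that takes a value must be followed by one.
check_add_ike() {
    mode=$1
    name=$2
    shift 2
    if ! valid_ike_policy_name "$name"; then
        echo "invalid policy name: '$name' (1-63 chars of [A-Za-z0-9_-])" >&2
        return 1
    fi
    while [ $# -gt 0 ]; do
        opt=$1
        # Batch-file restriction.
        case $opt in
            -nocommit|-nc|-prof|-profile)
                if [ "$mode" = batch ]; then
                    echo "$opt is not valid for add ike in a batch file" >&2
                    return 1
                fi ;;
        esac
        # Value handling and per-option checks.
        case $opt in
            -nocommit|-nc) ;;                          # flag, takes no value
            -prof|-profile|-rem|-remote|-pri|-priority|-auth|-authentication|\
            -group|-hash|-enc|-encryption|-life|-maxqm|-mq)
                shift
                if [ $# -eq 0 ]; then
                    echo "$opt requires a value" >&2
                    return 1
                fi
                if [ "$opt" = -rem ] || [ "$opt" = -remote ]; then
                    if is_wildcard_remote "$1"; then
                        echo "wildcard remote address $1 would let any system negotiate IKE; refusing" >&2
                        return 1
                    fi
                fi ;;
            *)
                echo "unknown add ike option: $opt" >&2
                return 1 ;;
        esac
        shift
    done
    return 0
}

# Constructed sample invocation: a policy for one remote gateway.
check_add_ike interactive ike-hq-gw -rem 192.0.2.10/32 -auth PSK -hash SHA1 -group 2 \
    && echo "ike-hq-gw: arguments accepted"
```

Run the checker over each add ike line of a batch file with MODE set to batch before loading the file; a non-zero return and a message on stderr identify the offending argument.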