HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
-enc[ryption] DES|3DES
Specifies the encryption algorithm for encrypting IKE messages. This must match the encryption algorithm configured on the remote system.
Acceptable values:
    DES   56-bit Data Encryption Standard, Cipher Block Chaining Mode, DES-CBC
    3DES  triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC
Default: The value of the encryption parameter in the IKE-Defaults section of the profile file used. The default encryption parameter value is 3DES in /var/adm/ipsec/.ipsec_profile.
-life lifetime_seconds
Specifies the maximum lifetime for the ISAKMP/MM SA, in seconds.
Range: 0 (infinite), or 600 - 4294967294 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
-maxqm|mq max_quick_modes
Specifies the maximum number of IPSec or Quick Mode (QM) SA negotiations that IKE can perform using an ISAKMP/MM SA. Each IPSec/QM SA negotiation establishes two IPSec SAs (one in each direction).
If the value of max_quick_modes is 1, IKE provides PFS for the IPSec SA keys and the identities of the ISAKMP negotiating parties. With PFS, the exposure of one key permits access only to data protected by that key. When PFS is configured, the IKE daemon creates a new ISAKMP SA for each IPSec SA negotiation and performs a Diffie-Hellman exchange for each IPSec SA negotiation.
Range: 1 - 255.
Default: 100.
Examples
Configure an IKE policy that specifies RSA signature (security certificate) for IKE authentication and Oakley Group 2 (1024-bit exponent):
    ipsec_config add ike apple -remote 10.1.1.1 -pri 10 -auth RSASIG -group 2
Configure an IKE policy for all other systems in the local network (10.*.*.*) that specifies preshared keys for IKE authentication:
    ipsec_config add ike all_others -remote 10.0.0.0/8 -pri 100 -auth PSK
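Added example (not part of the HP-UX manpage and not HP code): a Python check that parses `ipsec_config add ike` command lines and flags values outside the ranges documented above, plus DES, an infinite ISAKMP/MM SA lifetime, and policies that do not get PFS. The `-mq` short form, the finding labels, and the sample policy name and address are assumptions of this example.

```python
import shlex

LIFE_MIN, LIFE_MAX = 600, 4294967294      # -life range from the man page (0 = infinite)
LIFE_DEFAULT, MAXQM_DEFAULT = 28800, 100  # defaults from the man page

def parse_ike_policy(line):
    """Split 'ipsec_config add ike <name> -opt value ...' into (name, options)."""
    tok = shlex.split(line)
    if tok[:3] != ["ipsec_config", "add", "ike"] or len(tok) < 4:
        raise ValueError("not an 'ipsec_config add ike' command")
    name, rest = tok[3], tok[4:]
    if len(rest) % 2:
        raise ValueError("option without a value")
    opts = {}
    for opt, val in zip(rest[::2], rest[1::2]):
        if not opt.startswith("-"):
            raise ValueError(f"expected an option, got {opt!r}")
        key = opt[1:]
        if len(key) >= 3 and "encryption".startswith(key):
            key = "enc"                   # -enc[ryption]
        elif key == "mq":
            key = "maxqm"                 # assumed short form of -maxqm
        opts[key] = val
    return name, opts

def audit_ike_policy(line):
    """Return a list of findings for one IKE policy command line."""
    _name, opts = parse_ike_policy(line)
    findings = []
    enc = opts.get("enc")                 # absent: profile default applies
    if enc == "DES":
        findings.append("weak-enc: DES uses a single 56-bit key")
    elif enc not in (None, "3DES"):
        findings.append(f"invalid-enc: {enc}")
    life = int(opts.get("life", LIFE_DEFAULT))
    if life == 0:
        findings.append("infinite-life: ISAKMP/MM SA never expires")
    elif not LIFE_MIN <= life <= LIFE_MAX:
        findings.append(f"invalid-life: {life}")
    maxqm = int(opts.get("maxqm", MAXQM_DEFAULT))
    if not 1 <= maxqm <= 255:
        findings.append(f"invalid-maxqm: {maxqm}")
    elif maxqm != 1:                      # PFS only when max_quick_modes is 1
        findings.append(f"no-pfs: max_quick_modes={maxqm}")
    return findings

if __name__ == "__main__":
    # Constructed sample policy (hypothetical name and address)
    print(audit_ike_policy("ipsec_config add ike lab -remote 10.2.0.1 -pri 20 -auth PSK -enc DES"))
```

A policy that omits `-maxqm` is reported as `no-pfs` because the documented default is 100.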
IPSEC_CONFIG COMMAND
Name
add startup - specify general operating parameters used when starting HP-UX IPSec
Synopsis
ipsec_config add start[up] [-auto[boot] ON|OFF] [-auditlvl|al audit_level]
    [-auditdir|ad audit_directory] [-maxsize|ms max_size] [-spi_min spi_min_value]
    [-spi_max spi_max_value] [-spd_soft spd_soft_limit] [-spd_hard spd_hard_limit]
Description
Use the ipsec_config add startup command to automatically start HP-UX IPSec at system boot-up time and to specify general operating parameters. The general operating parameters will be used when HP-UX IPSec is started at boot-up time and when the ipsec_admin -start command is entered. (If you change the general operating parameters, the changes do not take effect until the next time HP-UX IPSec starts.) Administrators can override the configured general operating parameters using arguments in the ipsec_admin -start command line.
Options and Operands
The ipsec_config add startup command recognizes the following options and operands: