HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs a warning message to the
system console, and logs an additional warning message to the system console for each 1000
SPD entries added.
The spd_soft_limit is measured in units of 1000 entries.
Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).
Default: If you do not specify spd_soft_limit, the default is the value specified for the spd_soft
parameter in the StartUp-Defaults section of the profile file used. The default spd_soft
value is 25 (25000 entries; approximately 58000 Kbytes of memory) in /var/adm/ipsec/.ipsec_profile.
-spd_hard spd_hard_limit
Specifies the "hard" limit for the size of the Security Policy Database (SPD).
When the size of the SPD exceeds the hard limit, HP-UX IPSec stops adding new cache
entries, and discards any packets that do not match existing entries.
The spd_hard_limit is measured in units of 1000 entries.
Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).
Default: If you do not specify spd_hard_limit, the default is the value specified for the spd_hard
parameter in the StartUp-Defaults section of the profile file. The default spd_hard value is 50
(50000 entries; approximately 116000 Kbytes of memory) in /var/adm/ipsec/.ipsec_profile.
Examples
Configure HP-UX IPSec to automatically start at system boot-up time, and to create audit files in the
/tmp/ipsec directory. All other startup parameters will be set to the default values.
ipsec_config add startup -autoboot ON -dir /tmp/ipsec
Configure HP-UX IPSec to create audit files in the /tmp/ipsec directory. All other startup parameters
will be set to the default values; autoboot will be set to OFF.
ipsec_config add startup -dir /tmp/ipsec
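An added example (not part of the HP-UX manpage) that ties the spd_soft/spd_hard description above to the startup examples: a POSIX sh helper that validates both limits against the documented range, refuses a soft limit above the hard limit (otherwise packets would be discarded before any warning is logged), estimates SPD memory from the manpage's two default figures, and prints the corresponding ipsec_config invocation. The -spd_soft option name and the ~2320 Kbytes per unit figure are assumptions derived from the manpage's "-spd_hard spd_hard_limit" pattern and its 25-unit/58000-Kbyte and 50-unit/116000-Kbyte defaults.

```shell
#!/bin/sh
# Added example, not HP-UX code. Units follow the manpage:
# 1 unit = 1000 SPD entries, valid range 1..1000000 units.
SPD_MIN=1
SPD_MAX=1000000
# Assumed: extrapolated from 25 units ~ 58000 Kbytes and 50 units ~ 116000 Kbytes.
KB_PER_UNIT=2320

# is_spd_unit VALUE -> 0 if VALUE is a decimal integer inside the documented range
is_spd_unit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$SPD_MIN" ] && [ "$1" -le "$SPD_MAX" ]
}

# spd_memory_kb UNITS -> estimated Kbytes used by an SPD of UNITS*1000 entries
spd_memory_kb() {
    echo $(( $1 * KB_PER_UNIT ))
}

# check_spd_limits SOFT HARD -> 0 only if both are valid and SOFT <= HARD.
# The soft limit only logs warnings; the hard limit stops adding SPD entries
# and discards non-matching packets, so the warning must come first.
check_spd_limits() {
    is_spd_unit "$1" || { echo "spd_soft_limit out of range: $1" >&2; return 1; }
    is_spd_unit "$2" || { echo "spd_hard_limit out of range: $2" >&2; return 1; }
    if [ "$1" -gt "$2" ]; then
        echo "spd_soft_limit ($1) exceeds spd_hard_limit ($2)" >&2
        return 1
    fi
    return 0
}

# startup_cmd SOFT HARD AUDIT_DIR -> prints the ipsec_config command to run.
# -spd_soft is assumed by analogy with the documented -spd_hard option.
startup_cmd() {
    check_spd_limits "$1" "$2" || return 1
    echo "ipsec_config add startup -autoboot ON -dir $3 -spd_soft $1 -spd_hard $2"
}
```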
IPSEC_CONFIG COMMAND
Name
add tunnel - configure tunnel IPSec policies.
Synopsis
ipsec_config add tunnel tunnel_policy_name [-nocommit|nc] [-prof[ile] profile_name]
    -tsource|tsrc tunnel_address
    -tdestination|tdst tunnel_address
    [-source|src ip_address[/prefix[/port_number|service_name]]]
    [-destination|dst ip_address[/prefix[/port_number|service_name]]]
    [-prot[ocol] protocol_id]
    [-act[ion] transform_list]
    [-in manual_key_sa_specification [-in manual_key_sa_specification]]
    [-out manual_key_sa_specification [-out manual_key_sa_specification]]
DESCRIPTION
Use the ipsec_config add tunnel command to configure tunnel IPSec policies. Tunnel IPSec policies
specify HP-UX IPSec behavior for IP packets tunneled by the local system. In an IPSec tunnel, a
tunnel endpoint system encapsulates the original packet in a new IPSec packet with an AH or ESP
header. The other tunnel endpoint system processes the AH or ESP header, decapsulates the packet, and
sends the packet to the destination address in the original packet header.
An HP-UX system can be the end host in a host-to-host tunnel topology, or the end host in a
host-to-gateway tunnel topology. If the system is an HP-UX Mobile IPv6 Home Agent, it can also act as a
gateway, but only when forwarding packets between a Mobile IPv6 client and its Correspondent Node.
Tunnel IPSec policies are referenced in host or gateway IPSec policies. HP-UX IPSec first selects a host
or gateway IPSec policy to use for a packet. If the IPSec policy specifies a tunnel policy, HP-UX IPSec
uses the information in the tunnel IPSec policy to establish an IPSec tunnel with the tunnel_destination.
Options and Operands
The ipsec_config add tunnel command recognizes the following options and operands:
HP-UX IPSec A.02.00 − 21 − Hewlett-Packard Company 25