HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
tunnel_policy_name
The user-defined name for the tunnel IPSec policy. This name must be unique for each tunnel
IPSec policy and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character,
hyphen (-), or underscore (_).
-nocommit | -nc
The ipsec_config utility verifies the tunnel IPSec policy, but does not add it to the
configuration database. This argument is not valid if you are specifying an add tunnel
operation in a batch file.
-pro[file] profile_name
Specifies the name of the profile file containing default argument values for this policy. The
argument values are evaluated once, when the policy is added to the configuration database.
Values used from the profile file become part of the configuration record for the policy, so a
later change to the profile file does not alter policies that were already added. This
argument is not valid if you are specifying an add tunnel operation in a batch file.
Maximum length: 1023 characters.
Default: /var/adm/ipsec/.ipsec_profile.
-tsource | -tsrc tunnel_address
-tdestination | -tdst tunnel_address
The IP address for the tunnel endpoint. The -tsource tunnel_address is the local tunnel
endpoint; the -tdestination tunnel_address is the remote tunnel endpoint.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in
colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the tunnel
source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses.
However, you can use the double-colon (::) notation within a specified IPv6 address to denote a
run of zeros (0) within the address. The address must be a unicast address.
Default: None.
-source | -src ip_addr[/prefix[/port_number|service_name]]
-destination | -dst ip_addr[/prefix[/port_number|service_name]]
HP-UX IPSec combines the ip_addr, prefix, and port_number with the -protocol argument (or
uses the service_name, which implies both port and protocol) to form an address identifier.
When negotiating an outbound IPSec tunnel SA, HP-UX IPSec uses the source address identifier
as the proxy source ID and the destination address identifier as the proxy destination ID.
When negotiating an inbound IPSec tunnel SA, the roles are reversed: HP-UX IPSec uses the
destination address identifier as the proxy source ID and the source address identifier as the
proxy destination ID. The proxy ID values must exactly match the proxy ID values on the remote
system, which means the remote system's -source must equal the local -destination and its
-destination must equal the local -source (same address, prefix, port, and protocol); if they
differ, the IKE phase 2 negotiation with that peer fails.
If you are using manual keys with an IPv6 ESP transform, HP-UX IPSec also uses the address
identifier to verify the address fields in the original (host-to-host) packet. For an outbound
tunneled packet (the local address is the source address in the tunnel packet header), HP-UX
IPSec verifies the source address identifier against the source address fields in the original
packet, and the destination address identifier against the destination address fields in the
original packet. For an inbound tunneled packet (the local address is the destination address
in the tunnel packet header), HP-UX IPSec verifies the source address identifier against the
destination address fields in the original packet, and the destination address identifier
against the source address fields in the original packet.
Default: If you do not specify -source or -destination, ipsec_config uses the value of the
source or destination parameter in the TunnelPolicy-Defaults section of the profile file used.
In /var/adm/ipsec/.ipsec_profile, the default value for both source and destination is
0.0.0.0/0/0 (match any IPv4 address, any port).
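The proxy-ID mirroring rule and the original-packet check described above, as an added example written for this page (it is not HP-UX code). It models an address identifier in the ip_addr[/prefix[/port_number]] form (service names are not handled), derives the proxy IDs for outbound and inbound tunnel SAs, verifies that a peer's -source/-destination pair mirrors the local one, checks -tsource/-tdestination against the endpoint rules given above, and applies the inner-packet address check the way the text describes it for manual-keyed IPv6 ESP. All policies, addresses and packets are constructed sample data.

```python
"""Model of the -source/-destination address identifiers of ipsec_config(1M).

Added illustration, not part of HP-UX IPSec. The spec syntax it parses
("ip_addr[/prefix[/port_number]]") and the sample data are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddrId:
    """One address identifier: network, port (0 = any) and protocol (0 = any)."""
    net: ipaddress.IPv4Network | ipaddress.IPv6Network
    port: int = 0
    proto: int = 0


def parse_addr_id(spec: str, proto: int = 0) -> AddrId:
    """Parse 'ip_addr[/prefix[/port_number]]'; the protocol comes from -protocol."""
    parts = spec.split("/")
    ip = ipaddress.ip_address(parts[0])
    if ip.version == 6 and ip.is_unspecified:
        raise ValueError("unspecified IPv6 address is not supported")
    prefix = int(parts[1]) if len(parts) > 1 else ip.max_prefixlen
    port = int(parts[2]) if len(parts) > 2 else 0
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return AddrId(net, port, proto)


def check_tunnel_endpoints(tsrc: str, tdst: str):
    """-tsource/-tdestination must be unicast and of the same IP version."""
    a, b = ipaddress.ip_address(tsrc), ipaddress.ip_address(tdst)
    if a.version != b.version:
        raise ValueError("tunnel endpoints must both be IPv4 or both be IPv6")
    for x in (a, b):
        if x.is_unspecified or x.is_multicast:
            raise ValueError(f"{x} is not a unicast address")
    return a, b


def proxy_ids(src: AddrId, dst: AddrId, outbound: bool) -> tuple[AddrId, AddrId]:
    """Outbound SA: (proxy src, proxy dst) = (-source, -destination).
    Inbound SA: the two identifiers swap roles."""
    return (src, dst) if outbound else (dst, src)


def peer_matches(local_src: AddrId, local_dst: AddrId,
                 peer_src: AddrId, peer_dst: AddrId) -> bool:
    """Our inbound proxy IDs must equal the peer's outbound proxy IDs exactly,
    i.e. the peer's -source must be our -destination and vice versa."""
    return proxy_ids(local_src, local_dst, False) == proxy_ids(peer_src, peer_dst, True)


def packet_allowed(src: AddrId, dst: AddrId, pkt_src: str, pkt_dst: str,
                   pkt_proto: int, sport: int, dport: int, outbound: bool) -> bool:
    """Check the original (inner) packet's address fields against the identifiers.
    Outbound: inner src vs -source, inner dst vs -destination.
    Inbound:  inner src vs -destination, inner dst vs -source."""
    sid, did = proxy_ids(src, dst, outbound)

    def fits(aid: AddrId, addr: str, port: int) -> bool:
        # 'in' is False when the address family differs from the identifier's.
        return (ipaddress.ip_address(addr) in aid.net
                and aid.port in (0, port)
                and aid.proto in (0, pkt_proto))

    return fits(sid, pkt_src, sport) and fits(did, pkt_dst, dport)


if __name__ == "__main__":
    # Constructed sample: this gateway protects 2001:db8:1::/64, the peer 2001:db8:2::/64.
    check_tunnel_endpoints("2001:db8:ffff::1", "2001:db8:ffff::2")
    ours = (parse_addr_id("2001:db8:1::/64/0"), parse_addr_id("2001:db8:2::/64/0"))
    good_peer = (parse_addr_id("2001:db8:2::/64/0"), parse_addr_id("2001:db8:1::/64/0"))
    bad_peer = (parse_addr_id("2001:db8:2::/64/0"), parse_addr_id("2001:db8:1::/48/0"))
    print("peer mirrors us:", peer_matches(*ours, *good_peer))
    print("peer uses /48:  ", peer_matches(*ours, *bad_peer))
    print("outbound ssh ok:", packet_allowed(*ours, "2001:db8:1::10", "2001:db8:2::20",
                                             6, 40000, 22, True))
```

The bad_peer case is the usual field failure: the peer covers the same hosts with a wider prefix, and because the comparison is an exact match of the identifier rather than a containment test, the negotiation does not succeed even though every packet would have fitted either policy.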
Where the values are defined as follows:
ip_addr
The proxy (end system) source or destination IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in
colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the
proxy source and destination address. HP-UX IPSec does not support unspecified IPv6
addresses. However, you can use the double-colon (::)
26 Hewlett-Packard Company − 22 − HP-UX IPSec A.02.00