HP-UX IPSec version A.02.00 manpages

ipsec_config(1M) ipsec_config(1M)
protocol_id must be TCP or UDP if port_number is specified and is not zero.
The protocol_id must be ALL or 0 if the corresponding host policy (the host
policy that references this tunnel policy) uses a transform, that is, if the
corresponding host policy action is not PASS.
ICMPV6: Specifying ICMPV6 affects only the following ICMPv6 messages: Echo
Request, Echo Reply, Mobile Prefix Solicitation, and Mobile Prefix
Advertisement. To ensure proper operation of IPv6 networks, HP-UX IPSec
always allows all ICMPv6 messages not listed above to pass in cleartext.
CAUTION: Discarding ICMP messages (Internet Control Message Protocol
messages for IPv4; protocol value 1), or requiring them to be encrypted or
authenticated, may cause connectivity problems.
Default: If you do not specify protocol_id, ipsec_config uses the value of
the protocol parameter in the TunnelPolicy-Defaults section of the profile
file used. The default value for protocol is ALL in
/var/adm/ipsec/.ipsec_profile.
-act[ion] transform_list
A transform specifies the IPSec authentication and encryption applied to
packets using AH (Authentication Header) and ESP (Encapsulating Security
Payload) headers. A transform_list specifies the transforms acceptable for
packets using the policy. The HP-UX IPSec IKE daemon proposes the
transform_list when negotiating the transform for IPSec Security
Associations (SAs) with a remote system.
The transforms in a tunnel policy's transform_list are tunnel-mode
transforms applied to packets encapsulated between the tunnel endpoints.
If you are using manual keys, the transform_list can contain only one
transform.
If you are using dynamic keys, the transform_list can contain:
    up to 8 ESP transforms (including Authenticated ESP transforms)
    up to 2 AH transforms
    1 nested AH and ESP transform (ESP nested inside AH)
Use a comma to separate multiple transform specifications.
The order of transforms in the transform_list is significant. The first
transform is the most preferred and the last transform is the least
preferred. At least one transform must match a transform configured on the
remote system; otherwise no SA can be negotiated with that system.
Default: The transform defined for the action parameter in the
TunnelPolicy-Defaults section of the profile file used. The default action
is ESP_AES128_HMAC_SHA1 in /var/adm/ipsec/.ipsec_profile.
The format for each transform is:
    transform_name[/lifetime_seconds[/lifetime_kbytes]]
where the following values are defined:
transform_name
One of the following AH (Authentication Header) or ESP (Encapsulating
Security Payload) transform specifications, or a nested AH and ESP
transform formed by joining an AH transform and an ESP transform with a
plus sign (+), for example, AH_MD5+ESP_3DES. The AH transform is written
first because AH is the outer header; the ESP transform is nested inside it.
The DES and MD5 based transforms are kept for interoperability with older
peers; 56-bit DES is brute-forceable and HMAC-MD5 is deprecated, so prefer
the AES and SHA-1 transforms, such as the default ESP_AES128_HMAC_SHA1,
for new policies.
AH_MD5
    (AH, with 128-bit key Hashed Message Authentication Code using RSA
    Message Digest-5, HMAC-MD5.)
AH_SHA1
    (AH, with 160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1.)
ESP_DES
    (ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode,
    DES-CBC.)
ESP_DES_HMAC_MD5
    (ESP DES, authenticated with HMAC-MD5.)
Hewlett-Packard Company    HP-UX IPSec A.02.00