HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
type Type of IPSec transform.
Acceptable values: AH (Authentication Header) or ESP (Encapsulating Security Payload).
spi Security Parameters Index (SPI) number, used to identify the SA. You can specify
the SPI in hexadecimal, prefixed by 0x (0xhhhhhhhh), or decimal. For an inbound
SA, the SPI must be unique on the local system within the SPIs assigned for each
SA type (AH or ESP), must be outside the range for dynamic key SPI numbers, and
must match the SPI configured on the remote system for the outbound SA.
For an outbound SA, the SPI must match what is configured on the remote system
for the inbound SA, and must be unique on the remote system.
Range: Manual key SPI numbers must be outside the range for dynamic key SPI
numbers. In installations using the default range for dynamic key SPI numbers
(300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and
2500001 - 4294967295.
Refer to the spi_min and spi_max parameters for the ipsec_config add startup
command for more information on the range for dynamic key SPI numbers.
auth_key
The hexadecimal authentication key (prefixed by 0x). This is required only for AH
or authenticated ESP. The auth_key value must match what is configured on the
remote system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type Default
MD5 32 hexadecimal digits (128 bits)
SHA-1 40 hexadecimal digits (160 bits)
enc_key
The hexadecimal encryption key (prefixed by 0x). This is required only for ESP.
The enc_key value must match what is configured on the remote system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type Default
DES 16 hexadecimal digits (64 bits)
3DES 48 hexadecimal digits (192 bits)
AES128 32 hexadecimal digits (128 bits)
iv Initialization Vector (IV) definition. Required only for SAs using DES, 3DES, or
AES128. Hexadecimal (prefixed by 0x), 64-bit initial block used for cipher block
chaining encryption. This must match what is configured on the remote system.
Range: 64 bits (16 hexadecimal digits), 0x0000000000000000 -
0xFFFFFFFFFFFFFFFF.
Default: 0x0000000000000000.
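The following pre-flight check for manual key values is an added example, not part of the HP-UX manpage or of ipsec_config itself. It applies the SPI range, key length, and IV length rules stated above to one inbound SA; the dictionary keys "auth" and "enc" and all function names are assumptions made for the example.

```python
import re

# Sizes in hexadecimal digits, copied from the Type/Default tables above.
AUTH_KEY_DIGITS = {"MD5": 32, "SHA-1": 40}
ENC_KEY_DIGITS = {"DES": 16, "3DES": 48, "AES128": 32}
IV_DIGITS = 16                    # 64-bit IV
SPI_MIN, SPI_MAX = 1, 4294967295
DEFAULT_DYNAMIC = (300, 2500000)  # default dynamic key SPI range

def parse_spi(text):
    """Return the SPI as an int; accepts decimal or 0x-prefixed hexadecimal."""
    if re.fullmatch(r"0x[0-9a-fA-F]+", text):
        return int(text, 16)
    if re.fullmatch(r"[0-9]+", text):
        return int(text)
    raise ValueError("spi %r is neither decimal nor 0x-prefixed hex" % text)

def hex_field_ok(value, digits):
    """True if value is 0x followed by exactly `digits` hexadecimal digits."""
    return re.fullmatch(r"0x[0-9a-fA-F]{%d}" % digits, value) is not None

def check_manual_sa(sa, dynamic=DEFAULT_DYNAMIC, spis_in_use=()):
    """Return a list of problems for one inbound manual key SA.
    `sa` is a dict of strings; the keys "auth" and "enc" (algorithm names)
    are hypothetical labels for this example, not ipsec_config arguments.
    """
    problems = []
    if sa.get("type") not in ("AH", "ESP"):
        problems.append("type must be AH or ESP")
    try:
        spi = parse_spi(sa.get("spi", ""))
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append("spi outside 1 - 4294967295")
        elif dynamic[0] <= spi <= dynamic[1]:
            problems.append("spi inside dynamic key range %d - %d" % tuple(dynamic))
        elif spi in spis_in_use:
            problems.append("spi already assigned to an SA of this type")
    except ValueError as err:
        problems.append(str(err))
    for field, alg_key, table in (("auth_key", "auth", AUTH_KEY_DIGITS),
                                  ("enc_key", "enc", ENC_KEY_DIGITS)):
        alg = sa.get(alg_key)
        if alg is not None and alg not in table:
            problems.append("%s: unknown algorithm %r" % (field, alg))
        elif alg is not None and not hex_field_ok(sa.get(field, ""), table[alg]):
            problems.append("%s for %s must be 0x plus %d hex digits" % (field, alg, table[alg]))
    if "iv" in sa and not hex_field_ok(sa["iv"], IV_DIGITS):
        problems.append("iv must be 0x plus 16 hex digits")
    return problems
```

Pass the values configured on each peer through check_manual_sa and compare the two dictionaries, since spi, auth_key, enc_key and iv must all match what is configured on the remote system.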
Examples
The local system (10.1.1.1) is using a host-to-host tunnel with system 10.2.2.2. Configure the
tunnel to use authenticated ESP, with AES128 encryption and HMAC SHA-1 authentication.
ipsec_config add tunnel my_host_host_tunnel \
-tsource 10.1.1.1 -tdestination 10.2.2.2 \
-source 10.1.1.1 -destination 10.2.2.2 \
-action ESP_AES128_HMAC_SHA1
The local system (3ffe::83ff:fef7:1111) is a Mobile IPv6 Home Agent for the Mobile Node
3ffe::83ff:fef7:2222. Configure the tunnel between the local system (Home Agent) and the
Mobile Node. This tunnel is used when forwarding Mobile IPv6 protocol packets (protocol MH) between
the Mobile Node and Correspondent Nodes. The tunnel uses manual keys for authenticated ESP, with
AES128 encryption and HMAC SHA-1 authentication
Hewlett-Packard Company HP-UX IPSec A.02.00