HP-UX IPSec version A.02.00 manpages
ipsec_config(1M) ipsec_config(1M)
Configure authentication records for preshared key authentication for a remote multihomed HP-UX IPSec
system, with addresses 10.8.8.8 and 11.8.8.8.
ipsec_config add auth -remote 10.8.8.8 \
-preshared my_hostA_hostX_key
ipsec_config add auth -remote 11.8.8.8 \
-preshared my_hostA_hostX_key
Configure an authentication record for RSA signature (security certificate) authentication with remote
system 192.1.1.1, which uses X.500 Distinguished Names (X500-DN) for ID types.
ipsec_config add auth -remote 192.1.1.1 -rtype X500-DN \
-rid CN=hostn,O=myco,c=US
IPSEC_CONFIG COMMAND
Name
add bypass - configures entries in the HP-UX IPSec bypass list
Synopsis
ipsec_config add bypass|bp ip_address
Description
Use the ipsec_config add bypass command to configure entries in the HP-UX IPSec bypass list.
The bypass list specifies local IPv4 addresses that IPSec will bypass or ignore. The system does not
attempt to find an IPSec policy for packets sent or received using an IP address in the bypass list, and the
system processes these packets as if HP-UX IPSec was not enabled.
The bypass list improves transmission rates for addresses in the bypass list. The bypass list is useful in
topologies where most of the network traffic passes in clear text and you only need to secure selected
traffic on specific interfaces.
HP recommends that you do not configure entries in the bypass list on systems that have public interfaces
(an interface connected to a public network), or on systems on which you are using HP-UX IPSec as a
filter or firewall to protect your network.
The bypass list is not supported for IPv6 addresses.
Options and Operands
The ipsec_config add bypass command recognizes the following operand:
ip_address
The IPv4 address to bypass. This can be a virtual IP address (a secondary IP address
configured for an interface, such as an address configured for lan0:1).
An entry in the bypass interface list affects only the logical interface for the IP address, not all
logical interfaces on the physical interface (network card). If you have secondary IP interfaces
configured for a physical interface (for example, lan0:0, lan0:1, and lan0:2) and you
want IPSec to bypass all IP addresses for that physical interface, you must configure all the IP
addresses for the physical interface in the bypass list.
Examples
The system has two physical interfaces, both connected to secure, internal networks. You want to use
HP-UX IPSec to encrypt traffic on one interface, but disable HP-UX IPSec on the second interface,
12.1.1.1.
ipsec_config add bypass 12.1.1.1
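The rule under Options and Operands, that a bypass entry covers only one logical interface, as an added example (not part of the HP manpage): a POSIX shell function that prints one ipsec_config add bypass command for every IPv4 address on a physical interface and skips IPv6 addresses, which the bypass list does not support. The inventory format, the function names and the addresses are assumptions constructed for this example; the commands are printed for review, not run.

```shell
#!/bin/sh
# Added example. The inventory format ("<logical_if> <address>" per line) is
# an assumption of this example, not the output of any HP-UX command.

# Constructed sample inventory: lan0 has two secondary IPv4 addresses and
# one IPv6 address; lan10 must not be mistaken for a logical lan1 interface.
SAMPLE_INVENTORY='lan0 12.1.1.1
lan0:1 12.1.1.2
lan0:2 12.1.1.3
lan0:3 fe80::1
lan1 10.8.8.1
lan10 10.9.9.1'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bypass_commands PHYS_IF: read the inventory on stdin and print one command
# per IPv4 address on PHYS_IF and on its logical interfaces (PHYS_IF:N).
# Non-IPv4 addresses are reported on stderr and get no command.
bypass_commands() {
    phys=$1
    while read -r ifname addr; do
        case "$ifname" in
            "$phys"|"$phys":*) ;;
            *) continue ;;
        esac
        if is_ipv4 "$addr"; then
            echo "ipsec_config add bypass $addr"
        else
            echo "skipped $ifname ($addr): not an IPv4 address" >&2
        fi
    done
}

# Every address that must be in the bypass list to bypass all of lan0.
printf '%s\n' "$SAMPLE_INVENTORY" | bypass_commands lan0
```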
IPSEC CONFIG COMMAND
Name
add gateway - configure gateway IPSec policies for HP-UX Mobile IPv6 Home Agents
Synopsis
ipsec_config add gateway|gw gw_policy_name [-nocommit|nc] [-prof[ile] profile_name]
[-source|src ip_address[/prefix[/port_number|service_name]]] [-destination|dst
ip_address[/prefix[/port_number|service_name]]] [-prot[ocol] protocol_id] [-pri[ority]
priority_number] [-tunnel tunnel_policy_name] [-act[ion] FORWARD|FWD|DISC[ARD]]
[-flags flags] [-homeclear|hc interface_name]
HP-UX IPSec A.02.00 − 5 − Hewlett-Packard Company 9