HP-UX IPSec version A.02.01 Administrator's Guide
Configuring HP-UX IPSec
Step 1: Configuring Host IPsec Policies
Chapter 4 113
add host apple_banana -source 10.1.1.1 \
-destination 10.5.5.5 -pri 20 -action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy that requires
all outbound IPv4 rlogin sessions (where the local system is an rlogin
client) to use ESP with AES128 encryption and HMAC SHA-1
authentication. The user does not specify the source argument, and the
ipsec_config program uses the default source argument value from the
/var/adm/ipsec/.ipsec_profile file (0.0.0.0/0/0 - the wildcard
IPv4 address and any port). The destination argument specifies the
wildcard IPv4 address (0.0.0.0/0), and service name RLOGIN (port 513,
protocol TCP).
add host rlogin_out -destination 0.0.0.0/0/RLOGIN \
-pri 100 -action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy that requires
telnet requests (where the local system is the telnet server) from subnet
10.0.0.0 to use ESP with AES128 encryption and HMAC SHA-1
authentication.
add host telnet_in -source 0.0.0.0/0/TELNET \
-destination 10.0.0.0/8 -pri 120 \
-action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy for an
application that listens for requests on local TCP port 50000. The policy
requires all packets connecting to the application to use AH with HMAC
SHA-1 authentication.
add host my_app -source 0.0.0.0/0/50000 -protocol TCP \
-pri 140 -action AH_SHA1
The local system (10.1.1.1) is using an end-to-end tunnel (host-to-host
tunnel) with system 10.2.2.2. The following batch file entry configures a
host IPsec policy that references the tunnel policy
my_host_host_tunnel and specifies clear text (no transform) for the
transport. See “Tunnel IPsec Policy Configuration Example” on page 122
for the batch file entry used to configure the tunnel IPsec policy
my_host_host_tunnel.
The priority is 30 to ensure that HP-UX IPSec selects this policy instead
of the policies for telnet and the TCP port 50000 application when the
local system is communicating with 10.2.2.2.
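To make the selection rule concrete, the following Python script is an added example (not HP-UX code and not part of this guide). It parses the add host entries above, applies the profile default of 0.0.0.0/0/0 when -source is omitted, and picks the matching policy with the lowest -pri value for a given connection, so the priority-30 policy for 10.2.2.2 wins over the telnet (120) and TCP port 50000 (140) policies. The batch entry for the host-to-host tunnel policy is not shown on this page, so the script stands in for it with a constructed entry named to_10_2_2_2 that uses the placeholder action keyword CLEARTEXT_PLACEHOLDER; the real ipsec_config keywords for a clear-text transport and for referencing my_host_host_tunnel are not reproduced. Service-name lookup covers only RLOGIN and TELNET, the source endpoint is treated as the local address as this page describes, and the malformed entry BAD_BATCH (a five-octet address) is constructed to show that the parser rejects it.

```python
"""Parse HP-UX ipsec_config 'add host' batch entries and simulate which host
policy is selected for a connection.  Added example, not HP-UX code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVICES = {"RLOGIN": (513, "TCP"), "TELNET": (23, "TCP")}  # names used on this page

@dataclass
class Endpoint:
    network: ipaddress.IPv4Network  # 0.0.0.0/0 is the wildcard address
    port: int                       # 0 means any port
    proto: Optional[str]            # None means any protocol

@dataclass
class HostPolicy:
    name: str
    source: Endpoint       # local address/port
    destination: Endpoint  # remote address/port
    priority: int          # the matching policy with the lowest -pri value wins
    action: str

def parse_endpoint(spec: str, proto: Optional[str]) -> Endpoint:
    """Parse addr[/prefixlen[/port-or-service]]; raise ValueError if malformed."""
    fields = spec.split("/")
    if len(fields) > 3:
        raise ValueError(f"too many '/' fields in {spec!r}")
    prefix = fields[1] if len(fields) > 1 else "32"
    network = ipaddress.IPv4Network(f"{fields[0]}/{prefix}")  # rejects e.g. 0.0.0.0.0
    port = 0
    if len(fields) == 3:
        if fields[2].upper() in SERVICES:
            port, proto = SERVICES[fields[2].upper()]
        elif 0 <= int(fields[2]) <= 65535:
            port = int(fields[2])
        else:
            raise ValueError(f"port out of range in {spec!r}")
    return Endpoint(network, port, proto)

def join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines into one entry per list element."""
    entries, pending = [], ""
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.endswith("\\"):
            pending += line[:-1] + " "
        else:
            entries.append(pending + line)
            pending = ""
    return entries

def parse_entry(entry: str) -> HostPolicy:
    """Turn 'add host NAME -arg value ...' into a HostPolicy."""
    tokens = entry.split()
    if tokens[:2] != ["add", "host"] or len(tokens) < 3 or len(tokens) % 2 == 0:
        raise ValueError(f"malformed 'add host' entry: {entry!r}")
    name, args = tokens[2], tokens[3:]
    opts = dict(zip(args[0::2], args[1::2]))
    proto = opts["-protocol"].upper() if "-protocol" in opts else None
    # An omitted -source takes the profile default 0.0.0.0/0/0 (any address, any port).
    source = parse_endpoint(opts.get("-source", "0.0.0.0/0/0"), proto)
    destination = parse_endpoint(opts.get("-destination", "0.0.0.0/0/0"), proto)
    if "-pri" not in opts or "-action" not in opts:
        raise ValueError(f"-pri and -action are required here: {entry!r}")
    return HostPolicy(name, source, destination, int(opts["-pri"]), opts["-action"])

def validate_batch(text: str) -> Tuple[List[HostPolicy], List[Tuple[str, str]]]:
    """Parse every entry; return (policies, [(entry, error message), ...])."""
    policies, errors = [], []
    for entry in join_continuations(text):
        try:
            policies.append(parse_entry(entry))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return policies, errors

def _matches(ep: Endpoint, addr: str, port: int, proto: str) -> bool:
    return (ipaddress.IPv4Address(addr) in ep.network
            and ep.port in (0, port) and ep.proto in (None, proto))

def select_policy(policies, local_addr, local_port, remote_addr, remote_port, proto):
    """Return the matching policy with the lowest -pri value, or None."""
    hits = [p for p in policies if _matches(p.source, local_addr, local_port, proto)
            and _matches(p.destination, remote_addr, remote_port, proto)]
    return min(hits, key=lambda p: p.priority, default=None)

# Entries from this page plus a constructed entry (to_10_2_2_2) standing in for the
# host-to-host tunnel policy; CLEARTEXT_PLACEHOLDER is not a real action keyword.
BATCH = """
add host apple_banana -source 10.1.1.1 \\
    -destination 10.5.5.5 -pri 20 -action ESP_AES128_HMAC_SHA1
add host rlogin_out -destination 0.0.0.0/0/RLOGIN -pri 100 -action ESP_AES128_HMAC_SHA1
add host telnet_in -source 0.0.0.0/0/TELNET -destination 10.0.0.0/8 \\
    -pri 120 -action ESP_AES128_HMAC_SHA1
add host my_app -source 0.0.0.0/0/50000 -protocol TCP -pri 140 -action AH_SHA1
add host to_10_2_2_2 -source 10.1.1.1 -destination 10.2.2.2 -pri 30 -action CLEARTEXT_PLACEHOLDER
"""
# Constructed malformed entry: five octets in the source address.
BAD_BATCH = "add host my_app -source 0.0.0.0.0/0/50000 -protocol TCP -pri 140 -action AH_SHA1"

POLICIES, _ = validate_batch(BATCH)

if __name__ == "__main__":
    hit = select_policy(POLICIES, "10.1.1.1", 23, "10.2.2.2", 40000, "TCP")
    print("telnet from 10.2.2.2 ->", hit.name, "pri", hit.priority)
    print("errors in BAD_BATCH:", validate_batch(BAD_BATCH)[1])
```

Running the script shows to_10_2_2_2 (priority 30) chosen for an inbound telnet session from 10.2.2.2 even though telnet_in also matches, and an error for the five-octet address, which is the kind of typo worth catching before a batch file is loaded: a rejected entry leaves the application traffic without the AH policy the administrator intended.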