HP-UX IPSec version A.02.01 Administrator's Guide
Configuring HP-UX IPSec
Step 2: Configuring Tunnel IPsec Policies
Complete this step only if you are using IPsec tunnels. If you are not
using IPsec tunnels, continue to “Step 3: Configuring IKE Policies” on
page 123.
Tunnel IPsec policies specify HP-UX IPSec behavior for IP packets
tunneled by the local system. In an IPsec tunnel, a tunnel endpoint
system encapsulates the original packet in a new IPsec packet with an
AH or ESP header. The other tunnel endpoint system processes the AH
or ESP header, decapsulates the packet, and sends the packet to the
destination address in the original packet header.
An HP-UX system can be the end host in an end-to-end tunnel
(host-to-host tunnel) topology, or the end host in a host-to-gateway
tunnel topology.
If the system is an HP-UX Mobile IPv6 Home Agent, it can also act as a
gateway, but only when forwarding packets between a Mobile IPv6 client
and its Correspondent Node. See “HP-UX IPSec and HP-UX Mobile
IPv6” on page 277 if you are configuring HP-UX IPSec for Mobile IPv6.
Tunnel IPsec policies are referenced in host or gateway IPsec policies.
HP-UX IPSec first selects a host or gateway IPsec policy to use for a
packet. If the host or gateway IPsec policy specifies a tunnel policy name,
HP-UX IPSec uses the information in the tunnel IPsec policy to establish
an IPsec tunnel with the tunnel destination.
If the local system is a tunnel endpoint, you must configure tunnel IPsec
policies. HP recommends that you use an ipsec_config batch file to
configure tunnel IPsec policies.
ipsec_config add tunnel Syntax
If you are not using manual keys, you can use the following
ipsec_config add tunnel syntax in most installations:
    ipsec_config add tunnel tunnel_policy_name
        [-tsource tunnel_address] [-tdestination tunnel_address]
        [-source ip_addr[/prefix[/port_number|service_name]]]
        [-destination ip_addr[/prefix][/port_number|service_name]]
        [-protocol protocol_id] [-action transform_list]
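The following is an added example, not part of the HP-UX IPSec guide or of HP's tools. It writes a constructed ipsec_config batch file containing one tunnel policy and the host policy that references it, then checks that every tunnel policy name referenced by a host or gateway policy is actually defined with both tunnel endpoints. The addresses, policy names, the transform name ESP_AES128_HMAC_SHA1, the -tunnel option of the host policy, and the batch-file convention of writing the command-line arguments without the ipsec_config prefix are all assumptions made for this example.

```shell
#!/bin/sh
# Write a constructed batch file: a host-to-gateway tunnel policy plus the host
# policy that selects traffic into it. All values are assumed, for illustration.
write_batch() {
  cat >"$1" <<'EOF'
# tunnel endpoints: this host (10.1.1.10) and the remote security gateway
add tunnel tun_gw -tsource 10.1.1.10 -tdestination 10.2.2.1 -action ESP_AES128_HMAC_SHA1
# host policy for the subnet behind the gateway; -tunnel names the tunnel policy
# (the -tunnel option is assumed here, not taken from this page)
add host to_branch -source 10.1.1.10 -destination 10.2.2.0/24 -action ESP_AES128_HMAC_SHA1 -tunnel tun_gw
EOF
}

# Return 0 when every "-tunnel NAME" referenced by an "add host" or
# "add gateway" line has a matching "add tunnel NAME" line that carries both
# -tsource and -tdestination; return 1 (with a message on stderr) otherwise.
check_tunnels() {
  file=$1
  grep -E '^add (host|gateway) ' "$file" | grep -o -- '-tunnel [^ ]*' | awk '{print $2}' |
  while read -r name; do
    line=$(grep -E "^add tunnel $name( |\$)" "$file")
    if [ -z "$line" ]; then
      echo "ERROR: tunnel policy '$name' is referenced but never defined" >&2; exit 1
    fi
    case $line in *-tsource*) ;; *) echo "ERROR: $name has no -tsource" >&2; exit 1;; esac
    case $line in *-tdestination*) ;; *) echo "ERROR: $name has no -tdestination" >&2; exit 1;; esac
  done
}

# Stand-alone run: write the sample file and lint it before it would be loaded.
if [ "${0##*/}" = "tunnel_check.sh" ]; then
  f=$(mktemp); write_batch "$f"; check_tunnels "$f" && echo "batch file OK: $f"
fi
```
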