HP-UX IPSec version A.02.01 Administrator's Guide

Configuring HP-UX IPSec
Step 2: Configuring Tunnel IPsec Policies
Chapter 4, page 120
CAUTION: Discarding or requiring ICMP messages for IPv4 (protocol value 1) to be encrypted or authenticated may cause connectivity problems. See Appendix A, "IPv4 ICMP Messages" on page 234 for more information.
-action transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulating Security Payload) headers. A transform list specifies the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the transform list when negotiating the transform for IPsec Security Associations (SAs) with a remote system.
The transforms in the transform_list of a tunnel policy are tunnel transforms, applied to the packets encapsulated between the tunnel endpoints.
If you are using dynamic keys, the transform list can contain:
- A list that contains up to 2 AH transforms
- A list that contains up to 8 ESP transforms
- A list that contains one nested transform (ESP nested inside of AH)

transform
Use a comma to separate multiple transform specifications. The order of transforms in the transform list is significant: the first transform is the most preferable and the last transform is the least preferable. At least one transform must match a transform configured on the remote system.
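The following is an added example, not code from the guide or from HP-UX IPSec: it parses a transform_list string using the per-transform format transform_name[/lifetime_seconds[/lifetime_kbytes]] given below, checks the dynamic-key limits (2 AH, 8 ESP), and picks the first transform in local preference order that the remote side also lists. The transform names, and the assumption that AH names begin with AH_ and ESP names with ESP_, are constructed for the example; the nested-transform syntax is not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Per-transform syntax from the guide: transform_name[/lifetime_seconds[/lifetime_kbytes]]
_TRANSFORM_RE = re.compile(r"^(?P<name>\w+)(?:/(?P<secs>\d+)(?:/(?P<kb>\d+))?)?$")

@dataclass(frozen=True)
class Transform:
    name: str
    lifetime_seconds: Optional[int] = None  # None means the system default applies
    lifetime_kbytes: Optional[int] = None

def parse_transform_list(text: str) -> List[Transform]:
    """Parse a comma-separated transform_list, keeping the preference order."""
    transforms = []
    for item in text.split(","):
        m = _TRANSFORM_RE.match(item.strip())
        if not m:
            raise ValueError(f"malformed transform specification: {item!r}")
        secs, kb = m.group("secs"), m.group("kb")
        transforms.append(Transform(m.group("name"), int(secs) if secs else None,
                                    int(kb) if kb else None))
    return transforms

def check_dynamic_key_limits(transforms: List[Transform]) -> None:
    """Enforce the dynamic-key limits: at most 2 AH and at most 8 ESP transforms.
    Assumption: AH names start with AH_ and ESP names with ESP_; a nested
    transform (syntax not shown on this page) is reported as unrecognised."""
    ah = sum(t.name.startswith("AH_") for t in transforms)
    esp = sum(t.name.startswith("ESP_") for t in transforms)
    if ah + esp != len(transforms):
        raise ValueError("transform list contains an unrecognised transform name")
    if ah > 2 or esp > 8:
        raise ValueError(f"{ah} AH / {esp} ESP transforms; limits are 2 AH and 8 ESP")

def select_common_transform(local: List[Transform],
                            remote: List[Transform]) -> Optional[Transform]:
    """First transform in the local preference order that the remote side also
    lists; None means no transform matches and the SA negotiation would fail."""
    remote_names = {t.name for t in remote}
    return next((t for t in local if t.name in remote_names), None)

if __name__ == "__main__":
    # Constructed sample lists; the transform names are assumed, not from the guide.
    local = parse_transform_list("ESP_AES128_HMAC_SHA1/28800/100000,ESP_3DES_HMAC_MD5/3600")
    check_dynamic_key_limits(local)
    print(select_common_transform(local, parse_transform_list("ESP_3DES_HMAC_MD5")))
```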
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
Where:
transform_name
A transform_name is a valid AH (Authentication Header) or ESP (Encapsulating Security Payload) transform name, as specified in Table 4-2, "ipsec_config Transforms," on page 109, or a nested AH and