HP-UX IPSec version A.02.01 Administrator's Guide

Configuring HP-UX IPSec
Step 3: Configuring IKE Policies
Complete this step only if you are using dynamic keys for IPsec. You do
not need to configure IKE policies if you are using only manual keys for
IPsec, or if you are using HP-UX IPSec only to discard packets. If you are
not using dynamic keys, go to “Step 6: Configuring the Bypass List (Local
IP Addresses)” on page 140.
HP-UX IPSec uses the parameters in an IKE policy when using the IKE
protocol to establish IKE Security Associations (SAs) with remote
systems. IPsec uses IKE SAs to negotiate IPsec SAs; an IKE SA must
exist with a remote system before IPsec can negotiate IPsec SAs.
You must have at least one IKE policy if you are using dynamic keys for
IPsec. If HP-UX IPSec cannot find an IKE policy with a remote address
specification that matches the remote system, the IKE SA negotiation
will fail.
HP recommends that you use an ipsec_config batch file to configure IKE
policies.
IKE Policy Order and Selection
When HP-UX IPSec searches for an IKE policy, it searches the IKE
policies in order of the value of the priority parameter for each policy
and selects the first policy whose IP address and prefix specifications
match the remote system's address.
Automatic Priority Increment
There are two ways to set the priority of an IKE policy:
• Specify the priority argument to explicitly set the priority.
• Omit the priority argument and have ipsec_config assign a
priority using the automatic priority increment value so that the new
policy is the last policy evaluated before the default policy.
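The selection and automatic-increment rules described above, as an added Python model (not HP's ipsec_config code). The increment value of 10, a default policy that matches any remote address and is evaluated last, and the policy names and addresses are constructed assumptions, not values from this guide:

```python
"""Model of IKE policy selection and automatic priority increment.
Added example, not HP's ipsec_config code; the increment value, policy
names and addresses below are constructed assumptions."""
import ipaddress
from typing import List, Optional

AUTO_PRIORITY_INCREMENT = 10  # assumed increment for host policies (constructed)


class IkePolicy:
    def __init__(self, name: str, remote: str, priority: int):
        self.name = name
        # Remote IP address and prefix length this policy applies to.
        self.remote = ipaddress.ip_network(remote, strict=False)
        self.priority = priority


class IkePolicyDb:
    """Configured IKE policies plus an optional default policy evaluated last."""

    def __init__(self, default: Optional[IkePolicy] = None):
        self.policies: List[IkePolicy] = []
        self.default = default  # assumption: default matches any remote address

    def add(self, name: str, remote: str, priority: Optional[int] = None) -> IkePolicy:
        """Add a policy. With priority omitted, use the current highest priority
        value (lowest priority) plus the automatic increment, so the new policy
        is the last configured policy evaluated before the default."""
        if priority is None:
            highest = max((p.priority for p in self.policies), default=0)
            priority = highest + AUTO_PRIORITY_INCREMENT
        policy = IkePolicy(name, remote, priority)
        self.policies.append(policy)
        return policy

    def select(self, remote_ip: str) -> Optional[IkePolicy]:
        """Walk policies in ascending priority value and return the first whose
        remote address/prefix contains remote_ip. None means no policy matches
        and the IKE SA negotiation would fail."""
        addr = ipaddress.ip_address(remote_ip)
        for policy in sorted(self.policies, key=lambda p: p.priority):
            if addr in policy.remote:
                return policy
        return self.default


if __name__ == "__main__":
    db = IkePolicyDb()
    db.add("branch", "10.1.0.0/16", priority=100)
    db.add("hostA", "10.1.2.3/32", priority=50)  # lower value, evaluated first
    db.add("any10", "10.0.0.0/8")                # auto priority: 100 + 10 = 110
    print(db.select("10.1.2.3").name, db.select("10.9.9.9").name, db.select("192.0.2.1"))
```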
If you omit the priority argument, ipsec_config assigns a priority
value that is set to the current highest priority value for IKE policies
(lowest priority) in the configuration database, incremented by the
automatic priority increment value for host policies. The result is that
the new policy will be the last IKE policy evaluated before the default