HP-UX IPSec version A.02.01 Administrator's Guide

Configuring HP-UX IPSec
Step 4: Configuring Preshared Keys Using Authentication Records
HP-UX IPSec does not support unspecified IPv6 addresses. However, you
can use the double-colon (::) notation within a specified IPv6 address to
denote a number of zeros (0) within an address. The address cannot be a
broadcast, subnet broadcast, multicast, or anycast address.
Default: None.
prefix
The prefix is the prefix length, or the number of leading bits
that must match when comparing the remote IP address with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in
both addresses must match. This prefix length is equivalent to an
address mask of 255.255.255.255. Use a value less than 32 to specify a
subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits
in both addresses must match. Use a value less than 128 to specify a
subnet address filter.
WARNING Specifying a subnet address filter and a preshared key allows
you to configure a single preshared key for an entire subnet.
However, HP strongly recommends that you configure an
individual authentication record for each remote system with a
unique preshared key.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are
using manual keys, prefix must be 32 if ip_addr is an IPv4 address or
128 if ip_addr is an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a
non-zero IPv6 address, or 0 (match any address) if ip_addr is an
all-zeros address (0.0.0.0 or 0::0).
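
The following Python sketch is an added example, not part of the HP guide or of HP-UX IPSec. It applies the prefix range, default, and manual-key rules above and flags records whose preshared key would cover more than one remote system. The function names, record names, and sample records are assumptions constructed for illustration.

```python
import ipaddress

def effective_prefix(ip_addr, prefix=None, manual_keys=False):
    """Prefix length applied to ip_addr under the range/default rules above."""
    addr = ipaddress.ip_address(ip_addr)
    full = addr.max_prefixlen              # 32 for IPv4, 128 for IPv6
    if prefix is None:
        # Default: 0 (match any) for an all-zeros address, otherwise full length.
        prefix = 0 if int(addr) == 0 else full
    if not 0 <= prefix <= full:
        raise ValueError(f"prefix {prefix} out of range 0 - {full}")
    if manual_keys and prefix != full:
        raise ValueError(f"manual keys require prefix {full}")
    return prefix

def matches(remote, ip_addr, prefix=None):
    """True if the leading `prefix` bits of remote equal those of ip_addr."""
    r, a = ipaddress.ip_address(remote), ipaddress.ip_address(ip_addr)
    if r.version != a.version:
        return False
    shift = a.max_prefixlen - effective_prefix(ip_addr, prefix)
    return int(r) >> shift == int(a) >> shift

def shared_key_records(records):
    """Names of records whose preshared key covers more than one remote system."""
    flagged = []
    for name, ip_addr, prefix in records:
        full = ipaddress.ip_address(ip_addr).max_prefixlen
        if effective_prefix(ip_addr, prefix) < full:
            flagged.append(name)
    return flagged

# Constructed sample records: (name, ip_addr, prefix or None for the default).
SAMPLE_RECORDS = [
    ("host_a", "10.1.1.5", None),        # default 32: one host
    ("branch_net", "10.1.2.0", 24),      # one key shared by a /24 subnet
    ("any_peer", "0.0.0.0", None),       # default 0: matches any address
    ("host_v6", "2001:db8::1", 128),     # one host
    ("lab_v6", "2001:db8:1::", 64),      # one key shared by a /64 subnet
]

if __name__ == "__main__":
    print(shared_key_records(SAMPLE_RECORDS))
    print(matches("10.1.2.77", "10.1.2.0", 24), matches("10.1.3.77", "10.1.2.0", 24))
```
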
-exchange AM|MM
Specifies the exchange mode for the IKE Phase 1 negotiation. This must
match what is configured on the remote system.
Acceptable Values: AM (Aggressive Mode) or MM (Main Mode).
Aggressive Mode does not provide identity protection (the IKE peers
exchange identity information before establishing a secure channel), but
it is more efficient.