HP-UX IPSec version A.02.01 Administrator's Guide
Configuring HP-UX IPSec
Step 6: Configuring the Bypass List (Local IP Addresses)
Chapter 4, page 140
The bypass list specifies local IP addresses that IPsec will bypass or
ignore. The system will not attempt to find an IPsec policy for packets
sent or received using an IP address in the bypass list, and the system
will process these packets as if HP-UX IPSec were not enabled, so they
receive no IPsec protection.
Because the policy lookup is skipped, the bypass list improves
transmission rates for the addresses it contains. It is useful in
topologies where most of the network traffic passes in clear text and you
only need to secure selected traffic on specific interfaces.
If you do not need to configure bypass interfaces, go to “Step 7: Verifying
the Batch File Syntax” on page 143.
Logical Interfaces
An entry in the bypass interface list affects only the logical interface for
the IP address, not the physical interface (network card). If you have
multiple IP interfaces configured for a physical interface (for example,
lan0:0, lan0:1, and lan0:2) and you want IPsec to bypass all IP
addresses for that physical interface, you must enter all the IP addresses
for the physical interface in the bypass list.
Example
You have a critical application and must encrypt and authenticate its
network packets. All other IP traffic in the network can pass in clear
text. You configure additional logical interfaces (lan0:1) for the critical
application (16.1.1.1 and 16.2.2.2), and configure the critical application
to use only the specific logical interfaces. You can then configure the
remaining logical interfaces in the bypass list (15.1.1.1 and 15.2.2.2).
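The following is an added example, not part of the HP guide: a POSIX shell check of a planned bypass list against the logical-interface rule and the example above. The interface-to-address mapping (including the names lan1 and lan1:1) and the helper names are assumptions, and the input is plain constructed lists rather than the output of any HP-UX command.

```shell
#!/bin/sh
# Constructed sample data: logical interface name and its IP address.
# The addresses come from the example above; the lan1 names are assumed.
IFACES='lan0 15.1.1.1
lan0:1 16.1.1.1
lan1 15.2.2.2
lan1:1 16.2.2.2'
BYPASS='15.1.1.1 15.2.2.2'      # addresses planned for the bypass list
PROTECTED='16.1.1.1 16.2.2.2'   # addresses that must stay under IPsec policy

# bypass_coverage IFACES BYPASS (hypothetical helper)
# Prints "<physical interface> all|partial|none [addresses not bypassed]".
bypass_coverage() {
    printf '%s\n' "$1" | BYPASS_LIST="$2" awk '
        BEGIN {
            n = split(ENVIRON["BYPASS_LIST"], b)
            for (i = 1; i <= n; i++) listed[b[i]] = 1
        }
        NF == 2 {
            phys = $1; sub(/:.*/, "", phys)     # lan0:1 -> lan0
            if (!(phys in total)) order[++k] = phys
            total[phys]++
            if ($2 in listed) hit[phys]++
            else rest[phys] = rest[phys] " " $2
        }
        END {
            for (i = 1; i <= k; i++) {
                p = order[i]
                state = (hit[p] == total[p]) ? "all" : (hit[p] > 0 ? "partial" : "none")
                print p, state rest[p]
            }
        }'
}

# bypassed_protected PROTECTED BYPASS (hypothetical helper)
# Prints every protected address that was also put in the bypass list.
bypassed_protected() {
    for addr in $1; do
        for b in $2; do
            if [ "$addr" = "$b" ]; then echo "$addr"; fi
        done
    done
}

bypass_coverage "$IFACES" "$BYPASS"
bypassed_protected "$PROTECTED" "$BYPASS"
```

A physical interface reported as `partial` still has addresses subject to IPsec policy lookup, which is the intended result for the 16.x addresses here; any output from `bypassed_protected` means a protected address would be sent in clear text.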