HP-UX IPSec version A.02.01 Administrator's Guide
Aggressive Mode is quicker and requires the peers to exchange fewer
packets, but is less secure because the peers exchange identity
information in clear text.
The IKE protocol specification requires Main Mode support;
Aggressive Mode support is optional.
You configure Aggressive Mode in authentication records using the
option -exchange AM in the ipsec_config add auth command.
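
The clear-text identity exposure described above, shown as an added example (not taken from this guide or from HP-UX IPSec): a parser that reads the IKEv1 ISAKMP header of a captured datagram and, when the payload chain is unencrypted, extracts any Identification payload. Field layouts and numeric values follow RFC 2408 and RFC 2407; the sample datagrams and the name client.example.test are constructed.

```python
import struct

# Values from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode"}
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}
PAYLOAD_ID = 5
FLAG_ENCRYPTED = 0x01


def inspect_ike(datagram: bytes) -> dict:
    """Report the exchange type and any identity readable without keys."""
    if len(datagram) < 28:
        raise ValueError("shorter than an ISAKMP header")
    next_payload, _ver, exch, flags, _msgid, length = struct.unpack(
        "!BBBBII", datagram[16:28])
    result = {"exchange": EXCHANGE.get(exch, f"type {exch}"),
              "encrypted": bool(flags & FLAG_ENCRYPTED), "identities": []}
    if result["encrypted"]:
        return result  # payload chain is ciphertext, nothing to walk
    offset, end = 28, min(length, len(datagram))
    while next_payload != 0 and offset + 4 <= end:
        nxt, _, plen = struct.unpack("!BBH", datagram[offset:offset + 4])
        if plen < 4 or offset + plen > end:
            raise ValueError("malformed payload length")
        if next_payload == PAYLOAD_ID and plen >= 8:
            # ID body: type (1), protocol (1), port (2), then the identity
            kind = ID_TYPES.get(datagram[offset + 4], "other")
            result["identities"].append(
                (kind, datagram[offset + 8:offset + plen]))
        next_payload, offset = nxt, offset + plen
    return result


def _payload(next_payload: int, body: bytes) -> bytes:
    return struct.pack("!BBH", next_payload, 0, len(body) + 4) + body


def build(exch: int, flags: int, first: int, payloads: bytes) -> bytes:
    """Assemble a constructed sample datagram with dummy cookies."""
    return b"\x11" * 8 + b"\x00" * 8 + struct.pack(
        "!BBBBII", first, 0x10, exch, flags, 0, 28 + len(payloads)) + payloads


# Constructed samples: Aggressive Mode message 1 (SA, KE, Nonce, ID) and a
# Main Mode message 5, where the ID payload is sent encrypted.
AM_MSG1 = build(4, 0, 1, _payload(4, b"\x00" * 8) + _payload(10, b"\xaa" * 16)
                + _payload(5, b"\xbb" * 16)
                + _payload(0, b"\x02\x11\x01\xf4" + b"client.example.test"))
MM_MSG5 = build(2, FLAG_ENCRYPTED, 5, b"\xcc" * 32)
```

Calling inspect_ike(AM_MSG1) returns the FQDN identity, while inspect_ike(MM_MSG5) reports an encrypted message with no readable identity, which is the difference to look for when auditing captures for Aggressive Mode use.
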
• HP-UX IPSec now supports autoconfiguration clients (clients with
dynamically assigned IP addresses, such as IPv6 stateless
autoconfiguration clients, and DHCP and DHCPv6 clients). To
specify an autoconfiguration client, use the AUTOCONF flag in the
ipsec_config add host or add gateway command. See Chapter 4,
“Configuring HP-UX IPSec,” on page 89 for more information.
You must use IKE Aggressive Mode with autoconfiguration clients
because these clients do not have fixed IP addresses.
• HP-UX IPSec now supports IKE (dynamic keys) with Mobile IPv6
clients. You must use Aggressive Mode if you are using IKE with
Mobile IPv6 clients because these clients send packets using Mobile
IPv6 Care-of Addresses, which are not fixed.
• The bypass list can now contain IPv6 addresses.
• HP-UX IPSec now supports generic utilities and methods for
configuring and using security certificates instead of providing
vendor-specific methods. The following changes are related to the
change to generic certificate support:
— The ipsec_mgr GUI is no longer supported. The ipsec_config
command supports the following new commands to configure
certificate-related information:
    — ipsec_config add csr: Creates a Certificate Signing
    Request (CSR) that the administrator submits to the
    Certificate Authority (CA) to get a signed certificate for the
    local system.
    — ipsec_config add certificate: Adds certificates for the
    local system and the CA to the HP-UX IPSec storage scheme.