HP-UX IPSec version A.02.01 Administrator's Guide

Appendix B: Interoperability

Linux

HP-UX IPSec can interoperate with Linux IPsec implementations that
are based on Linux FreeSWAN version 1.96 or later.

The following are limitations of Linux FreeSWAN that affect
interoperability with HP-UX IPSec:

• Linux FreeSWAN does not support DES encryption. If you are
  configuring an HP-UX IPSec system to interoperate with a Linux
  FreeSWAN system, you can use 3DES encryption or AES encryption
  with the appropriate FreeSWAN cryptographic algorithm patch.

• Linux FreeSWAN does not support port and protocol specified IPsec
  rules. You must configure the HP-UX IPSec policies with wildcard
  port and protocol values (port 0 and protocol ANY). See “Step 1:
  Configuring Host IPsec Policies” on page 102 for details on
  configuring HP-UX IPSec rules.

• Linux FreeSWAN does not delete Security Associations (SAs) when it
  receives ISAKMP INITIAL-CONTACT notify messages. The
  administrator must manually delete any SAs established with the
  HP-UX system that sent the INITIAL-CONTACT notify message.

The following is a limitation of HP-UX IPSec that affects interoperability
with Linux FreeSWAN:

• HP-UX IPSec does not support Perfect Forward Secrecy (PFS) for
  keys only. By default, Linux FreeSWAN is configured to use PFS for
  keys only. You must explicitly turn off PFS (pfs=no) when
  configuring the Linux FreeSWAN system to interoperate with
  HP-UX.
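
The limitations above can be checked before a connection is brought up. The following Python script is an added example, not code from this guide or from FreeSWAN: it scans ipsec.conf text and reports conn sections that leave PFS enabled, propose DES, or set port/protocol selectors. The sample configuration, the function names and the leftprotoport/rightprotoport keywords are assumptions.

```python
# Added example, not HP or FreeSWAN code. SAMPLE is a constructed ipsec.conf.
SAMPLE = """\
conn %default
    authby=secret

conn hp_bad
    type=transport
    esp=des-md5-96
    leftprotoport=tcp/23

conn hp_ok
    type=transport
    esp=3des-md5-96
    pfs=no
"""

def parse_conns(text):
    """Return {name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section headers start in column 1
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def hpux_interop_findings(text):
    """Return sorted (conn, issue) pairs that break the HP-UX limits above."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, own in conns.items():
        opts = {**defaults, **own}  # conn %default supplies unset values
        if opts.get("pfs", "yes").lower() != "no":  # PFS is on unless disabled
            findings.append((name, "pfs-not-disabled"))
        for proposal in opts.get("esp", "").split(","):
            if proposal.strip().lower().split("-")[0] == "des":
                findings.append((name, "des-encryption"))
        # Assumption: leftprotoport/rightprotoport are the selector keywords
        # of later FreeSWAN-derived releases; HP-UX needs wildcard selectors.
        for key in ("leftprotoport", "rightprotoport"):
            if key in opts:
                findings.append((name, "port-protocol-selector:" + key))
    return sorted(findings)
```

A pfs=no line placed in conn %default is inherited by every section, so it clears the PFS finding for all of them.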

Configuration Example

The following is an example of a Linux FreeSWAN configuration in
/etc/ipsec.conf. The file is properly configured to interoperate with
HP-UX IPSec using preshared key authentication:

conn hp_sample
    type=transport
    left=192.12.12.23
    leftnexthop=192.12.12.1