HP-UX IPSec version A.02.01 Administrator's Guide
HP-UX IPSec Configuration Examples
Subnet ESP with Exceptions
Appendix D
Carrot Configuration
The ipsec_config batch file on Carrot contains the following entries.
Host IPsec Policies
You configure four host IPsec policies on Carrot.
1. potato: accepts all packets to and from system Potato using
ESP-AES-HMAC-SHA1.
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to
pass in clear text. Notice how the 192.1.1.* network is specified in
the filter: the remote IP address is 192.1.1.0 and the prefix length is
24. The prefix length specifies the number of bits in the packet
address that must match the configured remote IP address,
beginning with the most significant bit.
add host pass_icmp -destination 192.1.1.0/24 \
-protocol ICMP -priority 30 -action pass
3. aes_lan: applies ESP-AES-HMAC-SHA1 authenticated ESP to all
packets in the 192.1.1.* network.
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
4. default: You modify the default host IPsec policy to discard all
other packets. To modify the default host IPsec policy, use the
following batch file entry:
add host default -action DISCARD
Policy Priority
Note the priority of the pass_icmp policy (30) and the aes_lan policy
(40). The pass_icmp policy MUST have a lower order number (higher
priority) than the aes_lan policy. This is because internal ICMP packets
will match both the pass_icmp and aes_lan policies, and assigning the
pass_icmp policy a lower order number causes IPsec to select the
pass_icmp policy for the ICMP packets instead of the aes_lan policy.
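The prefix-length matching described under pass_icmp and the ordering rule in the Policy Priority note can both be checked before the batch file is loaded. The following is an added example, not code from the HP-UX IPsec guide or the ipsec_config tool: it parses the four "add host" entries shown on this page and simulates policy selection for a packet (destination address and protocol), choosing the matching policy with the lowest priority number and falling back to the default policy. The matching semantics are modelled on the text's description and are an assumption of this example; the shadow_check helper, which reports a policy that a lower-numbered policy would always win over (the situation the note warns about), is also this example's own addition.

```python
"""Added example: simulate HP-UX IPsec host policy selection for Carrot.

Assumptions (not documented product internals): a packet matches a policy
when its destination address lies in the -destination prefix and the
-protocol (if given) matches; among all matching policies the lowest
-priority number wins; 'default' applies when nothing else matches.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the four batch-file entries transcribed from this page.
CARROT_BATCH = r"""
add host potato -destination 193.3.3.3 -priority 20 \
    -action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \
    -protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \
    -priority 40 -action ESP_AES128_HMAC_SHA1
add host default -action DISCARD
"""


@dataclass
class HostPolicy:
    name: str
    destination: Optional[ipaddress.IPv4Network]  # None for the default policy
    protocol: Optional[str]                       # None means any protocol
    priority: Optional[int]                       # None for the default policy
    action: str


def parse_batch(text: str) -> List[HostPolicy]:
    """Parse 'add host ...' entries; a trailing backslash continues the entry."""
    policies = []
    joined = text.replace("\\\n", " ")
    for line in joined.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["add", "host"]:
            continue
        name = tokens[2]
        # Remaining tokens come in '-option value' pairs.
        opts = {tokens[i].lstrip("-"): tokens[i + 1] for i in range(3, len(tokens), 2)}
        dest = opts.get("destination")
        policies.append(HostPolicy(
            name=name,
            # A bare address such as 193.3.3.3 becomes a /32 prefix (all 32 bits must match);
            # 192.1.1.0/24 keeps its prefix length of 24 bits.
            destination=ipaddress.ip_network(dest, strict=False) if dest else None,
            protocol=opts.get("protocol"),
            priority=int(opts["priority"]) if "priority" in opts else None,
            action=opts["action"],
        ))
    return policies


def matches(policy: HostPolicy, dst_ip: str, protocol: str) -> bool:
    """Prefix-length match on the destination plus an optional protocol match."""
    if policy.destination is None:
        return False  # the default policy is applied separately
    if ipaddress.ip_address(dst_ip) not in policy.destination:
        return False
    return policy.protocol is None or policy.protocol == protocol


def select_policy(policies: List[HostPolicy], dst_ip: str, protocol: str) -> Tuple[str, str]:
    """Return (policy name, action): lowest priority number among matches, else default."""
    candidates = [p for p in policies if matches(p, dst_ip, protocol)]
    if candidates:
        best = min(candidates, key=lambda p: p.priority)
        return best.name, best.action
    default = next(p for p in policies if p.name == "default")
    return default.name, default.action


def shadow_check(policies: List[HostPolicy]) -> List[Tuple[str, str]]:
    """Report (shadowed, by) pairs: policy 'by' has a lower order number, no stricter
    protocol filter, and a destination prefix covering everything 'shadowed' matches."""
    shadowed = []
    ranked = [p for p in policies if p.priority is not None]
    for a in ranked:
        for b in ranked:
            if b is a or b.priority >= a.priority:
                continue
            if b.protocol is not None and b.protocol != a.protocol:
                continue
            if a.destination.subnet_of(b.destination):
                shadowed.append((a.name, b.name))
    return shadowed


if __name__ == "__main__":
    carrot = parse_batch(CARROT_BATCH)
    for ip, proto in [("192.1.1.7", "ICMP"), ("192.1.1.7", "TCP"),
                      ("193.3.3.3", "TCP"), ("10.9.8.7", "TCP")]:
        print(ip, proto, "->", select_policy(carrot, ip, proto))
    print("shadowed policies:", shadow_check(carrot))
    # Constructed misconfiguration: give pass_icmp a higher order number than aes_lan.
    swapped = parse_batch(CARROT_BATCH.replace("-priority 30", "-priority 50"))
    print("with pass_icmp at 50:", select_policy(swapped, "192.1.1.7", "ICMP"),
          shadow_check(swapped))
```

With the priorities as configured on Carrot, an internal ICMP packet selects pass_icmp, other internal traffic selects aes_lan, traffic to Potato selects potato, and anything else hits the DISCARD default; shadow_check returns nothing. Raising pass_icmp to 50 makes aes_lan win for internal ICMP and shadow_check reports pass_icmp as shadowed by aes_lan, which is exactly the ordering mistake the note above describes.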
ipsec_config Batch File
The entire contents of the batch file on Carrot are as follows: