HP-UX IPSec version A.02.01 Administrator's Guide
HP-UX IPSec and HP-UX Mobile IPv6
Configuration Overview
Appendix F 287
In installations using the HP-UX IPSec default range for dynamic key
SPI numbers (300 - 2500000), the ranges for inbound manual key SPI
numbers are 1 - 299 and 2500001 - 4294967295.
auth_key is the hexadecimal authentication key, prefixed by 0x. For MD5, auth_key is 32 hexadecimal digits. For SHA-1, auth_key is 40 hexadecimal digits. The key must match what is configured on the remote system.

enc_key is the hexadecimal encryption key, prefixed by 0x. For DES, enc_key is 16 hexadecimal digits (64 bits). For 3DES, enc_key is 48 hexadecimal digits (192 bits). For AES128, enc_key is 32 hexadecimal digits (128 bits). The key must match what is configured on the remote system.

iv is the Initialization Vector (IV): a hexadecimal (prefixed by 0x), 64-bit initial block used for cipher block chaining encryption. The IV must match what is configured on the remote system. The default value for iv is 0x0000000000000000.
Selecting Encryption Keys
You should configure strong, random encryption keys for manual key SAs. If you are using DES or 3DES encryption and the key is not sufficiently strong, ipsec_config reports an error message similar to one of the following:

Weak DES encryption key: 0xhhhh...
Weak 3DES encryption key: 0xhhhh...
Using the HP-UX Strong Random Number Generator
One way to generate strong encryption keys is to use the HP-UX Strong Random Number Generator product, available at no cost from the HP Software Depot (http://software.hp.com). After you have installed the HP-UX Strong Random Number Generator, you can generate a random number and use the od utility to display an ASCII string of the hexadecimal digits by executing the following command sequence:

od -Ax -Nnn /dev/random

nn is the number of bytes to extract from the random number generator. For example, the following command extracts and displays a 24-byte random number for a 3DES encryption key:

od -Ax -N24 /dev/random
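The following script, added here as an illustration and not part of the HP-UX guide or the ipsec_config product, wraps the od approach above: it draws exactly the number of bytes each algorithm needs, prints them as the 0x-prefixed digit string the auth_key and enc_key parameters expect, and sanity-checks a key (prefix, hex digits, length) before it is pasted into a configuration. It uses od -An -tx1 rather than -Ax so that the output is hex bytes without an offset column; the /dev/urandom fallback and the single-DES weak-key list (the four classic DES weak keys) are the script's own assumptions, not a description of how ipsec_config performs its check.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): generate manual-key SA key material
# of the length the guide specifies and sanity-check a key before pasting it
# into ipsec_config. Assumes /dev/random as on the page; the weak-key test
# below is the classic single-DES weak-key list, not ipsec_config's own code.

# Hex digits the guide specifies per algorithm (auth_key / enc_key).
key_hex_digits() {
  case "$1" in
    md5)    echo 32 ;;   # 128-bit HMAC-MD5 key
    sha1)   echo 40 ;;   # 160-bit HMAC-SHA-1 key
    des)    echo 16 ;;   # 64-bit DES key
    3des)   echo 48 ;;   # 192-bit 3DES key
    aes128) echo 32 ;;   # 128-bit AES key
    *)      echo "unknown algorithm: $1" >&2; return 1 ;;
  esac
}

# Read the required number of bytes from the kernel RNG as 0x-prefixed hex.
# -An drops od's offset column and -tx1 prints one hex byte per field,
# so the joined output is the digit string ipsec_config expects.
gen_key() {
  digits=$(key_hex_digits "$1") || return 1
  src=/dev/random
  [ -r "$src" ] || src=/dev/urandom   # assumption: fallback where /dev/random is absent
  hex=$(od -An -tx1 -N"$((digits / 2))" "$src" | tr -d ' \n')
  echo "0x$hex"
}

# Reject a key that lacks the 0x prefix, is not hex, has the wrong length,
# or (single DES only) is one of the four DES weak keys.
check_key() {
  want=$(key_hex_digits "$1") || return 1
  case "$2" in 0x*) ;; *) echo "key must start with 0x" >&2; return 1 ;; esac
  body=$(printf '%s' "${2#0x}" | tr 'A-F' 'a-f')
  case "$body" in *[!0-9a-f]*|"") echo "key is not hexadecimal" >&2; return 1 ;; esac
  if [ "${#body}" -ne "$want" ]; then
    echo "expected $want hex digits for $1, got ${#body}" >&2; return 1
  fi
  if [ "$1" = des ]; then
    case "$body" in
      0101010101010101|fefefefefefefefe|1f1f1f1f0e0e0e0e|e0e0e0e0f1f1f1f1)
        echo "Weak DES encryption key: $2" >&2; return 1 ;;
    esac
  fi
  return 0
}
```

Run `gen_key 3des` to obtain a 48-digit enc_key value, then `check_key 3des 0x...` on the value you intend to configure on both systems.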