HP-UX IPSec version A.02.01 Administrator's Guide
Quick Configuration Procedure and Tips
Configuration Tips and Reminders
This section contains configuration tips.
• Minimum Configuration Requirements
If you are using preshared keys for IKE authentication, your
configuration must contain at least the following three objects:
— Host IPsec policy
— IKE policy
— Authentication record (this contains the preshared key)
• Policy Order and Selection
HP-UX IPSec searches host IPsec policies and IKE policies in priority
order (within each type of policy) and uses the first policy that
matches. Lower priority values have higher priority (priority value 1
is the highest priority), so a more specific policy must be given a
lower priority value than a general one that would also match.
See “Host Policy Order and Selection” on page 102 and “IKE Policy
Order and Selection” on page 123 for more information.
• Mirror Host IPsec policies for client-server applications
Host IPsec policies are bi-directional, but most client-server
applications still require two host IPsec policies. Client-server
network services typically use dynamically assigned port numbers for
clients and a static, well-known port number for the daemon on the
server, so a single policy that names the server port on one side
matches only the sessions in which that side is the server. If you
want to secure both inbound service requests (the local system is the
server) and outbound requests from your system (the local system is
the client), you must configure two host IPsec policies: one for
inbound requests to the static server port on the local system and
one for outbound requests to the static server port on the remote
system or systems.
For example, the following host IPsec policy secures only rlogin
sessions initiated from the local system, 10.10.10.10, to the system
10.20.20.20:
ipsec_config add rlogin_to_10.20.20.20 \
-source 10.10.10.10 -destination 10.20.20.20/RLOGIN \
-action ESP_AES128_HMAC_SHA1
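As an added example (not from the HP-UX IPSec guide), the following POSIX shell script generates the mirrored policy pair for any client-server service and checks a saved list of ipsec_config add commands for services that have a policy in only one direction. It uses only the ipsec_config syntax shown above and assumes, as the rlogin example does, that -source names the local system and -destination the remote system; the policy names <service>_to_<peer> and <service>_from_<peer> and the function names are hypothetical. The commands are printed, not executed, so the script runs on any system.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide. Emits the mirrored pair of
# host IPsec policies a client-server service needs, using only the
# ipsec_config syntax shown on the page. Assumption: -source is the local
# system's address and -destination the remote system's, as in the rlogin
# example; the policy names <service>_to_<peer> / <service>_from_<peer> are
# hypothetical. Commands are printed, not executed.

# mirror_policy LOCAL_IP REMOTE_IP SERVICE ACTION
mirror_policy() {
    local_ip=$1; remote_ip=$2; service=$3; action=$4
    lc=$(printf '%s' "$service" | tr 'A-Z' 'a-z')
    # Outbound requests: the local system is the client, so the well-known
    # port sits on the remote (-destination) side.
    printf 'ipsec_config add %s_to_%s -source %s -destination %s/%s -action %s\n' \
        "$lc" "$remote_ip" "$local_ip" "$remote_ip" "$service" "$action"
    # Inbound requests: the local system is the server, so the well-known
    # port sits on the local (-source) side.
    printf 'ipsec_config add %s_from_%s -source %s/%s -destination %s -action %s\n' \
        "$lc" "$remote_ip" "$local_ip" "$service" "$remote_ip" "$action"
}

# unmirrored < FILE
# Reads saved "ipsec_config add" lines on stdin and prints each
# <peer>/<SERVICE> that has a policy in only one direction, i.e. one that
# would leave either inbound or outbound requests unprotected.
# Prints nothing when every service is mirrored.
unmirrored() {
    awk '
    /^ipsec_config add / {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-source")      src = $(i + 1)
            if ($i == "-destination") dst = $(i + 1)
        }
        # The address carrying "/SERVICE" is the server side of that policy.
        if (split(src, s, "/") == 2) {
            seen[dst "/" s[2]] = seen[dst "/" s[2]] " in"
        } else if (split(dst, d, "/") == 2) {
            seen[dst] = seen[dst] " out"
        }
    }
    END {
        for (k in seen)
            if (seen[k] !~ / in/ || seen[k] !~ / out/)
                print k " has only" seen[k]
    }'
}

# Constructed sample: rlogin is mirrored, telnet has only the outbound policy.
{
    mirror_policy 10.10.10.10 10.20.20.20 RLOGIN ESP_AES128_HMAC_SHA1
    printf 'ipsec_config add telnet_to_10.20.20.20 -source 10.10.10.10 -destination 10.20.20.20/TELNET -action ESP_AES128_HMAC_SHA1\n'
} | unmirrored
# prints: 10.20.20.20/TELNET has only out
```

Run it against a file of your own `ipsec_config add` commands (one per line) with `unmirrored < policies.txt`; every line it prints names a peer and service for which one direction of the client-server exchange will not be matched by a host IPsec policy.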