HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
country
The two-character ISO 3166-1 code for the country in the DN, for example US for
United States of America.
organization
The organization of the DN, for example Hewlett-Packard. The maximum length is 64
characters.
organizationalUnit
organizationalUnit for the DN, for example Marketing. The maximum length is 64
characters.
Default: If remote_id_type and remote_id are not specified, HP-UX IPSec uses the
IPv4 or IPv6 source address of the IKE negotiation packets received from the
remote system.
-preshared|psk preshared_key
Specifies the preshared key used for IKE authentication. You must configure a
preshared key if you specified preshared key as the authentication method
(-authentication PSK) in the IKE policy for the remote system. This must
match the preshared key configured on the remote system.
Acceptable values: A text string, containing 1 - 128 ASCII characters. (Whitespace
is not allowed.) If you include shell special characters, you must quote them
if you are running ipsec_config from the command line. For example, "Hello*".
Examples
Configure an authentication record for preshared key authentication for remote system 10.2.2.2,
which is an HP-UX IPSec system with only one address (a non-multihomed system).
ipsec_config add auth -remote 10.2.2.2 \
-preshared my_hostA_hostB_key
Configure authentication records for preshared key authentication for a remote multihomed HP-UX IPSec
system, with addresses 10.8.8.8 and 11.8.8.8.
ipsec_config add auth -remote 10.8.8.8 \
-preshared my_hostA_hostX_key
ipsec_config add auth -remote 11.8.8.8 \
-preshared my_hostA_hostX_key
Configure an authentication record for RSA signature (security certificate) authentication with remote
system 192.1.1.1, which uses X.500 Distinguished Names (X500-DN) for ID types.
ipsec_config add auth -remote 192.1.1.1 -rtype X500-DN \
-rid "CN=hostn,C=US,O=My Co,OU=Home"
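The preshared key rules and the multihomed example above, as an added shell example that is not part of the HP-UX manpage: it checks a key against the documented 1 - 128 character, no-whitespace limit, quotes it for the shell, and prints one add auth command per remote address. The function names, the rejection of control characters and the address character check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the HP-UX manpage. It only prints commands.

# psk_valid KEY: succeed if KEY is 1 - 128 bytes of printable, non-space
# ASCII (0x21 - 0x7E). Rejecting control characters is this example's
# assumption; the manpage names only whitespace.
psk_valid() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d '\041-\176' | wc -c | tr -d ' ')
    [ "$len" -ge 1 ] && [ "$len" -le 128 ] && [ "$bad" -eq 0 ]
}

# sh_quote STRING: print STRING as a single-quoted shell word so that
# special characters such as * or $ reach ipsec_config unchanged.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# emit_psk_records KEY ADDR...: print one "add auth" command per address,
# each with the same key, as the multihomed example requires.
emit_psk_records() {
    key=$1
    shift
    if ! psk_valid "$key"; then
        echo "rejected: key must be 1-128 non-whitespace ASCII characters" >&2
        return 1
    fi
    for addr in "$@"; do
        # Assumption: addresses are plain IPv4 or IPv6 literals.
        case $addr in
            ''|*[!0-9A-Fa-f.:]*) echo "rejected address: $addr" >&2; return 1 ;;
        esac
    done
    quoted=$(sh_quote "$key")
    for addr in "$@"; do
        printf 'ipsec_config add auth -remote %s -preshared %s\n' "$addr" "$quoted"
    done
}

# Constructed sample keys; the addresses are the ones used in the examples above.
emit_psk_records 'Hello*' 10.8.8.8 11.8.8.8
emit_psk_records 'two words' 10.2.2.2 || true
```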
IPSEC_CONFIG ADD BYPASS COMMAND
Name
add bypass - configures entries in the HP-UX IPSec bypass list
Synopsis
ipsec_config add bypass | bp ip_address
Description
Use the ipsec_config add bypass command to configure entries in the HP-UX IPSec bypass list.
The bypass list specifies local addresses that IPSec will bypass or ignore. The system does not attempt to
find an IPsec policy for packets sent or received using an IP address in the bypass list, and the system
processes these packets as if HP-UX IPSec was not enabled.
The bypass list improves transmission rates for addresses in the bypass list. The bypass list is useful in
topologies where most of the network traffic passes in clear text and you only need to secure selected
traffic on specific interfaces.
HP recommends that you do not configure entries in the bypass list on systems that have public interfaces
(an interface connected to a public network), or on systems on which you are using HP-UX IPSec as a
filter or firewall to protect your network.
HP-UX IPSec A.02.01 6 Hewlett-Packard Company 13