HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
ipsec_config add gateway default -action PASS
You must configure two gateway IPsec policies for each end-to-end source and destination address pair;
you configure one gateway IPsec policy for the data path between the gateway and each endpoint.
Options and Operands

    gateway_policy_name
        The user-defined name for the gateway IPsec policy. This name must be unique for each
        gateway IPsec policy and is case-sensitive. The name default is reserved.
        Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric
        character, hyphen (-), or underscore (_).
    -nocommit|nc
        The ipsec_config utility verifies the gateway IPsec policy, but does not add it to the
        configuration database. This argument is not valid if you are specifying an add gateway
        operation from a batch file.
    -prof[ile] profile_name
        The name of the profile file containing default argument values for this policy. The
        argument values are evaluated once, when the policy is added to the configuration
        database. Values used from the profile file become part of the configuration record for
        the policy. This argument is not valid if you are specifying an add gateway operation
        from a batch file.
        Maximum length: 1023 characters.
        Default: /var/adm/ipsec/.ipsec_profile
    -source|src ip_address[/prefix[/port_number|service_name]]
    -destination|dst ip_address[/prefix[/port_number|service_name]]
        HP-UX IPSec uses the ip_addr, prefix, and port_number or service_name with the protocol
        argument to form an address filter. HP-UX IPSec uses the address filter to select an
        IPsec policy for a packet.
        HP-UX IPSec compares the source address filter with the end-to-end source address fields
        in the packet, and the destination address filter with the end-to-end destination
        address fields in the packet. You must configure two gateway IPsec policies for each
        end-to-end source and destination address pair; you configure one gateway IPsec policy
        for the data path between the gateway and each endpoint.
        Default: If you do not specify ip_addr, prefix, port_number or service_name,
        ipsec_config uses the value of the source or destination parameter in the
        GWPolicy-Defaults section of the profile file used. The default value for source and
        destination is 0.0.0.0/0/0 (match any IPv4 address, any port) in
        /var/adm/ipsec/.ipsec_profile.
        ip_addr
            Source or destination IP address.
            Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address
            in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same
            for the source and destination address. HP-UX IPSec does not support unspecified
            IPv6 addresses. However, you can use the double-colon (::) notation within a
            specified IPv6 address to denote a number of zeros (0) within an address. The
            address cannot be a broadcast, subnet broadcast, multicast, or anycast address. If
            you are using manual keys, ip_addr cannot be a wildcard address (0.0.0.0 or 0::0).
        prefix
            Prefix length, or the number of leading bits that must match when comparing the IP
            address in a packet with ip_addr. You must specify prefix if you specify
            port_number or service_name.
            For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
            addresses must match. Use a value less than 32 to specify a subnet address filter.
            For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both
            addresses must match. Use a value less than 128 to specify a subnet address filter.
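The following Python is an added illustration, not part of this manpage or of HP-UX IPSec: it models how an address filter built from ip_addr, prefix and port_number is compared with a packet's end-to-end source and destination. The sample policies are constructed, and first-match ordering is an assumption of the example, not HP-UX IPSec's selection rule.

```python
import ipaddress

def parse_filter(spec):
    """Parse an ip_addr[/prefix[/port_number]] operand into (network, port).
    A missing prefix means a host address (32 or 128 bits); port 0 means any port."""
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError("expected ip_addr[/prefix[/port_number]]: " + spec)
    addr = ipaddress.ip_address(parts[0])
    full = 32 if addr.version == 4 else 128
    prefix = int(parts[1]) if len(parts) > 1 else full
    if not 0 <= prefix <= full:
        raise ValueError("prefix must be between 0 and %d: %s" % (full, spec))
    port = int(parts[2]) if len(parts) > 2 else 0
    # strict=False keeps only the leading prefix bits, so 10.1.1.5/24 is the 10.1.1.0/24 subnet
    return ipaddress.ip_network((parts[0], prefix), strict=False), port

def filter_matches(flt, pkt_addr, pkt_port):
    """True if a packet address/port passes the filter: same IP version, the leading
    prefix bits equal, and the port equal unless the filter port is 0 (any port)."""
    net, port = flt
    a = ipaddress.ip_address(pkt_addr)
    return a.version == net.version and a in net and port in (0, pkt_port)

def select_policy(policies, src, sport, dst, dport):
    """Return the name of the first policy whose source filter matches the packet's
    end-to-end source and whose destination filter matches its end-to-end destination.
    First-match order is an assumption of this example, not HP-UX IPSec's rule."""
    for name, src_flt, dst_flt in policies:
        if filter_matches(src_flt, src, sport) and filter_matches(dst_flt, dst, dport):
            return name
    return None

# Constructed sample policies (not from the manpage): a subnet filter, a host filter,
# a port-specific destination filter, and the profile default 0.0.0.0/0/0 (match any).
SAMPLE_POLICIES = [
    ("subnet_to_web", parse_filter("10.1.1.0/24"), parse_filter("192.168.5.7/32/443")),
    ("subnet_to_host", parse_filter("10.1.1.0/24"), parse_filter("192.168.5.7/32")),
    ("host_to_subnet", parse_filter("192.168.5.7/32"), parse_filter("10.1.1.0/24")),
    ("catch_all", parse_filter("0.0.0.0/0/0"), parse_filter("0.0.0.0/0/0")),
]
```

Note that an IPv6 packet matches none of the sample policies, because the 0.0.0.0/0/0 default is an IPv4 filter and the address type must agree.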
18 Hewlett-Packard Company 11 HP-UX IPSec A.02.01