HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
-pri[ority] priority_number
Specifies the priority value HP-UX IPSec will use when selecting a gateway IPsec policy. (A lower priority value has a higher priority.) The priority must be unique for each gateway IPsec policy.

Range: 1 - 2147483647.

Default: If you do not specify a priority, ipsec_config assigns a priority value that is set to the current highest priority value (lowest priority) for gateway IPsec policies in the configuration database, incremented by the automatic priority increment value (priority) for gateway IPsec policies specified in the GWPolicy-Defaults section of the profile file used. (This policy will be the last policy evaluated before the default policy.) The default automatic priority increment value (priority) is 10 in /var/adm/ipsec/.ipsec_profile.

If this is the first gateway IPsec policy created, ipsec_config uses the automatic priority increment value as the priority.

-tunnel tunnel_policy_name
The name of the tunnel IPsec policy that defines the IPsec tunnel that the local system will use when forwarding packets that use this policy (the tunnel between the local system and the destination address).

You cannot specify the -tunnel option and the -action option in the same policy.

-act[ion] FORWARD|FW|DISCARD
Specifies the action HP-UX IPSec will perform on outbound packets (packets from the local system to the destination address) using this policy.

You cannot specify the -tunnel option and the -action option in the same policy.

You can specify the following actions:

FORWARD|FW Forward packets in clear text using this gateway IPsec policy.

DISCARD Discard packets using this gateway IPsec policy. This is the default action.

Default: The action defined for the action parameter in the GWPolicy-Defaults section of the profile file used. The default definition for action is FORWARD in /var/adm/ipsec/.ipsec_profile.

-flags flags
Additional options for this policy. Join multiple flags with a plus sign (+). You can set the following flags:

AUTOCONF Specifies that this IPsec policy is used for clients that use stateless or stateful address autoconfiguration. To use HP-UX IPSec with autoconfiguration clients, you must also configure the following items:

An IKE policy with a remote address and prefix that matches the autoconfiguration address pool. The authentication method can be RSA signatures (-auth RSASIG) or preshared keys (-auth PKEY).

An authentication record that specifies Aggressive Mode for the exchange mode (-exchange AM) and specifies remote ID information (-rtype and -rid arguments). You can configure one authentication record for multiple autoconfiguration clients that use a common preshared key. However, HP strongly recommends that you configure an individual authentication record for each remote system with a unique preshared key.

In addition, the local system cannot be the initiator in IKE Phase 1 negotiations with autoconfiguration clients.

MIPV6 Specifies that this IPsec policy is used for Mobile IPv6 (MIPv6) packets. HP-UX IPSec checks the Mobile IPv6 binding cache for routing information. (This flag does not specify or affect any protocol specifications for the source_address or destination_address used when selecting the IPsec policy for a packet.)
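
The following is an added example, not part of the HP manual page or of HP-UX IPSec: a pre-flight check that applies the -priority, -tunnel/-action and -flags rules described above to a planned gateway policy and reports where the policy would fall in evaluation order. The function names, the exact-case matching of actions and flags, and the sample priorities are assumptions made for illustration.

```python
# Added illustration: models only the rules stated in this manual page.
PRIORITY_MIN, PRIORITY_MAX = 1, 2147483647
ACTIONS = {"FORWARD": "FORWARD", "FW": "FORWARD", "DISCARD": "DISCARD"}
PAGE_FLAGS = {"AUTOCONF", "MIPV6"}  # only the flags described in this section


def default_priority(existing, increment=10):
    """Value assigned when -priority is omitted: the current highest
    priority value plus the automatic increment, or the increment itself
    for the first gateway policy (10 in /var/adm/ipsec/.ipsec_profile)."""
    return max(existing) + increment if existing else increment


def check_gateway_policy(existing, priority=None, tunnel=None,
                         action=None, flags=None, increment=10):
    """Hypothetical helper: return (resolved settings, list of problems)."""
    problems = []
    if tunnel is not None and action is not None:
        problems.append("-tunnel and -action cannot be in the same policy")
    if priority is None:
        priority = default_priority(existing, increment)
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        problems.append(f"priority {priority} is outside 1 - 2147483647")
    elif priority in existing:
        problems.append(f"priority {priority} is already in use")
    if action is not None:
        if action in ACTIONS:  # assumption: keywords matched in exact case
            action = ACTIONS[action]
        else:
            problems.append(f"unknown action {action!r}")
    flag_list = flags.split("+") if flags else []
    for flag in flag_list:
        if flag not in PAGE_FLAGS:
            problems.append(f"flag {flag} is not described in this section")
    # Lower value = higher priority, so this is the policy's 1-based position
    # in evaluation order once it is added.
    position = sorted(set(existing) | {priority}).index(priority) + 1
    return ({"priority": priority, "tunnel": tunnel, "action": action,
             "flags": flag_list, "position": position}, problems)


if __name__ == "__main__":
    used = [10, 20, 50]  # constructed sample: priorities already configured
    print(check_gateway_policy(used, action="FW", flags="AUTOCONF+MIPV6"))
    print(check_gateway_policy(used, priority=20, tunnel="t1", action="DISCARD"))
```

A policy added without -priority always resolves to the last position, so a DISCARD rule that must take effect before an existing FORWARD rule needs an explicit, lower priority value.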
20 Hewlett-Packard Company 13 HP-UX IPSec A.02.01