HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
To use IKE (dynamic keying) with a MIPv6 client, you must omit the -in and -out arguments. You must configure an IKE policy for the MIPv6 client. You can configure one IKE policy that is used by multiple MIPv6 clients by specifying the appropriate address prefix length. You must also configure an authentication record for each MIPv6 client. The authentication record must meet the following criteria:

     The remote address (-remote argument) must specify the MIPv6 client's home address.

     It must specify remote ID information (include the -rtype and -rid arguments).

     The remote ID type (-rtype) cannot be IPV6. HP recommends that you specify USER-FQDN or FQDN for the remote ID type.

     The exchange mode must be Aggressive Mode (-exchange AM).

In addition, the local system cannot be the initiator in IKE Phase 1 negotiations with Mobile IPv6 clients.

You cannot specify the MIPV6 flag with IPv4 addresses in the source and destination arguments.
NONE      No additional options.

Default: The value of the -flags parameter in the GWPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
-homeclear|hc interface_name
     Only valid if the flag MIPV6 is configured. Specifies the name of the physical interface that is the home link for the Mobile IPv6 system(s). Use the -homeclear option for gateway IPsec policies configured on a Mobile IPv6 Home Agent that specify a tunnel between the Mobile Node and the Home Agent (local system) when forwarding packets between the Mobile Node and the Correspondent Node. The -homeclear option specifies that the local system will not use a tunnel if it is sending or receiving packets using interface_name (the home link). This provides better performance when the Mobile Node is attached to the home link. Packets exchanged over the home link are therefore not protected by the tunnel policy, so the home link must be one you trust to carry that traffic without it.

     Acceptable values: Physical interface name, 1 - 15 characters, in the format lanppa where ppa is the physical point of attachment or card instance; for example, lan0. Logical interface names (such as lan0:1) are not allowed.
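Two of the constraints above, the physical interface name format required by -homeclear and the rule that the MIPV6 flag cannot be combined with IPv4 source or destination addresses, are easy to violate from a provisioning script before ipsec_config ever rejects them. The POSIX shell functions below are an added pre-flight check written for this page; they are not part of HP-UX IPSec, the function names are this example's own, and the IPv6 test is a syntactic screen (a colon present, only hex digits and colons, optional /prefixlen) rather than a full address parser.

```shell
#!/bin/sh
# Pre-flight checks for -homeclear and -flags MIPV6 arguments.
# Added example, not HP-UX IPSec code; function names are assumptions.

# Return 0 if $1 is an acceptable -homeclear value: "lan" followed by a
# numeric ppa, 1-15 characters total, and no ":n" logical-interface suffix.
check_homeclear_iface() {
    name=$1
    case "$name" in
        *:*) return 1 ;;                 # logical interface (lan0:1) rejected
    esac
    [ ${#name} -ge 1 ] && [ ${#name} -le 15 ] || return 1
    case "$name" in
        lan[0-9]*) ;;                    # must start with lan and a digit
        *) return 1 ;;
    esac
    ppa=${name#lan}
    [ -n "$ppa" ] || return 1
    case "$ppa" in
        *[!0-9]*) return 1 ;;            # ppa must be all digits
    esac
    return 0
}

# Return 0 if $1 looks like an IPv6 literal, optionally with /prefixlen.
# Syntactic screen only: at least one colon, hex digits and colons otherwise.
is_ipv6_addr() {
    addr=${1%%/*}
    case "$addr" in
        *:*) ;;
        *) return 1 ;;                   # no colon: IPv4 or not an address
    esac
    case "$addr" in
        *[!0-9a-fA-F:]*) return 1 ;;
    esac
    return 0
}

# Validate a gateway policy's -flags value against its -source and
# -destination: when MIPV6 is set, both addresses must be IPv6.
check_mipv6_policy() {
    flags=$1; src=$2; dst=$3
    case "$flags" in
        *MIPV6*) ;;
        *) return 0 ;;                   # constraint applies only to MIPV6
    esac
    is_ipv6_addr "$src" && is_ipv6_addr "$dst"
}

# Demonstration with the addresses used in this manpage's own example.
check_mipv6_policy MIPV6 0::0 3ffe::83ff:fef7:2222 && echo "to_mobile_node: addresses OK for MIPV6"
check_homeclear_iface lan0 && echo "lan0: acceptable -homeclear interface"
```

Run the checks before invoking ipsec_config; a nonzero return from either function means the command would be rejected for the reason the manpage gives.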
Examples
     The local system (3ffe::83ff:fef7:1111) is a Mobile IPv6 Home Agent for the Mobile Node 3ffe::83ff:fef7:2222. Configure the local system to forward all Mobile IPv6 protocol packets (protocol MH) between the Mobile Node and any Correspondent Node through the IPsec tunnel my_mipv6_tunnel. You must configure two gateway IPsec policies for this topology: one for the data path between the Home Agent and the Mobile Node, and one for the data path between the Home Agent and the Correspondent Node.

     The my_mipv6_tunnel endpoints are the Mobile Node and the local system (Home Agent). The command for configuring my_mipv6_tunnel is listed in the examples for the ipsec_config add tunnel command.

     ipsec_config -add gateway to_mobile_node -source 0::0 \
          -destination 3ffe::83ff:fef7:2222 \
          -protocol MH -pri 200 -tunnel my_mipv6_tunnel -flags MIPV6

     ipsec_config -add gateway to_cn -source 3ffe::83ff:fef7:2222 \
          -destination 0::0 \
          -protocol MH -pri 210 -action FORWARD -flags MIPV6
IPSEC_CONFIG ADD HOST COMMAND
Name
add host - configure host IPsec policies
HP-UX IPSec A.02.01 14 Hewlett-Packard Company 21