HP-UX IPSec version A.02.01 manpages
ipsec_config_add(1M)
(HP-UX IPSec Software Required)
Synopsis
ipsec_config add host host_policy_name
    [-nocommit|nc]
    [-prof[ile] profile_name]
    [-source|src ip_address[/prefix[/port_number|service_name]]]
    [-destination|dst ip_address[/prefix[/port_number|service_name]]]
    [-prot[ocol] protocol_id]
    [-pri[ority] priority_number]
    [-tun[nel] tunnel_policy_name]
    [-act[ion] PASS|DISCARD|transform_list]
    [-flags flags]
    [-in manual_key_sa_specification [-in manual_key_sa_specification]]
    [-out manual_key_sa_specification [-out manual_key_sa_specification]]
Description
Use the ipsec_config add host command to configure host IPsec policies. Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local system as an end host. To specify behavior for IP packets processed by the local system as a gateway (packets the local system forwards), use the ipsec_config add gateway command.

When an IPsec system sends a packet or receives a packet for an address on the local system, HP-UX IPSec searches the host IPsec policies in priority order and selects the first policy whose address, protocol, and port specifications match the packet. HP-UX IPSec then takes the action specified in the selected host IPsec policy.
The HP-UX IPSec configuration database includes a host IPsec policy named default. HP-UX IPSec uses the default host IPsec policy for a packet if no other host IPsec policy matches the packet. The default host IPsec policy shipped with HP-UX IPSec allows packets to pass in clear text (the -action argument value is PASS). You cannot delete the default host IPsec policy, or modify any of its argument values except the one for its behavior (the value of the -action argument). Use the following command to change the default host IPsec policy so that it discards packets:

     ipsec_config add host default -action DISCARD

Because every packet that no other host IPsec policy matches then falls through to the default policy, add host IPsec policies for any traffic the system must still accept (for example, remote administration sessions) before making this change. To change the default host IPsec policy back so that it passes packets in clear text, use the following command:

     ipsec_config add host default -action PASS
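The following is an added example, not code from HP-UX IPSec or from this manpage: a constructed Python model of the host-policy selection just described (first match in priority order, fall through to the reserved default policy whose only changeable attribute is its action). It also parses the ip_address[/prefix[/port_number|service_name]] filter syntax used by -source and -destination. Assumptions not stated on this page are marked in the code: that a lower priority_number is searched first, that an address given without a prefix is a single host, the small service-name table, and the placeholder transform-list string.

```python
"""Constructed model of HP-UX IPSec host-policy selection (added example, not HP-UX code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for service_name lookups (the real system consults /etc/services).
SERVICES = {"ssh": 22, "telnet": 23, "https": 443}


@dataclass(frozen=True)
class AddrFilter:
    network: ipaddress.IPv4Network   # ip_address/prefix
    port: Optional[int] = None       # None matches any port


def parse_addr_filter(spec: str) -> AddrFilter:
    """Parse ip_address[/prefix[/port_number|service_name]] as used by -source/-destination."""
    parts = spec.split("/")
    if len(parts) == 1:                                   # assumption: no prefix means one host (/32)
        return AddrFilter(ipaddress.IPv4Network(parts[0] + "/32"))
    net = ipaddress.IPv4Network(parts[0] + "/" + parts[1], strict=False)
    if len(parts) == 2:
        return AddrFilter(net)
    if len(parts) != 3:
        raise ValueError("bad address filter: " + spec)
    port = int(parts[2]) if parts[2].isdigit() else SERVICES[parts[2]]
    return AddrFilter(net, port)


def valid_name(name: str) -> bool:
    """host_policy_name: 1-63 ASCII alphanumerics, hyphens or underscores."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,63}", name) is not None


@dataclass
class HostPolicy:
    name: str
    priority: int                      # assumption: lower number is searched first
    action: str                        # "PASS", "DISCARD" or a transform_list string
    src: Optional[AddrFilter] = None   # None matches any address
    dst: Optional[AddrFilter] = None
    protocol: Optional[int] = None     # IP protocol number; None matches any


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def _filter_matches(f: Optional[AddrFilter], addr: str, port: Optional[int]) -> bool:
    if f is None:
        return True
    if ipaddress.IPv4Address(addr) not in f.network:
        return False
    return f.port is None or f.port == port


def matches(p: HostPolicy, pkt: Packet) -> bool:
    """Address, protocol and port specifications must all match the packet."""
    return ((p.protocol is None or p.protocol == pkt.protocol)
            and _filter_matches(p.src, pkt.src, pkt.sport)
            and _filter_matches(p.dst, pkt.dst, pkt.dport))


class HostPolicyDB:
    """User policies plus the reserved 'default' policy (only its action may change)."""

    def __init__(self) -> None:
        self.policies: List[HostPolicy] = []
        self.default_action = "PASS"   # as shipped: clear-text pass

    def add_host(self, policy: HostPolicy) -> None:
        if policy.name == "default":   # ipsec_config add host default -action PASS|DISCARD
            if policy.action not in ("PASS", "DISCARD"):
                raise ValueError("default policy action must be PASS or DISCARD")
            self.default_action = policy.action
            return
        if not valid_name(policy.name) or any(p.name == policy.name for p in self.policies):
            raise ValueError("invalid or duplicate host_policy_name: " + policy.name)
        self.policies.append(policy)

    def select(self, pkt: Packet) -> HostPolicy:
        """First matching policy in priority order, else the default policy."""
        for p in sorted(self.policies, key=lambda p: p.priority):
            if matches(p, pkt):
                return p
        return HostPolicy("default", 0, self.default_action)


def demo():
    """Show the lock-out hazard: flipping default to DISCARD drops everything without a policy."""
    db = HostPolicyDB()
    db.add_host(HostPolicy("ssh-in", 10, "PASS", dst=parse_addr_filter("10.1.1.5/32/ssh"), protocol=6))
    db.add_host(HostPolicy("db-esp", 20, "ESP_AES128_HMAC_SHA1",   # placeholder transform_list
                           src=parse_addr_filter("10.1.1.5"),
                           dst=parse_addr_filter("10.1.2.0/24/1521"), protocol=6))
    pkts = [Packet("192.0.2.7", "10.1.1.5", 6, 40001, 22),     # constructed: inbound ssh
            Packet("10.1.1.5", "10.1.2.9", 6, 40002, 1521),    # constructed: outbound db session
            Packet("192.0.2.7", "10.1.1.5", 6, 40003, 23)]     # constructed: inbound telnet, no policy
    before = [db.select(p).action for p in pkts]
    db.add_host(HostPolicy("default", 0, "DISCARD"))           # ipsec_config add host default -action DISCARD
    after = [db.select(p).action for p in pkts]
    return before, after
```

Running demo() shows the ssh and database packets keep their explicit actions in both states, while the telnet packet, which no user policy matches, is passed in clear text before the change and discarded after it.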
Options and Operands
The ipsec_config add host command recognizes the following options and operands:
host_policy_name
     The user-defined name for the host IPsec policy. This name must be unique for each host IPsec policy and is case-sensitive. The name default is reserved.
     Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).
-nocommit|nc
     The ipsec_config utility verifies the host IPsec policy, but does not add it to the configuration database. This argument is not valid if you are specifying an add host operation in a batch file.
-prof[ile] profile_name
     The name of the profile file containing default argument values for this policy. The argument values are evaluated once, when the policy is added to the configuration database. Values taken from the profile file become part of the configuration record for the policy. This argument is not valid if you are specifying an add host operation in a batch file.
     Maximum length: 1023 characters.
     Default: /var/adm/ipsec/.ipsec_profile.
-source|src ip_address[/prefix[/port_number|service_name]]
-destination|dst ip_address[/prefix[/port_number|service_name]]
     HP-UX IPSec uses the ip_address, prefix, and port_number or service_name together with the -protocol argument to form an address filter. HP-UX IPSec uses the address filter to select an
22 Hewlett-Packard Company − 15 − HP-UX IPSec A.02.01