HP-UX IPSec version A.02.01 manpages
ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
IPsec policy for a packet. Specify a local IP address in the source address filter. For an outbound packet, HP-UX IPSec compares the source address filter with the source address fields in the packet, and the destination address filter with the destination address fields in the packet. For an inbound packet, HP-UX IPSec compares the source address filter specification with the destination address fields in the packet, and the destination address filter with the source address fields in the packet.
Default: If you do not specify ip_addr, prefix, port_number, or service_name, ipsec_config uses the value of the source or destination parameter in the HostPolicyDefaults section of the profile file used. The default value for source and destination is 0.0.0.0/0/0 (match any IPv4 address, any port) in /var/adm/ipsec/.ipsec_profile.
The address filter is defined with the following values:
ip_addr
    The source or destination IP address.
    Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
    If you are using manual keys, ip_addr cannot be a wildcard address (0.0.0.0 or 0::0).
prefix
    The prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr. You must specify prefix if you specify port_number or service_name.
    For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. Use a value less than 32 to specify a subnet address filter.
    For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.
    The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero addresses.
        Type    Range      Default
        IPv4    0 - 32     32 (0 for all-zero addresses)
        IPv6    0 - 128    128 (0 for all-zero addresses)
    The default prefix is zero (0) if the address is all zeros.
    If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
port
    The upper-layer protocol (TCP or UDP) port number. Specify the upper-layer protocol with the -protocol argument described below.
    Acceptable values: 0 - 65535. 0 indicates all ports. The value of the -protocol argument must be TCP or UDP if port is not zero.
    Default: 0 (all ports).
service_name
    A character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and the -protocol argument in the same policy.
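The following is an added example, not part of this manpage and not HP-UX IPSec code. It models the address filter semantics described above in Python: parsing ip_addr/prefix/port with the documented prefix and port defaults, the direction-dependent comparison (source filter against the packet's destination fields for inbound packets), and the manual-key constraints on wildcard addresses and prefix length. The packet dictionaries, the filter strings and the function names are constructed for illustration; the example does not call ipsec_config or read the profile file.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class AddrFilter:
    """One side of a policy: ip_addr/prefix/port as the manpage describes it."""
    addr: IPAddr
    prefix: int
    port: int  # 0 means all ports


def full_prefix(addr: IPAddr) -> int:
    """Prefix length meaning 'all bits must match': 32 for IPv4, 128 for IPv6."""
    return 32 if addr.version == 4 else 128


def parse_filter(spec: str) -> AddrFilter:
    """Parse 'ip_addr', 'ip_addr/prefix' or 'ip_addr/prefix/port' (constructed syntax).

    Applies the manpage defaults: an omitted prefix is 0 for an all-zero address
    and the full length (32 or 128) otherwise; an omitted port is 0 (all ports).
    Multicast and the limited broadcast address are rejected; subnet broadcast and
    anycast addresses cannot be recognised from the address alone and are not checked.
    """
    parts = spec.split("/")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad filter syntax: {spec!r}")
    addr = ipaddress.ip_address(parts[0])
    if addr.is_multicast or addr == ipaddress.IPv4Address("255.255.255.255"):
        raise ValueError(f"{addr} is a multicast or broadcast address")
    maxlen = full_prefix(addr)
    prefix = int(parts[1]) if len(parts) >= 2 else (0 if int(addr) == 0 else maxlen)
    port = int(parts[2]) if len(parts) == 3 else 0
    if not 0 <= prefix <= maxlen:
        raise ValueError(f"prefix {prefix} out of range 0-{maxlen}")
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range 0-65535")
    return AddrFilter(addr, prefix, port)


def validate_pair(src: AddrFilter, dst: AddrFilter, manual_keys: bool = False) -> List[str]:
    """Return the violations of the manpage's source/destination constraints (empty if none)."""
    problems: List[str] = []
    if src.addr.version != dst.addr.version:
        problems.append("source and destination must both be IPv4 or both be IPv6")
    if manual_keys:
        for name, f in (("source", src), ("destination", dst)):
            if int(f.addr) == 0:
                problems.append(f"{name}: wildcard address not allowed with manual keys")
            if f.prefix != full_prefix(f.addr):
                problems.append(f"{name}: prefix must be {full_prefix(f.addr)} with manual keys")
    return problems


def filter_matches(f: AddrFilter, addr: str, port: int) -> bool:
    """True if addr lies within f.addr/f.prefix and the port matches (f.port 0 = any)."""
    a = ipaddress.ip_address(addr)
    if a.version != f.addr.version:
        return False
    net = ipaddress.ip_network((f.addr, f.prefix), strict=False)
    return a in net and (f.port == 0 or f.port == port)


def policy_matches(src: AddrFilter, dst: AddrFilter, pkt: Dict, direction: str) -> bool:
    """Apply a source/destination filter pair to a packet the way the manpage describes.

    pkt is a constructed dict: {"src": ..., "sport": ..., "dst": ..., "dport": ...}.
    Outbound: source filter vs packet source, destination filter vs packet destination.
    Inbound:  source filter vs packet destination, destination filter vs packet source,
    because the source filter always names the local address.
    """
    if direction == "out":
        return (filter_matches(src, pkt["src"], pkt["sport"])
                and filter_matches(dst, pkt["dst"], pkt["dport"]))
    if direction == "in":
        return (filter_matches(src, pkt["dst"], pkt["dport"])
                and filter_matches(dst, pkt["src"], pkt["sport"]))
    raise ValueError(f"direction must be 'in' or 'out', got {direction!r}")


if __name__ == "__main__":
    # Constructed policy: local host 192.168.1.5, any port, to telnet (23) anywhere in 10/8.
    local = parse_filter("192.168.1.5/32/0")
    remote = parse_filter("10.0.0.0/8/23")
    out_pkt = {"src": "192.168.1.5", "sport": 40000, "dst": "10.2.3.4", "dport": 23}
    reply = {"src": "10.2.3.4", "sport": 23, "dst": "192.168.1.5", "dport": 40000}
    print(policy_matches(local, remote, out_pkt, "out"))   # True
    print(policy_matches(local, remote, reply, "in"))      # True: filters swap sides
    print(validate_pair(remote, local, manual_keys=True))  # /8 prefix rejected for manual keys
```

The same two filters accept both the outgoing connection and its reply only because policy_matches swaps the filters for inbound traffic; evaluating the reply as if it were outbound fails, which is the behaviour the manpage's inbound rule is there to avoid.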
HP-UX IPSec A.02.01 − 16 − Hewlett-Packard Company 23