HP-UX IPSec version A.02.01 manpages
ipsec_config_add(1M)
(HP-UX IPSec Software Required)
ESP_DES_HMAC_MD5
(ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode, authenticated with HMAC-MD5.)
ESP_DES_HMAC_SHA1
(ESP with 56-bit Data Encryption Standard, Cipher Block Chaining Mode, authenticated with HMAC-SHA1.)
ESP_NULL_HMAC_MD5
(ESP, with null encryption and authenticated with HMAC-MD5.)
ESP_NULL_HMAC_SHA1
(ESP, with null encryption and authenticated with HMAC-SHA1.)
AES128 is the most secure form of encryption, with performance comparable to or better than DES and 3DES.
lifetime_seconds
The maximum lifetime for the IPsec SA, in seconds. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded. HP recommends that you do not specify an infinite lifetime_seconds (0) with a finite value for lifetime_kbytes.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite) - 4294967295 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The maximum lifetime for the IPsec SA, measured by kilobytes transmitted or received. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 5120 - 2147483647 kilobytes.
Default: 0 (infinite).
Note: HP recommends that you do not specify an infinite value for lifetime_seconds (0) with a finite value for lifetime_kbytes.
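The lifetime rules above (either bound exceeded ends the SA, 0 means infinite, and the discouraged infinite-time/finite-volume combination) are easy to get wrong when generating policies from a script. The following added example, not part of the HP-UX IPSec manpage or product, models those rules as a pre-deployment check; the ranges and defaults are taken from the text, while the function names are this example's own.

```python
# Added example: validate lifetime_seconds / lifetime_kbytes against the
# manpage rules before a policy is applied, and model when an SA lifetime
# counts as exceeded. Function names are assumptions of this example.

INFINITE = 0                         # 0 means "no limit" for either parameter
DEFAULT_LIFETIME_SECONDS = 28_800    # manpage default: 8 hours
DEFAULT_LIFETIME_KBYTES = INFINITE   # manpage default: infinite


def validate_lifetimes(lifetime_seconds=DEFAULT_LIFETIME_SECONDS,
                       lifetime_kbytes=DEFAULT_LIFETIME_KBYTES):
    """Return a list of problems; an empty list means the values are acceptable.

    lifetime_seconds: 0 (infinite) or 1..4294967295
    lifetime_kbytes:  0 (infinite) or 5120..2147483647
    """
    problems = []
    if not 0 <= lifetime_seconds <= 4294967295:
        problems.append("lifetime_seconds out of range 0-4294967295")
    if lifetime_kbytes != INFINITE and not 5120 <= lifetime_kbytes <= 2147483647:
        problems.append("lifetime_kbytes must be 0 or in range 5120-2147483647")
    # The combination HP recommends against: an SA that never expires by time
    # but does expire by volume.
    if lifetime_seconds == INFINITE and lifetime_kbytes != INFINITE:
        problems.append("infinite lifetime_seconds with finite lifetime_kbytes "
                        "is not recommended")
    return problems


def lifetime_exceeded(age_seconds, kbytes_transferred,
                      lifetime_seconds=DEFAULT_LIFETIME_SECONDS,
                      lifetime_kbytes=DEFAULT_LIFETIME_KBYTES):
    """The SA lifetime is exceeded when EITHER configured bound is exceeded.

    A bound of 0 (infinite) is never exceeded.
    """
    time_hit = lifetime_seconds != INFINITE and age_seconds > lifetime_seconds
    volume_hit = (lifetime_kbytes != INFINITE
                  and kbytes_transferred > lifetime_kbytes)
    return time_hit or volume_hit


if __name__ == "__main__":
    # Constructed sample: a policy that expires only by volume.
    print(validate_lifetimes(lifetime_seconds=0, lifetime_kbytes=10240))
    print(lifetime_exceeded(age_seconds=30000, kbytes_transferred=512))
```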
-flags flags
Additional options for this policy. Join multiple flags with a plus sign (+).
AUTOCONF
Specifies that this IPsec policy is used for clients that use stateless or stateful address autoconfiguration. To use HP-UX IPSec with autoconfiguration clients, you must also configure the following items:
• An IKE policy with a remote address and prefix that matches the autoconfiguration address pool. The authentication method can be RSA signatures (-auth RSASIG) or preshared keys (-auth PKEY).
• An authentication record that specifies Aggressive Mode for the exchange mode (-exchange AM) and specifies remote ID information (-rtype and -rid arguments). You can configure one authentication record for multiple autoconfiguration clients that use a common preshared key. However, HP strongly recommends that you configure an individual authentication record for each remote system with a unique preshared key.
In addition, the local system cannot be the initiator in IKE Phase 1 negotiations with autoconfiguration clients.
EXCLUSIVE
Specifies session-based keying. Session-based keying uses a different pair of IPsec SAs per connection or session. Only packets with the same source IP address, destination IP address, network protocol, source port, and destination port will use the
26 Hewlett-Packard Company − 19 − HP-UX IPSec A.02.01