HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
same IPsec SA. Session-based keying incurs more overhead but provides more security and privacy. If you do not specify session-based keying, all packets using the same IPsec policy to the same remote system will share the same IPsec SA pair and cryptography keys.

You cannot specify the EXCLUSIVE flag with manual keys, or if the action is PASS or DISCARD.
MIPV6     Specifies that this IPsec policy is used for Mobile IPv6 packets. HP-UX IPSec checks the Mobile IPv6 binding cache for routing information. (This flag does not specify or affect any protocol specifications used when selecting the IPsec policy for a packet.)

To use IKE (dynamic keying) with a MIPv6 client, you must omit the -in and -out arguments. You must configure an IKE policy for the MIPv6 client. You can configure one IKE policy that is used by multiple MIPv6 clients by specifying the appropriate address prefix length. You must also configure an authentication record for each MIPv6 client. The authentication record must meet the following criteria:

    - The remote address (-remote argument) must specify the MIPv6 client's home address.
    - It must specify remote ID information (include the -rtype and -rid arguments).
    - The remote ID type (-rtype) cannot be IPV6. HP recommends that you specify USER-FQDN or FQDN for the remote ID type.
    - The exchange mode must be Aggressive Mode (-exchange AM).

In addition, the local system cannot be the initiator in IKE Phase 1 negotiations with Mobile IPv6 clients.

You cannot specify the MIPV6 flag with IPv4 addresses in the source and destination arguments.
NONE      No additional options.

Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
-in manual_key_SA_specification [-in manual_key_SA_specification]
-out manual_key_SA_specification [-out manual_key_SA_specification]

Specify the -in manual_key_SA_specification and -out manual_key_SA_specification arguments to use static, manual keys for the IPsec SAs. If the transform_list contains a nested AH and ESP transform, you must specify two -in manual_key_SA_specification arguments and two -out manual_key_SA_specification arguments.
The format of the manual_key_SA_specification is:

    type/spi/auth_key[/enc_key[/iv]]

where the values are defined as follows:

type      Type of IPsec transform. Acceptable values: AH (Authentication Header) or ESP (Encapsulating Security Payload).

spi       Security Parameters Index (SPI) number, used to identify the SA. You can specify the SPI in hexadecimal, prefixed by 0x, or decimal. For an inbound SA, the SPI must be unique on the local system within the SPIs assigned for each SA type (AH or ESP), must be outside the range for dynamic key SPI numbers, and must match the SPI configured on the remote system for the outbound SA. For an outbound SA, the SPI must match what is configured on the remote system for the inbound SA, and must be unique on the remote system.

          Range: Manual key SPI numbers must be outside the range for dynamic key SPI numbers. In installations using the default range for dynamic key SPI numbers (300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 - 4294967295.
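As an added illustration (not part of the manpage or of the HP-UX IPSec product), the following Python validator parses manual_key_SA_specification strings and applies the rules above: AH or ESP type, decimal or 0x-prefixed hexadecimal SPI, rejection of SPIs inside the default dynamic-key range, the two -in / two -out count for a nested AH+ESP transform, and inbound SPI uniqueness per SA type against a constructed set of locally assigned SPIs. Key strings are placeholders, and the dynamic range is the manpage default, which is assumed unchanged in the profile.

```python
DYNAMIC_SPI_RANGE = (300, 2500000)   # manpage default dynamic-key SPI range (assumed)
SPI_MAX = 4294967295                 # top of the manual inbound SPI range

def parse_spi(text):
    """SPI written in decimal or in hexadecimal with a 0x prefix."""
    if text[:2].lower() == "0x":
        return int(text, 16)
    if not text.isdigit():
        raise ValueError(f"bad SPI {text!r}: use decimal or 0x-prefixed hex")
    return int(text)

def parse_manual_sa(spec, dynamic_range=DYNAMIC_SPI_RANGE):
    """Parse one type/spi/auth_key[/enc_key[/iv]] string; reject a type other
    than AH/ESP, an SPI outside 1..SPI_MAX, or an SPI inside the dynamic range."""
    fields = spec.split("/")
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"expected type/spi/auth_key[/enc_key[/iv]], got {spec!r}")
    sa_type = fields[0].upper()
    if sa_type not in ("AH", "ESP"):
        raise ValueError(f"type must be AH or ESP, got {fields[0]!r}")
    spi = parse_spi(fields[1])
    if not 1 <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside 1-{SPI_MAX}")
    lo, hi = dynamic_range
    if lo <= spi <= hi:
        raise ValueError(f"SPI {spi} lies inside dynamic-key range {lo}-{hi}")
    return {"type": sa_type, "spi": spi, "auth_key": fields[2],   # key text not checked
            "enc_key": fields[3] if len(fields) > 3 else None,
            "iv": fields[4] if len(fields) > 4 else None}

def check_manual_sas(in_specs, out_specs, nested_ah_esp, local_inbound=()):
    """Validate the -in/-out set for one policy: two of each for a nested AH+ESP
    transform, else one of each; inbound (type, spi) must be unused locally."""
    need = 2 if nested_ah_esp else 1
    if len(in_specs) != need or len(out_specs) != need:
        raise ValueError(f"need {need} -in and {need} -out specifications")
    inbound = [parse_manual_sa(s) for s in in_specs]
    outbound = [parse_manual_sa(s) for s in out_specs]
    used = set(local_inbound)            # (type, spi) pairs already assigned locally
    for sa in inbound:
        key = (sa["type"], sa["spi"])
        if key in used:
            raise ValueError(f"inbound {key[0]} SPI {key[1]} already assigned locally")
        used.add(key)
    return inbound, outbound

if __name__ == "__main__":
    # Constructed sample: nested AH+ESP, inbound SPIs just past the dynamic range.
    ins = ["AH/0x2625A1/AUTHKEY-PLACEHOLDER", "ESP/2500002/AUTHKEY-PLACEHOLDER/ENCKEY-PLACEHOLDER"]
    outs = ["AH/0x10/AUTHKEY-PLACEHOLDER", "ESP/17/AUTHKEY-PLACEHOLDER/ENCKEY-PLACEHOLDER"]
    print(check_manual_sas(ins, outs, nested_ah_esp=True, local_inbound={("ESP", 2500001)}))
```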
HP-UX IPSec A.02.01 20 Hewlett-Packard Company 27