HP-UX IPSec version A.02.01 manpages
ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
-tsource|tsrc tunnel_address
-tdestination|tdst tunnel_address
The IP address for the tunnel endpoint. The -tsource tunnel_address is the local tunnel
endpoint; the -tdestination tunnel_address is the remote tunnel endpoint.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in
colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the tunnel
source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses.
However, you can use the double-colon (::) notation within a specified IPv6 address to denote a
number of zeros (0) within an address. The address must be a unicast address.
Default: If you are using manual keys, the -tsource and -tdestination arguments are
required. If you are not using manual keys and you omit the -tsource option, ipsec_config
uses the IP address and prefix from the -source option for the -tsource address; if you omit
the -tdestination option, ipsec_config uses the IP address and prefix from the -destination
option for the -tdestination address.
-source|src ip_address[/prefix[/port_number|service_name]]
-destination|dst ip_address[/prefix[/port_number|service_name]]
HP-UX IPSec uses the ip_addr, prefix, and port_number or service_name with the -protocol
argument to form an address identifier. When negotiating IPsec tunnel SAs, HP-UX
IPSec uses the source address identifier as the proxy ID parameters for outbound SAs, and
uses the destination address identifier as the proxy ID parameters for inbound SAs. The proxy
ID parameters must exactly match the proxy ID parameters on the remote system.
If you are using manual keys with an IPv6 ESP transform, HP-UX IPSec also uses the address
identifier to verify the address fields in the original (host-to-host) packet. For an outbound
tunneled packet (the local address is the source address in the tunnel packet header), HP-UX
IPSec verifies the source address identifier with the source address fields in the original
packet, and the destination address identifier with the destination address fields in the
original packet. For an inbound tunneled packet (the local address is the destination address in
the tunnel packet header), HP-UX IPSec verifies the source address identifier with the
destination address fields in the original packet, and the destination address identifier with the
source address fields in the original packet.
Default: If you do not specify ip_addr, prefix, port_number, or service_name, ipsec_config
uses the value of the source or destination parameter in the TunnelPolicy-Defaults
section of the profile file used. The default value for source and destination is
0.0.0.0/0/0 (match any IPv4 address, any port) in /var/adm/ipsec/.ipsec_profile.
Where the values are defined as follows:
ip_addr
The proxy (end system) source or destination IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6
address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must
be the same for the proxy source and destination address. HP-UX IPSec does not
support unspecified IPv6 addresses. However, you can use the double-colon (::)
notation within a specified IPv6 address to denote a number of zeros (0) within an
address. The address cannot be a broadcast, subnet broadcast, multicast, or
anycast address.
prefix
Specifies the prefix length, or the number of leading bits that must match when
comparing the IP address of a packet with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
addresses must match. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both
addresses must match. Use a value less than 128 to specify a subnet address filter.
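Added example (not part of the HP-UX manpage and not HP code): a Python pre-check of -source and -destination values against the rules stated above, including the inbound/outbound role swap described for manual keys with an IPv6 ESP transform. The function names are hypothetical, the sample addresses are constructed, and the port_number or service_name field is parsed but not compared.

```python
import ipaddress

def parse_identifier(value):
    """Split ip_address[/prefix[/port_number|service_name]] into (address, prefix, port)."""
    parts = value.split("/")
    if not 1 <= len(parts) <= 3 or "" in parts:
        raise ValueError(f"malformed address identifier: {value!r}")
    addr = ipaddress.ip_address(parts[0])
    prefix = int(parts[1]) if len(parts) > 1 else None  # None: value comes from the profile file
    port = parts[2] if len(parts) > 2 else None         # port number or service name, kept as text
    if prefix is not None and not 0 <= prefix <= addr.max_prefixlen:
        raise ValueError(f"prefix out of range in {value!r}")
    return addr, prefix, port

def check_pair(source, destination):
    """Return the manpage rules that a -source/-destination pair breaks (empty list = none)."""
    src, dst = parse_identifier(source)[0], parse_identifier(destination)[0]
    problems = []
    if src.version != dst.version:
        problems.append("source and destination must both be IPv4 or both be IPv6")
    for name, addr in (("source", src), ("destination", dst)):
        if addr.version == 6 and addr.is_unspecified:
            problems.append(f"{name}: unspecified IPv6 address is not supported")
        if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
            problems.append(f"{name}: broadcast or multicast address")
        # Subnet broadcast and anycast depend on interface configuration; not checked here.
    return problems

def matches(identifier, packet_ip):
    """Prefix comparison: the leading `prefix` bits of packet_ip must equal those of ip_addr."""
    addr, prefix, _ = parse_identifier(identifier)
    if prefix is None:
        raise ValueError("prefix omitted; this sketch does not read the profile defaults")
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return ipaddress.ip_address(packet_ip) in net

def inner_packet_ok(src_id, dst_id, pkt_src, pkt_dst, outbound):
    """Manual keys + IPv6 ESP check on the original packet; identifiers swap roles inbound."""
    if outbound:
        return matches(src_id, pkt_src) and matches(dst_id, pkt_dst)
    return matches(src_id, pkt_dst) and matches(dst_id, pkt_src)

if __name__ == "__main__":
    # Constructed sample values (documentation prefixes), not taken from the manpage.
    print(check_pair("2001:db8:1::/48/0", "192.0.2.0/24/0"))
    print(inner_packet_ok("2001:db8:1::/48", "2001:db8:2::/48",
                          "2001:db8:2::9", "2001:db8:1::5", outbound=False))
```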
HP-UX IPSec A.02.01, Hewlett-Packard Company