HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
Mode, authenticated with HMAC-SHA1.)
ESP_NULL_HMAC_MD5
(ESP, with null encryption and authenticated with HMAC-MD5.)
ESP_NULL_HMAC_SHA1
(ESP, with null encryption and authenticated with HMAC-SHA1.)
AES128 is the most secure form of encryption, with performance comparable to or
better than DES and 3DES.
lifetime_seconds
The maximum lifetime for the IPsec SA, in seconds. A transform lifetime can be
specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec
considers the lifetime to be exceeded if either value is exceeded. HP recommends
that you do not specify an infinite lifetime_seconds (0) with a finite value for
lifetime_kbytes.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite) - 4294967295 seconds (approximately 497102
days).
Default: 28,800 (8 hours).
lifetime_kbytes
The maximum lifetime for the IPsec SA, measured by kilobytes transmitted or
received. A transform lifetime can be specified by time (seconds), and by kilobytes
transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if
either value is exceeded.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 5120 - 2147483647 kilobytes.
Default: 0 (infinite).
Note: HP recommends that you do not specify an infinite value for lifetime_seconds
(0) with a finite value for lifetime_kbytes.
-in manual_key_SA_specification [-in manual_key_SA_specification]
-out manual_key_SA_specification [-out manual_key_SA_specification]
Specify the -in manual_key_SA_specification and -out manual_key_SA_specification
arguments to use static, manual keys for the IPsec SAs. If the transform_list
contains a nested AH and ESP transform, you must specify two
-in manual_key_SA_specification arguments and two
-out manual_key_SA_specification arguments.
The format of the manual_key_SA_specification is:
type/spi/auth_key[/enc_key[/vi]]
where the values are defined as follows:
type Type of IPsec transform.
Acceptable values: AH (Authentication Header) or ESP (Encapsulating Security
Payload).
spi Security Parameters Index (SPI) number, used to identify the SA. You can specify
the SPI in hexadecimal (0xhhhhhhhh) or decimal. For an inbound SA, the SPI
must be unique on the local system within the SPIs assigned for each SA type (AH
or ESP), must be outside the range for dynamic key SPI numbers, and must match
the SPI configured on the remote system for the outbound SA.
For an outbound SA, the SPI must match what is configured on the remote system
for the inbound SA, and must be unique on the remote system.
Range: Manual key SPI numbers must be outside the range for dynamic key SPI
numbers. In installations using the default range for dynamic key SPI numbers
(300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and
2500001 - 4294967295.
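The following is an added example, not part of the HP manpage or of HP-UX IPSec: a pre-flight check that parses inbound manual_key_SA_specification strings and applies the SPI rules stated above. The function names are hypothetical, the key fields are constructed placeholders (key syntax is not checked), and the dynamic key range defaults to 300 - 2500000.

```python
import re

# Defaults quoted on the page; spi_min/spi_max can change the dynamic key range.
DYN_SPI_MIN, DYN_SPI_MAX = 300, 2500000
SPI_LIMIT = 4294967295
SPI_RE = re.compile(r"0[xX][0-9a-fA-F]{1,8}|[0-9]+")

def parse_spec(spec):
    """Parse type/spi/auth_key[/enc_key[/vi]] and return (type, spi)."""
    parts = spec.split("/")
    if not 3 <= len(parts) <= 5:
        raise ValueError("expected 3 to 5 '/'-separated fields")
    if parts[0] not in ("AH", "ESP"):
        raise ValueError("type must be AH or ESP")
    if not SPI_RE.fullmatch(parts[1]):
        raise ValueError("SPI must be 0xhhhhhhhh or decimal")
    if "" in parts[2:]:
        raise ValueError("empty field after the SPI")
    text = parts[1]
    spi = int(text, 16) if text[:2].lower() == "0x" else int(text, 10)
    return parts[0], spi

def check_inbound(specs, dyn_min=DYN_SPI_MIN, dyn_max=DYN_SPI_MAX):
    """Return a list of problems; messages never echo key material."""
    problems, seen = [], set()
    for n, spec in enumerate(specs, 1):
        try:
            sa_type, spi = parse_spec(spec)
        except ValueError as exc:
            problems.append(f"-in #{n}: {exc}")
            continue
        if not 1 <= spi <= SPI_LIMIT:
            problems.append(f"-in #{n}: SPI {spi} outside 1 - {SPI_LIMIT}")
        elif dyn_min <= spi <= dyn_max:
            problems.append(f"-in #{n}: SPI {spi} is inside the dynamic key range")
        elif (sa_type, spi) in seen:
            problems.append(f"-in #{n}: SPI {spi} already used for {sa_type}")
        seen.add((sa_type, spi))
    return problems

# Constructed sample input; AUTHKEY/ENCKEY are placeholders, not real key syntax.
SAMPLE_IN = [
    "AH/299/AUTHKEY",
    "ESP/299/AUTHKEY/ENCKEY",      # same number, different SA type: allowed
    "AH/0x12B/AUTHKEY",            # 0x12B == 299: duplicate AH SPI
    "ESP/0x12c/AUTHKEY/ENCKEY",    # 300: inside the default dynamic key range
    "ESP/2500001/AUTHKEY/ENCKEY",
    "IKE/5/AUTHKEY",               # not an IPsec transform type
]

if __name__ == "__main__":
    print("\n".join(check_inbound(SAMPLE_IN)))
```

Pass the site's own spi_min and spi_max values as dyn_min and dyn_max when the dynamic key range is not the default.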
Refer to the spi_min and spi_max parameters for the ipsec_config add startup
command for more information on the range for dynamic key SPI
38 Hewlett-Packard Company 31 HP-UX IPSec A.02.01