HP-UX IPSec version A.02.01 manpages

ipsec_config_add(1M) ipsec_config_add(1M)
(HP-UX IPSec Software Required)
When HP-UX IPSec is the initiator in an IKE Phase 1 negotiation, or the responder in an IKE Phase 1
negotiation using Main Mode, it searches for an authentication record by comparing the remote IP
address in the IP packet header with the remote address field in the authentication record. If a remote
system is multihomed, you must configure an authentication record for each of the remote system’s IP
addresses.
When HP-UX IPSec is the responder in an IKE Phase 1 negotiation using Aggressive Mode, it searches
for an authentication record by comparing the IKE ID payload sent by the peer with the remote ID in the
authentication record.
If HP-UX IPSec cannot find an authentication record, or if the authentication record does not specify a
local ID, the IKE daemon sets the local ID to the local IP address. If the local system is multihomed, it sets
the local ID to the IP address of the interface the IKE daemon uses to communicate with the peer.
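As an added illustration, not HP-UX code, the following Python models the three lookup rules above (address match for the initiator and the Main Mode responder, IKE ID match for the Aggressive Mode responder, and the local ID fallback) together with the longest-prefix tie-break the -remote operand describes; the record layout and sample entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthRecord:
    """Constructed model of an 'ipsec_config add auth' record (not HP-UX's own structure)."""
    name: str                          # auth_name
    remote: str                        # -remote ip_addr/prefix
    remote_id: Optional[str] = None    # remote ID compared with the peer's IKE ID payload
    local_id: Optional[str] = None     # local ID; None means "not specified"

def _matches(record: AuthRecord, remote_ip: str) -> bool:
    """True when the significant bits of the packet's remote IP equal the record's ip_addr/prefix."""
    net = ipaddress.ip_network(record.remote, strict=False)
    addr = ipaddress.ip_address(remote_ip)
    return addr.version == net.version and addr in net

def find_by_address(records, remote_ip):
    """Initiator, or Main Mode responder: compare the packet's remote IP with the
    remote address field; when several records match, the most specific one
    (longest prefix length) wins."""
    candidates = [r for r in records if _matches(r, remote_ip)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: ipaddress.ip_network(r.remote, strict=False).prefixlen)

def find_by_ike_id(records, peer_ike_id):
    """Aggressive Mode responder: compare the IKE ID payload sent by the peer
    with the remote ID in the record."""
    for r in records:
        if r.remote_id is not None and r.remote_id == peer_ike_id:
            return r
    return None

def effective_local_id(record, local_iface_ip):
    """No record, or a record without a local ID: the local ID becomes the
    address of the interface used to reach the peer."""
    if record is None or record.local_id is None:
        return local_iface_ip
    return record.local_id

# Constructed sample records: a /16 subnet record, a more specific host record inside it, and an IPv6 peer.
SAMPLE_RECORDS = [
    AuthRecord("branch_net", "10.1.0.0/16", remote_id="branch.example.com", local_id="hq.example.com"),
    AuthRecord("branch_gw", "10.1.2.3/32"),
    AuthRecord("v6_peer", "2001:db8::/64", remote_id="v6peer.example.com"),
]
```

Note that a multihomed peer needs one record per address, as the text states; the host record above covers only 10.1.2.3.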
Options and Operands
The ipsec_config add auth command recognizes the following options and operands.
auth_name
Specifies the user-defined name for the authentication record. This name must be unique for
each authentication record and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character,
hyphen (-), or underscore (_).
-nocommit|nc
The ipsec_config utility verifies the authentication record, but does not add it to the
configuration database. This option is not valid if you are specifying an add auth operation
in a batch file.
-rem[ote] ip_addr[/prefix]
Specifies the IP address and network prefix length that specifies the remote system or subnet
for this authentication record. The values for ip_addr and prefix are defined as follows:
ip_addr
Specifies the IP address of the remote system.
Each ip_addr and prefix combination (the significant bits of the ip_addr, as
specified by prefix) must be unique. If the remote system's IP address matches multiple
IP address and prefix combinations, HP-UX IPSec uses the authentication
record with the most specific address (longest prefix length).
If the remote system is a Mobile IPv6 client, specify the client's authorized Home
Address for ip_addr.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6
address in colon-hexadecimal notation. HP-UX IPSec does not support unspecified
IPv6 addresses. However, you can use the double-colon (::) notation within a
specified IPv6 address to denote a number of zeros (0) within an address. The
address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
Default: None.
prefix
Specifies the prefix length, or the number of leading bits, that must match when
comparing an IP address of the remote system with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both
addresses must match. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both
addresses must match. Use a value less than 128 to specify a subnet address filter.
The following table shows the range and default for IPv4 and IPv6 addresses. The
defaults apply to non-zero addresses.
Type Range Default
HP-UX IPSec A.02.01 2 Hewlett-Packard Company 9