HP-UX IPSec Version A.03.00 Administrator's Guide

in descending order of preference. At least one encryption algorithm must match an encryption
algorithm configured on the remote system.
Valid Values:
AES128-CBC (128-bit Advanced Encryption Standard CBC)
3DES (triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC)
NULL (null encryption)
Default: The value of the encryption parameter in the IKEV2Policy-Defaults section of the
profile file used. The default encryption parameter value is 3DES in /var/adm/ipsec/.ipsec_profile.
-prf pseudo-random_function
The pseudo-random_function is the pseudo-random function (PRF) algorithm IKEv2 uses
when generating keying material. You can specify multiple pseudo-random_function values,
delimited by commas and no spaces, in descending order of preference. At least one PRF algorithm
must match a PRF algorithm configured on the remote system.
Valid Values:
HMAC-SHA1 (96-bit HMAC value using Secure Hash Algorithm-1, HMAC-SHA1)
AES-XCBC (128-bit value using Advanced Encryption Standard Extended Cipher Block Chaining mode Message Authentication Code, AES128-XCBC)
Default: The value of the prf parameter in the IKEV2Policy-Defaults section of the profile file
used. The default prf parameter value is HMAC-SHA1 in /var/adm/ipsec/.ipsec_profile.
-life lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IKEv2 SA, in seconds.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 497102 days).
Default: The value of the life parameter in the IKEV2Policy-Defaults section of the profile file
used. The default life parameter value is 28,800 (8 hours) in /var/adm/ipsec/.ipsec_profile.
-pfs ON|OFF
The -pfs argument specifies if Perfect Forward Secrecy (PFS) is enabled (ON) or disabled (OFF).
With PFS, the exposure of one key permits access only to data protected by that key. When PFS
is enabled, the IKE daemon performs a Diffie-Hellman exchange for all IKE and IPsec SA
negotiations after the initial IPsec SA pair is created, and a new Diffie-Hellman exchange for any
SA re-keying.
Default: The value of the pfs parameter in the IKEV2Policy-Defaults section of the profile file
used. The default pfs parameter value is OFF in /var/adm/ipsec/.ipsec_profile.
-priority priority_number
The priority_number is the priority value HP-UX IPSec uses when selecting an IKEv2 policy
(a lower priority value has a higher priority). The priority must be unique for each IKEv2 policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, ipsec_config assigns a priority value that is set to
the current highest priority value (lowest priority) for IKEv2 policies in the configuration database,
incremented by the automatic priority increment value (priority) for IKEv2 policies specified in
the IKEV2Policy-Defaults section of the profile file (this policy will be the last policy evaluated
before the default policy). The default automatic priority increment value (priority) is 10.
If this is the first IKEv2 policy created, ipsec_config uses the automatic priority increment
value as the priority.
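The following is an added illustration, not code from HP-UX IPSec or from this guide. It models two rules stated on this page: the preference-ordered algorithm lists for -encryption and -prf (comma-delimited, no spaces, at least one entry must match the remote system) and the automatic priority assignment used when -priority is omitted (first policy gets the increment; otherwise the current highest priority value plus the increment), together with the uniqueness check and the lowest-number-wins selection. The policy database, the profile-defaults dictionary and the function names are constructed for the example; the defaults mirror the values quoted above.

```python
"""Model of IKEv2 policy option handling as described in the ipsec_config reference.

Added example (not HP-UX code). It assumes a simple in-memory policy database
and a constructed stand-in for the IKEV2Policy-Defaults section of the profile file.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Valid values listed on the page for -encryption and -prf.
VALID_ENCRYPTION = {"AES128-CBC", "3DES", "NULL"}
VALID_PRF = {"HMAC-SHA1", "AES-XCBC"}

# Constructed stand-in for IKEV2Policy-Defaults in /var/adm/ipsec/.ipsec_profile,
# using the default values quoted in the reference text.
PROFILE_DEFAULTS = {
    "encryption": "3DES",
    "prf": "HMAC-SHA1",
    "life": 28800,      # seconds (8 hours)
    "pfs": "OFF",
    "priority": 10,     # automatic priority increment
}

MAX_PRIORITY = 2147483647
MAX_LIFE = 4294967294


@dataclass
class IKEv2Policy:
    name: str
    priority: int
    encryption: List[str]   # descending order of preference
    prf: List[str]          # descending order of preference
    life: int
    pfs: str


def parse_list(arg: str, valid: set) -> List[str]:
    """Parse a comma-delimited, no-spaces, preference-ordered option value."""
    values = arg.split(",")
    for v in values:
        if v not in valid:
            raise ValueError(f"invalid algorithm {v!r}")
    return values


def choose_algorithm(local_pref: List[str], remote_configured: List[str]) -> Optional[str]:
    """Return the local side's most-preferred algorithm that the remote also has configured.

    Returns None when no entry matches, which is the case the page warns about:
    at least one algorithm must match the remote system or negotiation fails.
    """
    remote = set(remote_configured)
    for alg in local_pref:
        if alg in remote:
            return alg
    return None


def next_priority(existing: List[IKEv2Policy], increment: int) -> int:
    """Automatic priority: increment for the first policy, else max(existing) + increment."""
    if not existing:
        return increment
    return max(p.priority for p in existing) + increment


def add_policy(db: Dict[str, IKEv2Policy], name: str, encryption: Optional[str] = None,
               prf: Optional[str] = None, life: Optional[int] = None,
               pfs: Optional[str] = None, priority: Optional[int] = None) -> IKEv2Policy:
    """Validate the options against the documented ranges and store the policy."""
    enc = parse_list(encryption, VALID_ENCRYPTION) if encryption else [PROFILE_DEFAULTS["encryption"]]
    prfs = parse_list(prf, VALID_PRF) if prf else [PROFILE_DEFAULTS["prf"]]
    life_s = PROFILE_DEFAULTS["life"] if life is None else life
    if not (life_s == 0 or 600 <= life_s <= MAX_LIFE):       # 0 (infinite) or 600 - 4294967294
        raise ValueError("life must be 0 or between 600 and 4294967294 seconds")
    pfs_v = (pfs or PROFILE_DEFAULTS["pfs"]).upper()
    if pfs_v not in ("ON", "OFF"):
        raise ValueError("pfs must be ON or OFF")
    if priority is None:
        priority = next_priority(list(db.values()), PROFILE_DEFAULTS["priority"])
    elif not 1 <= priority <= MAX_PRIORITY:
        raise ValueError("priority out of range 1 - 2147483647")
    if any(p.priority == priority for p in db.values()):
        raise ValueError("priority must be unique for each IKEv2 policy")
    policy = IKEv2Policy(name, priority, enc, prfs, life_s, pfs_v)
    db[name] = policy
    return policy


def select_policy(db: Dict[str, IKEv2Policy]) -> IKEv2Policy:
    """A lower priority value has a higher priority, so the smallest number is evaluated first."""
    return min(db.values(), key=lambda p: p.priority)


if __name__ == "__main__":
    db: Dict[str, IKEv2Policy] = {}
    add_policy(db, "branch")                                   # gets priority 10
    add_policy(db, "hq", encryption="AES128-CBC,3DES", priority=5)
    add_policy(db, "lab")                                      # gets priority 20
    print(select_policy(db).name, [p.priority for p in db.values()])
    print(choose_algorithm(["AES128-CBC", "3DES"], ["3DES", "NULL"]))
```

The matching function shows why listing NULL last matters: the local list is walked in preference order, so a stronger cipher is chosen whenever the remote side also offers it, and a None result is the failure case the reference text describes.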
Step 4: Configuring IKEv1 and IKEv2 Policies 101