HP-UX IPSec Version A.03.00 Administrator's Guide

Step 6: Configuring the Bypass List (Local IP Addresses)
The bypass list specifies local IP addresses that IPsec bypasses or ignores. The system does not
attempt to find an IPsec policy for packets sent or received using an IP address in the bypass list,
and the system processes these packets as if HP-UX IPSec were not enabled.
Because no policy lookup or IPsec processing is done, the bypass list improves transmission rates for
those addresses. The bypass list is useful in topologies where most of the network traffic passes in
clear text and you only need to secure selected traffic on specific interfaces.
If you do not need to configure bypass interfaces, go to “Step 7: Verifying the Batch File Syntax”
(page 106).
Logical Interfaces
An entry in the bypass list affects only the logical interface for the IP address, not the
physical interface (network card). If you have multiple IP interfaces configured for a physical
interface (for example, lan0:0, lan0:1, and lan0:2) and you want IPsec to bypass all IP
addresses for that physical interface, you must enter all the IP addresses for the physical interface
in the bypass list.
Example
You have a critical application and must encrypt and authenticate its network packets. All other
IP traffic in the network can pass in clear text. You configure additional logical interfaces (lan0:1)
for the critical application (16.1.1.1 and 16.2.2.2), and configure the critical application to use only
the specific logical interfaces. You can then configure the remaining logical interfaces in the
bypass list (15.1.1.1 and 15.2.2.2).
Figure 4-1 Bypass List Example: Node1 has 15.1.1.1 (lan0:0) and 16.1.1.1 (lan0:1); Node2 has 15.2.2.2 (lan0:0) and 16.2.2.2 (lan0:1). Traffic between the lan0:0 addresses is labeled "bypass"; traffic between the lan0:1 addresses is labeled "secure".
Maximizing Security
An IP address in the bypass list has the same effect as an open IPsec policy, with the bypass
interface address as the local address, a wildcard (*) remote address, wildcard protocol and ports,
and a Pass transform.
If you configure entries in the bypass list, intruders may be able to access services or ports bound
to addresses in the bypass list from other interfaces on the system, even if the other interface IP
addresses are secured by IPsec policies. Intruders may access services or ports bound to addresses
in the bypass list even if the intruders are not directly connected to interfaces in the bypass list.
HP recommends that you do not use the bypass list on systems where you are using HP-UX
IPSec as a filter or firewall to protect your network.
See “Maximizing Security” (page 66) for more information.
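The two points above, that a bypass entry is keyed on a local IP address rather than on the physical interface, and that it behaves like an open Pass policy with a wildcard remote address, can be checked against a small model of the lookup. The following Python script is an added example written for this page and is not HP's code or the HP-UX IPSec implementation. It assumes that policies are evaluated in list order with the first match winning, and the transform label "ESP+AUTH", the third address 15.1.1.2 on lan0:2, and all port numbers are constructed for the illustration.

```python
"""Model of the bypass-list lookup semantics described in the HP-UX IPSec guide.
Added example, not HP code.  Assumptions: policies are evaluated in list order
and the first match wins; "ESP+AUTH" is a constructed transform label, not a
real HP-UX transform name; 15.1.1.2 on lan0:2 is a constructed extra address."""
from dataclasses import dataclass
from typing import Iterable, Optional

WILDCARD = "*"


@dataclass(frozen=True)
class Policy:
    name: str
    local_addr: str
    remote_addr: str
    protocol: str
    local_port: str
    remote_port: str
    transform: str  # "Pass", "Discard", or a constructed ESP/AH label


@dataclass(frozen=True)
class Packet:
    local_addr: str
    remote_addr: str
    protocol: str
    local_port: int
    remote_port: int
    interface: str  # logical interface the packet used, e.g. "lan0:1"


def _matches(selector: str, value) -> bool:
    return selector == WILDCARD or selector == str(value)


def bypass_as_policy(addr: str) -> Policy:
    """Render a bypass entry as the open policy the guide says it is equivalent to:
    local = the bypass address, remote/protocol/ports = *, transform = Pass."""
    return Policy(f"bypass:{addr}", addr, WILDCARD, WILDCARD, WILDCARD, WILDCARD, "Pass")


def select_policy(pkt: Packet, bypass_list: Iterable[str],
                  policies: Iterable[Policy]) -> Optional[Policy]:
    """Consult the bypass list first.  It is keyed on the local IP address only;
    the interface the packet used plays no part.  Otherwise return the first
    policy whose selectors all match (ordering is an assumption of this model)."""
    if pkt.local_addr in set(bypass_list):
        return bypass_as_policy(pkt.local_addr)
    for p in policies:
        if (_matches(p.local_addr, pkt.local_addr)
                and _matches(p.remote_addr, pkt.remote_addr)
                and _matches(p.protocol, pkt.protocol)
                and _matches(p.local_port, pkt.local_port)
                and _matches(p.remote_port, pkt.remote_port)):
            return p
    return None


# Constructed configuration for the Node1 side of Figure 4-1.
BYPASS_LIST = ["15.1.1.1"]  # lan0:0 only; the constructed lan0:2 address is NOT listed
POLICIES = [
    Policy("critical_app", "16.1.1.1", "16.2.2.2", "tcp", WILDCARD, WILDCARD, "ESP+AUTH"),
    Policy("deny_rest", WILDCARD, WILDCARD, WILDCARD, WILDCARD, WILDCARD, "Discard"),
]


def disposition(pkt: Packet) -> str:
    """Return '<policy name>/<transform>' for a packet, or 'no-policy' if nothing matches."""
    p = select_policy(pkt, BYPASS_LIST, POLICIES)
    return "no-policy" if p is None else f"{p.name}/{p.transform}"


if __name__ == "__main__":
    cases = {
        "critical app traffic on lan0:1": Packet("16.1.1.1", "16.2.2.2", "tcp", 8443, 40000, "lan0:1"),
        "clear-text traffic on bypassed lan0:0": Packet("15.1.1.1", "15.2.2.2", "tcp", 22, 40001, "lan0:0"),
        "third logical address lan0:2, not listed": Packet("15.1.1.2", "15.2.2.2", "tcp", 22, 40002, "lan0:2"),
        "to bypass address, arriving via lan0:1": Packet("15.1.1.1", "16.2.2.2", "tcp", 22, 40003, "lan0:1"),
    }
    for label, pkt in cases.items():
        print(f"{label:45} -> {disposition(pkt)}")
```

The third case shows why every logical address on a card must be listed individually: 15.1.1.2 shares lan0 with the bypassed 15.1.1.1 but falls through to the Discard policy. The fourth case shows the caveat from "Maximizing Security": a packet addressed to 15.1.1.1 is passed regardless of which interface it arrived on, so a service bound to that address is reachable without IPsec protection even from the secured side; when auditing a bypass list, check which services are bound to each listed address, not only which interface it sits on.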
104 Configuring HP-UX IPSec