HP-UX IPSec Version A.03.00 Administrator's Guide

Microsoft
HP-UX IPSec can interoperate with Microsoft IPsec implementations.
Versions and Functionalities
HP-UX IPSec A.03.00 has been successfully tested with the following Microsoft products and
functionalities:

Windows XP SP2
- IKEv1 using preshared key authentication for end-to-end transport IPsec SAs for all
  ports and protocols
- IKEv1 using RSA signatures (certificates) authentication for end-to-end transport IPsec
  SAs for all ports and protocols
- IKEv1 using RSA signatures with multiple-level CAs for end-to-end transport IPsec SAs for
  all ports and protocols

Windows Vista
- IKEv1 using preshared key authentication for end-to-end transport IPsec SAs for all
  ports and protocols

Windows 2008 Server
- IKEv1 using preshared key authentication for host-to-host transport IPsec SAs for all
  ports and protocols
- IKEv1 using preshared key authentication for host-to-host transport IPsec SAs for only
  the inbound telnet service on the Windows server
Tips
The following tips might help you configure HP-UX IPSec and Microsoft IPsec implementations:

- The default IKEv1 authentication method on Microsoft systems is Kerberos. You must change
  the IKE authentication method to Computer Certificate (RSA signatures) or preshared key.
- The default IKEv1 hash algorithm on Microsoft systems is SHA-1. On HP-UX systems, the
  default IKEv1 hash algorithm is MD5. You must change the hash algorithm on one side so
  that it matches the peer.
- When using RSA signatures for IKE authentication, Microsoft systems use X.500 Distinguished
  Name as the ID type by default.
- If you are using the IPsec Policy Management Microsoft Management Console (MMC) snap-in
  (used with Windows XP and Windows 2003, and provided for compatibility on Windows 2008 and
  Vista) and configuring host-to-host IPsec security, configure one rule and set the Mirror
  field to yes. Specify the HP-UX system address as the destination address.
Additional Tips for Vista and Windows 2008
This section contains additional information for Vista and Windows 2008 systems.

The IKEv1 default parameters on Vista and Windows 2008 systems are the same as the defaults
on Windows XP systems, so you must modify the IKE authentication method and hash algorithm as
described in the previous section.

There are two types of IPsec rules:

- IPsec Policyagent rules. These rules are functionally the same as the IPsec rules on
  Windows XP and Windows 2003 systems. They can be configured using the IPsec Policy
  Management Microsoft Management Console (MMC) snap-in as documented in HP-UX IPSec:
  Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec (J4256-90025).
  However, these rules do not support AES encryption for ESP.
- Connection security rules. These rules are supported on Vista and Windows 2008 systems
  and can be configured using the Windows Firewall with Advanced Security MMC snap-in.
  However, this interface does not allow you to configure IPsec rules for specific port
  numbers or protocols. To configure an IPsec rule for specific ports or protocols, you must
  use the Microsoft netsh advfirewall command-line context. For example, the following
  command configures a rule that applies IPsec security for the telnet
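The guide's own netsh command is cut off above and is not reproduced here. As an added example (not the guide's text and not Microsoft documentation), the following commands, run from an elevated PowerShell or command prompt on a Vista or Windows 2008 system, apply the tips on this page through the netsh advfirewall connection-security context: a main-mode proposal that fixes the IKEv1 hash algorithm so it matches the HP-UX peer, a host-to-host rule with preshared-key authentication for all ports and protocols, and a rule limited to the inbound telnet service (TCP port 23) on the Windows server. The addresses, rule names and shared secret are constructed placeholders, and the availability of the set global mainmode subcommand is an assumption (it was introduced with Vista SP1 and Windows Server 2008).

```powershell
# Added example: netsh advfirewall connection security rules for an HP-UX IPSec peer.
# Not the guide's own command. Run from an elevated prompt on Vista SP1 / Windows 2008.

# Constructed placeholder addresses; replace with the real hosts.
$hpux = "192.0.2.10"   # HP-UX IPSec peer
$win  = "192.0.2.20"   # Windows 2008 server

# 1. IKEv1 main-mode proposal. Windows defaults to SHA-1 and HP-UX IPSec to MD5; keep SHA-1
#    here and set the HP-UX IKE policy to SHA-1 as well (HP-UX syntax not shown).
#    Assumption: 'set global mainmode' exists on this build (Vista SP1 / Server 2008 and later).
netsh advfirewall set global mainmode mmsecmethods dhgroup2:3des-sha1

# 2. Host-to-host rule: require ESP in both directions for all ports and protocols.
#    auth1=computerpsk replaces the Kerberos default with preshared-key authentication;
#    the shared secret must be identical in the HP-UX IKE policy.
#    Rule names deliberately contain no spaces so that no quoting is needed under PowerShell.
netsh advfirewall consec add rule name=HPUX-AllTraffic `
    endpoint1=$win endpoint2=$hpux `
    action=requireinrequireout mode=transport `
    auth1=computerpsk auth1psk=REPLACE_WITH_SHARED_SECRET `
    qmsecmethods=esp:sha1-3des

# 3. Port-specific rule: only the inbound telnet service on the Windows server.
#    port1 belongs to endpoint1 (the server, TCP 23); port2 stays any for the HP-UX client side.
#    This is the kind of rule the MMC snap-in cannot express and that needs netsh.
netsh advfirewall consec add rule name=HPUX-TelnetOnly `
    endpoint1=$win port1=23 endpoint2=$hpux port2=any protocol=tcp `
    action=requireinrequireout mode=transport `
    auth1=computerpsk auth1psk=REPLACE_WITH_SHARED_SECRET `
    qmsecmethods=esp:sha1-3des

# 4. Check what was configured, then, after generating traffic from the HP-UX host,
#    confirm that main-mode and quick-mode SAs were actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The two consec rules would normally not coexist; use the first for the "all ports and protocols" case from the table above and the second for the "only inbound telnet" case. If the monitor output shows no main-mode SA after a telnet attempt from the HP-UX host, the usual causes are the ones the tips list: the hash algorithm or the authentication method does not match on the two peers.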