HP-UX IPSec Version A.03.00 Administrator's Guide

Router(config)# crypto ipsec transform-set aes-sha1 esp-aes 128 esp-sha-hmac
Router(cfg-crypto-trans)# mode tunnel
Router(cfg-crypto-trans)# exit
Define a crypto map that binds the IPsec policy to the peer:
Router(config)# access-list 100 permit ip host 192.1.1.2 host 192.0.0.2
Router(config)# crypto map hpux-1 1 ipsec-isakmp
Router(config-crypto-map)# set peer 192.0.0.2
Router(config-crypto-map)# set transform-set aes-sha1
Router(config-crypto-map)# match address 100
Router(config-crypto-map)# exit
Apply the crypto map to the interface gi0/1:
Router(config)# interface gi0/1
Router(config-if)# crypto map hpux-1
Router(config-if)# exit
Router(config)# exit
Tips
The following tips might help you configure HP-UX IPSec to interoperate with Cisco IPsec implementations:

The Cisco configuration documentation and utilities use the term ISAKMP (or isakmp) to refer to IKE components.

The Cisco configuration includes default ISAKMP policies, which are enabled using the crypto isakmp default policy command. In this example, the crypto isakmp policy command is used to add a specific ISAKMP policy with the priority 40 (a lower priority value has a higher priority).

The default IKEv1 parameters for the IOS crypto isakmp policy command are as follows:
Hash: SHA-1. On HP-UX systems, the default IKEv1 hash algorithm is MD5.
Group: 1. On HP-UX systems, the default Diffie-Hellman group is 2. HP-UX IPSec does not support group 1.
Encryption: DES. On HP-UX systems, the default IKEv1 encryption algorithm is 3DES. HP-UX IPSec does not support DES.
Authentication: RSA. On HP-UX systems, the authentication method is specified using the -local_method and -remote_method arguments. The default method is RSA signatures if no preshared key (-psk) argument is specified.

Under certain conditions, Cisco IOS IPsec negotiates two unidirectional IKE SAs with a peer instead of one bidirectional IKE SA. If this occurs with an HP-UX peer and you stop HP-UX IPSec, HP-UX IPSec sends an IKE DELETE message to the Cisco device for the IKE SA that HP-UX IPSec initiated. The Cisco device deletes this IKE SA but retains the second IKE SA. If you restart HP-UX IPSec, the Cisco device may attempt to use its existing IKE SA to negotiate IPsec SAs with HP-UX IPSec, which causes a negotiation failure. As a workaround, log in to the Cisco device and manually delete any IKE SAs to an HP-UX system that remain after you stop HP-UX IPSec.
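The default mismatches listed above are easy to miss when a Cisco policy block leaves parameters unset. As an added example (not from the HP-UX guide or from Cisco), the following Python script reads crypto isakmp policy blocks from a constructed IOS configuration, fills in the IOS defaults named in this section, and flags values that HP-UX IPSec does not support or that differ from its defaults; the sample configuration and the value spellings (sha, des, rsa-sig, encr) are assumptions about IOS running-config output.

```python
import re

# IOS defaults applied when a 'crypto isakmp policy' block omits a parameter.
IOS_ISAKMP_DEFAULTS = {"hash": "sha", "group": "1", "encryption": "des",
                       "authentication": "rsa-sig"}
# Values this section says HP-UX IPSec does not support at all.
HPUX_UNSUPPORTED = {"group": {"1"}, "encryption": {"des"}}
# HP-UX IKEv1 defaults; anything else must be configured explicitly on HP-UX.
HPUX_DEFAULTS = {"hash": "md5", "group": "2", "encryption": "3des",
                 "authentication": "rsa-sig"}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
PARAM_RE = re.compile(r"^\s+(hash|group|encr(?:yption)?|authentication)\s+(.+?)\s*$")

# Constructed sample config (assumed running-config spelling, not a real
# device): policy 40 is set explicitly, policy 50 relies on the IOS defaults.
SAMPLE_CONFIG = """\
crypto isakmp policy 40
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 50
 authentication pre-share
"""

def parse_isakmp_policies(config: str) -> dict:
    """Return {priority: effective parameters} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := POLICY_RE.match(line):
            current = int(m.group(1))
            policies[current] = dict(IOS_ISAKMP_DEFAULTS)
        elif (m := PARAM_RE.match(line)) and current is not None:
            name = "encryption" if m.group(1).startswith("encr") else m.group(1)
            policies[current][name] = m.group(2).lower()
        elif line and not line.startswith(" "):
            current = None  # '!' or another top-level command ends the block
    return policies

def hpux_findings(policy: dict) -> list:
    """(severity, message) pairs for one effective ISAKMP policy."""
    findings = []
    for param, value in policy.items():
        if value in HPUX_UNSUPPORTED.get(param, set()):
            findings.append(("error", f"{param} {value} is not supported by HP-UX IPSec"))
        elif value != HPUX_DEFAULTS[param]:
            findings.append(("note", f"{param} {value} differs from HP-UX default {HPUX_DEFAULTS[param]}"))
    return findings
```

Running hpux_findings over each policy returned by parse_isakmp_policies reports policy 50 as unusable with HP-UX (group 1 and DES) while policy 40 passes.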