HP-UX IPSec Version A.03.00 Administrator's Guide
Host to Host telnet
You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2) on a private, isolated LAN.
You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet
traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. By default, all other
network traffic will pass in clear text. You do not have a Public Key Infrastructure, so you can
use only preshared keys for IKE primary authentication.
CAUTION: If you do not have a private network, do not configure HP-UX IPSec to pass packets
in clear text by default. Do not configure HP-UX IPSec to pass packets in clear text by default on
systems where you are using HP-UX IPSec as a filter or firewall to protect your network.
For more information, see “Maximizing Security” (page 66).
You will use the default values for most parameters, such as the Security Association Lifetimes.
Apple Configuration
Host IPsec Policies
On Apple, you configure two host IPsec policies. The first host IPsec policy (telnetAB) is for
outbound telnet requests from Apple to Banana (users on Apple using the telnet service to
Banana). Note that since the telnet clients on Apple may use any non-reserved TCP port
number, you do not specify a port number in the source address.
Figure D-1 Example 1: telnet AB
[Diagram: the telnet client on apple (port varies) runs "telnet banana" and connects to telnetd on banana (always port 23).]
The second host IPsec policy (telnetBA) is for inbound telnet requests from Banana to Apple
(users on Banana using the telnet service to Apple). Since the telnet clients on Banana may
use any non-reserved TCP port number, do not specify a port number in the destination address.
Figure D-2 Example 1: telnet BA
[Diagram: the telnet client on banana (port varies) runs "telnet apple" and connects to telnetd on apple (port 23).]
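The selector logic behind these two policies, together with the pass-by-default policy, can be modeled to check which flows end up encrypted. The following Python model is an added example, not part of the HP guide and not ipsec_config syntax; it assumes first-match evaluation in list order and that a policy covers both directions of a connection, and the action labels, the third host 15.3.3.3 and the sample flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard selector: matches any address or port


@dataclass(frozen=True)
class HostPolicy:
    name: str
    local_addr: Optional[str]   # "source" in the guide's terms (the local system)
    local_port: Optional[int]
    remote_addr: Optional[str]  # "destination" in the guide's terms (the peer)
    remote_port: Optional[int]
    action: str                 # descriptive label, not an HP-UX transform name


# Apple's view of the example (constructed model of the text above)
APPLE = "15.1.1.1"
APPLE_POLICIES = [
    HostPolicy("telnetAB", APPLE, ANY, "15.2.2.2", 23, "ESP AES+SHA-1"),
    HostPolicy("telnetBA", APPLE, 23, "15.2.2.2", ANY, "ESP AES+SHA-1"),
    HostPolicy("default", ANY, ANY, ANY, ANY, "PASS clear text"),
]

# Constructed sample flows as (src, sport, dst, dport), as seen on Apple
SAMPLE_FLOWS = [
    ("15.1.1.1", 51000, "15.2.2.2", 23),  # Apple client -> Banana telnetd
    ("15.2.2.2", 23, "15.1.1.1", 51000),  # reply to the flow above
    ("15.2.2.2", 40000, "15.1.1.1", 23),  # Banana client -> Apple telnetd
    ("15.1.1.1", 51001, "15.2.2.2", 21),  # FTP to Banana: not covered
    ("15.1.1.1", 51002, "15.3.3.3", 23),  # telnet to a third host: not covered
]


def _match(selector, value):
    return selector is ANY or selector == value


def select_policy(policies, src, sport, dst, dport, local_addr):
    """Return the first policy matching the packet, or None if none matches."""
    # Normalize to local/remote so a request and its reply hit the same policy.
    if src == local_addr:
        local, remote = (src, sport), (dst, dport)
    else:
        local, remote = (dst, dport), (src, sport)
    for p in policies:
        if (_match(p.local_addr, local[0]) and _match(p.local_port, local[1])
                and _match(p.remote_addr, remote[0]) and _match(p.remote_port, remote[1])):
            return p
    return None


def cleartext_flows(policies, flows, local_addr):
    """List the flows that are not protected: matched by a PASS policy or by none."""
    hits = ((f, select_policy(policies, *f, local_addr)) for f in flows)
    return [f for f, p in hits if p is None or p.action.startswith("PASS")]
```

Running `cleartext_flows(APPLE_POLICIES, SAMPLE_FLOWS, APPLE)` returns the FTP flow and the telnet session to the third host, which is the exposure the CAUTION above describes for networks that are not isolated.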
The default host IPsec policy installed with HP-UX IPSec allows all other traffic to pass in clear
text. Apple and Banana are on an isolated LAN, so this “open” policy is not a security risk. The
ipsec_config batch file entries are listed below:
add host telnetAB \
-source 15.1.1.1 \
206 HP-UX IPSec Configuration Examples