HP-UX IPSec Version A.03.00 Administrator's Guide

Subnet ESP with Exceptions
You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access
to this LAN from outside nodes.
There is one system outside the LAN with IPsec, Potato, that you will allow to communicate
with the nodes in your network using AES with SHA1. All other packets from external nodes
will be discarded.
All nodes within the LAN have HP-UX IPSec installed, except for internal routers. You want to
use ESP (AES with SHA1) for all IP packets between the nodes on this LAN, except ICMP packets
to and from the routers, which you will allow to pass in clear text.
Except for the above specifications, you will use the default values for most parameters (such as
Security Association Lifetimes).
Figure D-3 Example 2: Network IPsec Policy with Exceptions
[Figure: Carrot (192.1.1.1, IPsec) on the 192.1.1.* LAN with IPsec nodes 192.1.1.3 and 192.1.1.4 and an internal router at 192.1.1.2 (no IPsec); external system Potato (193.3.3.3, IPsec). Legend: IPsec ESP-AES HMAC-SHA1; No IPsec, pass in clear text.]
Carrot Configuration
The ipsec_config batch file on Carrot contains the following entries.
Host IPsec Policies
You configure four host IPsec policies on Carrot.
1. potato : accepts all packets to and from system Potato using ESP-AES-HMAC-SHA1.
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
2. pass_icmp : allows all ICMP packets within the 192.1.1.* network to pass in clear text,
including ICMP packets to and from the router on that network. Notice how the 192.1.1.*
network is specified in the filter: the remote IP address is 192.1.1.0 and the prefix length is
24. The prefix length specifies the number of bits in the packet address that must match the
configured remote IP address, beginning with the most significant bit.
add host pass_icmp -destination 192.1.1.0/24 \
-protocol ICMP -priority 30 -action pass
3. aes_lan : applies ESP with AES encryption and HMAC-SHA1 authentication to all other packets in
the 192.1.1.* network.
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
4. default : You modify the default host IPsec policy to discard all other packets. To modify
the default host IPsec policy, use the following batch file entry:
add host default -action DISCARD
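The following is an added worked example, not part of the guide and not HP-UX code: a small Python model of how the four Carrot host policies are selected for a packet, so that the prefix-length matching and the effect of the priority values can be checked against sample remote addresses. It assumes (as the 20/30/40 ordering in the example implies) that the policy with the lowest priority value is consulted first, that the filter compares the remote address against the configured destination, and that the default policy is consulted after all named policies; the packets fed to it are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class HostPolicy:
    name: str
    action: str
    priority: int
    # None means "any remote address" / "any protocol"
    destination: Optional[ipaddress.IPv4Network] = None
    protocol: Optional[str] = None

def parse_destination(spec: str) -> ipaddress.IPv4Network:
    """'193.3.3.3' -> a /32 host; '192.1.1.0/24' -> a /24 network.
    The prefix length is the number of leading bits of the packet
    address that must equal the configured address."""
    return ipaddress.ip_network(spec, strict=False)

# The four policies from the Carrot batch file (priorities as in the guide;
# the default policy's priority is an assumption: it is consulted last).
CARROT_POLICIES = [
    HostPolicy("potato", "ESP_AES128_HMAC_SHA1", 20, parse_destination("193.3.3.3")),
    HostPolicy("pass_icmp", "pass", 30, parse_destination("192.1.1.0/24"), "ICMP"),
    HostPolicy("aes_lan", "ESP_AES128_HMAC_SHA1", 40, parse_destination("192.1.1.0/24")),
    HostPolicy("default", "DISCARD", 1_000_000),
]

def matches(policy: HostPolicy, remote_ip: str, protocol: str) -> bool:
    """A policy matches when every configured filter field matches the packet."""
    if policy.destination is not None:
        if ipaddress.ip_address(remote_ip) not in policy.destination:
            return False
    if policy.protocol is not None and policy.protocol != protocol:
        return False
    return True

def select_policy(policies, remote_ip: str, protocol: str) -> HostPolicy:
    """Assumption: policies are searched in ascending priority value and the
    first matching policy wins, which is what makes pass_icmp (30) take
    precedence over aes_lan (40) for ICMP inside the LAN."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy, remote_ip, protocol):
            return policy
    raise LookupError("no policy matched; a default policy should always exist")

def classify(remote_ip: str, protocol: str) -> Tuple[str, str]:
    """Return (policy name, action) for a packet to/from remote_ip."""
    policy = select_policy(CARROT_POLICIES, remote_ip, protocol)
    return policy.name, policy.action

if __name__ == "__main__":
    # Constructed sample packets, one per interesting case.
    samples = [
        ("193.3.3.3", "TCP"),   # Potato: ESP, regardless of protocol
        ("193.3.3.3", "ICMP"),  # Potato ICMP: still ESP (priority 20 wins)
        ("192.1.1.2", "ICMP"),  # ICMP to the router: clear text
        ("192.1.1.2", "TCP"),   # non-ICMP to the router: ESP (no exception)
        ("192.1.1.3", "TCP"),   # LAN node: ESP
        ("10.0.0.5", "TCP"),    # any other external node: discarded
    ]
    for ip, proto in samples:
        print(f"{ip:>12} {proto:<5} -> {classify(ip, proto)}")
```

The fourth sample is worth noting when reviewing such a policy set: only ICMP to and from the router is excepted, so any other traffic addressed to 192.1.1.2 would be selected for ESP even though the router has no IPsec, which is exactly the behaviour the guide's policy set specifies.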
The host policy entries in the batch file on Carrot are as follows:
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \
208 HP-UX IPSec Configuration Examples