HP-UX IPSec Version A.03.00 Administrator's Guide

-protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
add host default -action DISCARD
Policy Priority
Note the priority of the pass_icmp policy (30) and the aes_lan policy (40). The pass_icmp policy
MUST have a lower order number (that is, a higher priority) than the aes_lan policy. IPsec searches
the host policies in ascending order-number sequence and applies the first policy that matches the
packet. An ICMP packet to the internal 192.1.1.* network matches both the pass_icmp and the
aes_lan policy, so giving pass_icmp the lower order number causes IPsec to select pass_icmp for
those packets instead of aes_lan. If the numbers were reversed, aes_lan would match first and
internal ICMP traffic would be sent through ESP instead of being passed in the clear.
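The following Python model of host-policy selection is an added illustration of the ordering rule above; it is not HP-UX code and assumes only what the guide states, namely that policies are searched in ascending order-number sequence and the first match is applied, with the default policy consulted last. The destination of the pass_icmp policy (192.1.1.0/24), the order number given to the default policy, and the sample packet addresses are assumptions made for the example.

```python
"""Model of how HP-UX IPsec picks a host policy for a packet (added example,
not HP-UX code).  Assumes: policies are searched in ascending priority-number
order, the first match wins, and the default policy is searched last."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class HostPolicy:
    name: str
    priority: int
    action: str
    destination: Optional[str] = None  # CIDR; None matches any destination
    protocol: Optional[str] = None     # "ICMP", "TCP", ...; None matches any

    def matches(self, dst: str, proto: str) -> bool:
        if self.destination is not None:
            if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination):
                return False
        if self.protocol is not None and self.protocol != proto.upper():
            return False
        return True


# Policies from the example.  The pass_icmp line is cut off on the page, so
# its destination 192.1.1.0/24 is an assumption (consistent with the text that
# internal ICMP matches both pass_icmp and aes_lan).  The default policy shows
# no order number on the page; the large value here only models "searched last".
EXAMPLE_POLICIES: List[HostPolicy] = [
    HostPolicy("pass_icmp", 30, "pass", destination="192.1.1.0/24", protocol="ICMP"),
    HostPolicy("aes_lan", 40, "ESP_AES128_HMAC_SHA1", destination="192.1.1.0/24"),
    HostPolicy("default", 10**9, "DISCARD"),
]


def select_policy(policies: List[HostPolicy], dst: str, proto: str) -> HostPolicy:
    """Return the first matching policy in ascending order-number sequence."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.matches(dst, proto):
            return policy
    raise LookupError("no policy matched, not even default")


def set_priority(policies: List[HostPolicy], name: str, priority: int) -> List[HostPolicy]:
    """Copy of the policy list with one policy's order number changed."""
    return [replace(p, priority=priority) if p.name == name else p for p in policies]


def icmp_exception_holds(policies: List[HostPolicy]) -> bool:
    """The constraint from the text: internal ICMP must be passed in the clear,
    not caught by the ESP policy.  192.1.1.7 is a constructed internal host."""
    return select_policy(policies, "192.1.1.7", "ICMP").action == "pass"


if __name__ == "__main__":
    # Constructed sample packets: 172.16.0.9 stands for a host no policy covers.
    for dst, proto in [("192.1.1.7", "ICMP"), ("192.1.1.7", "TCP"), ("172.16.0.9", "TCP")]:
        chosen = select_policy(EXAMPLE_POLICIES, dst, proto)
        print(f"{proto:4} -> {dst:12}: {chosen.name} ({chosen.action})")
    # The misconfiguration the note warns about: give pass_icmp a higher order
    # number than aes_lan and the ESP policy swallows internal ICMP.
    wrong = set_priority(EXAMPLE_POLICIES, "pass_icmp", 50)
    print("exception holds with pass_icmp=30, aes_lan=40:", icmp_exception_holds(EXAMPLE_POLICIES))
    print("exception holds with pass_icmp=50, aes_lan=40:", icmp_exception_holds(wrong))
```

Running the script shows internal ICMP selecting pass_icmp, internal TCP selecting aes_lan, and uncovered traffic falling through to the DISCARD default; the second check shows that merely renumbering pass_icmp above aes_lan silently moves internal ICMP into the ESP tunnel, which is why the guide insists on the 30/40 ordering.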
Authentication Records
The authentication record for Potato (193.3.3.3) specifies the preshared key; Potato must be
configured with the same preshared key value:
add auth potato -remote 193.3.3.3 \
-preshared carrot_potato_key
For the nodes in the 192.1.1.* network, you use certificates for authentication. Instead of one
record per node, you can configure a single authentication record that uses the IPv4 address as
the remote ID type (-rtype IPV4) and the subnet address as the remote ID value (-rid 192.1.1.0/24);
the local ID is the IPv4 address of the local system (-lid 192.1.1.1).
add auth 192.1.1_net -remote 192.1.1.0/24 \
-rtype IPV4 -rid 192.1.1.0/24 \
-ltype IPV4 -lid 192.1.1.1
IKEv1 Policy
You use the default IKEv1 policy without modifications.
Certificates
You must also obtain a certificate for the local system, then load the local system's certificate,
the certificate for the CA, and the CRL. See “Configuration Example” (page 129) in Chapter 5
(page 113) for an example of this procedure.
Subnet ESP with Exceptions 209