HP-UX IPSec Version A.03.00 Administrator's Guide
Configuring Manual Key SAs
You specify information for manual key SAs with -in and -out statements in host and tunnel
policies:
-in manual_key_sa_specification
-out manual_key_sa_specification
The format for manual_key_sa_specification is:
ESP/spi /auth_key /enc_key [/iv]
ESP indicates the transform is an ESP transform.
spi is the decimal or hexadecimal (prefixed by 0x) Security Parameters Index (SPI) number,
used to identify the Security Association (SA). The inbound SPI must be unique on the local
system for all ESP SAs, outside the range of dynamic SPI numbers, and match the outbound SPI
on the remote system. The outbound SPI must match the inbound SPI on the remote system.
In installations using the HP-UX IPSec default range for dynamic key SPI numbers (300 - 2500000),
the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 - 4294967295.
auth_key is the hexadecimal authentication key, prefixed by 0x. For MD5, auth_key is 32
hexadecimal digits (128 bits). For SHA-1, auth_key is 40 hexadecimal digits (160 bits). The key
must match what is configured on the remote system.
enc_key is the hexadecimal encryption key, prefixed by 0x. For 3DES, enc_key is 48
hexadecimal digits (192 bits). For AES128, enc_key is 32 hexadecimal digits (128 bits). The key
must match what is configured on the remote system.
iv is the Initialization Vector (IV): a hexadecimal 64-bit initial block, prefixed by 0x, used for
cipher block chaining (CBC) encryption. The IV must match what is configured on the remote system.
The default value for iv is 0x0000000000000000.
Manual Key Policy Restrictions
A host or tunnel policy for manual keys specifies one IPsec SA pair between two specific systems.
Because of this characteristic, follow these restrictions when configuring host policies for manual
keys:
• Do not specify multiple instances of the -source or -destination arguments.
• Do not specify wildcard IP addresses or IP address ranges in the -source or -destination
arguments.
Follow these restrictions when configuring tunnel policies for manual keys:
• Do not specify multiple instances of the -tsource or -tdestination arguments.
• Do not specify wildcard IP addresses or IP address ranges in the -tsource or
-tdestination arguments.
Selecting Encryption Keys
Configure strong, random encryption and authentication keys for manual key SAs. Because manual key
SAs are never rekeyed automatically, a key stays in use until you change the policy on both systems,
so generate it from a cryptographic random number source rather than from a passphrase, and do not
reuse it in another SA. A 3DES key is weak, for example, when one of its three 8-byte DES keys is a
known DES weak or semi-weak key; if you are using 3DES encryption and the key is not sufficiently
strong, ipsec_config reports an error message similar to the following:
Weak 3DES encryption key: 0xhhhh
...
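The specification format described above and the weak-key check can be exercised with the following POSIX shell script. It is an added example, not part of the HP-UX IPSec guide or of ipsec_config itself. It assumes a /dev/urandom device (which the HP-UX Strong Random Number Generator provides once installed, and which any other POSIX system with od and awk also has), the default dynamic SPI range of 300 - 2500000, and a shell whose $(( )) accepts 0x constants (bash, ksh93 and dash do). The weak-3DES test it implements (a DES weak or semi-weak subkey, or K1 == K2 or K2 == K3) is the standard definition and is an assumption about what ipsec_config rejects; the guide shows only the resulting message.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: build and sanity-check a
# manual key SA specification of the form ESP/spi/auth_key/enc_key[/iv].
# Assumptions: /dev/urandom exists (the HP-UX Strong Random Number Generator
# provides it once installed), the default dynamic SPI range 300-2500000 is in
# effect, and $(( )) accepts 0x constants (bash, ksh93, dash).

# Print N random bytes from /dev/urandom as 0x followed by 2N hex digits.
gen_hex() {
  printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# Check that $1 is 0x followed by exactly $2 hex digits; $3 names the field.
check_hex() {
  case $1 in 0x*) ;; *) echo "$3: must be prefixed by 0x" >&2; return 1 ;; esac
  h=${1#0x}
  case $h in ''|*[!0-9a-fA-F]*) echo "$3: not hexadecimal" >&2; return 1 ;; esac
  [ ${#h} -eq "$2" ] || { echo "$3: need $2 hex digits, got ${#h}" >&2; return 1; }
}

# Inbound manual key SPI: decimal or 0x hex, and outside the dynamic range,
# i.e. 1-299 or 2500001-4294967295 with the default range.
check_spi() {
  case $1 in
    0x*) case ${1#0x} in ''|*[!0-9a-fA-F]*) echo "spi: bad hex" >&2; return 1 ;; esac ;;
    *)   case $1 in ''|*[!0-9]*) echo "spi: bad decimal" >&2; return 1 ;; esac ;;
  esac
  n=$(( $1 ))
  { [ "$n" -ge 1 ] && [ "$n" -le 299 ]; } ||
  { [ "$n" -ge 2500001 ] && [ "$n" -le 4294967295 ]; } ||
  { echo "spi $1: inside the dynamic range or out of bounds" >&2; return 1; }
}

# DES weak and semi-weak keys, written with their conventional parity bits.
DES_WEAK_KEYS='0101010101010101 fefefefefefefefe e0e0e0e0f1f1f1f1 1f1f1f1f0e0e0e0e
011f011f010e010e 1f011f010e010e01 01e001e001f101f1 e001e001f101f101
01fe01fe01fe01fe fe01fe01fe01fe01 1fe01fe00ef10ef1 e01fe01ff10ef10e
1ffe1ffe0efe0efe fe1ffe1ffe0efe0e e0fee0fef1fef1fe fee0fee0fef1fef1'

# Clear the parity (low) bit of every key byte so comparisons ignore parity.
strip_parity() {
  printf '%s\n' "$1" | awk '{
    s = tolower($0); out = ""
    for (i = 1; i <= length(s); i += 2) {
      lo = substr(s, i + 1, 1); p = index("13579bdf", lo)
      if (p) lo = substr("02468ace", p, 1)
      out = out substr(s, i, 1) lo
    }
    print out
  }'
}

# True (exit 0) when a 48-digit 3DES key is weak: a subkey is a DES weak or
# semi-weak key, or K1 == K2 / K2 == K3, which collapses EDE to single DES.
# Assumption: ipsec_config's own check is at least this strict.
weak_3des() {
  k=$(strip_parity "${1#0x}")
  k1=$(printf '%s\n' "$k" | cut -c1-16)
  k2=$(printf '%s\n' "$k" | cut -c17-32)
  k3=$(printf '%s\n' "$k" | cut -c33-48)
  if [ "$k1" = "$k2" ] || [ "$k2" = "$k3" ]; then return 0; fi
  for w in $DES_WEAK_KEYS; do
    w=$(strip_parity "$w")
    for sub in "$k1" "$k2" "$k3"; do
      [ "$sub" = "$w" ] && return 0
    done
  done
  return 1
}

# Validate 'ESP/spi/auth_key/enc_key[/iv]' for the given algorithm pair.
# usage: check_spec SPEC md5|sha1 3des|aes128
check_spec() {
  auth_alg=$2; enc_alg=$3
  oldifs=$IFS; IFS=/; set -- $1; IFS=$oldifs
  [ "$1" = ESP ] || { echo "transform must be ESP" >&2; return 1; }
  check_spi "$2" || return 1
  case $auth_alg in md5) want=32 ;; sha1) want=40 ;; *) echo "unknown auth alg" >&2; return 1 ;; esac
  check_hex "$3" "$want" auth_key || return 1
  case $enc_alg in 3des) want=48 ;; aes128) want=32 ;; *) echo "unknown enc alg" >&2; return 1 ;; esac
  check_hex "$4" "$want" enc_key || return 1
  if [ "$enc_alg" = 3des ] && weak_3des "$4"; then echo "weak 3DES key" >&2; return 1; fi
  [ -z "$5" ] || check_hex "$5" 16 iv || return 1
}

# Produce an inbound spec for SPI $1 with SHA-1 (20-byte) and 3DES (24-byte)
# keys drawn from /dev/urandom, re-drawing the 3DES key until it is not weak.
mk_spec() {
  enc=$(gen_hex 24)
  while weak_3des "$enc"; do enc=$(gen_hex 24); done
  printf 'ESP/%s/%s/%s\n' "$1" "$(gen_hex 20)" "$enc"
}

# Example run: this -in spec is, verbatim, the remote system's -out spec.
spec=$(mk_spec 256)
check_spec "$spec" sha1 3des && echo "-in  $spec"
```

Run it on the system where the policy will be created; the printed -in specification is the remote system's -out specification verbatim, because the SPI, both keys and (if given) the IV must match on the two sides.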
Using the HP-UX Strong Random Number Generator
One way to generate strong keys is to use the HP-UX Strong Random Number
Generator product, available at no cost from the HP Software Depot (http://software.hp.com).
After you have installed the HP-UX Strong Random Number Generator, you can generate a
random number and use the od utility to display it as a string of hexadecimal digits by
executing the following command sequence:
216 Using Manual Keys