HP-UX IPSec Version A.03.00 Administrator's Guide
This feature is useful when configuring host policies for remote subnets where not all nodes in
the subnet support IPsec.
WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets from
non-secure nodes to communicate with the local system.
Support for Multiple Source and Destination Arguments in Host and Tunnel Policies
You can specify up to 20 instances of the -source and -destination arguments in the
ipsec_config add host and ipsec_config add tunnel commands. For more
information, see “IPsec SA Packet Descriptors” (page 183).
This feature is not supported with manual keys. For more information, see “Manual Key Policy
Restrictions” (page 216).
Support for IP Address and Port Number Ranges in Host Policies
You can specify IP address or port number ranges in source and destination arguments (-source
and -destination) for IPsec host policies. For more information, see “Step 1: Configuring
Host IPsec Policies” (page 72).
This feature is not supported with manual keys. For more information, see “Manual Key Policy
Restrictions” (page 216).
Support for IP Address Ranges in Tunnel Policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source
and -destination) for IPsec tunnel policies. For more information, see “Step 2: Configuring
Tunnel IPsec Policies” (page 80).
Port Numbers and Services Are Ignored in Tunnel Policies
Port numbers and service names are ignored in end-to-end source and destination arguments
for IPsec tunnel policies. They are no longer documented. For more information, see “IPsec SA
Packet Descriptors” (page 183).
Support for ICMPv4 and ICMPv6 Type Codes in Host Policies
The ipsec_config add host command supports the following options to specify ICMPv4
and ICMPv6 message type codes in packet filters:
• dst_icmp_type and src_icmp_type (destination and source ICMPv4 type values)
• dst_icmpv6_type and src_icmpv6_type (destination and source ICMPv6 type values)
Certificate Changes
The following sections describe product changes related to certificate configuration and processing.
The ipsec_config add cert Command Is Deprecated
The ipsec_config add cert command and related commands (ipsec_config show cert,
ipsec_config delete cert) are deprecated. These commands are still supported, but not
documented. The ipsec_config add cert command will be obsolete in future releases and
HP recommends that you use the following commands instead:
• ipsec_config add mycert
• ipsec_config add cacert
The ipsec_config delete mycert command deletes the local system certificate and the
associated private key. It does not delete any CA certificate or CRL files. For more information
about managing certificates, see “Managing Certificate Data” (page 129).
New and Changed Documentation in This Edition 23