HP-UX IPSec Version A.03.00 Administrator's Guide
• Identity authentication
The IKE protocol authenticates the identity of the remote system. HP-UX IPSec supports
the following forms of IKE authentication:
— Preshared keys.
— Digital signatures (RSA signatures), using X.509 version 3 security certificates.
Because IKE verifies the identity of the remote system, AH and ESP also provide data origin
authentication.
• Host-based IPsec topologies
HP-UX IPSec is supported on host systems in host-to-host and in host-to-gateway topologies.
You can use HP-UX IPSec to provide security in internal networks and to provide Virtual
Private Network (VPN) solutions across public Internet communication.
You can also use HP-UX IPSec with application servers (proxy application servers) and IPsec
VPN gateways from other vendors.
• Interoperability
HP-UX IPSec interoperates with numerous other IPsec implementations, including those of
Cisco, Microsoft, Linux, and FreeBSD.
• Powerful and flexible management utilities
The HP-UX IPSec product includes the configuration and management features listed below.
— Easy-to-use configuration utilities
You configure HP-UX IPSec using the ipsec_config command-line utility, which
also supports batch mode operation.
— Flexible, packet-based configuration
You control IPsec behavior by defining packet filters in IPsec policies. An IPsec policy
contains a packet filter definition and a list of actions or transforms (pass, discard, use
ESP or AH) to apply to the packets. The packet filter definition contains the following
fields:
◦ local IP address
◦ local address prefix length (for subnet addresses)
◦ remote IP address
◦ remote address prefix length (for subnet addresses)
◦ upper-layer protocol (such as TCP, UDP, or ICMP)
◦ local TCP or UDP port number
◦ remote TCP or UDP port number
You can specify wildcards (match any value) for field values. You can also select a
network service for the filter, such as telnet, instead of the upper-layer protocol and
port numbers.
— Bypass address configuration
You can configure HP-UX IPSec to bypass, or ignore, local IP interfaces that you do not
need to secure. This feature is useful for internal networks where most traffic passes in
clear text and only specific applications need to be secured.
— Configuration test utility
The ipsec_policy utility takes a packet definition (local and remote IP addresses,
upper-layer protocol, local and remote port numbers) as input and reports the IPsec
policy that HP-UX IPSec would apply to packets matching the definition.
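To make the packet-filter lookup concrete, the following is an added Python example (not HP's code and not the ipsec_policy utility itself) that models the filter fields listed above, including the "match any" wildcard and prefix-length subnet matching, and returns the first policy that matches a packet definition, the way ipsec_policy reports one. The policy names, addresses and the first-match-in-list-order evaluation are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PacketFilter:
    """Packet filter of one IPsec policy; None in a field is the 'match any' wildcard."""
    local_ip: Optional[str] = None
    local_prefix: int = 32          # prefix length, used for subnet addresses
    remote_ip: Optional[str] = None
    remote_prefix: int = 32
    protocol: Optional[str] = None  # upper-layer protocol: "tcp", "udp" or "icmp"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None

@dataclass(frozen=True)
class Policy:
    name: str
    filt: PacketFilter
    action: str                     # "pass", "discard", "esp" or "ah"

def _addr_match(addr: str, filt_ip: Optional[str], prefix: int) -> bool:
    if filt_ip is None:
        return True
    net = ipaddress.ip_network(f"{filt_ip}/{prefix}", strict=False)
    return ipaddress.ip_address(addr) in net

def filter_matches(f: PacketFilter, pkt: dict) -> bool:
    """pkt keys: local_ip, remote_ip, protocol, local_port, remote_port (ports may be absent)."""
    return (_addr_match(pkt["local_ip"], f.local_ip, f.local_prefix)
            and _addr_match(pkt["remote_ip"], f.remote_ip, f.remote_prefix)
            and (f.protocol is None or f.protocol == pkt["protocol"])
            and (f.local_port is None or f.local_port == pkt.get("local_port"))
            and (f.remote_port is None or f.remote_port == pkt.get("remote_port")))

def lookup_policy(policies: list, pkt: dict) -> Optional[Policy]:
    """Return the first policy whose filter matches. Assumption: policies are
    evaluated in list order, so the most specific filters must be listed first."""
    for p in policies:
        if filter_matches(p.filt, pkt):
            return p
    return None

# Constructed sample policy set (hypothetical names and addresses, not from the guide).
POLICIES = [
    Policy("telnet_in", PacketFilter(protocol="tcp", local_port=23), "esp"),
    Policy("dmz_subnet", PacketFilter(remote_ip="192.168.5.0", remote_prefix=24), "ah"),
    Policy("no_icmp", PacketFilter(protocol="icmp"), "discard"),
    Policy("default", PacketFilter(), "pass"),   # all-wildcard catch-all
]
```

Swapping the order of `dmz_subnet` and `no_icmp` changes the result for ICMP from the DMZ subnet, which is why a configuration test utility such as ipsec_policy is worth running after every policy change.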
30 HP-UX IPSec Overview