HP-UX IPSec Version A.03.00 Administrator's Guide

Step 2: Modifying the Configuration Batch File Template
HP-UX IPSec provides the following configuration batch file templates in the directory /var/adm/ipsec/templates:
end-to-gateway
end-to-end-tunnel
host-to-host
manual-keys
For a simple host-to-host topology, edit the batch file template /var/adm/ipsec/templates/host-to-host as follows:
Uncomment the appropriate configuration statements. At a minimum, you must uncomment
and configure the following items:
Host IPsec policies. At a minimum, you must configure one host IPsec policy. However,
most client-server applications require two host IPsec policies: one policy for service
requests initiated from the local system (the remote system is the server), and a second
policy for service requests initiated from the remote system (the local system is the server).
Authentication records. Configure an authentication record for each remote system.
The authentication record specifies the IKE version, IKE authentication methods, and
IKE ID information. If the authentication method is preshared key, the record also
contains the preshared key value.
IKEv2 or IKEv1 policy. The configuration database contains a default IKEv2 policy and
a default IKEv1 policy. If the default parameters do not meet your requirements, you
can modify this policy.
Replace the addresses and other parameters in angle brackets (<>) with values that match
your topology.
Save the edited file under a different file name, such as host1_batch.
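The three editing steps above (uncomment the statements you need, fill in the angle-bracket placeholders, save under a new name) can be scripted so that a half-edited batch file is never handed to ipsec_config. The following POSIX shell script is an added example, not part of the guide and not HP code: the template text it creates is constructed for illustration, its statement wording (add host, add auth, add ike) only mimics the shape of the real file and must not be taken as ipsec_config syntax, and the placeholder names local_ip, remote_ip, preshared_key and ike_priority are assumptions. The check counts placeholders only on active (uncommented) statements, so a statement left commented, such as the IKE policy when the default is kept, does not block the build.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): build a batch file from a
# template by uncommenting selected statements, filling <placeholders>, and
# refusing to write a usable file while any placeholder is left unfilled.

# Constructed stand-in for /var/adm/ipsec/templates/host-to-host; the statement
# wording is illustrative only and is NOT real ipsec_config syntax.
TEMPLATE="${TMPDIR:-/tmp}/host-to-host.example.$$"
cat > "$TEMPLATE" <<'EOF'
# --- constructed template, illustrative statements ---
#add host outbound_to_server -source <local_ip> -destination <remote_ip>
#add host inbound_from_client -source <remote_ip> -destination <local_ip>
#add auth server_auth -remote <remote_ip> -preshared <preshared_key>
# The default IKE policy is used unless the statement below is uncommented:
#add ike custom_ike -priority <ike_priority>
EOF

# uncomment_matching FILE PREFIX...: strip the leading '#' only from lines whose
# statement begins with one of the PREFIX strings; other lines stay commented.
uncomment_matching() {
    f=$1; shift
    expr=""
    for p in "$@"; do
        expr="${expr}${expr:+;}s/^#\\($p\\)/\\1/"
    done
    sed "$expr" "$f"
}

# fill_placeholders NAME=VALUE...: replace each <NAME> token on stdin with VALUE
# (values must not contain '|' or '&', which sed would interpret).
fill_placeholders() {
    expr=""
    for kv in "$@"; do
        name=${kv%%=*}; value=${kv#*=}
        expr="${expr}${expr:+;}s|<$name>|$value|g"
    done
    sed "$expr"
}

# count_placeholders FILE: number of active (uncommented) lines that still
# carry an unfilled <...> token; 0 means the file is ready for ipsec_config.
count_placeholders() {
    n=$(grep -v '^#' "$1" | grep -c '<[^>]*>' || true)
    echo "$n"
}

# build_batch TEMPLATE OUTPUT NAME=VALUE...: run all three steps and return
# non-zero if any active statement is still incomplete.
build_batch() {
    tpl=$1; out=$2; shift 2
    uncomment_matching "$tpl" 'add host' 'add auth' | fill_placeholders "$@" > "$out"
    if [ "$(count_placeholders "$out")" -ne 0 ]; then
        echo "unfilled placeholders remain in $out" >&2
        return 1
    fi
}

# Usage: save the result under a different name, as the guide recommends.
OUT="${TMPDIR:-/tmp}/host1_batch.$$"
if build_batch "$TEMPLATE" "$OUT" \
        local_ip=192.0.2.10 remote_ip=192.0.2.20 \
        preshared_key=example-only-not-a-real-key; then
    cat "$OUT"
fi
```

The preshared key is passed on the command line here only to keep the example self-contained; in practice read it from a file with restrictive permissions rather than placing it in shell history.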
NOTE: If you are using HP-UX IPSec on a system with an interface attached to a public network
and an interface on a private network, HP recommends that you take additional precautions to
isolate potential attacks from the public network. See “Maximizing Security” (page 66) for more
information.
Policy Priority Order and Selection
HP-UX IPSec searches host IPsec and IKE policies in priority order (within each type of policy).
Lower priority values have higher priority (priority value 1 is the highest priority).
If you have policies with overlapping address specifications, configure the more specific policies
with higher priorities (lower priority values) so HP-UX IPSec will search them before policies
with less specific addresses.
Automatic Priority Assignment
If you do not specify a priority when creating a policy with the ipsec_config add command,
ipsec_config automatically assigns the policy a priority so that the new policy is the last
policy searched before the default policy within its policy type. The example in this section does
not specify priority values and uses the values assigned by ipsec_config.
See “Host Policy Order and Selection” (page 72), “IKE Policy Order and Selection” (page 95),
and “Authentication Record Order and Selection” (page 85) for more information.
host-to-host Template File
The /var/adm/ipsec/templates/host-to-host template file is reproduced below.