HP-UX IPSec Version A.03.00 Administrator's Guide

Configuration Tips and Reminders
This section contains configuration tips.
Minimum Configuration Requirements
If you are using preshared keys for IKE authentication, your configuration must contain at
least the following objects:
Host policy
Authentication record (this contains the preshared key)
HP-UX IPSec also requires an IKEv2 policy or an IKEv1 policy. The configuration database
includes default IKEv2 and IKEv1 policies that can be used without modification.
Policy Order and Selection
HP-UX IPSec searches host policies, IKE policies, and authentication records in priority
order (within each type of policy or record). Lower priority values have higher priority
(priority value 1 is the highest priority).
See “Host Policy Order and Selection” (page 72), “IKE Policy Order and Selection” (page 95),
and “Authentication Record Order and Selection” (page 85) for more information.
Mirror Host IPsec Policies for Client-Server Applications
Host IPsec policies are bidirectional, but most client-server applications require two host
IPsec policies. Client-server network services typically use dynamically assigned port
numbers for clients and static, well-known port numbers for a daemon on the server. If you
want to secure both inbound service requests (the local system is the server) and outbound
requests from your system (the local system is the client), you must configure two host IPsec
policies: one for inbound requests to the static server port on the local system and one for
outbound requests to the static server port on the remote system or systems.
For example, the following host IPsec policy secures only rlogin sessions initiated from the
local system, 10.10.10.10, to the system 10.20.20.20:
ipsec_config add rlogin_to_10.20.20.20 \
    -source 10.10.10.10 -destination 10.20.20.20/32/RLOGIN \
    -action ESP_AES128_HMAC_SHA1
To secure rlogin sessions from 10.20.20.20 to the local system, you must also configure the
following policy:
ipsec_config add rlogin_from_10.20.20.20 \
    -source 10.10.10.10/32/RLOGIN -destination 10.20.20.20 \
    -action ESP_AES128_HMAC_SHA1
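The two rules above (lowest priority value is searched first, and a client-server service needs a policy pinning the port on each side) are easy to get wrong in a large policy set. The following is an added audit model written for this guide page; it is not HP-UX code and does not call ipsec_config. It assumes a simplified host policy with a name, a numeric priority, source and destination selectors in the addr[/prefix[/PORT]] form shown above, and an action. select_policy picks the first match in ascending priority value; mirror builds the companion policy for a one-directional rule; unmirrored reports services that are secured in one direction only. The sample policies are constructed here and mirror the rlogin example; the hypothetical pass_rest catch-all and its PASS action are assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Set, Tuple
import ipaddress


@dataclass(frozen=True)
class Selector:
    """One side of a host policy: an address range plus an optional service port."""
    network: ipaddress.IPv4Network
    port: Optional[str]  # service name such as "RLOGIN"; None means any port


def parse_selector(spec: str) -> Selector:
    """Parse the addr[/prefix[/PORT]] form used on the ipsec_config command line."""
    parts = spec.split("/")
    prefix = parts[1] if len(parts) > 1 else "32"   # a bare address means a single host
    port = parts[2] if len(parts) > 2 else None
    return Selector(ipaddress.IPv4Network(f"{parts[0]}/{prefix}", strict=False), port)


@dataclass(frozen=True)
class HostPolicy:
    name: str
    priority: int          # lower value is searched first (1 is highest priority)
    source: Selector       # written from the local system's point of view
    destination: Selector
    action: str


def _matches(sel: Selector, addr: str, port: Optional[str]) -> bool:
    return ipaddress.IPv4Address(addr) in sel.network and (sel.port is None or sel.port == port)


def select_policy(policies: Iterable[HostPolicy], src_addr: str, src_port: Optional[str],
                  dst_addr: str, dst_port: Optional[str]) -> Optional[HostPolicy]:
    """Return the first policy matching the flow, searching in ascending priority value."""
    for p in sorted(policies, key=lambda p: p.priority):
        if _matches(p.source, src_addr, src_port) and _matches(p.destination, dst_addr, dst_port):
            return p
    return None


def mirror(p: HostPolicy, name: str) -> HostPolicy:
    """Build the companion policy that pins the same service port on the other side."""
    if p.destination.port and p.source.port is None:      # outbound rule -> inbound companion
        return replace(p, name=name, source=replace(p.source, port=p.destination.port),
                       destination=replace(p.destination, port=None))
    if p.source.port and p.destination.port is None:      # inbound rule -> outbound companion
        return replace(p, name=name, source=replace(p.source, port=None),
                       destination=replace(p.destination, port=p.source.port))
    raise ValueError("policy does not pin a service port on exactly one side")


def unmirrored(policies: Iterable[HostPolicy]) -> List[Tuple[str, str, str, str]]:
    """Report (source, destination, port, pinned_side) for services secured in one direction only."""
    pinned: Dict[Tuple[str, str, str], Set[str]] = {}
    for p in policies:
        src, dst = str(p.source.network), str(p.destination.network)
        if p.destination.port and p.source.port is None:
            pinned.setdefault((src, dst, p.destination.port), set()).add("remote")
        elif p.source.port and p.destination.port is None:
            pinned.setdefault((src, dst, p.source.port), set()).add("local")
    return sorted((s, d, port, next(iter(sides)))
                  for (s, d, port), sides in pinned.items() if len(sides) == 1)


# Constructed sample policy set: the guide's rlogin example plus a hypothetical catch-all.
RLOGIN_OUT = HostPolicy("rlogin_to_10.20.20.20", 10, parse_selector("10.10.10.10"),
                        parse_selector("10.20.20.20/32/RLOGIN"), "ESP_AES128_HMAC_SHA1")
RLOGIN_IN = mirror(RLOGIN_OUT, "rlogin_from_10.20.20.20")
CATCH_ALL = HostPolicy("pass_rest", 1000, parse_selector("10.10.10.10"),
                       parse_selector("0.0.0.0/0"), "PASS")  # assumed catch-all, not from the guide


if __name__ == "__main__":
    # With only the outbound rule, inbound rlogin falls through to the catch-all.
    print(unmirrored([RLOGIN_OUT, CATCH_ALL]))
    print(select_policy([CATCH_ALL, RLOGIN_OUT], "10.10.10.10", "RLOGIN", "10.20.20.20", None).name)
    print(unmirrored([RLOGIN_OUT, RLOGIN_IN, CATCH_ALL]))
```

The audit deliberately ignores the order in which policies were added and sorts on the priority value, which is what the search rule in this section says matters; a catch-all added first but given a high priority value still loses to the specific rlogin rules.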
Multihomed Systems
If a remote system is multihomed (has more than one IP address), you must configure an
IKE policy and an authentication record for each IP address.
Configuration Tips and Reminders 63