HP-UX IPSec Version A.03.00 Administrator's Guide

Configuration Overview
There are eight main configuration components:
Host IPsec Policies
Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local
system as an end host. A host IPsec policy contains address specifications used to select the
host IPsec policy for a packet. A host IPsec policy also specifies the HP-UX IPSec behavior
(action) for packets using the policy: pass the packets in clear text, discard the packets, or
apply an IPsec transform (AH or ESP) to the packets.
Tunnel IPsec Policies
Tunnel IPsec policies specify the behavior for tunnel endpoints. If the local system is an end
host in an end-to-end tunnel (host-to-host tunnel) topology, or the end host in a
host-to-gateway tunnel topology, you must configure tunnel IPsec policies. If the local system
is only an end host with no IPsec tunneling, do not configure tunnel IPsec policies.
IKE Authentication Records
IKE authentication records contain information that IKE uses to authenticate identities with
the remote system, including local and remote ID values, authentication method (preshared
key or RSA signature with certificates), and preshared keys, if preshared key authentication
is used. IKE authentication records also specify the IKE version (IKEv1 or IKEv2) to use with
the remote system. If IKEv1 is used, the authentication record also specifies the exchange
mode (Main Mode or Aggressive Mode).
IKEv1 Policies
IKEv1 policies define the parameters used when negotiating an IKEv1 Security Association
(SA). IPsec uses IKE SAs to negotiate IPsec SAs; an IKE SA must exist with a remote system
before IPsec can negotiate IPsec SAs.
IKEv2 Policies
IKEv2 policies define the parameters used when negotiating an IKEv2 Security Association
(SA).
Security Certificates
You can use security certificates with RSA signatures for IKE authentication (also referred
to as primary authentication) instead of preshared keys.
Bypass List
The bypass list specifies the local IP addresses that IPsec will bypass or ignore. The system
will not attempt to find an IPsec policy for packets sent or received using an IP address in
the bypass list, and will process these packets as if HP-UX IPSec was not enabled.
The bypass list improves transmission rates for the listed addresses and is useful in
topologies where most of the network traffic passes in clear text and only specific traffic
must be secured by IPsec.
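The selection logic described under Host IPsec Policies and Bypass List above, as an added illustrative model (not HP-UX IPSec code and not its ipsec_config syntax): a packet is first checked against the bypass list, then matched by address against the host IPsec policies, and the selected policy's action (pass, discard, AH or ESP) is returned. The ordered first-match rule, the sample addresses and the "discard when nothing matches" default are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Actions a host IPsec policy can apply to the packets that select it.
ACTIONS = {"pass", "discard", "AH", "ESP"}


@dataclass
class HostPolicy:
    name: str
    source: str        # address or prefix, e.g. "10.0.0.0/8"
    destination: str   # address or prefix
    action: str        # one of ACTIONS

    def matches(self, src: str, dst: str) -> bool:
        """Address specification check: both source and destination must fit."""
        src_net = ipaddress.ip_network(self.source, strict=False)
        dst_net = ipaddress.ip_network(self.destination, strict=False)
        return (ipaddress.ip_address(src) in src_net
                and ipaddress.ip_address(dst) in dst_net)


def select_action(src: str, dst: str, bypass: set, policies: list,
                  default: str = "discard") -> str:
    """Return the IPsec action for a packet from src to dst.

    bypass: local addresses for which no policy lookup is done; the packet is
    processed as if IPsec were not enabled, i.e. it passes in clear text.
    policies: host IPsec policies, first address match wins (assumption).
    default: action when no policy matches (assumption: discard).
    """
    if src in bypass or dst in bypass:
        return "pass"
    for policy in policies:
        if policy.matches(src, dst):
            if policy.action not in ACTIONS:
                raise ValueError(f"policy {policy.name}: bad action {policy.action!r}")
            return policy.action
    return default


# Constructed sample configuration for the example (not from the guide).
BYPASS = {"192.0.2.10"}
POLICIES = [
    HostPolicy("mgmt_deny", "198.51.100.0/24", "10.0.0.5", "discard"),
    HostPolicy("db_esp", "10.0.0.0/8", "10.0.0.5", "ESP"),
    HostPolicy("anyone_pass", "0.0.0.0/0", "10.0.0.5", "pass"),
]

if __name__ == "__main__":
    for src, dst in [("10.0.0.9", "10.0.0.5"), ("198.51.100.7", "10.0.0.5"),
                     ("203.0.113.1", "192.0.2.10"), ("10.0.0.9", "10.0.0.6")]:
        print(f"{src} -> {dst}: {select_action(src, dst, BYPASS, POLICIES)}")
```

Because the bypass check runs before any policy lookup, traffic to or from a bypassed address is never protected, so the bypass list should contain only addresses that are intentionally left in clear text.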
Start-up options
The start-up options allow you to configure HP-UX IPSec to start automatically at system
boot-up time and to specify general operating parameters.
Although you can configure the above components in any order, HP recommends that you use
the following procedure to configure IPsec:
1. Configure host IPsec policies.
See “Step 1: Configuring Host IPsec Policies” (page 72) for a description of this step.
70 Configuring HP-UX IPSec