HP-UX IPSec Version A.03.00 Administrator's Guide
Step 1: Configuring Host IPsec Policies
Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local
system as an end host. Each host IPsec policy includes address specifications used to select the
host IPsec policy for a packet, and the action for packets using the policy: pass the packets in
clear text, discard the packets, or apply an IPsec transform (AH or ESP) to the packets.
If the host policy is for an end host in an end-to-end tunnel (host-to-host tunnel) topology or an
end host in a host-to-gateway topology, the host policy includes a reference to a tunnel policy.
HP recommends that you use an ipsec_config batch file to configure host IPsec policies.
Host Policy Order and Selection
When an IPsec system sends a packet or receives a packet for an address on the local system,
HP-UX IPSec searches the host IPsec policies in ascending order of the priority parameter value
for each policy (a lower value means a higher priority) and selects the first policy with address,
protocol and port specifications that match the packet. HP-UX IPSec then takes the action specified
in the selected host IPsec policy. Because the search stops at the first match, a broad policy with a
low priority value shadows any more specific policy with a higher priority value.
default Host IPsec Policy
The HP-UX IPSec configuration database includes a host IPsec policy named default. HP-UX
IPSec uses the default host IPsec policy for a packet if no other host IPsec policies match the
packet. The default host IPsec policy allows packets to pass in clear text. You cannot delete
the default host IPsec policy, or modify any argument values except the value for its behavior
(the action argument). Use the following command to change the default host IPsec policy
so it discards packets:
ipsec_config add host default -action DISCARD
To change back the behavior of the default host IPsec policy to pass packets in clear text, use
the following command:
ipsec_config add host default -action PASS
Automatic Priority Increment
There are two ways to set the priority of a host policy:
• Specify the priority argument to explicitly set the priority.
• Omit the priority argument and have ipsec_config assign a priority using the automatic
priority increment value so that the new policy is the last policy evaluated before the default
policy.
If you omit the priority argument, ipsec_config assigns a priority value equal to the numerically
highest priority value currently assigned to any host policy in the configuration database (that is,
the value of the lowest-priority policy), plus the automatic priority increment value for host
policies. Because policies are evaluated in ascending order of priority value, the new policy is the
last host policy evaluated before the default policy. The automatic priority increment value for
host policies is the priority parameter value in the HostPolicy-Defaults section of the profile
file, and the default value is 10.
If you are configuring the first host IPsec policy and do not specify a priority argument,
ipsec_config assigns the automatic priority increment value as the priority.
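The following Python model is an added example that accompanies the "Host Policy Order and Selection", "default Host IPsec Policy" and "Automatic Priority Increment" descriptions above; it is not code from HP-UX IPSec or from ipsec_config. It reproduces the documented rules (evaluation in ascending priority value, first match wins, the undeletable default policy whose only changeable argument is its action, and automatic priority assignment as highest existing value plus the increment, or the increment itself for the first policy) so you can see how a policy set will behave before committing it. The names HostPolicy, HostPolicyDB, select and run_example, the packet tuple, the choice to match a packet's source and destination directly against the policy's source and destination specifications, and the sample addresses are all assumptions made for the example.

```python
"""Model of HP-UX IPSec host policy selection and automatic priority assignment.

Illustrative code added for this section; not part of HP-UX IPSec or ipsec_config.
Names, the packet representation and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Automatic priority increment for host policies: the priority value in the
# HostPolicy-Defaults section of the profile file (documented default is 10).
AUTO_INCREMENT = 10


@dataclass
class HostPolicy:
    name: str
    action: str                        # PASS, DISCARD, or a transform such as AH or ESP
    source: str = "0.0.0.0/0"          # ip_addr/prefix; 0.0.0.0/0 matches any address
    destination: str = "0.0.0.0/0"
    protocol: Optional[int] = None     # None matches any IP protocol
    src_port: Optional[int] = None     # None matches any port
    dst_port: Optional[int] = None
    priority: Optional[int] = None     # None: let the database assign one

    def matches(self, src: str, dst: str, proto: int,
                sport: Optional[int], dport: Optional[int]) -> bool:
        """True if the packet's addresses, protocol and ports fit this policy."""
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.src_port is not None and self.src_port != sport:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return True


class HostPolicyDB:
    """Host policies plus the built-in 'default' policy (only its action can change)."""

    def __init__(self, increment: int = AUTO_INCREMENT) -> None:
        self.increment = increment
        self.policies: Dict[str, HostPolicy] = {}   # 'default' is kept separately
        self.default_action = "PASS"                # default passes packets in clear text

    def add(self, policy: HostPolicy) -> Optional[int]:
        """Model of 'ipsec_config add host'; returns the priority in effect."""
        if policy.name == "default":
            if policy.action not in ("PASS", "DISCARD"):
                raise ValueError("default policy action must be PASS or DISCARD")
            self.default_action = policy.action
            return None
        if policy.priority is None:
            # Omitted priority: highest existing value (lowest priority) plus the
            # increment; for the first host policy this is the increment itself.
            highest = max((p.priority for p in self.policies.values()), default=0)
            policy.priority = highest + self.increment
        self.policies[policy.name] = policy
        return policy.priority

    def delete(self, name: str) -> None:
        if name == "default":
            raise ValueError("the default host policy cannot be deleted")
        del self.policies[name]

    def select(self, src: str, dst: str, proto: int,
               sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
        """First matching policy in ascending priority order, else the default.
        Ties between equal priority values fall back to insertion order here (assumption)."""
        for p in sorted(self.policies.values(), key=lambda p: p.priority):
            if p.matches(src, dst, proto, sport, dport):
                return p.name, p.action
        return "default", self.default_action


def run_example() -> Dict[str, object]:
    """Constructed scenario: local host 10.1.2.3 talking to the 10.0.0.0/8 LAN."""
    db = HostPolicyDB()
    out: Dict[str, object] = {}
    out["ssh_prio"] = db.add(HostPolicy("ssh_esp", "ESP", "10.1.2.3/32", "10.0.0.0/8",
                                        protocol=6, dst_port=22))          # first policy: 10
    out["web_prio"] = db.add(HostPolicy("web_pass", "PASS", "10.1.2.3/32", "10.0.0.0/8",
                                        protocol=6, dst_port=80))          # 10 + 10 = 20
    db.add(HostPolicy("default", "DISCARD"))       # ipsec_config add host default -action DISCARD
    out["ssh"] = db.select("10.1.2.3", "10.5.5.5", 6, dport=22)
    out["web"] = db.select("10.1.2.3", "10.5.5.5", 6, dport=80)
    out["other"] = db.select("10.1.2.3", "10.5.5.5", 6, dport=443)         # falls to default
    # A broad PASS policy with an explicitly lower priority value shadows ssh_esp:
    db.add(HostPolicy("lan_pass", "PASS", "10.1.2.3/32", "10.0.0.0/8", priority=5))
    out["ssh_shadowed"] = db.select("10.1.2.3", "10.5.5.5", 6, dport=22)
    return out


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The last step is the case to check for in a real configuration: once lan_pass exists with priority 5, SSH traffic that was meant to be protected with ESP passes in clear text, and nothing in the policy database flags the overlap, so review explicit priority values against the automatically assigned ones whenever a broad policy is added.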
ipsec_config add host Syntax
If you are not using manual keys, you can use the following ipsec_config add host syntax
in most installations:
ipsec_config add host host_policy_name
[-source ip_addr[/prefix[/port_number|service_name]]]
[-destination ip_addr[/prefix[/port_number|service_name]]]