HP-UX IPSec Version A.03.00 Administrator's Guide

ip_addr
The ip_addr is the source or destination IP address. You can specify a single IP address, or an
address range with two addresses separated by a dash and no spaces (ip_addr-ip_addr). The
second address in a range must be a higher number than the first. For example,
10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2, 10.1.1.3.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination
address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the
double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within
an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing
the IP address in a packet with the source or destination IP address (ip_addr) in the policy. If
the ip_addr is an address range, the prefix applies to all addresses in the range.
You must specify prefix if you specify port_number or service_range.
For IPv4 addresses, a prefix length of 32 bits specifies that all bits in the policy address must
match the packet address.
For IPv6 addresses, a prefix length of 128 bits specifies that all bits in the policy address must
match the packet address.
A prefix length of 0 bits matches all addresses.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix
must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify a
prefix value if you specify a port or service name as part of the address filter.
port
The port is the upper-layer protocol (TCP or UDP) port number. You can specify a single port
number, or a range of port numbers with two port numbers separated by a dash and no spaces
(port-port). The second port number in a range must be higher than the first. For example,
22-24 matches any of the following port numbers: 22, 23, 24.
Specify the upper-layer protocol with the protocol argument described below. The upper-layer
protocol must be TCP or UDP if you specify a non-zero port number.
Valid Values: 0 - 65535. 0 indicates all ports.
Default: 0 (all ports).
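To exercise the ip_addr, prefix and port rules above against sample packets, the following is an added Python model; it is not code from the HP-UX IPSec guide or product, and the AddressFilter class, FilterError and filter_is_valid names are this example's own. It implements the single-address and range forms, the default prefix, the rule that the prefix applies to every address in a range, the manual-key full-prefix requirement, and the port and protocol constraints.

```python
"""Model of the HP-UX IPSec address-filter matching rules described above.

Constructed example, not code from the Administrator's Guide: it models the
ip_addr, prefix, port and protocol semantics so the rules can be exercised
against sample packets. Class and function names are this example's own.
"""
import ipaddress


class FilterError(ValueError):
    """An address filter that breaks one of the rules stated in the guide."""


def _parse_addr_range(text):
    """Parse 'ip_addr' or 'ip_addr-ip_addr' into (low, high); a single address is its own range."""
    parts = text.split("-")
    if len(parts) > 2:
        raise FilterError("a range is two addresses separated by one dash")
    low, high = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[-1])
    if low.version != high.version:
        raise FilterError("both ends of a range must be the same IP version")
    if len(parts) == 2 and high <= low:
        raise FilterError("second address in a range must be higher than the first")
    for addr in (low, high):
        # Multicast and the limited-broadcast address can be detected from the address
        # alone; subnet broadcast and anycast cannot, so they are not checked here.
        if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
            raise FilterError("broadcast and multicast addresses are not allowed")
    return low, high


def _parse_port_range(text):
    """Parse 'port' or 'port-port'; (0, 0) means all ports."""
    parts = text.split("-")
    if len(parts) > 2:
        raise FilterError("a port range is two ports separated by one dash")
    low, high = int(parts[0]), int(parts[-1])
    if not (0 <= low <= 65535 and 0 <= high <= 65535):
        raise FilterError("ports must be in 0-65535")
    if len(parts) == 2 and high <= low:
        raise FilterError("second port in a range must be higher than the first")
    return low, high


class AddressFilter:
    """One source or destination filter: ip_addr[-ip_addr]/prefix plus optional port and protocol."""

    def __init__(self, ip_addr, prefix=None, port="0", protocol=None, manual_keys=False):
        self.low, self.high = _parse_addr_range(ip_addr)
        self.bits = self.low.max_prefixlen          # 32 for IPv4, 128 for IPv6
        self.port = _parse_port_range(port)
        self.protocol = protocol.upper() if protocol else None
        if self.port != (0, 0):
            if prefix is None:
                raise FilterError("prefix is required when a port is specified")
            if self.protocol not in ("TCP", "UDP"):
                raise FilterError("a non-zero port requires protocol TCP or UDP")
        if prefix is None:
            # Default: host prefix, or 0 (match any) for an all-zeros address.
            prefix = 0 if int(self.low) == 0 else self.bits
        if not 0 <= prefix <= self.bits:
            raise FilterError(f"prefix must be 0-{self.bits} for this address type")
        if manual_keys and prefix != self.bits:
            raise FilterError("manual keys require a full-length prefix")
        self.prefix = prefix

    def _leading_bits(self, addr):
        """The leading `prefix` bits of addr as an integer (0 when prefix is 0)."""
        return int(addr) >> (self.bits - self.prefix)

    def matches(self, packet_addr, packet_port=0, packet_protocol=None):
        addr = ipaddress.ip_address(packet_addr)
        if addr.version != self.low.version:
            return False
        # The prefix applies to every address in the range, so the packet matches when its
        # leading bits fall between those of the lowest and highest address in the range.
        if not self._leading_bits(self.low) <= self._leading_bits(addr) <= self._leading_bits(self.high):
            return False
        if self.port == (0, 0):
            return True
        if packet_protocol is None or packet_protocol.upper() != self.protocol:
            return False
        return self.port[0] <= packet_port <= self.port[1]


def filter_is_valid(*args, **kwargs):
    """True if AddressFilter(*args, **kwargs) is accepted, False if it is rejected."""
    try:
        AddressFilter(*args, **kwargs)
        return True
    except (FilterError, ValueError):
        return False


if __name__ == "__main__":
    f = AddressFilter("10.1.1.1-10.1.1.3")
    print([a for a in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4") if f.matches(a)])
```

The range check uses the observation that, once every address is reduced to its leading prefix bits, the set of prefixes covered by a contiguous address range is itself contiguous, so a packet matches when its prefix bits lie between those of the lowest and highest address. A prefix of 0 reduces every address to 0 and therefore matches anything, which is the behaviour the guide describes for all-zeros addresses.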
service_name
The service_name is a character string that specifies a network service. The ipsec_config
utility will add a policy to the configuration database with the appropriate port number and
protocol, as listed below. You cannot specify service_name and protocol in the same policy.
Table 4-1 ipsec_config Service Names
Protocol   Port   Service Name
TCP        53     DNS-TCP
UDP        53     DNS-UDP
TCP        20     FTP-DATA
TCP        21     FTP-CONTROL
74 Configuring HP-UX IPSec