HP-UX IPSec Version A.03.00 Administrator's Guide
To ensure proper operation of IPv6 networks, the default HP-UX IPSec behavior allows all other
ICMPv6 message types to pass in clear text. To discard or secure other ICMPv6 message types,
you must specify -protocol ICMPV6 and explicitly specify the message type value using the
-dst_icmpv6_type and -src_icmpv6_type arguments.
For more information, see “ICMPv6 Message Processing” (page 185).
-priority priority_number
The priority_number is the priority value HP-UX IPSec uses when selecting a host IPsec
policy (a lower priority value has a higher priority). The priority must be unique for each host
IPsec policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, ipsec_config assigns one automatically: it takes the
current highest priority value (that is, the lowest priority) among the host IPsec policies in the
configuration database and adds the automatic priority increment value for host IPsec policies
(the priority parameter in the HostPolicy-Defaults section of the profile file). The new policy is
therefore the last policy evaluated before the default policy. The default automatic priority
increment value (priority) is 10.
If this is the first host IPsec policy created, ipsec_config uses the automatic priority increment
value as the priority.
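The following added example (not HP-UX code, and not part of the manual) models the priority rules just described: a lower priority_number is evaluated first, values must be unique within the host IPsec policies, an unspecified priority becomes the current highest value plus the automatic increment (default 10, or the increment itself for the first policy), and the shipped default policy (-action PASS) is consulted last. The source/destination matching is a constructed simplification (exact address or the wildcard "*"); the real ipsec_config selectors are richer. The transform list value is a placeholder, not a real HP-UX transform name.

```python
"""Model of HP-UX IPSec host-policy priority assignment and selection.
Constructed illustration of the behaviour described in the ipsec_config
documentation; it is not HP-UX code."""

from dataclasses import dataclass
from typing import List, Optional

PRIORITY_MIN = 1
PRIORITY_MAX = 2147483647   # range stated in the manual
DEFAULT_INCREMENT = 10      # default of the HostPolicy-Defaults 'priority' parameter


@dataclass
class HostPolicy:
    name: str
    src: str                        # address or "*" (constructed simplification)
    dst: str                        # address or "*" (constructed simplification)
    action: str                     # "PASS", "DISCARD" or a transform list
    priority: Optional[int] = None  # None -> assigned automatically on add()


# The default policy shipped with the product passes everything in clear text
# and is evaluated only after every configured host policy.
DEFAULT_POLICY = HostPolicy("default", "*", "*", "PASS", priority=PRIORITY_MAX)


class PolicyDatabase:
    def __init__(self, increment: int = DEFAULT_INCREMENT):
        self.increment = increment
        self.policies: List[HostPolicy] = []

    def add(self, policy: HostPolicy) -> int:
        """Store a host policy, assigning a priority when none was given.
        Returns the priority value actually stored."""
        if policy.priority is None:
            if not self.policies:
                # First host policy: the increment itself becomes the priority.
                policy.priority = self.increment
            else:
                # Otherwise: highest existing value (= lowest priority) + increment,
                # so the new policy is evaluated last before the default policy.
                policy.priority = max(p.priority for p in self.policies) + self.increment
        if not PRIORITY_MIN <= policy.priority <= PRIORITY_MAX:
            raise ValueError(f"priority {policy.priority} is outside "
                             f"{PRIORITY_MIN}-{PRIORITY_MAX}")
        if any(p.priority == policy.priority for p in self.policies):
            raise ValueError(f"priority {policy.priority} is already used "
                             f"by another host IPsec policy")
        self.policies.append(policy)
        return policy.priority

    def select(self, src: str, dst: str) -> HostPolicy:
        """Return the matching policy with the lowest priority value; fall
        back to the default policy when no configured policy matches."""
        for policy in sorted(self.policies, key=lambda p: p.priority):
            if policy.src in ("*", src) and policy.dst in ("*", dst):
                return policy
        return DEFAULT_POLICY


if __name__ == "__main__":
    db = PolicyDatabase()
    # Constructed addresses; "<transform_list>" stands in for a real transform list.
    print(db.add(HostPolicy("web", "10.0.0.1", "10.0.0.2", "<transform_list>")))   # 10
    print(db.add(HostPolicy("mgmt", "10.0.0.1", "10.0.0.3", "DISCARD")))           # 20
    print(db.add(HostPolicy("block", "10.0.0.9", "*", "DISCARD", priority=5)))    # 5
    print(db.select("10.0.0.9", "10.0.0.2").name)    # block (priority 5 wins)
    print(db.select("192.0.2.1", "192.0.2.2").action)  # PASS (default policy)
```

Because the default policy passes unmatched traffic in clear text, a practitioner reviewing a configuration should check that the catch-all DISCARD or protection policies they rely on have a priority value lower (numerically) than any broader PASS policy; a PASS policy with a lower number silently wins.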
-tunnel tunnel_policy_name
If packets using this host IPsec policy will be tunneled and the local system is one of the tunnel
endpoints, use the tunnel argument to specify the tunnel_policy_name, the name of the tunnel
IPsec policy to use with this host IPsec policy.
-action
The action argument specifies the action HP-UX IPSec will perform on packets using this
policy. The action must be PASS (pass in clear text) if this is an end system in an end-to-end
tunnel (host-to-host tunnel) topology.
Valid actions are:
• PASS
Allow packets using this host IPsec policy to pass in clear text with no alteration. The default
host IPsec policy shipped with the product specifies -action PASS.
• DISCARD
Discard packets using this host IPsec policy.
• transform_list
A list of IPsec AH (Authentication Header) or ESP (Encapsulation Security Payload)
transforms. See “transform_list.”
Default: The value of the action parameter in the HostPolicy-Defaults section of the
profile file used. The default action is DISCARD in /var/adm/ipsec/.ipsec_profile.
transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH
(Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform list
specifies the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon
proposes the transform list when negotiating the transform for IPsec Security Associations (SAs)
with a remote system.
The transforms in a host policy's transform list are transport transforms; they apply to the
host-to-host SA (end-to-end or transport SA) between the source and destination addresses.
76 Configuring HP-UX IPSec