HP-UX IPSec Version A.03.00 Administrator's Guide
If you are using dynamic keys, the transform list can contain:
• up to 2 AH transforms
• up to 6 ESP transforms
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable
and the last transform is the least preferable. At least one transform must match a transform
configured on the remote system.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
Where:
transform_name
The transform_name is one of the AH (Authentication Header) or ESP (Encapsulating
Security Payload) transform names listed in Table 4-2.
TIP: AES128 is the most secure form of encryption, with performance comparable to or better
than 3DES.
Table 4-2 ipsec_config Transforms

Transform Name          Description
AH_MD5                  AH, with 128-bit key Hashed Message Authentication Code using RSA
                        Message Digest-5 (HMAC-MD5).
AH_SHA1                 AH, with 160-bit key HMAC using Secure Hash Algorithm-1 (HMAC-SHA1).
ESP_AES128_HMAC_MD5     ESP with 128-bit Advanced Encryption Standard (AES128) CBC,
                        authenticated with HMAC-MD5.
ESP_AES128_HMAC_SHA1    ESP with 128-bit Advanced Encryption Standard (AES128) CBC,
                        authenticated with HMAC-SHA1.
ESP_3DES_HMAC_MD5       ESP with triple-DES CBC, three encryption iterations, each with a
                        different 56-bit key (3DES), authenticated with HMAC-MD5.
ESP_3DES_HMAC_SHA1      ESP with triple-DES CBC, three encryption iterations, each with a
                        different 56-bit key (3DES), authenticated with HMAC-SHA1.
ESP_NULL_HMAC_MD5       ESP with null encryption, authenticated with HMAC-MD5.
ESP_NULL_HMAC_SHA1      ESP with null encryption, authenticated with HMAC-SHA1.
lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IPsec SA, in seconds. A transform
lifetime can be specified by time (seconds) and by kilobytes transmitted or received; HP-UX
IPSec considers the lifetime exceeded as soon as either value is exceeded.
Range: 0 (infinite), or 600 - 4294967294 seconds (approximately 49710.2 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The lifetime_kbytes is the maximum lifetime for the IPsec SA, measured in kilobytes
transmitted or received. As with lifetime_seconds, the SA lifetime is exceeded as soon as
either the time limit or the kilobyte limit is reached.
Range: 0 (infinite), or 5120 - 4294967294 kilobytes.
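The following validator is an added example written for this guide's transform-list syntax; it is not part of HP-UX IPSec or the ipsec_config tool. It parses a comma-separated list of transform_name[/lifetime_seconds[/lifetime_kbytes]] entries, applies the limits stated above (at most 2 AH and 6 ESP transforms, lifetime_seconds of 0 or 600 - 4294967294 with a default of 28800, lifetime_kbytes of 0 or 5120 - 4294967294), preserves the preference order, and reports review notes a practitioner would want before loading the policy: a transform preferred over AES128, a null-encryption transform (integrity only, no confidentiality), and an SA with an infinite time lifetime. The function names and the behaviour of leaving lifetime_kbytes unset when it is not given are this example's own assumptions; the guide states no default for lifetime_kbytes.

```python
"""Validator for ipsec_config dynamic-key transform lists.

Added example, not HP's code. Limits and defaults are the ones the
Administrator's Guide states; function names are this example's own.
"""

AH_TRANSFORMS = {"AH_MD5", "AH_SHA1"}
ESP_TRANSFORMS = {
    "ESP_AES128_HMAC_MD5", "ESP_AES128_HMAC_SHA1",
    "ESP_3DES_HMAC_MD5", "ESP_3DES_HMAC_SHA1",
    "ESP_NULL_HMAC_MD5", "ESP_NULL_HMAC_SHA1",
}
MAX_AH, MAX_ESP = 2, 6                  # per-list limits from the guide
DEFAULT_LIFETIME_SECONDS = 28800        # guide default: 8 hours
SECONDS_RANGE = (600, 4294967294)       # or 0 for infinite
KBYTES_RANGE = (5120, 4294967294)       # or 0 for infinite


def _lifetime(raw, bounds, label):
    """Parse one lifetime field: 0 (infinite) or an integer inside bounds."""
    if not raw.isdigit():
        raise ValueError(f"{label} must be a non-negative integer, got {raw!r}")
    value = int(raw)
    lo, hi = bounds
    if value != 0 and not lo <= value <= hi:
        raise ValueError(f"{label} {value} outside {lo}-{hi} (0 means infinite)")
    return value


def parse_transform(spec):
    """Parse transform_name[/lifetime_seconds[/lifetime_kbytes]] into a dict."""
    parts = spec.strip().split("/")
    if len(parts) > 3:
        raise ValueError(f"too many '/' fields in {spec!r}")
    name = parts[0]
    if name in AH_TRANSFORMS:
        kind = "AH"
    elif name in ESP_TRANSFORMS:
        kind = "ESP"
    else:
        raise ValueError(f"unknown transform name {name!r}")
    seconds = (_lifetime(parts[1], SECONDS_RANGE, "lifetime_seconds")
               if len(parts) > 1 else DEFAULT_LIFETIME_SECONDS)
    # Assumption: an omitted lifetime_kbytes is recorded as None (guide gives no default).
    kbytes = (_lifetime(parts[2], KBYTES_RANGE, "lifetime_kbytes")
              if len(parts) > 2 else None)
    return {"name": name, "kind": kind,
            "lifetime_seconds": seconds, "lifetime_kbytes": kbytes}


def parse_transform_list(text):
    """Parse a comma-separated list; list order is the preference order."""
    transforms = [parse_transform(spec) for spec in text.split(",")]
    n_ah = sum(t["kind"] == "AH" for t in transforms)
    n_esp = len(transforms) - n_ah
    if n_ah > MAX_AH:
        raise ValueError(f"{n_ah} AH transforms, at most {MAX_AH} allowed")
    if n_esp > MAX_ESP:
        raise ValueError(f"{n_esp} ESP transforms, at most {MAX_ESP} allowed")
    return transforms


def lint_transform_list(text):
    """Return a list of findings: a single 'error:' entry on a parse failure,
    otherwise zero or more 'note:' entries about the configuration."""
    try:
        transforms = parse_transform_list(text)
    except ValueError as exc:
        return [f"error: {exc}"]
    notes = []
    names = [t["name"] for t in transforms]
    # The guide's TIP calls AES128 the most secure choice; flag a list that
    # prefers something else ahead of it (first entry is most preferable).
    aes_positions = [i for i, n in enumerate(names) if "AES128" in n]
    if aes_positions and aes_positions[0] > 0:
        notes.append(f"note: {names[0]} is preferred over {names[aes_positions[0]]}")
    for t in transforms:
        if "NULL" in t["name"]:
            notes.append(f"note: {t['name']} uses null encryption (integrity only)")
        if t["lifetime_seconds"] == 0:
            notes.append(f"note: {t['name']} SA has an infinite time lifetime")
    return notes


if __name__ == "__main__":
    # Constructed sample list, in the syntax described in the guide.
    sample = "ESP_3DES_HMAC_SHA1, ESP_AES128_HMAC_SHA1/3600/102400, ESP_NULL_HMAC_SHA1/0"
    for finding in lint_transform_list(sample) or ["ok"]:
        print(finding)
```

Run it over the transform list you intend to place in an ipsec_config policy; an "error:" finding means the list will not parse under the rules above, while "note:" findings are points to confirm deliberately before the policy goes live.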
Step 1: Configuring Host IPsec Policies 77