HP-UX IPSec Version A.03.00 Administrator's Guide

Default: 0 (infinite).
CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds
(0) with a finite value for lifetime_kbytes.
-flags flags
The flags are additional options for this policy. Join multiple flags with a plus sign (+).
Table 4-3 Host Policy Flags

EXCLUSIVE
    Specifies session-based keying. Session-based keying uses a different pair of IPsec SAs
    per connection or session. Only packets with the same source IP address, destination IP
    address, network protocol, source port, and destination port will use the same IPsec SA.
    Session-based keying incurs more overhead but provides more security and privacy. If
    you do not specify session-based keying, all packets using the same IPsec policy to the
    same remote node will share the same IPsec SA pair and cryptography keys.
    You cannot specify the EXCLUSIVE flag if you are using manual keys, or the action is
    PASS or DISCARD.

FALLBACK_TO_CLEAR
    Specifies that IPsec packets can pass in clear text if:
    - the local system is the initiator in an IKE negotiation and the negotiation fails
    - the system receives a packet in clear text and there is no existing IPsec SA or kernel
      policy cache entry for an IPsec SA
    In both cases, HP-UX IPSec adds an entry to the kernel policy cache to allow subsequent
    inbound and outbound packets for the five-tuple (defined by source and destination IP
    addresses, protocol, and source and destination port numbers) to pass in clear text.
    This feature is useful when configuring host policies for remote subnets where not all
    nodes in the subnet support IPsec.
    The FALLBACK_TO_CLEAR flag is not valid if the action is PASS or DISCARD, or if the
    policy specifies a tunnel.
    WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets
    from non-secure nodes to communicate with the local system.

NONE
    No flags.
Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file
used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
Host IPsec Policy Configuration Examples
The following batch file entry configures a host IPsec policy that requires all traffic between
10.1.1.1 (the local system) and 10.5.5.5 to use ESP with AES128 encryption and HMAC SHA-1
authentication:
add host apple_banana -source 10.1.1.1 \
-destination 10.5.5.5 -pri 20 \
-action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy that requires all outbound IPv4
rlogin sessions (where the local system is an rlogin client) to use ESP with AES128 encryption
and HMAC SHA-1 authentication. The user does not specify the source argument, and the
ipsec_config program uses the default source argument value from the /var/adm/ipsec/
.ipsec_profile file (0.0.0.0/0/0 - the wildcard IPv4 address and any port). The destination
argument specifies the wildcard IPv4 address (0.0.0.0/0) and service name RLOGIN (port
513, protocol TCP).
add host rlogin_out -destination 0.0.0.0/0/RLOGIN \
-pri 100 -action ESP_AES128_HMAC_SHA1
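The batch file entries above can be checked against the constraints this section states (EXCLUSIVE and FALLBACK_TO_CLEAR are not valid with PASS or DISCARD, and an infinite lifetime_seconds should not be combined with a finite lifetime_kbytes) before they are loaded. The following audit script is an added example, not part of the guide or of ipsec_config; the sample batch text is constructed, and the -lifetime_seconds and -lifetime_kbytes option names are assumed.

```python
import shlex

# Flags and actions as documented in Table 4-3 (the guide's rules, not ipsec_config's own checks).
KNOWN_FLAGS = {"EXCLUSIVE", "FALLBACK_TO_CLEAR", "NONE"}
NO_FLAG_ACTIONS = {"PASS", "DISCARD"}

# Constructed sample batch file: the guide's two examples plus one deliberately
# misconfigured entry to exercise the checks.
SAMPLE_BATCH = r"""add host apple_banana -source 10.1.1.1 \
-destination 10.5.5.5 -pri 20 \
-action ESP_AES128_HMAC_SHA1
add host rlogin_out -destination 0.0.0.0/0/RLOGIN \
-pri 100 -action ESP_AES128_HMAC_SHA1
add host bad_policy -destination 10.5.5.6 -pri 30 \
-action PASS -flags EXCLUSIVE+FALLBACK_TO_CLEAR \
-lifetime_seconds 0 -lifetime_kbytes 4096
"""

def parse_batch(text):
    """Join backslash-continued lines and return [(name, {option: value})]
    for each 'add host' entry. Option names are stored without the leading '-'."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        toks = shlex.split(line)
        if len(toks) < 3 or toks[:2] != ["add", "host"]:
            continue
        opts = {toks[i].lstrip("-"): toks[i + 1] for i in range(3, len(toks) - 1, 2)}
        entries.append((toks[2], opts))
    return entries

def check_entry(name, opts):
    """Return the findings for one host policy, based on the rules in the guide."""
    findings = []
    action = opts.get("action", "")
    flags = set(opts.get("flags", "NONE").split("+"))
    for flag in sorted(flags - KNOWN_FLAGS):
        findings.append(f"{name}: unknown flag {flag}")
    if "EXCLUSIVE" in flags and action in NO_FLAG_ACTIONS:
        findings.append(f"{name}: EXCLUSIVE is not valid with action {action}")
    if "FALLBACK_TO_CLEAR" in flags:
        if action in NO_FLAG_ACTIONS:
            findings.append(f"{name}: FALLBACK_TO_CLEAR is not valid with action {action}")
        findings.append(f"{name}: FALLBACK_TO_CLEAR permits clear-text traffic (review)")
    # Option names -lifetime_seconds / -lifetime_kbytes are assumed, not taken from the guide.
    if opts.get("lifetime_seconds") == "0" and opts.get("lifetime_kbytes", "0") != "0":
        findings.append(f"{name}: infinite lifetime_seconds with finite lifetime_kbytes")
    return findings

def audit(text):
    """Map each policy name to its findings (an empty list means no issue found)."""
    return {name: check_entry(name, opts) for name, opts in parse_batch(text)}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BATCH).items():
        print(name, findings or "OK")
```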
78 Configuring HP-UX IPSec