HP-UX IPSec Version A.03.00 Administrator's Guide
Step 2: Configuring Tunnel IPsec Policies
Complete this step only if you are using IPsec tunnels. If you are not using IPsec tunnels, skip
this step.
Tunnel IPsec policies specify HP-UX IPSec behavior for IP packets tunneled by the local system.
In an IPsec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPsec
packet with an AH or ESP header. The other tunnel endpoint system processes the AH or ESP
header, decapsulates the packet, and sends the packet to the destination address in the original
packet header.
An HP-UX system can be the end host in an end-to-end tunnel (host-to-host tunnel) topology, or
the end host in a host-to-gateway tunnel topology.
Tunnel IPsec policies are referenced in host IPsec policies. HP-UX IPSec first selects a host IPsec
policy to use for a packet. If the host IPsec policy specifies a tunnel policy name, HP-UX IPSec
uses the information in the tunnel IPsec policy to establish an IPsec tunnel with the tunnel
destination.
If the local system is a tunnel endpoint, you must configure tunnel IPsec policies. HP recommends
that you use an ipsec_config batch file to configure tunnel IPsec policies.
ipsec_config add tunnel Syntax
If you are not using manual keys, you can use the following ipsec_config add tunnel
syntax in most installations:
ipsec_config add tunnel tunnel_policy_name
[-tsource tunnel_address]
[-tdestination tunnel_address]
[-source ip_addr[/prefix]]
[-destination ip_addr[/prefix]]
[-protocol protocol_id] [-action transform_list]
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify
an add tunnel operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add tunnel tunnel_policy_name
[-tsource tunnel_address]
[-tdestination tunnel_address]
[-source ip_addr[/prefix]]
[-destination ip_addr[/prefix]]
[-protocol protocol_id] [-action transform_list]
The complete ipsec_config add tunnel syntax specification also allows you to specify the
following arguments:
• nocommit (verify the syntax but do not commit the information to the database)
• profile (alternate profile file)
• in and out (inbound and outbound SA information for manual keys)
Refer to the ipsec_config_add(1M) manpage for complete syntax information.
tunnel_policy_name
The tunnel_policy_name is the user-defined name for the tunnel IPsec policy. This name
must be unique for each tunnel IPsec policy and is case-sensitive.
Valid Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen
(-), or underscore (_).
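The following shell script is an added example, not a procedure or code from the HP-UX IPSec guide. It generates an ipsec_config batch file for a host-to-gateway tunnel using the add tunnel syntax above, and first checks each policy name against the tunnel_policy_name rule (1 - 63 characters; ASCII alphanumerics, hyphen or underscore), so that an invalid name is caught before anything is committed. Everything beyond that page text is an assumption: the host policy is assumed to reference its tunnel policy with a -tunnel option and to use PASS as its own action, ESP_AES128_HMAC_SHA1 is assumed to be an accepted transform name on this release, the batch file is assumed to be loaded with ipsec_config batch, and the addresses and policy names are constructed values, not a real deployment.

```sh
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): emit an ipsec_config batch
# file for a host-to-gateway IPsec tunnel, validating policy names first.
#
# Assumptions not stated on the page: "-tunnel name" on add host, PASS as the
# host policy action, and the ESP_AES128_HMAC_SHA1 transform name.

# Constructed topology (RFC 5737 documentation addresses, not real hosts):
# this host, the remote security gateway, and the network behind the gateway.
LOCAL_HOST=192.0.2.10
REMOTE_GW=198.51.100.1
REMOTE_NET=203.0.113.0/24

# valid_policy_name NAME
# Returns 0 if NAME satisfies the guide's tunnel_policy_name rule:
# 1 to 63 characters, each an ASCII letter, digit, hyphen or underscore.
# Returns 1 otherwise. Names are case-sensitive, so no case folding is done.
valid_policy_name() {
    name=$1
    [ -n "$name" ] || return 1             # at least one character
    [ "${#name}" -le 63 ] || return 1      # at most 63 characters
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;      # any other character is rejected
    esac
    return 0
}

# gen_batch TUNNEL_POLICY HOST_POLICY
# Prints the batch-file body: one "add tunnel" line (the syntax shown in the
# guide, without the ipsec_config command name) and one "add host" line that
# refers to the tunnel policy. Prints nothing and returns 1 if either name
# fails the naming rule.
gen_batch() {
    tun=$1
    host=$2
    valid_policy_name "$tun" || return 1
    valid_policy_name "$host" || return 1

    # Tunnel endpoints are this host and the gateway (-tsource/-tdestination);
    # the inner selector (-source/-destination) is this host to the remote
    # network, protected with ESP (assumed transform name).
    printf 'add tunnel %s -tsource %s -tdestination %s -source %s -destination %s -action ESP_AES128_HMAC_SHA1\n' \
        "$tun" "$LOCAL_HOST" "$REMOTE_GW" "$LOCAL_HOST" "$REMOTE_NET"

    # Host policy selecting the same traffic. PASS (no end-to-end transform)
    # and "-tunnel" are assumptions; the tunnel policy supplies the protection.
    printf 'add host %s -source %s -destination %s -action PASS -tunnel %s\n' \
        "$host" "$LOCAL_HOST" "$REMOTE_NET" "$tun"
}

# Demonstration: print the batch-file body for two constructed policy names.
gen_batch ToBranchGW BranchHosts
```

To use it, redirect the output to a file and load that file with ipsec_config batch (assumed invocation: ipsec_config batch /path/to/file). Keeping the name check separate from the generator means the same function can be reused for host policy names, which the guide's syntax treats the same way, and the generator refuses to emit anything when a name would be rejected by ipsec_config.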
80 Configuring HP-UX IPSec