HP-UX IPSec Version A.03.00 Administrator's Guide

-tsource and -tdestination tunnel_address
The tunnel_address is the IP address for the tunnel endpoint. The -tsource tunnel_address
is the local tunnel endpoint; the -tdestination tunnel_address is the remote tunnel endpoint.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. The IP address type (IPv4 or IPv6) must be the same for all the addresses in the policy.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon
(::) notation within a specified IPv6 address to denote a number of zeros (0) within an address.
The address must be a unicast address.
Default: If you do not specify a tsource or tdestination option, the field will be null and
HP-UX IPSec will use the end source or end destination address of the packet as the tunnel
endpoint when creating the tunnel.
You must specify the tsource and tdestination options if you are using manual keying.
-source and -destination ip_addr [/prefix]
You can repeat the -source and -destination arguments up to 20 times each if you are not
using manual keys. HP-UX IPSec uses the -source and -destination arguments with the
protocol argument to form traffic selectors for IKEv2, or as the proxy IDs for IKEv1. For more
information about how HP-UX IPSec uses the address and port specifications when negotiating
IPsec SAs, see “IPsec SA Packet Descriptors” (page 183).
Default: If you do not specify -source or -destination arguments, ipsec_config uses
the value of the source or destination parameter in the TunnelPolicy-Defaults section of
the profile file used. The default value for source and destination is 0.0.0.0/0 (match
any IPv4 address) in /var/adm/ipsec/.ipsec_profile.
Where:
ip_addr
The ip_addr is the source or destination IP address. If you are not using manual keys, you can
also specify an address range with two addresses separated by a dash and no spaces
(ip_addr-ip_addr). The second address in a range must be a higher number than the first. For
example, 10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2, 10.1.1.3.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination
address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the
double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within
an address. The address must be a unicast address.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing
the IP address in a packet with the source or destination IP address (ip_addr) in the policy. If
the ip_addr is an address range, the prefix applies to all addresses in the range.
For IPv4 addresses, a prefix length of 32 bits specifies that all bits in the policy address must
match the packet address.
For IPv6 addresses, a prefix length of 128 bits specifies that all bits in the policy address must
match the packet address.
A prefix length of 0 bits matches all addresses.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix
must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
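As an added illustration (not taken from the HP-UX manual and not part of ipsec_config), the following Python models the -source/-destination selector rules described above: parsing ip_addr[-ip_addr][/prefix], the validity checks (same IP version, no unspecified IPv6 address, unicast only, ascending range, manual-key restrictions), and how a packet address is compared when the prefix applies to every address in a range. The function names are hypothetical.

```python
import ipaddress

def parse_selector(spec, manual_keys=False):
    """Parse a -source/-destination value of the form ip_addr[-ip_addr][/prefix].

    Returns (low, high, prefix). Raises ValueError for anything the manual
    text disallows: mixed IP versions, an unspecified IPv6 address, a
    non-unicast address, a descending range, a prefix outside 0-32/0-128,
    and with manual keys: any range, or a prefix other than 32/128.
    (Hypothetical helper, not ipsec_config's own parser.)
    """
    addr_part, _, prefix_part = spec.partition("/")
    low_s, _, high_s = addr_part.partition("-")
    low = ipaddress.ip_address(low_s)
    high = ipaddress.ip_address(high_s) if high_s else low
    if high.version != low.version:
        raise ValueError("both ends of a range must be the same IP version")
    if high_s and manual_keys:
        raise ValueError("address ranges are not allowed with manual keys")
    if high_s and high <= low:
        raise ValueError("second address in a range must be higher than the first")
    for a in (low, high):
        if a.version == 6 and a.is_unspecified:
            raise ValueError("unspecified IPv6 addresses are not supported")
        if a.is_multicast:
            raise ValueError("address must be unicast")
    full = low.max_prefixlen            # 32 for IPv4, 128 for IPv6
    prefix = int(prefix_part) if prefix_part else full
    if not 0 <= prefix <= full:
        raise ValueError(f"prefix must be 0-{full}")
    if manual_keys and prefix != full:
        raise ValueError(f"manual keys require prefix {full}")
    return low, high, prefix

def matches(selector, packet_addr):
    """True if the leading `prefix` bits of packet_addr equal the leading bits
    of some address in [low, high]; IP versions must match."""
    low, high, prefix = selector
    pkt = ipaddress.ip_address(packet_addr)
    if pkt.version != low.version:
        return False
    full = low.max_prefixlen
    mask = ((1 << full) - 1) ^ ((1 << (full - prefix)) - 1)   # leading-bits mask
    # Masking is monotonic, so the masked range [low, high] is contiguous and a
    # single interval test covers every address in the range.
    return (int(low) & mask) <= (int(pkt) & mask) <= (int(high) & mask)
```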
Step 2: Configuring Tunnel IPsec Policies 81