HP-UX IPSec Version A.03.00 Administrator's Guide

Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify a
prefix value if you specify a port or service name as part of the address filter.
-protocol protocol_id
The protocol is the value or name of the upper-layer protocol that HP-UX IPSec uses in the
address filter to select an IPsec policy for a packet.
Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply,
Mobile Prefix Solicitation, Mobile Prefix Advertisement.
To ensure proper operation of IPv6 networks, HP-UX IPSec always allows all ICMPv6 messages
not listed above to pass in clear text.
Valid Values: Integer value 0 (any protocol) - 255, or one of the following protocol names:
TCP
UDP
ICMP
ICMPV6
IGMP
ALL (any protocol)
The protocols ICMP and IGMP are valid with IPv4 addresses only. The protocol ICMPV6 is
valid with IPv6 addresses only.
Default: ALL.
NOTE: The protocol value must be ALL or 0 if the corresponding host policy (the host policy
that references this tunnel policy) uses a transform (the host policy action is not PASS).
ICMPv4 Messages
If protocol_id is ICMP or ALL, the policy applies to all ICMPv4 message types by default. You can
specify ICMPv4 message type values for end-to-end packets using the -dst_icmp_type and
-src_icmp_type arguments.
CAUTION: Discarding or requiring ICMP messages for IPv4 (protocol value 1) to be encrypted
or authenticated may cause connectivity problems.
For more information, see “ICMPv4 Message Processing” (page 184).
ICMPv6 Messages
If protocol_id is ICMPV6 or ALL, the policy applies to only the following ICMPv6 message types:
Echo Request
Echo Reply
Mobile Prefix Solicitation
Mobile Prefix Advertisement
To ensure proper operation of IPv6 networks, the default HP-UX IPSec behavior allows all other
ICMPv6 message types to pass in clear text. To discard or secure other ICMPv6 message types
in end-to-end packets, you must explicitly specify the message type value using the
-dst_icmpv6_type and -src_icmpv6_type arguments.
For more information, see “ICMPv6 Message Processing” (page 185).
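The prefix defaults and -protocol restrictions above can be checked before a policy is loaded. The following is an added example, not part of HP-UX IPSec or of this guide. The function names, the tunnel_with_transform parameter, the mapping of protocol names to IANA numbers, and the application of the address-family rule to the numeric protocol values are assumptions.

```python
import ipaddress

# Names from the Valid Values list, mapped to IANA protocol numbers (assumed mapping).
PROTO_NUM = {"ALL": 0, "ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "ICMPV6": 58}
V4_ONLY, V6_ONLY = {1, 2}, {58}          # ICMP and IGMP; ICMPV6
# ICMPv6 types a policy covers by default: Echo Request, Echo Reply,
# Mobile Prefix Solicitation, Mobile Prefix Advertisement.
ICMPV6_COVERED = {128, 129, 146, 147}

def default_prefix(ip_addr):
    """Prefix length applied when the filter gives none."""
    addr = ipaddress.ip_address(ip_addr)
    if int(addr) == 0:
        return 0                          # all-zeros address: match any address
    return 32 if addr.version == 4 else 128

def icmpv6_clear_by_default(icmp_type):
    """True if this ICMPv6 type passes in clear text unless named explicitly."""
    return icmp_type not in ICMPV6_COVERED

def check_filter(ip_addr, prefix=None, port=None, protocol="ALL",
                 tunnel_with_transform=False):
    """Return (effective_prefix, protocol_number, errors) for one address filter."""
    errors = []
    addr = ipaddress.ip_address(ip_addr)
    if prefix is None:
        if port is not None:
            errors.append("prefix is required when a port or service name is given")
        prefix = default_prefix(ip_addr)
    elif not 0 <= prefix <= addr.max_prefixlen:
        errors.append(f"prefix {prefix} out of range for IPv{addr.version}")
    name = str(protocol).upper()
    if name in PROTO_NUM:
        num = PROTO_NUM[name]
    elif name.isdecimal() and int(name) <= 255:
        num = int(name)
    else:
        num = None
        errors.append(f"invalid protocol {protocol!r}")
    if num in V4_ONLY and addr.version != 4:
        errors.append("ICMP and IGMP are valid with IPv4 addresses only")
    if num in V6_ONLY and addr.version != 6:
        errors.append("ICMPV6 is valid with IPv6 addresses only")
    if tunnel_with_transform and num not in (0, None):
        errors.append("tunnel policy protocol must be ALL or 0 when the host policy uses a transform")
    return prefix, num, errors
```

icmpv6_clear_by_default(135) returns True: Neighbor Solicitation is one of the types that passes in clear text unless it is named with -dst_icmpv6_type or -src_icmpv6_type.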
-action transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH
(Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform list