HP-UX IPSec Version A.03.00 Administrator's Guide

specifies the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon
proposes the transform list when negotiating the transform for IPsec Security Associations (SAs)
with a remote system.
The transform_list in a tunnel policy specifies the tunnel transforms applied to packets
encapsulated between the tunnel endpoints.
If you are using dynamic keys, the transform list can contain:
• A list that contains up to 2 AH transforms
• A list that contains up to 6 ESP transforms
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable
and the last transform is the least preferable. At least one transform must match a transform
configured on the remote system.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
Where:
transform_name
A transform_name is a valid AH (Authentication Header) or ESP (Encapsulation Security
Payload) transform name, as specified in Table 4-2: “ipsec_config Transforms” (page 77).
Default: The transform defined for the action parameter in the TunnelPolicy-Defaults section of
the profile file used. The default action is ESP_AES128_HMAC_SHA1 in
/var/adm/ipsec/.ipsec_profile.
TIP: AES128 is the most secure form of encryption, with performance comparable to or better
than 3DES.
lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IPsec SA, in seconds. A transform
lifetime can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX
IPSec considers the lifetime to be exceeded if either value is exceeded.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The lifetime_kbytes is the maximum lifetime for the IPsec SA, measured by kilobytes
transmitted or received. A transform lifetime can be specified by time (seconds), and by kilobytes
transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is
exceeded.
Range: 0 (infinite), or 5120 - 4294967294 kilobytes.
Default: 0 (infinite).
CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds
(0) with a finite value for lifetime_kbytes.
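The following validator is an added example, not code from the HP-UX IPSec guide or product. It parses a transform_list string according to the format above (comma-separated, most preferred first, transform_name[/lifetime_seconds[/lifetime_kbytes]]), enforces the lifetime ranges, defaults and per-protocol counts given on this page, and flags the combination the CAUTION warns about. It assumes transform names use the AH_/ESP_ prefix style seen in the guide; it does not check membership in Table 4-2.

```python
from dataclasses import dataclass

# Limits and defaults as documented for HP-UX IPSec transform lifetimes.
SECONDS_MIN, KBYTES_MIN = 600, 5120
LIFETIME_MAX = 4294967294          # upper bound for both seconds and kilobytes
DEFAULT_SECONDS, DEFAULT_KBYTES = 28800, 0   # 8 hours; 0 means infinite
MAX_AH, MAX_ESP = 2, 6             # maximum transforms per protocol in one list


@dataclass
class Transform:
    name: str
    lifetime_seconds: int = DEFAULT_SECONDS
    lifetime_kbytes: int = DEFAULT_KBYTES

    @property
    def protocol(self) -> str:
        # Assumption: the protocol is the AH_/ESP_ prefix of the transform name.
        return self.name.split("_", 1)[0]


def _check_range(value: int, lo: int, what: str) -> None:
    # 0 is the documented "infinite" value; anything else must be within lo..LIFETIME_MAX.
    if value != 0 and not lo <= value <= LIFETIME_MAX:
        raise ValueError(f"{what} {value} is not 0 or in {lo}-{LIFETIME_MAX}")


def parse_transform(spec: str) -> Transform:
    """Parse one transform_name[/lifetime_seconds[/lifetime_kbytes]] entry."""
    parts = [p.strip() for p in spec.split("/")]
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"bad transform spec: {spec!r}")
    if parts[0].split("_", 1)[0] not in ("AH", "ESP"):
        raise ValueError(f"not an AH or ESP transform name: {parts[0]!r}")
    t = Transform(parts[0])
    if len(parts) > 1:
        t.lifetime_seconds = int(parts[1])
        _check_range(t.lifetime_seconds, SECONDS_MIN, "lifetime_seconds")
    if len(parts) > 2:
        t.lifetime_kbytes = int(parts[2])
        _check_range(t.lifetime_kbytes, KBYTES_MIN, "lifetime_kbytes")
    return t


def parse_transform_list(text: str):
    """Return (transforms in preference order, warnings); raise ValueError if invalid."""
    transforms = [parse_transform(s) for s in text.split(",")]
    counts = {"AH": 0, "ESP": 0}
    warnings = []
    for t in transforms:
        counts[t.protocol] += 1
        if t.lifetime_seconds == 0 and t.lifetime_kbytes != 0:
            warnings.append(f"{t.name}: infinite lifetime_seconds with finite lifetime_kbytes")
    if counts["AH"] > MAX_AH or counts["ESP"] > MAX_ESP:
        raise ValueError(f"too many transforms for one policy: {counts}")
    return transforms, warnings
```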
Tunnel IPsec Policy Configuration Example
This example corresponds to the example host policy that specifies a tunnel policy in “Host IPsec
Policy Configuration Examples” (page 78). The local system (10.1.1.1) is using an end-to-end
tunnel (host-to-host tunnel) with system 10.2.2.2. The following batch file entry configures the
tunnel to use ESP with AES128 encryption and HMAC SHA-1 authentication.
Step 2: Configuring Tunnel IPsec Policies 83