HP-UX IPSec Version A.03.00 Administrator's Guide
A prefix length of 0 bits matches all addresses.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix
must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
Subnet Addresses
You can use a subnet address in an authentication record with a specific remote ID or with a
subtree or address range remote ID. A subtree or address range remote ID matches multiple
remote IDs.
Specifying a subnet address with a specific remote ID is useful when configuring an authentication
record for a remote system that has a dynamically allocated IP address.
Specifying a subnet address with a subtree or address range remote ID enables you to configure
one authentication record for multiple remote systems. The remote systems may or may not use
dynamically allocated IP addresses.
HP recommends that you use subtree and address range remote IDs only when using
certificate-based authentication. Although it is possible to specify a subtree remote ID with a
preshared key, so that one preshared key serves multiple remote systems, HP strongly
recommends that you do not do this: every system that holds the shared key can authenticate
as any other member of the subtree.
For more information, see “Subtree and Address Range Remote ID Matching” (page 91).
-kmp ike_version
The -kmp argument specifies the IKE key management protocol (KMP) versions used by the IKE
daemon for negotiations.
Valid Values:
IKEV1
Use IKEv1.
IKEV2
Use IKEv2.
IKEV1,IKEV2
Use IKEv1 if the local system is the initiator in an IKE negotiation. Accept
IKEv1 or IKEv2 requests if the local system is the responder.
IKEV2,IKEV1
Use IKEv2 if the local system is the initiator in an IKE negotiation. Accept
IKEv2 or IKEv1 requests if the local system is the responder.
Default: The value for the kmp parameter in the AUTHPolicy-Defaults section of the profile file
used. The default kmp parameter value is IKEV1 in /var/adm/ipsec/.ipsec_profile.
-exchange AM|MM
Specifies the exchange mode for the IKEv1 Phase 1 negotiation. This must match what is
configured on the remote system.
This argument is valid only if the IKE version is IKEv1 (the -kmp argument value includes
IKEV1).
Valid Values: AM (Aggressive Mode) or MM (Main Mode). Aggressive Mode completes Phase 1 in
three messages instead of six, so it is more efficient, but it does not provide identity protection:
the IKE peers exchange identity information before establishing a secure channel, and with
preshared-key authentication the authentication hash is also sent unprotected, which exposes the
preshared key to offline guessing.
If the remote system is an autoconfiguration client (the AUTOCONF flag is set) and the IKE version
is IKEv1, the exchange type must be AM.
Default: MM (Main Mode).
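The prefix-length defaults and the -kmp/-exchange constraints above are rules an administrator has to apply by hand when writing an authentication record. The following Python model, added here as an example and not part of the HP-UX IPSec product or this guide, encodes those rules so that a record can be checked before it is entered and a candidate peer address can be tested against the record's ip_addr/prefix. The AuthRecord class, its field names, and the helper functions are illustrative assumptions; only the rules they enforce come from this page.

```python
"""Added example (not HP-UX code): models the address-matching and
argument-constraint rules this page gives for ipsec_config authentication
records. AuthRecord, its field names and the helper functions are
assumptions made for illustration; only the rules come from the page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_PREFIX = {4: 32, 6: 128}          # host (single-address) prefix per family
# -kmp values; tuple order is the order tried when the local system initiates
KMP_VALUES = {
    "IKEV1": ("IKEV1",),
    "IKEV2": ("IKEV2",),
    "IKEV1,IKEV2": ("IKEV1", "IKEV2"),
    "IKEV2,IKEV1": ("IKEV2", "IKEV1"),
}


def default_prefix(ip_addr: str) -> int:
    """Default prefix: 0 (match any) for 0.0.0.0 or 0::0, else a host prefix."""
    addr = ipaddress.ip_address(ip_addr)
    return 0 if int(addr) == 0 else FULL_PREFIX[addr.version]


@dataclass
class AuthRecord:
    remote: str                       # ip_addr of the remote ID
    prefix: Optional[int] = None      # None = apply the page's default rule
    manual_keys: bool = False
    kmp: str = "IKEV1"                # page: profile default is IKEV1
    exchange: Optional[str] = None    # None = MM (the default)
    autoconf: bool = False            # remote is an autoconfiguration client

    def effective_prefix(self) -> int:
        return default_prefix(self.remote) if self.prefix is None else self.prefix

    def effective_exchange(self) -> str:
        return "MM" if self.exchange is None else self.exchange


def validate(rec: AuthRecord) -> List[str]:
    """Return the rule violations for a record (empty list = acceptable)."""
    errors = []
    addr = ipaddress.ip_address(rec.remote)
    full = FULL_PREFIX[addr.version]
    prefix = rec.effective_prefix()
    if not 0 <= prefix <= full:
        errors.append(f"prefix {prefix} out of range 0-{full}")
    elif rec.manual_keys and prefix != full:
        # manual keys need a single host: 32 for IPv4, 128 for IPv6
        errors.append(f"manual keys require prefix {full}, got {prefix}")
    versions = KMP_VALUES.get(rec.kmp)
    if versions is None:
        errors.append(f"invalid -kmp value {rec.kmp!r}")
        return errors
    if rec.exchange is not None:
        if rec.exchange not in ("AM", "MM"):
            errors.append(f"invalid -exchange value {rec.exchange!r}")
        if "IKEV1" not in versions:
            errors.append("-exchange is valid only when -kmp includes IKEV1")
    if rec.autoconf and "IKEV1" in versions and rec.effective_exchange() != "AM":
        errors.append("AUTOCONF client with IKEv1 requires -exchange AM")
    return errors


def matches(rec: AuthRecord, candidate: str) -> bool:
    """Does candidate fall within the record's ip_addr/prefix? Families never mix."""
    cand = ipaddress.ip_address(candidate)
    remote = ipaddress.ip_address(rec.remote)
    if cand.version != remote.version:
        return False
    net = ipaddress.ip_network(f"{rec.remote}/{rec.effective_prefix()}", strict=False)
    return cand in net


def initiator_version(rec: AuthRecord) -> str:
    """Version used when the local system initiates (first one listed)."""
    return KMP_VALUES[rec.kmp][0]


def responder_accepts(rec: AuthRecord) -> Tuple[str, ...]:
    """Versions accepted when the local system responds (every one listed)."""
    return KMP_VALUES[rec.kmp]


if __name__ == "__main__":
    subnet = AuthRecord(remote="192.0.2.0", prefix=24)   # constructed sample record
    print(validate(subnet), matches(subnet, "192.0.2.77"))
    print(validate(AuthRecord(remote="192.0.2.0", prefix=24, manual_keys=True)))
```

The validator deliberately reports the AUTOCONF/Aggressive Mode conflict even when -exchange is omitted, because the default of MM is what silently violates that rule.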
Step 3: Configuring Authentication Records and Preshared Keys 87