HP-UX IPSec Version A.03.00 Administrator's Guide
Step 4: Configuring IKEv1 and IKEv2 Policies
The IKEv1 and IKEv2 policies specify parameters for negotiating IKEv1 and IKEv2 SAs. An IKE
SA is required to negotiate an IPsec SA pair with dynamic keys. You do not need to configure
or modify IKE policies if you are using manual keys or are using HP-UX IPSec only to discard
packets.
Default IKE Policies
The configuration database contains a preloaded default IKEv1 policy and a preloaded default
IKEv2 policy. Each default policy is the last policy in the search order for the IKE policy type.
You cannot delete the default IKE policies, but you can modify the parameters using the
ipsec_config add ikev1 default or ipsec_config add ikev2 default command.
The default IKEv1 policy has the following parameters:
• Remote address: None. This argument is not supported for the default policy and the default
policy matches all remote IP addresses.
• Diffie-Hellman Group: 2.
• IKEv1 hash algorithm: MD5.
• IKEv1 encryption algorithm: 3DES.
• IKEv1 SA lifetime: 28,800 seconds (8 hours).
• PFS: OFF.
The default IKEv2 policy has the following parameters:
• Remote address: None. This argument is not supported for the default policy and the default
policy matches all remote IP addresses.
• Diffie-Hellman Group: 2.
• IKEv2 hash algorithm: HMAC-SHA1.
• IKEv2 encryption algorithm: 3DES.
• Pseudo-random function (PRF): HMAC-SHA1.
• IKEv2 SA lifetime: 28,800 seconds (8 hours).
• PFS: OFF.
You do not need to modify the default IKE policies if these parameters meet your requirements.
Note that Diffie-Hellman group 2 (1024-bit MODP), MD5, and 3DES are weak by current standards;
where your peers and this release support them, prefer a larger DH group, a SHA-based hash
algorithm, and AES for new deployments.
IKE Policy Order and Selection
Before searching for an IKE policy, HP-UX IPSec determines the authentication record for the
peer node. HP-UX IPSec uses the kmp (key management protocol) value in the authentication
record to determine if it will search the IKEv2 or IKEv1 policies. If the local system is the responder
in an IKE negotiation, HP-UX IPSec also checks if the IKE version for the IKE request matches a
version specified in the kmp value.
HP-UX IPSec searches the IKEv2 or IKEv1 policies according to the value of the priority
parameter for each policy and selects the first policy with the IP address and prefix specifications
that match the remote system’s address. If no match is found, HP-UX IPSec uses the default
IKEv2 or IKEv1 policy. Because the search is ordered by priority rather than by prefix length, a
broad policy evaluated before a more specific one always wins for addresses they both cover;
give the more specific policy the priority value that is evaluated first.
Automatic Priority Increment
There are two ways to set the priority of an IKE policy:
• Specify the priority argument to explicitly set the priority.
• Omit the priority argument and have ipsec_config assign a priority using the automatic
priority increment value so that the new policy is the last policy evaluated before the default
policy.
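The selection order and the automatic priority increment described above, as an added model (example code, not HP-UX IPSec code and not the ipsec_config command). Assumptions made for the illustration: the in-memory representation of policies and of the authentication record's kmp value, that a lower priority value is evaluated first, an auto-increment step of 10, that duplicate priorities are rejected, that an initiator permitted both versions prefers IKEv2, and all sample names and addresses. The sample configuration shows how a /16 policy evaluated before a /32 policy shadows it.

```python
"""Model of HP-UX IPSec IKE policy selection as described in this section.

Added illustration, not HP-UX code.  Assumed: data representation, lower
priority value evaluated first, auto-increment step of 10, duplicate
priorities rejected, initiator prefers IKEv2 when both are allowed, and the
sample policy names and addresses.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

AUTO_PRIORITY_INCREMENT = 10      # assumed step for automatic priority assignment
DEFAULT_PRIORITY = 2**31 - 1      # the default policy is always searched last


@dataclass
class IkePolicy:
    name: str
    priority: int
    # Remote address/prefix to match; None only for the default policy,
    # which matches every remote address.
    remote: Optional[ipaddress.IPv4Network] = None

    def matches(self, peer) -> bool:
        return self.remote is None or peer in self.remote


@dataclass
class IkePolicyTable:
    """All policies of one IKE version plus its undeletable default policy."""
    version: str                      # "ikev1" or "ikev2"
    default: IkePolicy
    policies: list = field(default_factory=list)

    def add(self, name: str, remote: str, priority: Optional[int] = None) -> int:
        """Add a policy and return the priority it received.

        With no explicit priority, assign the highest existing priority plus
        the increment, so the new policy is the last evaluated before default.
        """
        if priority is None:
            highest = max((p.priority for p in self.policies), default=0)
            priority = highest + AUTO_PRIORITY_INCREMENT
        if any(p.priority == priority for p in self.policies):
            raise ValueError(f"{self.version}: priority {priority} already in use")
        self.policies.append(
            IkePolicy(name, priority, ipaddress.ip_network(remote, strict=False)))
        return priority

    def select(self, peer_addr: str) -> IkePolicy:
        """First policy in priority order whose prefix contains peer_addr,
        else the default policy.  Priority order, not longest prefix."""
        peer = ipaddress.ip_address(peer_addr)
        for policy in sorted(self.policies, key=lambda p: p.priority):
            if policy.matches(peer):
                return policy
        return self.default


def select_ike_policy(kmp, peer_addr, tables, request_version=None):
    """Pick the IKE policy for a peer.

    kmp: set of IKE versions permitted by the peer's authentication record,
    e.g. {"ikev2"} or {"ikev1", "ikev2"} (representation assumed).
    request_version: set when the local system is the responder; a request
    whose version is not in kmp is rejected (returns None).
    """
    if request_version is not None:
        if request_version not in kmp:
            return None
        version = request_version
    else:
        version = "ikev2" if "ikev2" in kmp else "ikev1"  # assumed preference
    return tables[version].select(peer_addr)


def build_sample_tables():
    """Constructed sample configuration used by the demonstration below."""
    v1 = IkePolicyTable("ikev1", IkePolicy("ikev1-default", DEFAULT_PRIORITY))
    v2 = IkePolicyTable("ikev2", IkePolicy("ikev2-default", DEFAULT_PRIORITY))
    v2.add("branch_net", "10.20.0.0/16", priority=100)
    v2.add("branch_host", "10.20.5.5/32")        # auto priority: 110
    v1.add("legacy_gw", "198.51.100.1/32")       # auto priority: 10
    return {"ikev1": v1, "ikev2": v2}


if __name__ == "__main__":
    tables = build_sample_tables()
    # The /16 policy at priority 100 shadows the /32 policy at priority 110.
    print(select_ike_policy({"ikev2"}, "10.20.5.5", tables).name)   # branch_net
    # A peer covered by no policy falls through to the default policy.
    print(select_ike_policy({"ikev2"}, "192.0.2.7", tables).name)   # ikev2-default
    # Responder: IKEv1 request from a peer whose record permits only IKEv2.
    print(select_ike_policy({"ikev2"}, "10.20.5.5", tables, request_version="ikev1"))  # None
```

The point to take from the sample tables is that branch_host, added without a priority, lands behind branch_net and is never selected for 10.20.5.5; a host-specific policy must be given an explicit priority value that sorts ahead of the broader network policy.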