HP-UX IPSec Version A.03.00 Administrator's Guide
NOTE: This argument is not valid for the default IKEv1 policy. The default IKEv1 policy matches
all remote addresses.
Where:
ip_addr
The ip_addr is the remote IP address.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the
double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within
an address. The address must be a unicast address.
Default: None.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing
the remote address with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in the addresses must
match.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in the addresses must
match.
A prefix length of 0 bits matches all addresses.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
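The matching rule and defaults described above for ip_addr and prefix, as an added Python example (not HP-UX IPSec code and not part of the original guide). The function names and sample addresses are constructed for illustration, and treating an IPv4/IPv6 family mismatch as "no match" is an assumption.

```python
import ipaddress

def effective_prefix(ip_addr, prefix=None):
    """Return (address, prefix_len) after the guide's range and default rules."""
    addr = ipaddress.ip_address(ip_addr)
    # Only multicast is rejected here as non-unicast; spotting a broadcast
    # address would require knowing the subnet.
    if addr.is_multicast:
        raise ValueError(f"{ip_addr}: the address must be a unicast address")
    max_len = addr.max_prefixlen  # 32 for IPv4, 128 for IPv6
    if prefix is None:
        # Default: all bits must match, or 0 (match any) for all-zeros.
        prefix = 0 if int(addr) == 0 else max_len
    if not 0 <= prefix <= max_len:
        raise ValueError(f"prefix {prefix} is outside the range 0 - {max_len}")
    return addr, prefix

def remote_matches(ip_addr, prefix, remote):
    """True if the leading `prefix` bits of `remote` equal those of ip_addr."""
    addr, plen = effective_prefix(ip_addr, prefix)
    peer = ipaddress.ip_address(remote)
    if peer.version != addr.version:
        return False  # assumption: IPv4 and IPv6 are never compared
    shift = addr.max_prefixlen - plen  # low-order bits that are ignored
    return (int(addr) >> shift) == (int(peer) >> shift)

def match_any(ip_addr, prefix=None):
    """True if the pair matches every remote address (worth a review)."""
    return effective_prefix(ip_addr, prefix)[1] == 0

if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    samples = [
        ("192.0.2.0", 24, "192.0.2.77"),
        ("192.0.2.0", None, "192.0.2.77"),   # default prefix 32
        ("0.0.0.0", None, "203.0.113.5"),    # default prefix 0
        ("2001:db8::", 32, "2001:db8:ffff::1"),
        ("0::0", None, "2001:db8::1"),
    ]
    for ip_addr, prefix, remote in samples:
        plen = effective_prefix(ip_addr, prefix)[1]
        print(f"{ip_addr}/{plen} vs {remote}: {remote_matches(ip_addr, prefix, remote)}")
```

match_any() flags an address and prefix pair that applies to every peer, which is the case to review when auditing a policy that was meant to cover a single host or subnet.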
-group group_number
The group argument specifies the Diffie-Hellman group (sometimes referred to as the Oakley
group) used to select initial Diffie-Hellman values. You can specify multiple group_number
values, separated by commas with no spaces, in descending order of preference.
At least one group number must match a group number configured on the remote system.
HP recommends that you do not use group 1 unless compatibility requirements force you to.
For efficiency when negotiating IKE SAs, HP recommends that you list first the group, other
than group 1, that is most commonly used in your network.
Valid Values:
1 (MODP, 768-bit exponent)
2 (MODP, 1024-bit exponent)
5 (MODP, 1536-bit exponent)
14 (MODP, 2048-bit exponent)
Default: The value of the group parameter in the IKEV1Policy-Defaults section of the profile
file used. The default group parameter value is 2 in /var/adm/ipsec/.ipsec_profile.
-hash hash_algorithm
The hash argument specifies the hash algorithm for authenticating IKE messages. You can
specify multiple hash_algorithm values, separated by commas with no spaces, in descending
order of preference. At least one hash algorithm must match a hash algorithm
configured on the remote system.
Valid Values:
MD5 (128-bit RSA Message Digest-5, MD5)
SHA1 (160-bit Secure Hash Algorithm-1, SHA1)
Step 4: Configuring IKEv1 and IKEv2 Policies