HP-UX IPSec Version A.03.00 Administrator's Guide

Default: The value of the hash parameter in the IKEV1Policy-Defaults section of the profile file
used. The default hash parameter value is MD5 in /var/adm/ipsec/.ipsec_profile.
-encryption encryption_algorithm
The encryption_algorithm is the encryption algorithm for encrypting IKE messages. You
can specify multiple encryption_algorithm values, delimited by commas and no spaces,
and specified in descending order of preference. At least one encryption algorithm must match
an encryption algorithm configured on the remote system.
Valid Values:
AES128-CBC (128-bit Advanced Encryption Standard CBC)
3DES (triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC)
Default: The value of the encryption parameter in the IKEV1Policy-Defaults section of the
profile file used. The default encryption parameter value is 3DES in
/var/adm/ipsec/.ipsec_profile.
-life lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IKE SA, in seconds.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 497102 days).
Default: The value of the life parameter in the IKEV1Policy-Defaults section of the profile file
used. The default life parameter value is 28,800 (8 hours) in
/var/adm/ipsec/.ipsec_profile.
-pfs ON|OFF
The -pfs argument specifies whether Perfect Forward Secrecy (PFS) is enabled (ON) or disabled
(OFF). With PFS, the exposure of one key permits access only to data protected by that key. When
PFS is enabled, HP-UX IPSec performs a Diffie-Hellman exchange for each IPsec SA negotiation.
The PFS setting must match the setting configured on the remote system. Do not enable PFS for
negotiations with systems using an HP-UX IPSec release prior to A.03.00.
Default: The value of the pfs parameter in the IKEV1Policy-Defaults section of the profile file
used. The default pfs parameter value is OFF in /var/adm/ipsec/.ipsec_profile.
-priority priority_number
The priority_number is the priority value HP-UX IPSec uses when selecting an IKEv1 policy
(a lower priority value has a higher priority). The priority must be unique for each IKEv1 policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, ipsec_config assigns a priority value that is set to
the current highest priority value (lowest priority) for IKEv1 policies in the configuration database,
incremented by the automatic priority increment value (priority) for IKEv1 policies specified in
the IKEV1Policy-Defaults section of the profile file (this policy will be the last policy evaluated
before the default policy). The default automatic priority increment value (priority) is 10.
If this is the first IKEv1 policy created, ipsec_config uses the automatic priority increment
value as the priority.
ipsec_config add ikev1 Command Examples
The following batch file entries configure two IKEv1 policies. The first policy (apple) is for a
remote system (10.1.1.1) that uses 3DES for IKE encryption. The second policy (all_others)
is for all other systems in the local network (10.*.*.*), which use AES128-CBC for IKE encryption.
The priority argument is omitted, and the automatic priority increment assigns the second
policy (all_others) a lower priority (higher priority value) than the first policy (apple).
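The Python sketch below is an added illustration, not part of the HP guide and not HP-UX IPSec code. It models the documented value ranges for -encryption, -life and -pfs and the automatic priority assignment for the two policies described above; the function names and the argument layout are assumptions made for the example.

```python
# Added example: models the documented ikev1 argument rules; names are hypothetical.
VALID_ENCRYPTION = ("AES128-CBC", "3DES")   # valid values listed in the guide
LIFE_MIN, LIFE_MAX = 600, 4294967294        # seconds; 0 means infinite
PRIORITY_MAX = 2147483647
AUTO_INCREMENT = 10                         # default automatic priority increment


def check_policy(encryption="3DES", life=28800, pfs="OFF"):
    """Return a list of problems for one policy's arguments (empty list = valid)."""
    problems = []
    if " " in encryption:
        problems.append("encryption list must be comma-delimited with no spaces")
    for alg in encryption.replace(" ", "").split(","):
        if alg not in VALID_ENCRYPTION:
            problems.append(f"unknown encryption algorithm: {alg!r}")
    if life != 0 and not LIFE_MIN <= life <= LIFE_MAX:
        problems.append(f"life {life} outside 0 or {LIFE_MIN}-{LIFE_MAX}")
    if pfs not in ("ON", "OFF"):
        problems.append(f"pfs must be ON or OFF, got {pfs!r}")
    return problems


def assign_priority(existing, requested=None, increment=AUTO_INCREMENT):
    """Pick the priority for a new policy given the priority values already in use."""
    if requested is None:
        # Highest existing value (lowest priority) plus the increment;
        # the first policy created gets the increment itself.
        requested = (max(existing) if existing else 0) + increment
    if not 1 <= requested <= PRIORITY_MAX:
        raise ValueError(f"priority {requested} outside 1-{PRIORITY_MAX}")
    if requested in existing:
        raise ValueError(f"priority {requested} is already used")
    return requested


def add_policies(entries):
    """entries: list of (name, args). Returns {name: priority} in evaluation order."""
    table = {}
    for name, args in entries:
        args = dict(args)
        prio = args.pop("priority", None)
        problems = check_policy(**args)
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        table[name] = assign_priority(set(table.values()), prio)
    return dict(sorted(table.items(), key=lambda kv: kv[1]))
```

With no priority given, apple receives 10 and all_others receives 20, so apple is evaluated first.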