HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

psk.txt File
The path for the preshared key file is specified by the path pre_shared_key directive in the
racoon.conf file. In this example, the preshared key file is
/root/linux-native-racoon/psk_xport_1/psk.txt. The contents are as follows:
################## preshared key file (psk.txt)
10.0.0.11 myKey26
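A check worth running on the Linux peer before starting racoon, given here as an added example that is not part of the HP guide: psk.txt holds the key in clear text, and the Linux racoon daemon rejects a key file that has any group or other permission bits set. The function names check_psk and make_sample are hypothetical, and the sample file is constructed from the contents shown above.

```sh
#!/bin/sh
# Added example (not from the HP guide): lint a racoon psk.txt before use.
# check_psk FILE PEER -> 0 if FILE is safe and has one entry for PEER, else 1.
check_psk() {
    file=$1; peer=$2; rc=0

    if [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2
        return 1
    fi

    # Characters 5-10 of the ls -l mode string are the group/other bits.
    # A clear-text key file should grant them nothing (mode 0600 or 0400).
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$file: group/other permissions set ($perms)" >&2
        rc=1
    fi

    # Each entry is "identifier key"; lines starting with '#' are comments.
    bad=$(awk 'NF > 0 && $1 !~ /^#/ && NF < 2 { printf "%s ", NR }' "$file")
    if [ -n "$bad" ]; then
        echo "$file: entry without a key on line(s): $bad" >&2
        rc=1
    fi

    # Exactly one entry for the peer; (x "") forces string comparison.
    n=$(awk -v p="$peer" '$1 !~ /^#/ && ($1 "") == (p "") { c++ }
                          END { print c + 0 }' "$file")
    if [ "$n" -ne 1 ]; then
        echo "$file: expected 1 entry for $peer, found $n" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample with the same contents as the psk.txt shown above.
make_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' '################## preshared key file (psk.txt)' \
        '10.0.0.11 myKey26' > "$f"
    chmod 600 "$f"
    echo "$f"
}
```

Run it as check_psk /path/to/psk.txt 10.0.0.11; a nonzero exit status means the file should be fixed before the daemon is started.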
Tips
The following tips might help you configure HP-UX IPSec and Linux implementations:
• HP-UX IPSec does not support IP compression. Do not specify the protocol ipcomp or the -C option in spdadd operations.
• The syntax for the sainfo entry in the racoon.conf file requires a compression_algorithm statement even though IP compression is not used with HP-UX peers.
FreeBSD
HP-UX IPSec can interoperate with FreeBSD IPsec implementations.
Version and Functionalities
HP tested with the FreeBSD 6.3 release using IPsec functionality provided by the Racoon2
20090218 CVS build.
The following functionalities were tested:
• IKEv1 using preshared key authentication for end-to-end transport mode IPsec SAs for all ports and protocols
• IKEv1 using RSA signature (certificates) authentication for end-to-end transport mode IPsec SAs for all ports and protocols
• IKEv1 using preshared key authentication for end-to-end tunnel mode IPsec SAs for all ports and protocols
• IKEv2 using preshared key authentication for end-to-end transport mode IPsec SAs for all ports and protocols
NOTE: Tests using IKEv2 using RSA signature authentication failed. The Racoon2 implementation
does not support the IKEv2 CERTREQ payload.
Configuration Example: IKEv1 Using Preshared Keys
The following configuration data is for an IKEv1 topology using preshared keys for end-to-end
IPsec SAs.
The address for the FreeBSD 6.3 system is 10.0.0.63. The address for the HP-UX system is
10.0.0.11.
HP-UX IPSec Configuration
The ipsec_config batch file contains the following entries:
add host Bsd63 \
    -src 10.0.0.11 -dst 10.0.0.63 -protocol all \
    -action ESP_AES128_HMAC_SHA1
# Note: the lifetime must match the BSD value
add ikev1 Bsd63 -rem 10.0.0.63 \
    -group 2 -hash sha1 -enc 3des -life 600
add auth Bsd63Psk -rem 10.0.0.63 \
    -kmp IKEV1 -psk myKey63