HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

HP-UX IPSec Configuration
The ipsec_config batch file contains the following entries:
add host Bsd64 \
-src 10.0.0.11 -dst 10.0.0.64 -protocol all \
-action ESP_AES128_HMAC_SHA1
# Note: the lifetime must match the BSD value
add ikev1 Bsd64 -rem 10.0.0.64 \
-group 2 -hash sha1 -enc 3des -life 600
add auth Bsd64RSA -rem 10.0.0.64 \
-kmp IKEv1 -local_method RSASIG \
-rtype X500-DN -rid CN=BsdSys64 \
-ltype X500-DN -lid CN=HPSys11 \
The remote ID (rid) value matches the subjectName field in the BSD system certificate. The local ID (lid) value is optional; when the local ID type (ltype) is X500-DN, ipsec_config overwrites any specified value with the subjectName field from the local system certificate.
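As an added example that is not part of the guide: a Python consistency check that parses an ipsec_config batch file like the one above (backslash continuations, # comments), then compares its IKEv1 algorithms and X500-DN remote ID against the racoon2 ike_trans_remote values shown later on this page and against the peer certificate's subject DN. The batch text, the racoon2 fragment and the peer subject DN are constructed copies of the page's values; the translation of -group 2 to modp1024 is the standard IKE group numbering.

```python
import re
import shlex

# Constructed copies of this page's ipsec_config entries and racoon2 ikev1
# settings; PEER_CERT_SUBJECT stands in for the subject DN of the BSD cert.
BATCH = """\
add ikev1 Bsd64 -rem 10.0.0.64 \\
-group 2 -hash sha1 -enc 3des -life 600
# Note: the lifetime must match the BSD value
add auth Bsd64RSA -rem 10.0.0.64 \\
-kmp IKEv1 -local_method RSASIG \\
-rtype X500-DN -rid CN=BsdSys64 \\
-ltype X500-DN -lid CN=HPSys11
"""
RACOON_IKEV1 = """\
kmp_enc_alg { 3des_cbc; };
kmp_hash_alg { sha1; };
kmp_dh_group { modp1024; };
"""
PEER_CERT_SUBJECT = "CN=BsdSys64"  # constructed; read it from the real cert

# ipsec_config option -> (racoon2 keyword, value translation); group 2 is modp1024
IKE_MAP = {"-enc": ("kmp_enc_alg", {"3des": "3des_cbc"}),
           "-hash": ("kmp_hash_alg", {"sha1": "sha1"}),
           "-group": ("kmp_dh_group", {"2": "modp1024"})}

def parse_batch(text):
    """Join backslash-continued lines, skip # comments; yield (kind, name, opts)."""
    cmds, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        tok = shlex.split(buf + line)    # add <kind> <name> -opt val ...
        buf = ""
        cmds.append((tok[1], tok[2], dict(zip(tok[3::2], tok[4::2]))))
    return cmds

def parse_racoon(text):
    """Extract 'keyword { value; };' pairs from a racoon2 block."""
    return dict(re.findall(r"(\w+)\s*\{\s*(\w+)\s*;", text))

def check(batch, racoon, peer_subject):
    """Return mismatches that would make IKE phase 1 fail between the two sides."""
    problems = []
    for kind, name, o in parse_batch(batch):
        if kind == "ikev1":
            for opt, (key, xlat) in IKE_MAP.items():
                if xlat.get(o.get(opt)) != racoon.get(key):
                    problems.append(f"{name}: {opt} {o.get(opt)} vs {key} {racoon.get(key)}")
        if kind == "auth" and o.get("-rtype") == "X500-DN" and o.get("-rid") != peer_subject:
            problems.append(f"{name}: -rid {o.get('-rid')} != cert subject {peer_subject}")
    return problems
```

An empty result means the algorithms and the remote ID line up; any entry names the option that will cause the phase 1 exchange to fail.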
Racoon2 Configuration
The following Racoon2 configuration files are located in the /usr/local/racoon2/etc/racoon directory.
racoon2.conf
transport_ike.conf
vals.conf
default.conf
Certificate Files
In this example, the following certificate-related files are located in the /usr/local/racoon2/etc/racoon/cert subdirectory:
myPubKey.pem: public key for the local (FreeBSD) system
myPvtKey.pem: private key for the local (FreeBSD) system
hpuxPeerPubkey.pem: the certificate for the peer (HP-UX) system
These files are manually installed by the administrator. The directory and file names are specified
in the vals.conf file.
racoon2.conf File
The racoon2.conf file has the same contents as the file used for IKEv1 with preshared keys. See “racoon2.conf File” (page 171).
transport_ike.conf File
The transport_ike.conf file has the same contents as the file used for IKEv1 with preshared keys, as shown in “transport_ike.conf File” (page 171), except for the remote ike_trans_remote section. To use RSA signatures, the remote ike_trans_remote section has the following contents:
remote ike_trans_remote {
    acceptable_kmp { ikev1; };
    ikev1 {
        my_id x509_subject "${CERTDIR}/${MY_PUB_KEY}";
        peers_id x509_subject "${CERTDIR}/${PEERS_PUB_KEY}";
        peers_ipaddr "${PEERS_IPADDRESS}" port 500;
        kmp_enc_alg { 3des_cbc; };
        kmp_hash_alg { sha1; };
        kmp_dh_group { modp1024; };
        ## Use Certificate
        kmp_auth_method { rsasig; };