HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
No HP-UX IPSec configuration is needed on Host2.
Cisco Configuration
The IOS configuration commands on the Cisco router are as follows.
Configure the IKE preshared key:
Router (config)# crypto isakmp key myKey address 192.0.0.2
Configure the IKE policy:
Router (config)# crypto isakmp policy 40
Router (config-isakmp)# group 2
Router (config-isakmp)# hash md5
Router (config-isakmp)# encryption 3des
Router (config-isakmp)# authentication pre-share
Router (config-isakmp)# exit
Define the IPsec transform set (ESP with AES-128 encryption and HMAC-SHA-1 authentication) in tunnel mode:
Router (config)# crypto ipsec transform-set aes-sha1 esp-aes 128 esp-sha-hmac
Router (cfg-crypto-trans)# mode tunnel
Router (cfg-crypto-trans)# exit
Define the traffic to protect (access list 100) and the crypto map that binds the peer, the transform set, and the access list:
Router(config)# access-list 100 permit ip host 192.1.1.2 host 192.0.0.2
Router(config)# crypto map hpux-1 1 ipsec-isakmp
Router (config-crypto-map)# set peer 192.0.0.2
Router (config-crypto-map)# set transform-set aes-sha1
Router (config-crypto-map)# match address 100
Router (config-crypto-map)# exit
Apply the crypto map to the interface facing the HP-UX peer, gi0/1:
Router (config)# interface gi0/1
Router (config-if)# crypto map hpux-1
Router (config-if)# exit
Router (config)# exit
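The following Python script is an added example, not part of this guide or of Cisco's or HP's tooling. It parses the crypto isakmp policy blocks from IOS configuration text such as the one above, fills in the IOS IKEv1 defaults for every parameter a policy leaves unset (DES, SHA-1, Diffie-Hellman group 1, RSA signatures, 86400-second lifetime), flags the values an HP-UX IPSec peer cannot negotiate (DES and group 1, as the Tips below note), and reproduces the IOS behaviour of trying its policies in priority order and using the first that agrees with the peer's proposal, here the HP-UX IKEv1 defaults (3DES, MD5, group 2) with preshared-key authentication. The embedded sample configuration is constructed: it contains the policy 40 from this page plus a hypothetical policy 10 that sets only the hash and authentication and so inherits the unsupported defaults.

```python
"""Lint Cisco IOS IKEv1 (ISAKMP) policies for an HP-UX IPSec peer.

Added example, not part of the HP-UX IPSec guide or of Cisco tooling.
"""
import re

# IOS IKEv1 defaults (as listed in the guide) applied to any parameter a
# 'crypto isakmp policy' does not set explicitly.
IOS_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "group": "1",
    "authentication": "rsa-sig",
    "lifetime": "86400",
}

# HP-UX IPSec IKEv1 defaults for the negotiated parameters; preshared-key
# authentication is assumed here, as in the sample configuration.
HPUX_DEFAULT_PROPOSAL = {
    "encryption": "3des",
    "hash": "md5",
    "group": "2",
    "authentication": "pre-share",
}

# Values HP-UX IPSec does not support at all.
HPUX_UNSUPPORTED = {"encryption": {"des"}, "group": {"1"}}

KEYWORDS = tuple(IOS_DEFAULTS)  # IOS accepts unambiguous abbreviations


def expand_keyword(token):
    """Expand an abbreviated policy keyword ('enc' -> 'encryption')."""
    matches = [k for k in KEYWORDS if k.startswith(token.lower())]
    if len(matches) != 1:
        raise ValueError(f"not an isakmp policy keyword: {token!r}")
    return matches[0]


def parse_isakmp_policies(config_text):
    """Return {priority: {param: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None:
            continue
        parts = line.split()
        try:
            key = expand_keyword(parts[0])
        except ValueError:
            current = None  # 'exit' or a non-policy command: sub-mode ended
            continue
        # 'encryption aes 128' -> 'aes 128'; 'group 2' -> '2'
        policies[current][key] = " ".join(parts[1:]).lower()
    return policies


def hpux_interop_issues(policy):
    """List (param, value) pairs an HP-UX IPSec peer cannot negotiate."""
    return [(k, policy[k]) for k in sorted(HPUX_UNSUPPORTED)
            if policy[k] in HPUX_UNSUPPORTED[k]]


def first_matching_policy(policies, proposal):
    """IOS tries its policies in priority order (lowest number first) and
    uses the first one that agrees with the peer on encryption, hash,
    group and authentication. Return that priority, or None when IKE
    phase 1 would fail."""
    for prio in sorted(policies):
        pol = policies[prio]
        if all(pol[k] == proposal[k] for k in proposal):
            return prio
    return None


# Constructed sample: the policy 40 from the guide plus a hypothetical
# policy 10 that only sets hash and authentication and therefore keeps
# the IOS defaults DES and group 1.
SAMPLE_CONFIG = """\
crypto isakmp key myKey address 192.0.0.2
crypto isakmp policy 10
 hash md5
 auth pre-share
crypto isakmp policy 40
 group 2
 hash md5
 enc 3des
 auth pre-share
 exit
crypto ipsec transform-set aes-sha1 esp-aes 128 esp-sha-hmac
"""

if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_CONFIG)
    for prio, pol in sorted(pols.items()):
        print(f"policy {prio}: {pol}")
        print("  HP-UX issues:", hpux_interop_issues(pol) or "none")
    print("IOS would select policy:",
          first_matching_policy(pols, HPUX_DEFAULT_PROPOSAL))
```

Run against the sample, the script reports policy 10 as unusable with HP-UX (DES, group 1) and shows that IOS skips it and selects policy 40 for the HP-UX default proposal; changing the proposal's hash to SHA-1 yields no match at all, which is the phase 1 failure you see when the two sides' defaults are left to collide.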
Tips
The following tips might help you configure HP-UX IPSec and Cisco IPsec implementations:
• The Cisco configuration documentation and utilities use the term ISAKMP (or isakmp) to refer
to IKE components.
• The Cisco configuration includes default ISAKMP policies, which are enabled using the crypto
isakmp default policy command. In this example, the crypto isakmp policy
command is used to add a specific ISAKMP policy with the priority 40 (the lower the number,
the higher the priority; IOS evaluates its policies in priority order and uses the first one
that matches the peer's proposal).
The default IKEv1 parameters for the IOS crypto isakmp policy command are as follows:
◦ Hash: SHA-1. On HP-UX systems, the default IKEv1 hash algorithm is MD5.
◦ Group: 1. On HP-UX systems, the default Diffie-Hellman group is 2. HP-UX IPSec does
not support group 1.
◦ Encryption: DES. On HP-UX systems, the default IKEv1 encryption algorithm is 3DES.
HP-UX IPSec does not support DES.
◦ Authentication: RSA signatures (rsa-sig). On HP-UX systems, the authentication method is
specified using the -local_method and -remote_method arguments. The default method is RSA
signatures if no preshared key (-psk) argument is specified.
• Under certain conditions, Cisco IOS IPsec negotiates two unidirectional IKE SAs with a peer
instead of one bidirectional IKE SA. If this occurs with an HP-UX peer and you stop HP-UX
IPSec, HP-UX IPSec sends an IKE DELETE message to the Cisco device for the IKE SA that
HP-UX IPSec initiated. The Cisco device deletes this IKE SA, but retains the second IKE SA. If