HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Features in HP-UX IPSec A.03.01.01
The A.03.01.01 release of HP-UX IPSec introduces the following changes:
Revised requirement for OpenSSL software
HP-UX IPSec now requires version A.00.09.08q or later.
IKE support for D-H group 24
HP-UX IPSec now supports the D-H (Diffie-Hellman) group having Transform ID 24 for IKE. The
group is used with the IKE protocol to provide security for Internet communications. The IKE
protocol was defined by the Internet Engineering Task Force (IETF) and is used for setting up
an SA (Security Association) in the IPsec protocol suite. The D-H group 24 is described in RFC
5114. For more information, see RFC 5114 at the following IETF web page: http://tools.ietf.org/html/rfc5114.
New option for configuration of D-H group 24
The HP-UX IPSec ipsec_config command has been enhanced to allow you to configure D-H
group 24. Specify -group 24 with the ipsec_config add ikev1 or ipsec_config add ikev2
command. HP-UX IPSec also supports configuration of groups 2, 5, and 14.
The following command example configures D-H group 24 for an IKEv1 policy:
%ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-group 24 -hash MD5 -encryption 3DES -pfs OFF
The following command changes the default IKEv1 policy to include D-H group 24:
%ipsec_config add ikev1 default -group 24 \
-hash MD5 -encryption 3DES -pfs OFF
The following command configures D-H group 24 for an IKEv2 policy:
%ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 24 -hash MD5 -encryption 3DES -pfs OFF
The following command changes the default IKEv2 policy to include D-H group 24:
%ipsec_config add ikev2 default -group 24 \
-hash MD5 -encryption 3DES -pfs OFF
Features in HP-UX IPSec A.03.00.01
With the A.03.00.01 release of HP-UX IPSec, the ipsec_config add csr command now supports
specifying multiple values (up to 20) for the following types of alternative names for the
subjectAlternativeName field of a certificate:
-alt-ipv4
-alt-fqdn
-alt-user_fqdn
Without this enhancement, if IPSec is being used with the SRP (Secure Resource Partitions) product,
then each SRP would have to use the same ID when authenticating. For more information about
SRP, see the HP-UX Security Manuals web page at the following location: http://www.hp.com/go/hpux-security-docs (select HP-UX Secure Resource Partitions (SRP) Software).
Revised ipsec_config add csr command syntax
The new command syntax for the command is as follows:
ipsec_config add csr -subj[ect_name] subject_name
    [-alt-ipv4 ipv4_addr1 [-alt-ipv4 ipv4_addr2 ... -alt-ipv4 ipv4_addr20]]
    [-alt-fqdn fqdn1 [-alt-fqdn fqdn2 ... -alt-fqdn fqdn20]]
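In an SRP deployment, where each partition needs its own identity in one certificate, the alternative-name lists are usually generated rather than typed. The following POSIX sh helper is an added example, not part of the HP-UX guide: it assembles the ipsec_config add csr command line from per-type lists, refusing any list longer than the 20 values the command accepts per type, and prints the resulting command without running it (the subject and names are constructed sample values).

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): build an
# "ipsec_config add csr" command line with subjectAlternativeName values.
# The command is printed, not executed, so it can be reviewed first.

MAX_ALT=20   # per-type limit stated in the guide for -alt-ipv4/-alt-fqdn/-alt-user_fqdn

# build_csr_cmd SUBJECT "IPV4 ..." "FQDN ..." "USER_FQDN ..."
# Lists are space-separated strings; an empty string means "none".
# Prints the command line on success; returns 1 if any list exceeds MAX_ALT.
build_csr_cmd() {
    subj=$1; ipv4s=$2; fqdns=$3; ufqdns=$4
    cmd="ipsec_config add csr -subject_name \"$subj\""
    # Each spec pairs an option name with its value list, separated by '|'.
    for spec in "-alt-ipv4|$ipv4s" "-alt-fqdn|$fqdns" "-alt-user_fqdn|$ufqdns"; do
        opt=${spec%%|*}
        vals=${spec#*|}
        n=0
        for v in $vals; do
            n=$((n + 1))
            if [ "$n" -gt "$MAX_ALT" ]; then
                echo "error: more than $MAX_ALT values for $opt" >&2
                return 1
            fi
            cmd="$cmd $opt $v"   # one option per value, as the syntax requires
        done
    done
    printf '%s\n' "$cmd"
}

# Constructed sample: one certificate covering two SRP addresses and one FQDN.
build_csr_cmd "CN=srp-host,O=Example" "192.6.1.1 192.6.1.2" "srp-host.example.com" ""
```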