HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
D HP-UX IPSec Configuration Examples
This appendix provides configuration examples for the following topologies:
• “Host to Host telnet” (page 182)
This section contains example ipsec_config batch files for encrypting and authenticating
all telnet traffic between two systems using dynamic keys and preshared keys for IKE
authentication.
• “Subnet ESP with Exceptions” (page 184)
This section contains an example ipsec_config batch file for an HP-UX IPSec closed secure
network that communicates with one system outside the network (Potato). All packets to and
from system Potato are secured, and all packets within the local network are secured, except
for ICMP packets, which pass in clear text.
• “Host to Gateway” (page 185)
This section contains an example ipsec_config batch file for an end system using an IPsec
tunnel to a gateway.
• “Autoconfiguration Clients” (page 186)
This section contains an example ipsec_config batch file for use with autoconfiguration
clients (clients with dynamically assigned IP addresses, such as IPv6 stateless autoconfiguration
clients, and DHCP and DHCPv6 clients).
Configuration examples for Mobile IPv6 are provided in TBD.
NOTE: The addresses and keys in these examples are for illustrative purposes only.
Host to Host telnet
You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2) on a private, isolated LAN.
You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet
traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. By default, all other
network traffic will pass in clear text. You do not have a Public Key Infrastructure, so you can use
only preshared keys for IKE primary authentication.
CAUTION: If you do not have a private network, do not configure HP-UX IPSec to pass packets
in clear text by default. Do not configure HP-UX IPSec to pass packets in clear text by default on
systems where you are using HP-UX IPSec as a filter or firewall to protect your network.
For more information, see “Maximizing security” (page 57).
You will use the default values for most parameters, such as the Security Association Lifetimes.
Apple Configuration
Host IPsec Policies
On Apple, you configure two host IPsec policies. The first host IPsec policy (telnetAB) is for outbound
telnet requests from Apple to Banana (users on Apple using the telnet service to Banana).
Note that since the telnet clients on Apple may use any non-reserved TCP port number, you do
not specify a port number in the source address.
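The two Apple host IPsec policies and the preshared-key IKE authentication record described above, written out as an ipsec_config batch file. This is an added illustration, not the batch file printed in this guide; the option names (-source, -destination, -action, -preshared), the action identifier ESP_AES128_HMAC_SHA1 and the batch-file form (one ipsec_config subcommand per line) are assumed from ipsec_config(1M) and should be checked against that manpage, and the key value is a placeholder.

```text
# Added example (not from the guide): Apple's batch file for the Host-to-Host telnet topology.
# Addresses are the ones used in the text; the preshared key is a placeholder.

# Outbound telnet: Apple (any client port) -> Banana telnet service (TCP port 23).
# No source port is given because telnet clients on Apple may use any non-reserved port.
add host telnetAB -source 15.1.1.1/32/TCP -destination 15.2.2.2/32/TCP/23 -action ESP_AES128_HMAC_SHA1

# Inbound telnet: Banana clients (any port) -> Apple telnet service (TCP port 23).
# Policies are written from Apple's point of view, so the local address is the source.
add host telnetBA -source 15.1.1.1/32/TCP/23 -destination 15.2.2.2/32/TCP -action ESP_AES128_HMAC_SHA1

# IKE primary authentication with Banana uses a preshared key (no PKI available).
# Banana needs the same key configured for 15.1.1.1; all other traffic still passes in clear text.
add auth banana -remote 15.2.2.2 -preshared REPLACE_WITH_SHARED_SECRET
```

Banana's file mirrors this one with the addresses swapped, so that each side's policy for the same flow selects the same ESP transform.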
182 HP-UX IPSec Configuration Examples