HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Figure 19 Example 1: telnet AB (diagram: apple runs the telnet client, port varies; banana runs telnetd, always port 23)
The second host IPsec policy (telnetBA) is for inbound telnet requests from Banana to Apple
(users on Banana using the telnet service on Apple). Since the telnet clients on Banana may
use any non-reserved TCP port number, do not specify a port number in the destination address.
Figure 20 Example 1: telnet BA (diagram: apple runs telnetd, port 23; banana runs the telnet client, port varies)
The default host IPsec policy installed with HP-UX IPSec allows all other traffic to pass in clear
text. Apple and Banana are on an isolated LAN, so this “open” policy is not a security risk. The
ipsec_config batch file entries are listed below:
add host telnetAB \
-source 15.1.1.1 \
-destination 15.2.2.2/32/TELNET \
-priority 20 -action ESP_AES128_HMAC_SHA1
add host telnetBA \
-source 15.1.1.1/32/TELNET \
-destination 15.2.2.2 \
-priority 30 -action ESP_AES128_HMAC_SHA1
Authentication Record with Preshared Key
You must configure the preshared key to use when Apple authenticates system Banana’s identity
and to authenticate Apple’s identity to Banana. The ipsec_config batch file entry is listed below:
add auth banana -remote 15.2.2.2 -preshared apple_banana_key
IKEv1 Policy
You use the default IKEv1 policy without modifications.
Banana Configuration
The configuration on Banana is the mirror-image of the configuration on Apple. The administrator
created the host IPsec policies by copying the host policies from Apple, changing the name and
swapping the -source and -destination option names. The remote address for the IKE policy
and authentication record is 15.1.1.1 (Apple’s IP address) and the preshared key matches the key
configured on Apple for Banana. The ipsec_config batch file is listed below:
# Host Policies
add host telnetAB -destination 15.1.1.1 \
Host to Host telnet 183
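The selector rule above (a port only on the server end, because client ports vary) and the mirror-image procedure for Banana (swap -source and -destination, keep priority and action) are mechanical enough to script. The following Python is an added example, not code from the HP-UX IPSec guide or from HP: it folds the backslash-continued ipsec_config batch entries for Apple into logical lines, checks each host policy's traffic selectors, and derives Banana's host policies by swapping the two selectors. The addresses and policy names are the guide's (15.1.1.1 for Apple, 15.2.2.2 for Banana); the helper names, the duplicate-priority check (treated here as an ambiguity to flag, an assumption of this script rather than a documented ipsec_config rule) and the batch text embedded as input are my own constructions.

```python
"""Added example (not from the HP-UX IPSec guide): parse ipsec_config
'add host' batch entries, sanity-check the traffic selectors, and
produce the peer's mirror-image policies."""
import shlex

# Apple's batch-file entries, reproduced from the guide as a constructed
# input string for this example.
APPLE_BATCH = r"""
add host telnetAB \
    -source 15.1.1.1 \
    -destination 15.2.2.2/32/TELNET \
    -priority 20 -action ESP_AES128_HMAC_SHA1
add host telnetBA \
    -source 15.1.1.1/32/TELNET \
    -destination 15.2.2.2 \
    -priority 30 -action ESP_AES128_HMAC_SHA1
"""


def join_continuations(text):
    """Fold backslash-continued lines into logical lines; drop comments and blanks."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((buf + line).strip())
        buf = ""
    if buf:
        logical.append(buf.strip())
    return logical


def parse_host_policies(text):
    """Return one dict per 'add host' entry: name, source, destination, priority, action."""
    policies = []
    for line in join_continuations(text):
        toks = shlex.split(line)
        if toks[:2] != ["add", "host"]:
            continue  # auth records, IKE policies etc. are out of scope here
        pol = {"name": toks[2]}
        for i in range(3, len(toks) - 1, 2):
            pol[toks[i].lstrip("-")] = toks[i + 1]
        policies.append(pol)
    return policies


def selector_port(selector):
    """Port/service field of an addr[/prefix[/port]] selector, or None if absent."""
    parts = selector.split("/")
    return parts[2] if len(parts) == 3 else None


def check_policy(pol):
    """Findings for one host policy (empty list means it follows the guide's rule:
    a port on the server end only, since the client's port varies)."""
    findings = []
    src_port, dst_port = selector_port(pol["source"]), selector_port(pol["destination"])
    if src_port and dst_port:
        findings.append(f"{pol['name']}: port on both ends; the client port varies, so one must be open")
    if not src_port and not dst_port:
        findings.append(f"{pol['name']}: no port on either end; matches all traffic between the hosts")
    if pol.get("action", "").upper() == "PASS":
        findings.append(f"{pol['name']}: PASS action sends this traffic in clear text")
    return findings


def check_batch(policies):
    """Run check_policy over a batch and flag reused priorities (assumption: ambiguous ordering)."""
    findings, seen = [], {}
    for pol in policies:
        findings += check_policy(pol)
        prio = pol.get("priority")
        if prio in seen:
            findings.append(f"{pol['name']}: priority {prio} already used by {seen[prio]}")
        seen[prio] = pol["name"]
    return findings


def mirror_policy(pol):
    """The peer's mirror image: swap -source and -destination, keep name, priority, action."""
    mirrored = dict(pol)
    mirrored["source"], mirrored["destination"] = pol["destination"], pol["source"]
    return mirrored


def render(pol):
    """Render a policy back into ipsec_config batch-file syntax."""
    return (f"add host {pol['name']} \\\n"
            f"    -source {pol['source']} \\\n"
            f"    -destination {pol['destination']} \\\n"
            f"    -priority {pol['priority']} -action {pol['action']}")


def mirror_batch(text=APPLE_BATCH):
    """Derive the peer host's (Banana's) host policies from Apple's batch entries."""
    return "\n".join(render(mirror_policy(p)) for p in parse_host_policies(text))


if __name__ == "__main__":
    apple = parse_host_policies(APPLE_BATCH)
    print("findings:", check_batch(apple) or "none")
    print(mirror_batch())
```

Running it prints no findings for Apple's two policies and emits Banana's mirror image, in which telnetAB carries the TELNET port on Banana's own address (its telnetd) and telnetBA carries it on Apple's. Feeding a policy with a port on both ends, or with action PASS, returns findings naming the policy, which is the check worth running before the batch file goes to ipsec_config.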