HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
-source 15.2.2.2/32/TELNET \
-priority 20 -action ESP_AES128_HMAC_SHA1
add host telnetBA -destination 15.1.1.1/32/TELNET \
-source 15.2.2.2 \
-priority 30 -action ESP_AES128_HMAC_SHA1
# Auth record with preshared key
add auth apple -remote 15.1.1.1 -preshared apple_banana_key
Subnet ESP with Exceptions
You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access to this LAN from outside nodes.

There is one system outside the LAN with IPsec, Potato, that you will allow to communicate with the nodes in your network using AES with SHA1. All other packets from external nodes will be discarded.

All nodes within the LAN have HP-UX IPSec installed, except for internal routers. You want to use ESP (AES with SHA1) for all IP packets between the nodes on this LAN, except ICMP packets to and from the routers, which you will allow to pass in clear text.

Except for the above specifications, you will use the default values for most parameters (such as Security Association Lifetimes).
Figure 21 Example 2: Network IPsec Policy with Exceptions
[Figure: Carrot (192.1.1.1) on the 192.1.1.* LAN together with IPsec nodes 192.1.1.3 and 192.1.1.4 and a router at 192.1.1.2 with no IPsec; Potato (193.3.3.3) outside the LAN. Links between the IPsec nodes and to Potato are labelled "IPsec ESP-AES HMAC-SHA1"; links to the router are labelled "No IPsec, pass in clear text".]
Carrot Configuration
The ipsec_config batch file on Carrot contains the following entries.
Host IPsec Policies
You configure four host IPsec policies on Carrot.
1. potato: accepts all packets to and from system Potato using ESP-AES-HMAC-SHA1.
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to pass in clear text, including ICMP packets to and from the router on that network. Notice how the 192.1.1.* network is specified in the filter: the remote IP address is 192.1.1.0 and the prefix length is 24. The prefix length specifies the number of bits in the packet address that must match the configured remote IP address, beginning with the most significant bit.
add host pass_icmp -destination 192.1.1.0/24 \
-protocol ICMP -priority 30 -action pass
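To make the filter matching concrete, the following is an added Python model of how the host policies above are selected for a packet. It is example code written for this page, not HP-UX IPSec code. It assumes that a bare address means a /32 prefix, that -destination names the remote side and -source the local side for packets travelling in either direction, that policies with a lower priority value are searched first, and that the service name TELNET resolves to TCP port 23. The two Carrot entries shown on this page are embedded as constructed input; the remaining Carrot policies appear on later pages and are not included, so packets they would cover fall through to None here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names that appear in the ipsec_config examples; TELNET is TCP port 23 (IANA).
SERVICES = {"TELNET": 23}


@dataclass(frozen=True)
class Endpoint:
    """One side of a policy filter, written as address[/prefix_len[/port_or_service]]."""
    network: ipaddress.IPv4Network   # configured address plus prefix length
    port: Optional[int]              # None means any port

    @classmethod
    def parse(cls, spec: str) -> "Endpoint":
        # Accepts "193.3.3.3", "192.1.1.0/24", "15.1.1.1/32/TELNET" or "15.1.1.1/32/23".
        parts = spec.split("/")
        addr = parts[0]
        prefix = int(parts[1]) if len(parts) > 1 else 32   # assumption: bare address means /32
        port = None
        if len(parts) > 2:
            port = SERVICES.get(parts[2].upper()) or int(parts[2])
        # strict=False so a host address with /32 and a network address with /24 both parse
        return cls(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False), port)

    def matches(self, addr: str, port: Optional[int]) -> bool:
        # Prefix match: the leading prefix_len bits of the packet address must equal the
        # configured address, starting from the most significant bit.
        if ipaddress.IPv4Address(addr) not in self.network:
            return False
        return self.port is None or self.port == port


@dataclass(frozen=True)
class HostPolicy:
    name: str
    destination: Endpoint          # remote side (-destination)
    source: Optional[Endpoint]     # local side (-source); None means any local address/port
    protocol: Optional[str]        # None means any protocol
    priority: int
    action: str


def parse_policy(line: str) -> HostPolicy:
    """Parse one 'add host' entry in ipsec_config batch syntax (continuation lines may be joined)."""
    tokens = line.replace("\\", " ").split()
    if tokens[:2] != ["add", "host"]:
        raise ValueError(f"not an 'add host' entry: {line!r}")
    opts = {}
    for i in range(3, len(tokens) - 1, 2):
        opts[tokens[i].lstrip("-")] = tokens[i + 1]
    return HostPolicy(
        name=tokens[2],
        destination=Endpoint.parse(opts["destination"]),
        source=Endpoint.parse(opts["source"]) if "source" in opts else None,
        protocol=opts.get("protocol"),
        priority=int(opts["priority"]),
        action=opts["action"],
    )


def select_policy(policies, local, remote, protocol, local_port=None, remote_port=None):
    """Return the first policy matching a packet between local and remote.

    Assumption: policies are searched in ascending order of their priority value, and the
    same policy applies to both directions (remote is the peer, whichever way the packet flows).
    """
    for p in sorted(policies, key=lambda p: p.priority):
        if p.protocol is not None and p.protocol != protocol:
            continue
        if not p.destination.matches(remote, remote_port):
            continue
        if p.source is not None and not p.source.matches(local, local_port):
            continue
        return p
    return None


# Constructed input: the two Carrot entries shown on this page, joined onto single lines.
CARROT_BATCH = [
    "add host potato -destination 193.3.3.3 -priority 20 -action ESP_AES128_HMAC_SHA1",
    "add host pass_icmp -destination 192.1.1.0/24 -protocol ICMP -priority 30 -action pass",
]
CARROT_POLICIES = [parse_policy(entry) for entry in CARROT_BATCH]


def action_for(remote, protocol, local="192.1.1.1", remote_port=None):
    """Which Carrot policy (name, action) handles a packet to or from the given remote."""
    p = select_policy(CARROT_POLICIES, local, remote, protocol, remote_port=remote_port)
    return (p.name, p.action) if p else None


if __name__ == "__main__":
    # ICMP to the router stays in clear text; anything to Potato is protected, including ICMP,
    # because priority 20 is searched before priority 30.
    for remote, proto in [("192.1.1.2", "ICMP"), ("193.3.3.3", "TCP"),
                          ("193.3.3.3", "ICMP"), ("192.1.1.3", "TCP")]:
        print(f"{proto:4} -> {remote:12} : {action_for(remote, proto)}")
```

The ICMP-to-Potato case is the one worth noticing: both potato and pass_icmp match such a packet, and the priority values decide which wins, so a "pass in clear text" exception placed at a higher priority value than a stricter policy cannot weaken that policy for the addresses it covers.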
184 HP-UX IPSec Configuration Examples