HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

3. aes_lan : applies ESP with AES-128 encryption and HMAC-SHA1 authentication (the
ESP_AES128_HMAC_SHA1 action) to all remaining packets in the 192.1.1.* network.
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
4. default : You modify the default host IPsec policy so that every packet not matched by the
preceding policies is discarded. To modify the default host IPsec policy, use the following
batch file entry:
add host default -action DISCARD
The host policy entries in the batch file on Carrot are as follows:
add host potato -destination 193.3.3.3 -priority 20 \
-action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \
-protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \
-priority 40 -action ESP_AES128_HMAC_SHA1
add host default -action DISCARD
Policy Priority
Note the priority of the pass_icmp policy (30) and the aes_lan policy (40). The pass_icmp policy
MUST have a lower order number (higher priority) than the aes_lan policy, because internal ICMP
packets match both policies (both select the 192.1.1.0/24 destination). Assigning pass_icmp the
lower order number causes IPsec to select pass_icmp, rather than aes_lan, for those ICMP packets.
If the order were reversed, ICMP packets to the LAN would select aes_lan and be protected with ESP
instead of passing in clear text.
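To make the selection rule concrete, the following is an added example; it is not part of the HP-UX IPSec guide and is not ipsec_config code. It parses the Carrot batch-file entries shown on this page and resolves which host policy a given packet selects, applying the rule the guide states (among the matching policies, the lowest order number wins). It assumes that the default policy, which has no -priority, is consulted last, and that every option in these entries takes exactly one value; the swap_priorities helper is this example's own device for showing what happens when pass_icmp and aes_lan are misordered.

```python
"""Host-policy selection for the Carrot batch file above.

Added example; not part of the HP-UX IPSec guide and not ipsec_config code.
It parses the page's own batch entries and resolves which host policy a
packet selects, using the rule the guide states: among matching policies
the lowest order number (highest priority) wins.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the Carrot host-policy entries exactly as on the page.
CARROT_BATCH = r"""
add host potato -destination 193.3.3.3 -priority 20 \
    -action ESP_AES128_HMAC_SHA1
add host pass_icmp -destination 192.1.1.0/24 \
    -protocol ICMP -priority 30 -action pass
add host aes_lan -destination 192.1.1.0/24 \
    -priority 40 -action ESP_AES128_HMAC_SHA1
add host default -action DISCARD
"""

# Assumption: the default policy carries no -priority and is consulted last.
DEFAULT_PRIORITY = float("inf")


@dataclass
class HostPolicy:
    name: str
    destination: Optional[ipaddress.IPv4Network]  # None = any destination
    protocol: Optional[str]                       # None = any protocol
    priority: float
    action: str

    def matches(self, dst: str, protocol: str) -> bool:
        if (self.destination is not None
                and ipaddress.ip_address(dst) not in self.destination):
            return False
        return self.protocol is None or self.protocol == protocol.upper()


def join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash, as the batch-file syntax allows."""
    entries, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            entries.append(buf.strip())
        buf = ""
    return entries


def parse_batch(text: str) -> List[HostPolicy]:
    """Parse 'add host' entries; every option used on the page takes one value."""
    policies = []
    for entry in join_continuations(text):
        tokens = shlex.split(entry)
        if tokens[:2] != ["add", "host"]:
            continue  # only host policies are modelled here
        name, opts = tokens[2], tokens[3:]
        args = dict(zip(opts[::2], opts[1::2]))
        dest = args.get("-destination")
        policies.append(HostPolicy(
            name=name,
            destination=ipaddress.ip_network(dest, strict=False) if dest else None,
            protocol=args["-protocol"].upper() if "-protocol" in args else None,
            priority=float(args["-priority"]) if "-priority" in args else DEFAULT_PRIORITY,
            action=args["-action"],
        ))
    return policies


def select_policy(policies: List[HostPolicy], dst: str, protocol: str = "TCP") -> HostPolicy:
    """Return the matching policy with the lowest order number (highest priority)."""
    candidates = [p for p in policies if p.matches(dst, protocol)]
    return min(candidates, key=lambda p: p.priority)


def swap_priorities(policies: List[HostPolicy], a: str, b: str) -> List[HostPolicy]:
    """Copy of the list with the priorities of policies a and b exchanged
    (hypothetical helper, used to show the misordering the guide warns about)."""
    by_name = {p.name: p for p in policies}
    swapped = []
    for p in policies:
        prio = p.priority
        if p.name == a:
            prio = by_name[b].priority
        elif p.name == b:
            prio = by_name[a].priority
        swapped.append(HostPolicy(p.name, p.destination, p.protocol, prio, p.action))
    return swapped


CARROT = parse_batch(CARROT_BATCH)

if __name__ == "__main__":
    for dst, proto in [("192.1.1.7", "ICMP"), ("192.1.1.7", "TCP"),
                       ("193.3.3.3", "TCP"), ("10.0.0.1", "TCP")]:
        p = select_policy(CARROT, dst, proto)
        print(f"{proto:4} -> {dst:12}: {p.name} ({p.action})")
    misordered = swap_priorities(CARROT, "pass_icmp", "aes_lan")
    print("misordered ICMP ->", select_policy(misordered, "192.1.1.7", "ICMP").name)
```

Run as written, ICMP to 192.1.1.7 selects pass_icmp, TCP to the same host selects aes_lan, 193.3.3.3 selects potato, and an address outside every selector falls through to the DISCARD default; with the two priorities exchanged, the same ICMP packet selects aes_lan, which is the outcome the note above warns against.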
Authentication Records
The authentication record for Potato specifies the preshared key:
add auth potato -remote 193.3.3.3 \
-preshared carrot_potato_key
For the nodes in the 192.1.1.* network, you use certificates for authentication. A single
authentication record covers the whole subnet: use IPv4 addresses as the ID types and specify the
subnet address as the remote ID value.
add auth 192.1.1_net -remote 192.1.1.0/24 \
-rtype IPV4 -rid 192.1.1.0/24 \
-ltype IPV4 -lid 192.1.1.1
IKEv1 Policy
You use the default IKEv1 policy without modifications.
Certificates
You must also obtain a certificate for the local system and load the local system's certificate, the
CA certificate, and the CRL. See “Configuration Example” (page 111) in Chapter 5 (page 100)
for an example of this procedure.
Host to Gateway
On system Blue (15.5.5.5), you configure HP-UX IPSec to communicate back to Home1 (17.7.7.7)
using a secure IPsec tunnel to a gateway (a router), accessed using its 16.6.6.6 address. IPsec
protects the packets only between Blue and the gateway; the end-to-end packets themselves
(Blue to Home1) pass beyond the gateway in clear text.
Blue must use the router as the gateway to Home1. You may need to configure an explicit IP route
to Home1 that specifies 16.6.6.6 as the gateway address.
The gateway (router) cannot be an HP-UX system. (HP-UX IPSec does not support gateway
functionality.) Configure the gateway according to the manufacturer’s specifications.
No HP-UX IPSec configuration is required on Home1. However, Home1 must use the router as the
gateway to Blue. You may need to configure an explicit IP route to Blue that specifies one of the
router's addresses as the gateway address.