HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Figure 22 Host to Gateway Configuration Example (diagram: Blue 15.5.5.5, Router 16.6.6.6, Home1 17.7.7.7)
Blue Configuration
Host IPsec Policy
The ipsec_config batch file on Blue contains the following entry:
add host toHome1 \
-src 15.5.5.5 \
-dst 17.7.7.7/32 \
-priority 100 -action PASS -tunnel torouter
Tunnel IPsec Policy
The end source address specification for the tunnel IPsec policy is 17.0.0.0/8, so this tunnel IPsec
policy can be used for host policies to other nodes in the 17.*.*.* network.
add tunnel torouter \
-src 15.5.5.5 \
-dst 17.0.0.0/8 \
-tsrc 15.5.5.5 \
-tdst 16.6.6.6 \
-action ESP_3DES_HMAC_MD5
Authentication Record
add auth torouter -rem 16.6.6.6 -psk Hello
IKEv1 Policy
The router in this topology uses Diffie-Hellman group 1. This does not match the default IKEv1
policy or the Diffie-Hellman group used by other nodes in the network, so you configure an
IKEv1 policy for negotiations with the router:
add ikev1 toRouter -rem 16.6.6.6 \
-pri 50 -group 1 -enc 3DES
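The four Blue entries above only work together if their cross-references line up: the host policy's -tunnel must name a defined tunnel, the host policy's -src and -dst must fall inside the tunnel policy's -src and -dst, the tunnel endpoint (-tdst) needs an authentication record, and the IKEv1 policy for that endpoint must exist so the group 1 settings are used. The following checker is an added example and is not code from the guide or from ipsec_config itself; it parses the Blue batch text (copied here as constructed sample input), and the function names, the check logic and the assumption that a lower -pri value is searched first are this example's own.

```python
"""Consistency check for an ipsec_config batch file (added example; not code
from the HP-UX IPSec guide). Parses the 'add host / tunnel / auth / ikev1'
entries for the Blue node and verifies the cross-references between them.
Function names, the checks and the 'lower -pri is searched first' ordering
are this example's assumptions."""
import ipaddress
import shlex

# Constructed sample input: the Blue entries as the guide shows them.
BLUE_BATCH = r"""
add host toHome1 \
-src 15.5.5.5 \
-dst 17.7.7.7/32 \
-priority 100 -action PASS -tunnel torouter
add tunnel torouter \
-src 15.5.5.5 \
-dst 17.0.0.0/8 \
-tsrc 15.5.5.5 \
-tdst 16.6.6.6 \
-action ESP_3DES_HMAC_MD5
add auth torouter -rem 16.6.6.6 -psk Hello
add ikev1 toRouter -rem 16.6.6.6 \
-pri 50 -group 1 -enc 3DES
"""


def parse_batch(text):
    """Join backslash-continued lines and map each
    'add <type> <name> -opt value ...' entry to {(type, name): {opt: value}}."""
    entries, buf = {}, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf = (buf + line).strip()
        if buf:
            tokens = shlex.split(buf)
            if len(tokens) < 3 or tokens[0] != "add":
                raise ValueError(f"unrecognised entry: {buf!r}")
            opts, rest, i = {}, tokens[3:], 0
            while i < len(rest):
                key = rest[i].lstrip("-")
                # an option followed by another option (or by nothing) is a bare flag
                if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                    opts[key] = rest[i + 1]
                    i += 2
                else:
                    opts[key] = True
                    i += 1
            entries[(tokens[1], tokens[2])] = opts
        buf = ""
    return entries


def net(addr):
    """'15.5.5.5' -> 15.5.5.5/32; '17.0.0.0/8' -> 17.0.0.0/8."""
    return ipaddress.ip_network(addr, strict=False)


def ike_policy_for(entries, remote):
    """Name of the ikev1 policy whose -rem matches `remote`, lowest -pri first
    (assumed search order); None if only the default policy would apply."""
    matches = [(int(o.get("pri", 10**6)), n) for (k, n), o in entries.items()
               if k == "ikev1" and o.get("rem") == remote]
    return min(matches)[1] if matches else None


def check_host_policy(entries, host_name):
    """Return a list of findings for one host policy; empty means consistent."""
    host = entries[("host", host_name)]
    tunnel_name = host.get("tunnel")
    if tunnel_name is None:
        return []                          # no tunnel reference: nothing to cross-check
    tunnel = entries.get(("tunnel", tunnel_name))
    if tunnel is None:
        return [f"host {host_name}: tunnel {tunnel_name!r} is not defined"]
    findings = []
    for sel in ("src", "dst"):            # host selectors must lie inside the tunnel's
        if not net(host[sel]).subnet_of(net(tunnel[sel])):
            findings.append(f"host {host_name}: -{sel} {host[sel]} is outside "
                            f"tunnel {tunnel_name} -{sel} {tunnel[sel]}")
    tdst = tunnel["tdst"]
    if not any(k == "auth" and o.get("rem") == tdst for (k, _), o in entries.items()):
        findings.append(f"tunnel {tunnel_name}: no authentication record with -rem {tdst}")
    if ike_policy_for(entries, tdst) is None:
        findings.append(f"tunnel {tunnel_name}: no IKEv1 policy for -rem {tdst}; "
                        "the default IKEv1 policy will be used")
    return findings


def check_batch(text):
    """Run check_host_policy over every host policy: {host_name: [findings]}."""
    entries = parse_batch(text)
    return {n: check_host_policy(entries, n) for (k, n) in entries if k == "host"}


if __name__ == "__main__":
    for name, found in check_batch(BLUE_BATCH).items():
        print(name, "OK" if not found else found)
```

Running it against the Blue entries reports toHome1 as consistent; changing the host -dst to an address outside 17.0.0.0/8, or deleting the auth record, produces a finding for each mismatch, which is the kind of error that otherwise only surfaces as a failed IKE negotiation or a PASS policy silently not applying.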
Autoconfiguration Clients
The system Server1 has the address 2001:db8:11:11::1111 on the subnet
2001:db8:11:11::/64. This subnet has three autoconfiguration clients, configured with the
user FQDN IKE IDs joe_s@corp.com, mick_j@corp.com, and paul_s@corp.com.
Server1 Configuration
The configuration on Server1 specifies the subnet address for the autoconfiguration clients as the
remote address.
The host policy on Server1 must specify the AUTOCONF flag, which imposes the following requirements:
Server1 cannot be the initiator in IKEv1 Phase 1 negotiations (Aggressive Mode negotiations)
with the autoconfiguration clients. Server1 can only be a responder in IKEv1 Phase 1
negotiations with the autoconfiguration clients.
On Server1, you must configure authentication records for the autoconfiguration clients. The
authentication records must specify Aggressive Mode for the exchange mode (-exchange