HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
F Using Manual Keys
This appendix describes how to configure and troubleshoot manual keys for IPsec SAs. Manual
keys are an alternative to IKE. Instead of dynamically generating and distributing cryptographic
keys for ESP and AH, the cryptographic keys are static and manually distributed. Manual keys are
typically used only when the remote system does not support IKE. This appendix addresses the
following topics:
• “Configuring Manual Key SAs” (page 190)
◦ “Manual Key Policy Restrictions” (page 190)
◦ “Selecting Encryption Keys” (page 191)
◦ “Using the HP-UX Strong Random Number Generator” (page 191)
◦ “Manual Key Configuration Example” (page 191)
• “Troubleshooting Manual Key Problems” (page 192)
Configuring Manual Key SAs
You specify information for manual key SAs with -in and -out statements in host and tunnel
policies:
-in manual_key_sa_specification
-out manual_key_sa_specification
The format for manual_key_sa_specification is:
ESP/spi /auth_key /enc_key [/iv]
ESP indicates the transform is an ESP transform.
spi is the decimal or hexadecimal (prefixed by 0x) Security Parameters Index (SPI) number,
used to identify the Security Association (SA). The inbound SPI must be unique on the local system
for all ESP SAs, outside the range of dynamic SPI numbers, and match the outbound SPI on the
remote system. The outbound SPI must match the inbound SPI on the remote system.
In installations using the HP-UX IPSec default range for dynamic key SPI numbers (300 - 2500000),
the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 - 4294967295.
auth_key is the hexadecimal authentication key, prefixed by 0x. For MD5, auth_key is 32
hexadecimal digits. For SHA-1, auth_key is 40 hexadecimal digits. The key must match what is
configured on the remote system.
enc_key is the hexadecimal encryption key, prefixed by 0x. For 3DES, enc_key is 48
hexadecimal digits (192 bits). For AES128, enc_key is 32 hexadecimal digits (128 bits). The
key must match what is configured on the remote system.
iv is the Initialization Vector (IV): a hexadecimal (prefixed by 0x), 64-bit initial block used for
cipher block chaining (CBC) encryption. The IV must match what is configured on the remote system.
The default value for iv is 0x0000000000000000.
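The following Python validator is an added illustration of the rules above, not code from HP-UX IPSec. It parses a manual_key_sa_specification, assumes the default dynamic SPI range of 300 - 2500000, derives the authentication and encryption algorithm from the documented key lengths, applies the inbound SPI range rule, and reports inbound SPIs reused across several -in statements on one system.

```python
import re

# Default dynamic-key SPI range from the text; inbound manual SPIs must fall outside it.
DYNAMIC_SPI_MIN, DYNAMIC_SPI_MAX = 300, 2500000
SPI_MAX = 4294967295
AUTH_KEY_LENGTHS = {32: "MD5", 40: "SHA-1"}   # hex digits -> algorithm, from the text
ENC_KEY_LENGTHS = {48: "3DES", 32: "AES128"}
IV_HEX_DIGITS = 16                            # 64-bit IV
DEFAULT_IV = "0x0000000000000000"


def _hex_digits(name, value, allowed):
    """Check that a field is 0x-prefixed hexadecimal and return its digit count."""
    if not value.startswith("0x") or not re.fullmatch(r"[0-9a-fA-F]+", value[2:]):
        raise ValueError(f"{name} must be hexadecimal prefixed by 0x: {value!r}")
    digits = len(value) - 2
    if digits not in allowed:
        raise ValueError(f"{name} has {digits} hex digits, expected {sorted(allowed)}")
    return digits


def parse_manual_key_sa(spec, inbound):
    """Parse ESP/spi/auth_key/enc_key[/iv]; apply the inbound SPI range rule when inbound."""
    parts = spec.split("/")
    if len(parts) not in (4, 5) or parts[0] != "ESP":
        raise ValueError(f"expected ESP/spi/auth_key/enc_key[/iv]: {spec!r}")
    spi_text = parts[1]
    # SPI is decimal, or hexadecimal when prefixed by 0x
    spi = int(spi_text[2:], 16) if spi_text.startswith("0x") else int(spi_text, 10)
    if not 1 <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} outside 1..{SPI_MAX}")
    if inbound and DYNAMIC_SPI_MIN <= spi <= DYNAMIC_SPI_MAX:
        raise ValueError(f"inbound SPI {spi} collides with dynamic range "
                         f"{DYNAMIC_SPI_MIN}-{DYNAMIC_SPI_MAX}")
    auth_alg = AUTH_KEY_LENGTHS[_hex_digits("auth_key", parts[2], AUTH_KEY_LENGTHS)]
    enc_alg = ENC_KEY_LENGTHS[_hex_digits("enc_key", parts[3], ENC_KEY_LENGTHS)]
    iv = parts[4] if len(parts) == 5 else DEFAULT_IV
    _hex_digits("iv", iv, {IV_HEX_DIGITS})
    return {"spi": spi, "auth": auth_alg, "enc": enc_alg, "iv": iv}


def check_inbound_spis_unique(in_specs):
    """Return the set of inbound SPIs that appear in more than one -in statement."""
    seen, dupes = set(), set()
    for spec in in_specs:
        spi = parse_manual_key_sa(spec, inbound=True)["spi"]
        if spi in seen:
            dupes.add(spi)
        seen.add(spi)
    return dupes
```

The sample keys in the test are constructed placeholder values, not keys to deploy.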
Manual Key Policy Restrictions
A host or tunnel policy for manual keys specifies one IPsec SA pair between two specific systems.
Because of this characteristic, follow these restrictions when configuring host policies for manual
keys:
• Do not specify multiple instances of the -source or -destination arguments.
• Do not specify wildcard IP addresses or IP address ranges in the -source or -destination
arguments.
190 Using Manual Keys