HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Follow these restrictions when configuring tunnel policies for manual keys:
Do not specify multiple instances of the -tsource or -tdestination arguments.
Do not specify wildcard IP addresses or IP address ranges in the -tsource or -tdestination arguments.
Selecting Encryption Keys
You should configure strong, random encryption keys for manual key SAs. If you are using 3DES
encryption and the key is not sufficiently strong, ipsec_config reports an error message similar
to the following:
Weak 3DES encryption key: 0xhhhh
...
Using the HP-UX Strong Random Number Generator
One way to generate strong encryption keys is to use the HP-UX Strong Random Number Generator
product, available at no cost from the HP Software Depot (http://software.hp.com). After you
have installed the HP-UX Strong Random Number Generator, you can generate a random number
and use the od utility to display an ASCII string of its hexadecimal digits by executing the following
command sequence:
od -Ax -Nnn /dev/random
nn is the number of bytes to extract from the random number generator. For example, the following
command extracts and displays a 24-byte random number for a 3DES encryption key:
od -Ax -N24 /dev/random
Manual Key Configuration Example
You want to secure rlogin sessions from the system Dog (10.2.2.2) to the system Cat (10.4.4.4)
using manual keys. There is no configuration for rlogin sessions from Cat to Dog; these sessions
use the default host IPsec policy and pass in clear text.
Dog Configuration
The ipsec_config batch file on Dog contains only one host IPsec policy. The -in substatement
specifies the parameters for the inbound SA: the type of IPsec header (ESP), the Security
Parameters Index (SPI, 2500004), the 128-bit AES key, and the 160-bit SHA-1 key. The -out
substatement specifies the same parameters for the outbound SA.
No IKE policy or authentication record is required because you are using manual keys.
add host rlog_dog_to_cat -source 10.2.2.2 \
-destination 10.4.4.4/32/RLOGIN \
-action ESP_AES128_HMAC_SHA1 \
-in ESP/2500004/\
0x0123456789012345678901234567890123456789/\
0x12345678901234567890123456789012 \
-out ESP/2500003/\
0x1234567890123456789012345678901234567890/\
0x12345678901234567890123456789012
Cat Configuration
The ipsec_config batch file on Cat is the mirror image of the batch file on Dog. The administrator
created the batch file by copying the batch file from Dog and swapping the source and destination
option names (-source and -dst), and swapping the inbound and outbound SA option names
(-in and -out).
add host rlog_dog_to_cat -destination 10.2.2.2 \
-source 10.4.4.4/32/RLOGIN \
-action ESP_AES128_HMAC_SHA1 \
-out ESP/2500004/\
Configuring Manual Key SAs 191
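The key-selection and mirror-image steps above, as an added example that is not part of the HP-UX guide: a POSIX shell script that draws key material from /dev/random with od, checks that each key is exactly as long as its algorithm requires (128-bit AES, 160-bit SHA-1, 192-bit 3DES), and generates both the Dog and the Cat batch files from one set of SPIs and keys so the Cat file cannot drift from Dog's. It assumes od accepts -An -tx1 and the ESP/spi/key/key substatement layout shown in the guide; the keys in the demo are constructed, not random.

```shell
#!/bin/sh
# Added example (not from the HP-UX guide): draw manual-key material from
# /dev/random with od(1), check each key has the length its algorithm needs,
# and build the Dog and Cat ipsec_config batch files from one set of values
# so that Cat is an exact mirror of Dog. Assumes POSIX od -An -tx1 and the
# ESP/spi/key/key substatement layout shown in the guide.

# n random bytes from /dev/random as one 0x-prefixed hex string.
hexkey() {
    printf '0x%s\n' "$(od -An -N"$1" -tx1 /dev/random | tr -d ' \n')"
}

# 0 if $1 is 0x plus exactly $2/4 hex digits (AES-128: 32, SHA-1: 40, 3DES: 48).
keylen_ok() {
    body=${1#0x}
    [ "$body" != "$1" ] && [ ${#body} -eq $(( $2 / 4 )) ] || return 1
    case "$body" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# One 'add host' policy in the guide's layout.
# Args: name source destination in_spi in_key1 in_key2 out_spi out_key1 out_key2
policy() {
    printf 'add host %s -source %s \\\n' "$1" "$2"
    printf '    -destination %s \\\n' "$3"
    printf '    -action ESP_AES128_HMAC_SHA1 \\\n'
    printf '    -in ESP/%s/%s/%s \\\n' "$4" "$5" "$6"
    printf '    -out ESP/%s/%s/%s\n' "$7" "$8" "$9"
}

# The ESP/spi/key/key token of the -in or -out ($2) substatement in policy text $1.
sa_of() { printf '%s\n' "$1" | sed -n "s/.*-$2 \\(ESP[^ ]*\\).*/\\1/p"; }

# 0 when Cat's inbound SA equals Dog's outbound SA and vice versa.
mirror_ok() {
    [ "$(sa_of "$1" in)" = "$(sa_of "$2" out)" ] &&
    [ "$(sa_of "$1" out)" = "$(sa_of "$2" in)" ]
}

# Demo with constructed, non-random keys; for real SAs use "$(hexkey 20)" / "$(hexkey 16)".
TO_DOG_AUTH=0x0123456789012345678901234567890123456789  # 160-bit HMAC-SHA1 key
TO_DOG_ENC=0x12345678901234567890123456789012           # 128-bit AES key
TO_CAT_AUTH=0x1234567890123456789012345678901234567890
TO_CAT_ENC=0x12345678901234567890123456789012
DOG=$(policy rlog_dog_to_cat 10.2.2.2 10.4.4.4/32/RLOGIN \
    2500004 "$TO_DOG_AUTH" "$TO_DOG_ENC" 2500003 "$TO_CAT_AUTH" "$TO_CAT_ENC")
CAT=$(policy rlog_dog_to_cat 10.4.4.4/32/RLOGIN 10.2.2.2 \
    2500003 "$TO_CAT_AUTH" "$TO_CAT_ENC" 2500004 "$TO_DOG_AUTH" "$TO_DOG_ENC")
printf '%s\n\n%s\n' "$DOG" "$CAT"
mirror_ok "$DOG" "$CAT" && echo "Cat batch file mirrors Dog batch file"
```

Feed the two outputs to ipsec_config on the respective hosts; a key that fails keylen_ok would be rejected before it ever reaches a batch file.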