HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Support for multiple source and destination arguments in host and tunnel policies
You can specify up to 20 instances of the -source and -destination arguments in the
ipsec_config add host and ipsec_config add tunnel commands. For more information,
see “IPsec SA Packet Descriptors” (page 161).
This feature is not supported with manual keys. For more information, see “Manual Key Policy
Restrictions” (page 190).
Support for IP address and port number ranges in host policies
You can specify IP address or port number ranges in source and destination arguments (-source
and -destination) for IPsec host policies. For more information, see “Step 1: Configuring host
IPsec policies” (page 63).
This feature is not supported with manual keys. For more information, see “Manual Key Policy
Restrictions” (page 190).
Support for IP address ranges in tunnel policies
You can specify IP address ranges in the end-to-end source and destination arguments (-source
and -destination) for IPsec tunnel policies. For more information, see “Step 2: Configuring
tunnel IPsec policies” (page 72).
Port numbers and services are ignored in tunnel policies
Port numbers and service names are ignored in end-to-end source and destination arguments for
IPsec tunnel policies. They are no longer documented. For more information, see “IPsec SA Packet
Descriptors” (page 161).
Support for ICMPv4 and ICMPv6 type codes in host policies
The ipsec_config add host command supports the following options to specify ICMPv4 and
ICMPv6 message type codes in packet filters:
• dst_icmp_type and src_icmp_type (destination and source ICMPv4 type values)
• dst_icmpv6_type and src_icmpv6_type (destination and source ICMPv6 type values)
Support for IPv6 mobility header type codes in host policies
The ipsec_config add host command supports the dst_mh_type and src_mh_type options
to specify IPv6 Mobility Header (MH) type codes in packet filters.
Certificate changes
The following sections describe product changes related to certificate configuration and processing.
The ipsec_config add cert command is deprecated
The ipsec_config add cert command and related commands (ipsec_config show cert,
ipsec_config delete cert) are deprecated. These commands are still supported, but not
documented. The ipsec_config add cert command will be obsolete in future releases, and
HP recommends that you use the following commands instead:
• ipsec_config add mycert
• ipsec_config add cacert
The ipsec_config delete mycert command deletes the local system certificate and the
associated private key. It does not delete any CA certificate or CRL files. For more information
about managing certificates, see “Managing Certificate Data” (page 112).