HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Identity authentication
The IKE protocol authenticates the identity of the remote system. HP-UX IPSec supports the
following forms of IKE authentication:
Preshared keys.
Digital signatures (RSA signatures), using X.509 version 3 security certificates.
Because IKE verifies the identity of the remote system, AH and ESP also provide data origin
authentication.
Host-based IPsec topologies
HP-UX IPSec is supported on host systems in host-to-host and in host-to-gateway topologies.
You can use HP-UX IPSec to provide security in internal networks and to provide Virtual Private
Network (VPN) solutions across public Internet communication.
You can also use HP-UX IPSec with application servers (proxy application servers) and IPsec
VPN gateways from other vendors.
Interoperability
HP-UX IPSec interoperates with numerous other IPsec implementations, including those of Cisco,
Microsoft, Linux, and FreeBSD.
Mobile IPv6 Home Agent security
You can use HP-UX IPSec on HP-UX Mobile IPv6 Home Agents to secure communication
between the Home Agent and mobile nodes. HP-UX IPSec is conformant with RFC 3776, Using
IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents.
Powerful and flexible management utilities
The HP-UX IPSec product includes the configuration and management features listed below.
Easy-to-use configuration utilities
You configure HP-UX IPSec using the ipsec_config command-line utility, which also
supports batch mode operation.
Flexible, packet-based configuration
You control IPsec behavior by defining packet filters in IPsec policies. An IPsec policy
contains a packet filter definition and list of actions or transforms (pass, discard, use ESP
or AH) to apply to the packets. The packet filter definition contains the following fields:
local IP address
local address prefix length (for subnet addresses)
remote IP address
remote address prefix length (for subnet addresses)
upper-layer protocol (such as TCP, UDP, or ICMP)
local TCP or UDP port number
remote TCP or UDP port number
You can specify wildcards (match any value) for field values. You can also select a network
service for the filter, such as telnet, instead of the upper-layer protocol and port numbers.
Bypass address configuration
You can configure HP-UX IPSec to bypass, or ignore, local IP interfaces that you do not
need to secure. This feature is useful for internal networks where most traffic passes in
clear text and only specific applications need to be secured.
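The packet-filter fields, wildcards, service-name shorthand and bypass addresses described above, worked through as an added example (not code from the guide or from HP-UX IPSec): a small first-match evaluator. The service table, the policy list, the loopback bypass entry and the discard default for unmatched packets are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard field value: match any value
# Constructed service table: a service name stands in for protocol plus port.
SERVICES = {"telnet": ("tcp", 23), "ssh": ("tcp", 22), "dns": ("udp", 53)}

@dataclass(frozen=True)
class PacketFilter:
    """One packet filter definition; address fields take 'addr' or 'addr/prefixlen'."""
    local_addr: Optional[str] = ANY
    remote_addr: Optional[str] = ANY
    protocol: Optional[str] = ANY      # "tcp", "udp" or "icmp"
    local_port: Optional[int] = ANY
    remote_port: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        def addr_ok(spec, addr):  # a bare address acts as a single-host prefix
            return spec is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

        def val_ok(spec, val):
            return spec is ANY or spec == val

        return (addr_ok(self.local_addr, pkt["local"]) and addr_ok(self.remote_addr, pkt["remote"])
                and val_ok(self.protocol, pkt["proto"]) and val_ok(self.local_port, pkt.get("lport"))
                and val_ok(self.remote_port, pkt.get("rport")))

def service_filter(name: str, **fields) -> PacketFilter:
    """Filter for a named service offered by this host: the service port is the local port."""
    proto, port = SERVICES[name]
    return PacketFilter(protocol=proto, local_port=port, **fields)

def evaluate(policies, bypass_addrs, pkt: dict) -> str:
    """Bypassed local interfaces skip IPsec; otherwise the first matching policy's action
    applies. Unmatched traffic is discarded here (a constructed default, not HP-UX's)."""
    if pkt["local"] in bypass_addrs:
        return "pass"
    for flt, action in policies:
        if flt.matches(pkt):
            return action
    return "discard"

# Constructed sample policy list (evaluated in order) and a bypassed loopback interface.
POLICIES = [(service_filter("telnet", remote_addr="10.1.0.0/16"), "esp"),
            (PacketFilter(protocol="icmp"), "pass"),
            (PacketFilter(remote_addr="192.168.1.0/24"), "ah")]
BYPASS = {"127.0.0.1"}
```

Policy order matters: a broad wildcard filter placed before a narrow one would shadow it, so the more specific filters are listed first.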