HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
• manual-keys
• mipv6
For a simple host-to-host topology, edit the batch file template /var/adm/ipsec/templates/
host-to-host as follows:
• Uncomment the appropriate configuration statements. At a minimum, you must uncomment
and configure the following items:
◦ Host IPsec policies. At a minimum, you must configure one host IPsec policy. However,
most client-server applications require two host IPsec policies: one policy for service
requests initiated from the local system (the remote system is the server), and a second
policy for service requests initiated from the remote system (the local system is the server).
◦ Authentication records. Configure an authentication record for each remote system. The
authentication record specifies the IKE version, IKE authentication methods, and IKE ID
information. If the authentication method is preshared key, the record also contains the
preshared key value.
◦ IKEv2 or IKEv1 policy. The configuration database contains a default IKEv2 policy and
a default IKEv1 policy. If the default parameters do not meet your requirements, you can
modify this policy.
• Replace the addresses and other parameters in angle brackets (< >) with values that match
your topology.
• Save the edited file under a different file name, such as host1_batch.
NOTE: If you are using HP-UX IPSec on a system with an interface attached to a public network
and an interface on a private network, HP recommends that you take additional precautions to
isolate potential attacks from the public network. See “Maximizing security” (page 57) for more
information.
Policy priority order and selection
HP-UX IPSec searches host IPsec and IKE policies in priority order (within each type of policy).
Lower priority values have higher priority (priority value 1 is the highest priority).
If you have policies with overlapping address specifications, configure the more specific policies
with higher priorities (lower priority values) so HP-UX IPSec will search them before policies with
less specific addresses.
Automatic priority assignment
If you do not specify a priority when creating a policy with the ipsec_config add command,
ipsec_config automatically assigns the policy a priority so that the new policy is the last policy
searched before the default policy within its policy type. The example in this section does not
specify priority values and uses the values assigned by ipsec_config.
See “Host policy order and selection” (page 63), “IKE Policy Order and Selection” (page 86),
and “Authentication Record Order and Selection” (page 77) for more information.
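The search rules above (lower priority value searched first, an unprioritized policy placed last before the default policy, and more-specific address specifications needing the lower value) are easy to get wrong when policies overlap: a broad policy with a lower value silently shadows a narrower one, so traffic meant to be secured can fall through to the broader policy. The following is an added illustration of that search order in Python; it is a model written for this guide, not HP-UX IPSec code or the ipsec_config database. The default policy's priority value and action, the action labels, and the networks used in the demonstration are constructed assumptions.

```python
"""Model of HP-UX IPSec host-policy search order (added illustration, not HP code)."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the manual says the default policy is searched last but
# does not give its priority value, so a large value is assumed here.
DEFAULT_PRIORITY = 10_000_000
DEFAULT_POLICY_NAME = "default"


@dataclass(frozen=True)
class HostPolicy:
    name: str
    priority: int          # lower value = searched earlier (1 is the highest priority)
    remote: object         # ipaddress network the policy's remote address spec covers
    action: str            # constructed label for what the policy does, e.g. "secure"


class PolicyTable:
    """Host IPsec policies of one type, searched in priority order."""

    def __init__(self, default_action="default-action"):
        # default_action is a constructed label; the page does not state what the
        # default policy does, only that it is searched last.
        self._policies = []
        self._default = HostPolicy(DEFAULT_POLICY_NAME, DEFAULT_PRIORITY, None, default_action)

    def add(self, name, remote, action, priority=None):
        """Add a policy. With no explicit priority, place it last before the default
        policy, mirroring the automatic assignment described for ipsec_config add."""
        net = ipaddress.ip_network(remote, strict=False)
        if priority is None:
            priority = max((p.priority for p in self._policies), default=0) + 1
        if not 1 <= priority < DEFAULT_PRIORITY:
            raise ValueError(f"priority {priority} outside 1..{DEFAULT_PRIORITY - 1}")
        if any(p.priority == priority for p in self._policies):
            raise ValueError(f"priority {priority} already in use")
        pol = HostPolicy(name, priority, net, action)
        self._policies.append(pol)
        self._policies.sort(key=lambda p: p.priority)
        return pol

    def select(self, remote_addr):
        """Return the first policy (lowest priority value) whose address spec matches,
        falling back to the default policy when none does."""
        addr = ipaddress.ip_address(remote_addr)
        for p in self._policies:
            if p.remote.version == addr.version and addr in p.remote:
                return p
        return self._default

    def shadowed(self):
        """Configuration check: list (policy, shadowing_policy) pairs where a policy's
        address spec lies entirely inside an earlier-searched policy's spec, so the
        later policy can never be selected."""
        result = []
        for i, p in enumerate(self._policies):
            for earlier in self._policies[:i]:
                if (p.remote.version == earlier.remote.version
                        and p.remote.subnet_of(earlier.remote)):
                    result.append((p.name, earlier.name))
                    break
        return result


if __name__ == "__main__":
    # Constructed example: specific host policy added first gets priority 1,
    # the broader subnet policy gets 2, so the specific one is searched first.
    good = PolicyTable()
    good.add("db-server", "10.1.2.3/32", "secure")
    good.add("lan", "10.1.0.0/16", "pass")
    print(good.select("10.1.2.3").name, good.shadowed())   # db-server []

    # Same policies added in the other order: the /16 now shadows the /32.
    bad = PolicyTable()
    bad.add("lan", "10.1.0.0/16", "pass")
    bad.add("db-server", "10.1.2.3/32", "secure")
    print(bad.select("10.1.2.3").name, bad.shadowed())     # lan [('db-server', 'lan')]
```

Running `shadowed()` over a planned policy set before committing it is the check a practitioner wants here: any pair it reports means the narrower policy needs an explicitly assigned lower priority value, as the guide recommends for overlapping address specifications.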
Host-to-host template file
The /var/adm/ipsec/templates/host-to-host template file is reproduced below.
######################################################################
# /var/adm/ipsec/templates/host-to-host
#
# Sample ipsec_config batch file for securing host-to-host IP packets
# using preshared keys.
#
# Copyright 2009, Hewlett-Packard Development Company L.P.
#
Step 2: Modifying the configuration batch file template 49