HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
#add ikev1 default -group 2 -hash MD5 -encryption 3DES -life 28800
#
# IKEv2 :
# The pre-loaded default IKEv2 policy has the following parameters:
# -Diffie-Hellman Group: 2
# -IKEv2 authentication: HMAC-SHA1
# -IKEv2 encryption: 3DES
# -Pseudo Random Function: HMAC-SHA1
# -IKEv2 SA lifetime: 28800 seconds
#
# If you use IKEv2 as the Key Exchange Protocol and these parameter values
# do not meet your requirements,
# uncomment the following policy to change the default IKEv2 policy:
#
#add ikev2 default -group 2 -hash HMAC-SHA1 -encryption 3DES \
# -prf HMAC-SHA1 -life 28800
#
Example
You have two systems: red, with address 10.1.1.1, and blue, with address 10.2.2.2. You want
to secure all telnet sessions between the two systems and use IKEv1. You will use the default
IKEv1 policy that is installed with the HP-UX IPSec product without modifications.
Red configuration
On red, you uncomment and edit the following three entries from the template file:
add host telnet_to_blue \
-source 10.1.1.1 \
-destination 10.2.2.2/32/TELNET \
-action ESP_AES128_HMAC_SHA1
add host telnet_from_blue \
-source 10.1.1.1/32/TELNET \
-destination 10.2.2.2 \
-action ESP_AES128_HMAC_SHA1
add auth blue -remote 10.2.2.2 \
-kmp ikev1 \
-local_method psk -psk my_red_blue_key
Blue configuration
On blue, you uncomment and edit the following three entries from the template file:
add host telnet_to_red \
-source 10.2.2.2 \
-destination 10.1.1.1/32/TELNET \
-action ESP_AES128_HMAC_SHA1
add host telnet_from_red \
-source 10.2.2.2/32/TELNET \
-destination 10.1.1.1 \
-action ESP_AES128_HMAC_SHA1
add auth red -remote 10.1.1.1 \
-kmp ikev1 \
-local_method psk -psk my_red_blue_key
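The red and blue entries above must be exact mirror images of each other, and a mismatch (one side edited, the other not) is a common reason an SA never comes up. The following Python checker is an added example, not part of the HP-UX guide: it parses batch-file fragments constructed from the example (joining backslash continuations, ignoring commented template lines, assuming the flag/value layout shown there) and reports host policies with no swapped-source/destination counterpart on the peer and auth entries whose -kmp or -psk disagree.

```python
import shlex

# Constructed fragments of the two ipsec_config batch files from the example
# above; one entry keeps a backslash continuation to show the parser joins it.
RED = """
#add ikev1 default -group 2 -hash MD5 -encryption 3DES -life 28800
add host telnet_to_blue -source 10.1.1.1 -destination 10.2.2.2/32/TELNET \\
 -action ESP_AES128_HMAC_SHA1
add host telnet_from_blue -source 10.1.1.1/32/TELNET -destination 10.2.2.2 -action ESP_AES128_HMAC_SHA1
add auth blue -remote 10.2.2.2 -kmp ikev1 -local_method psk -psk my_red_blue_key
"""
BLUE = """
add host telnet_to_red -source 10.2.2.2 -destination 10.1.1.1/32/TELNET -action ESP_AES128_HMAC_SHA1
add host telnet_from_red -source 10.2.2.2/32/TELNET -destination 10.1.1.1 -action ESP_AES128_HMAC_SHA1
add auth red -remote 10.1.1.1 -kmp ikev1 -local_method psk -psk my_red_blue_key
"""

def parse_batch(text):
    """Return (kind, name, options) for each 'add' entry; joins backslash
    continuations and drops '#' comments, so commented template lines are ignored."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        toks = shlex.split(line, comments=True)
        if len(toks) < 3 or toks[0] != "add":
            continue
        rest = toks[3:]
        opts = {rest[i].lstrip("-"): rest[i + 1] for i in range(0, len(rest) - 1, 2)}
        entries.append((toks[1], toks[2], opts))
    return entries

def mirror_problems(local_text, peer_text):
    """Check that every host policy on one side has a counterpart on the peer
    with source and destination swapped and the same action, and that the
    auth entries agree on key-management protocol and pre-shared key."""
    local, peer = parse_batch(local_text), parse_batch(peer_text)
    peer_hosts = {(o["destination"], o["source"], o["action"])
                  for k, _, o in peer if k == "host"}
    problems = [f"host {n}: no mirrored policy on peer"
                for k, n, o in local if k == "host"
                and (o["source"], o["destination"], o["action"]) not in peer_hosts]
    peer_auth = {(o.get("kmp"), o.get("psk")) for k, _, o in peer if k == "auth"}
    problems += [f"auth {n}: peer has no auth entry with the same kmp and psk"
                 for k, n, o in local if k == "auth"
                 and (o.get("kmp"), o.get("psk")) not in peer_auth]
    return problems

if __name__ == "__main__":
    for side, mine, theirs in (("red", RED, BLUE), ("blue", BLUE, RED)):
        print(side, mirror_problems(mine, theirs) or "ok")
```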
Step 3: Verifying the batch file syntax
Use the following command to verify the contents of the ipsec_config batch file without
committing the configuration:
ipsec_config batch batch_file_name -nocommit
The ipsec_config utility displays the following message to indicate the profile file used:
Using default profile file /var/adm/ipsec/.ipsec_profile