HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ipsec_config add startup Syntax
Use the following ipsec_config add startup syntax to configure HP-UX IPSec to start
automatically at system startup time:
ipsec_config add startup -autoboot ON
See the ipsec_config_add(1M) manpage for complete syntax information.
Step 6: Creating backup copies of configuration files
Create backup copies of the following files:
The configuration database file, /var/adm/ipsec/config.db.
Your batch file. If you do not have a batch file, use the ipsec_config export command
to create one from the configuration database. See “Exporting the Configuration Database
to a Batch File” (page 117) for more information.
Back up the files on removable media and store them in a secure place.
Configuration tips and reminders
This section contains configuration tips.
Minimum Configuration Requirements
If you are using preshared keys for IKE authentication, your configuration must contain at least
the following objects:
Host policy
Authentication record (this contains the preshared key)
HP-UX IPSec also requires an IKEv2 policy or an IKEv1 policy. The configuration database
includes default IKEv2 and IKEv1 policies that can be used without modification.
Policy Order and Selection
HP-UX IPSec searches host policies, IKE policies, and authentication records in priority order
(within each type of policy or record). Lower priority values have higher priority (priority value
1 is the highest priority).
See “Host policy order and selection” (page 63), “IKE Policy Order and Selection” (page 86),
and “Authentication Record Order and Selection” (page 77) for more information.
Mirror Host IPsec policies for client-server applications
Host IPsec policies are bidirectional, but most client-server applications require two host IPsec
policies. Client-server network services typically use dynamically assigned port numbers for
clients and static, well-known port numbers for a daemon on the server. If you want to secure
both inbound service requests (the local system is the server) and outbound requests from your
system (the local system is the client), you must configure two host IPsec policies: one for
inbound requests to the static server port on the local system and one for outbound requests
to the static server port on the remote system or systems.
For example, the following host IPsec policy secures only rlogin sessions initiated from the
local system, 10.10.10.10, to the system 10.20.20.20:
ipsec_config add host rlogin_to_10.20.20.20 \
-source 10.10.10.10 -destination 10.20.20.20/32/RLOGIN \
-action ESP_AES128_HMAC_SHA1
To secure rlogin sessions from 10.20.20.20 to the local system, you must also configure the
following policy:
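As an added example (not taken from the HP guide), the shell function below prints the pair of mirrored host policy commands for one service so both directions are reviewed together before being applied. The function names, the policy naming scheme, and the use of the address/prefix/service form on -source are assumptions of this example.

```sh
#!/bin/sh
# Added example: prints, but does not run, the two mirrored host policy commands.

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    rest=$1 count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    [ "$count" -eq 4 ]
}

# mirror_host_policies LOCAL REMOTE SERVICE ACTION (hypothetical helper)
mirror_host_policies() {
    local_ip=$1 remote_ip=$2 action=$4
    service=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    if ! is_ipv4 "$local_ip" || ! is_ipv4 "$remote_ip"; then
        echo "error: addresses must be dotted-quad IPv4" >&2; return 2
    fi
    # Reject anything that could smuggle shell syntax into the printed commands.
    case "$service" in ''|*[!A-Z0-9_-]*)
        echo "error: invalid service name" >&2; return 2 ;;
    esac
    case "$action" in ''|*[!A-Za-z0-9_]*)
        echo "error: invalid action name" >&2; return 2 ;;
    esac
    name=$(printf '%s' "$service" | tr '[:upper:]' '[:lower:]')
    # Outbound: local client to the static server port on the remote system.
    printf 'ipsec_config add host %s_to_%s -source %s -destination %s/32/%s -action %s\n' \
        "$name" "$remote_ip" "$local_ip" "$remote_ip" "$service" "$action"
    # Inbound: remote client to the static server port on the local system.
    # Assumption: -source accepts the same address/prefix/service form as -destination.
    printf 'ipsec_config add host %s_from_%s -source %s/32/%s -destination %s -action %s\n' \
        "$name" "$remote_ip" "$local_ip" "$service" "$remote_ip" "$action"
}

# Addresses, service and action taken from the rlogin example above.
mirror_host_policies 10.10.10.10 10.20.20.20 rlogin ESP_AES128_HMAC_SHA1
```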