HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
4 Configuring HP-UX IPSec
This chapter describes how to configure HP-UX IPSec, including preshared key configuration. If you are using RSA signature authentication for IKE, you must also see Chapter 5: “Using Certificates with HP-UX IPSec” (page 100) for instructions on configuring certificates. This chapter also describes how to maximize HP-UX IPSec security and how to use the HP-UX IPSec configuration utility, ipsec_config.
This chapter contains the following sections:
• “Maximizing security” (page 57)
• “Using ipsec_config” (page 58)
• “Configuration overview” (page 61)
• “Step 1: Configuring host IPsec policies” (page 63)
• “Step 2: Configuring tunnel IPsec policies” (page 72)
• “Step 3: Configuring authentication records and preshared keys” (page 77)
• “Step 4: Configuring IKEv1 and IKEv2 Policies” (page 86)
• “Step 5: Configuring Certificates” (page 94)
• “Step 6: Configuring the Bypass List (Local IP Addresses)” (page 94)
• “Step 7: Verifying the Batch File Syntax” (page 96)
• “Step 8: Committing the Batch File Configuration and Verifying Operation” (page 96)
• “Step 9: Configuring HP-UX IPSec to Start Automatically” (page 98)
• “Step 10: Creating Backup Copies of the Configuration Files” (page 99)
Maximizing security
A system can have both “public” interface IP addresses and “private” interface IP addresses. A public interface IP address is an IP address configured on a Network Interface Card (NIC) connected to a public network. A private interface IP address is an IP address configured on a NIC connected to a private internal network. If you have a system with both a public interface IP address and a private interface IP address, do not assume that all packets processed by the private interface originated from the private network. Do not configure any “open” IPsec policies that allow most or all packets sent to the private interface IP address to pass in clear text.

If you configure an open IPsec policy for a private interface IP address on a system that also has public interfaces, intruders may be able to access services or ports bound to the private interface IP address from other NICs on the system, even if the other interface IP addresses are secured by IPsec policies. Intruders may access services or ports bound to the private interface IP address, even if the intruders are not directly connected to the private interface.
Bypass list
Configuring an entry in the bypass list has the same effect as configuring an open IPsec policy, so the same conditions exist. Intruders may be able to access services or ports bound to the address in the bypass list from other interfaces on the system, even if the other interfaces are secured by IPsec policies. Intruders may access services or ports bound to the address in the bypass list even if the intruders are not directly connected to the interface in the bypass list.

HP recommends that you do not configure open IPsec policies, or entries in the bypass list for private interfaces on systems that also have public interfaces, or on systems on which you are using HP-UX IPSec as a filter or firewall to protect your network.
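The two conditions above (an open policy on a private interface address, and a bypass-list entry for such an address, on a host that also has public interfaces or acts as a filter) can be checked mechanically before a configuration is committed. The following audit is an added example written for this guide's text; it is not part of HP-UX IPSec and does not parse the real ipsec_config batch-file format. It uses a hypothetical, simplified policy model: each interface is labelled public or private, each host policy has a local destination address, a destination port selector and an action, and an action of PASS with no port restriction is taken to be an "open" (clear-text) policy. The interface addresses, policy names and the transform name in the sample data are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    address: str
    zone: str          # "public" or "private" (hypothetical classification)


@dataclass(frozen=True)
class HostPolicy:
    name: str
    destination: str   # local address the policy covers, or "any"
    dst_port: str      # destination port selector, or "any"
    action: str        # "PASS" (clear text), "DISCARD", or an ESP/AH transform name


def is_open(policy: HostPolicy) -> bool:
    """'Open' in the guide's sense: most or all packets to the address pass in
    clear text. Modelled here as a PASS action with no port restriction (assumption)."""
    return policy.action.upper() == "PASS" and policy.dst_port == "any"


def audit(interfaces, policies, bypass_list, firewall_role=False):
    """Return (kind, name, address) findings for open policies and bypass-list
    entries that cover a private address, on a host that also has public
    interfaces or is used as a filter/firewall. Otherwise return no findings."""
    private = {i.address for i in interfaces if i.zone == "private"}
    exposed = firewall_role or any(i.zone == "public" for i in interfaces)
    findings = []
    if not exposed:
        return findings
    for p in policies:
        if not is_open(p):
            continue
        # An open policy with destination "any" covers every private address too.
        targets = sorted(private) if p.destination == "any" else [p.destination]
        for addr in targets:
            if addr in private:
                findings.append(("open_policy", p.name, addr))
    for addr in bypass_list:
        # Per the guide, a bypass-list entry has the same effect as an open policy.
        if addr in private:
            findings.append(("bypass", addr, addr))
    return findings


# Constructed sample: dual-homed host with one public NIC and one private NIC.
SAMPLE_INTERFACES = [Interface("192.0.2.10", "public"), Interface("10.0.0.5", "private")]
SAMPLE_POLICIES = [
    HostPolicy("https_in", "192.0.2.10", "443", "ESP_AES128_HMAC_SHA1"),  # protected
    HostPolicy("ntp_in", "192.0.2.10", "123", "PASS"),      # narrow PASS, not "open"
    HostPolicy("private_open", "10.0.0.5", "any", "PASS"),  # what the guide warns against
]
SAMPLE_BYPASS = ["127.0.0.1", "10.0.0.5"]


def sample_findings():
    return audit(SAMPLE_INTERFACES, SAMPLE_POLICIES, SAMPLE_BYPASS)


if __name__ == "__main__":
    for kind, name, addr in sample_findings():
        print(f"{kind}: {name} exposes {addr} in clear text on a host with public interfaces")
```

The audit deliberately stays silent when the host has only private interfaces and is not acting as a filter, matching the scope of the recommendation above; the `firewall_role` flag covers the second case the guide names. A narrow PASS policy for a single port is not reported, because the guide's concern is policies that let most or all traffic to the address through in clear text.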
Maximizing security 57