HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Strong end system model
To maximize security when using open policies or the bypass list, HP recommends that you enable
the strong end system (ES) model, which is described in RFC 1122. When the strong ES model is
enabled, a system cannot act as an IP router. A system with the strong ES model enabled silently
drops incoming IP packets whose destination IP address does not match the address of the
interface on which they arrive. The source IP address of an outbound packet must match the
address of the interface used to transmit the packet.
To enable the strong ES model, use the ndd utility. For example, the following ndd command
enables the strong ES model until the system is shut down or restarted:
ndd -set /dev/ip ip_strong_es_model 1
You can also enable the strong ES model at system startup time by editing the
/etc/rc.config.d/nddconf file. See ndd(1M) for more information.
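As an added example that is not part of this guide, the following POSIX shell functions audit an nddconf-style file for the boot-time strong ES model entry and append one when it is missing. They assume the indexed TRANSPORT_NAME[n] / NDD_NAME[n] / NDD_VALUE[n] layout of /etc/rc.config.d/nddconf; the file contents used to exercise them are constructed.

```shell
#!/bin/sh
# Added example, not part of the HP-UX IPSec guide. Assumes the nddconf
# layout of indexed TRANSPORT_NAME[n] / NDD_NAME[n] / NDD_VALUE[n] triples.

# strong_es_state FILE: print the boot-time value configured for the "ip"
# transport's ip_strong_es_model tunable (nothing if no entry exists).
# When several entries exist, the one with the highest index is reported.
strong_es_state() {
    awk -F'[]=[]' '
        $1 == "TRANSPORT_NAME" { t[$2] = $4 }
        $1 == "NDD_NAME"       { n[$2] = $4 }
        $1 == "NDD_VALUE"      { v[$2] = $4 }
        END {
            best = -1
            for (i in n)
                if (t[i] == "ip" && n[i] == "ip_strong_es_model" && i + 0 > best)
                    best = i + 0
            if (best >= 0) print v[best]
        }' "$1"
}

# strong_es_enabled FILE: succeed only if the file enables the strong ES model.
strong_es_enabled() {
    [ "$(strong_es_state "$1")" = "1" ]
}

# next_ndd_index FILE: print the first index above all indices already used.
next_ndd_index() {
    awk -F'[]=[]' '
        /^(TRANSPORT_NAME|NDD_NAME|NDD_VALUE)\[/ { if ($2 + 0 >= m) m = $2 + 1 }
        END { print m + 0 }' "$1"
}

# ensure_strong_es FILE: append an enabling triple when no entry exists.
# An explicit conflicting value (e.g. 0) is left alone and reported by a
# non-zero exit so the administrator reviews it rather than having it
# silently overridden.
ensure_strong_es() {
    case "$(strong_es_state "$1")" in
        1)  return 0 ;;
        "") i=$(next_ndd_index "$1")
            printf 'TRANSPORT_NAME[%s]=ip\nNDD_NAME[%s]=ip_strong_es_model\nNDD_VALUE[%s]=1\n' \
                "$i" "$i" "$i" >> "$1" ;;
        *)  return 1 ;;
    esac
}
```

Run ensure_strong_es against a copy of nddconf first and diff the result before touching the live file; the runtime setting still needs the ndd -set command shown above until the next boot.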
Using ipsec_config
The ipsec_config utility adds, deletes and displays HP-UX IPSec configuration objects stored
in the configuration database, /var/adm/ipsec/config.db. If HP-UX IPSec is active and
running, ipsec_config also adds and deletes configuration information in the runtime
configuration database. The ipsec_config utility supports the following commands:
• ipsec_config add
• ipsec_config batch
• ipsec_config delete
• ipsec_config show
General syntax information
Argument delimiters
Separate arguments with white space (blanks, tabs, or newlines).
Line continuation character (\)
Use a backslash (\) line continuation character to continue command input on multiple lines.
ipsec_config add command
The ipsec_config add command adds objects to the configuration database. For example,
the following command adds a host IPsec policy to the configuration database.
ipsec_config add host my_host_policy -source 10.1.1.1 \
-destination 10.0.0.0/8/TELNET -pri 100 \
-action ESP_AES128_HMAC_SHA1
ipsec_config batch command
The ipsec_config batch command allows you to use ipsec_config in batch mode. In
batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows
administrators to add and delete multiple configuration objects in one operation. This is useful if
you are adding or deleting configuration records that affect other operations.
HP recommends that you use a batch file to add configuration information. A batch file provides
a permanent record of the configuration data and can be used to re-create the configuration
database.
58 Configuring HP-UX IPSec