HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

delete an IKE policy, any existing IKE SAs remain established, but no new IKE SAs can be
established for the policy.
nocommit argument
The nocommit argument validates entries but does not update the configuration and runtime
cache. The nocommit argument is illegal inside batch files (you cannot specify the nocommit
argument as part of a statement inside a batch file). You can specify the nocommit argument as
part of the ipsec_config batch command line and ipsec_config will apply it to all entries
in the batch file. See the ipsec_config_add(1M) manpage for more information.
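Because nocommit is rejected inside a batch file but accepted on the ipsec_config batch command line, a pre-check that scans the batch file for that token before running ipsec_config catches the mistake before any configuration change is attempted. The function below is an added example, not part of this guide or the HP-UX tooling; it assumes one statement per line with "#" starting a comment, which is an assumption about the batch file layout, not something stated by the manpage.

```shell
# check_batch_nocommit FILE
# Returns 0 if no statement in FILE carries the nocommit token,
# 1 if any statement does (each offender is reported on stderr).
# Assumptions (not from the guide): one ipsec_config statement per
# line, and '#' begins a comment that runs to the end of the line.
check_batch_nocommit() {
    file="$1"
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop any trailing comment so 'nocommit' in a comment is ignored.
        stmt="${line%%#*}"
        # Compare whole tokens only, so a name containing the substring
        # (for example a policy called nocommit_test) is not flagged.
        for tok in $stmt; do
            if [ "$tok" = "nocommit" ]; then
                echo "$file:$lineno: nocommit is not allowed inside a batch file;" \
                     "pass it on the ipsec_config batch command line instead" >&2
                status=1
            fi
        done
    done < "$file"
    return $status
}

# Usage (the batch file contents are placeholders, not real statements):
#   printf 'add host EXAMPLE_POLICY\n' > batch.txt
#   check_batch_nocommit batch.txt && ipsec_config batch batch.txt nocommit
```

The order of the batch file name and nocommit on the ipsec_config batch command line in the usage comment is an assumption; check ipsec_config_add(1M) for the exact syntax.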
Configuration overview
There are eight main configuration components:
Host IPsec policies
Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the local
system as an end host. A host IPsec policy contains address specifications used to select the
host IPsec policy for a packet. A host IPsec policy also specifies the HP-UX IPSec behavior
(action) for packets using the policy: pass the packets in clear text, discard the packets, or
apply an IPsec transform (AH or ESP) to the packets.
Tunnel IPsec policies
Tunnel IPsec policies specify the behavior for tunnel endpoints. If the local system is an end
host in an end-to-end tunnel (host-to-host tunnel) topology, or the end host in a host-to-gateway
tunnel topology, you must configure tunnel IPsec policies. If the local system is only an end
host with no IPsec tunneling, do not configure tunnel IPsec policies.
IKE authentication records
IKE Authentication records contain information that IKE uses to authenticate identities with the
remote system, including local and remote ID values, authentication method (preshared key
or RSA signature with certificates), and preshared keys, if preshared key authentication is
used. IKE authentication records also specify the IKE version (IKEv1 or IKEv2) to use with the
remote system. If IKEv1 is used, the authentication record also specifies the exchange mode
(Main Mode or Aggressive Mode).
IKEv1 policies
IKEv1 policies define the parameters used when negotiating an IKEv1 Security Association
(SA). IPsec uses IKE SAs to negotiate IPsec SAs; an IKE SA must exist with a remote system
before IPsec can negotiate IPsec SAs.
IKEv2 policies
IKEv2 policies define the parameters used when negotiating an IKEv2 Security Association
(SA).
Security certificates
You can use security certificates with RSA signatures for IKE authentication (also referred to
as primary authentication) instead of preshared keys.
Bypass list
The bypass list specifies the local IP addresses that IPsec will bypass or ignore. The system
will not attempt to find an IPsec policy for packets sent or received using an IP address in the
bypass list, and will process these packets as if HP-UX IPSec was not enabled.