HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Traffic to and from addresses in the bypass list is passed in clear text without IPsec processing,
which improves transmission rates for those addresses. The bypass list is useful in topologies
where most of the network traffic passes in clear text and only specific traffic must be secured
by IPsec.
• Start-up options
The start-up options allow you to configure HP-UX IPSec to start automatically at system boot-up
time and to specify general operating parameters.
HP-UX IPSec also supports gateway IPsec policies when used with HP-UX Mobile IPv6. See “Using
Manual Keys” (page 190) for more information on using gateway IPsec policies.
Although you can configure the above components in any order, HP recommends that you use the
following procedure to configure IPsec:
1. Configure host IPsec policies.
See “Step 1: Configuring host IPsec policies” (page 63) for a description of this step.
2. Configure tunnel IPsec policies.
See “Step 2: Configuring tunnel IPsec policies” (page 72) for a description of this step. Skip
this step if the local system is not a tunnel endpoint.
3. Configure authentication records. If you are using preshared key authentication, the
authentication records also specify the preshared key values.
See “Step 3: Configuring authentication records and preshared keys” (page 77) for a
description of this step. Skip this step if the local system uses only manual keys for IPsec.
4. Modify the default IKEv2 or IKEv1 policy, if needed.
See “Step 4: Configuring IKEv1 and IKEv2 Policies” (page 86) for a description of this step.
Skip this step if the local system uses only manual keys for IPsec. You can also skip this step
if the default IKEv2 or IKEv1 parameters meet your requirements.
5. Configure security certificates, if you are using RSA signatures for IKE authentication.
See Chapter 5: “Using Certificates with HP-UX IPSec” (page 100) for a description of this step.
6. Configure the bypass list of local IP addresses (optional).
See “Step 6: Configuring the Bypass List (Local IP Addresses)” (page 94) for a description of
this step.
7. Verify the batch file.
HP recommends that you use an ipsec_config batch file to add configuration information,
and that you use the ipsec_config batch command with the nocommit option to verify
the contents of the batch file before committing the batch file operations to the database file.
See “Step 7: Verifying the Batch File Syntax” (page 96) for a description of this step.
8. Commit the batch file operations to the database and start HP-UX IPSec to verify operation.
After you have verified the contents of the batch file, commit the batch file operations to the
configuration database file. Start HP-UX IPSec and verify operation. See “Step 8: Committing
the Batch File Configuration and Verifying Operation” (page 96) for a description of this step.
9. Configure HP-UX IPSec to start automatically at system boot-up time (optional).
See “Step 9: Configuring HP-UX IPSec to Start Automatically” (page 98) for a description of
this step.
10. Back up the ipsec_config batch file and the configuration database.
See “Step 10: Creating Backup Copies of the Configuration Files” (page 99) for a description
of this step.
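Steps 7 through 10 above are the part of the procedure that is easy to get wrong in the field: committing a batch file that was never checked, or starting IPsec before the database was backed up. The following POSIX shell wrapper is an added example and is not a script from the HP-UX IPSec guide or from HP. It assumes the command forms ipsec_config batch <file> nocommit, ipsec_config batch <file> and ipsec_admin -start as documented in the HP-UX man pages (verify them against ipsec_config(1M) and ipsec_admin(1M) on your system), and it uses a placeholder for the configuration database path because the guide does not give it here. The batch file itself is treated as opaque: the wrapper only refuses to hand an empty or unreadable file to ipsec_config.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): walks steps 7-10 of the
# configuration procedure -- verify the batch file with "nocommit", commit it,
# start HP-UX IPSec, then back up the batch file and the configuration database.
#
# ASSUMPTIONS: the command syntax "ipsec_config batch <file> [nocommit]" and
# "ipsec_admin -start" is taken from the HP-UX man pages; the database path
# below is a PLACEHOLDER and must be replaced with the real one (or set IPSEC_DB).

# Step 7: syntax-check the batch file without committing it. Returns
# ipsec_config's exit status so the caller can stop before the database is touched.
verify_batch() {
    batch_file=$1
    if [ ! -s "$batch_file" ]; then
        echo "verify_batch: $batch_file is missing or empty" >&2
        return 2
    fi
    ipsec_config batch "$batch_file" nocommit
}

# Step 8: commit only after verification succeeded, then start HP-UX IPSec.
commit_and_start() {
    batch_file=$1
    verify_batch "$batch_file" || return $?
    ipsec_config batch "$batch_file" || return $?
    ipsec_admin -start
}

# Step 10: timestamped copies of the batch file and the configuration database.
# Prints the number of files written so the caller can confirm both were saved.
backup_config() {
    batch_file=$1
    backup_dir=$2
    db_file=${IPSEC_DB:-/PLACEHOLDER/path/to/ipsec/config_database}
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$backup_dir" || return 1
    cp -p "$batch_file" "$backup_dir/$(basename "$batch_file").$stamp" || return 1
    if [ -r "$db_file" ]; then
        cp -p "$db_file" "$backup_dir/$(basename "$db_file").$stamp" || return 1
    else
        echo "backup_config: database $db_file not readable, skipped" >&2
    fi
    ls "$backup_dir"/*."$stamp" | wc -l | tr -d ' '
}

# Usage: ./ipsec_apply.sh --run /path/to/batch_file [/path/to/backup_dir]
if [ "${1:-}" = "--run" ]; then
    commit_and_start "$2" && backup_config "$2" "${3:-/var/tmp/ipsec_backup}"
fi
```

The ordering is the point: commit_and_start never reaches the commit when the nocommit pass fails, and backup_config is run only after a successful start, so the saved copies always correspond to a configuration that was actually loaded.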
62 Configuring HP-UX IPSec