HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

[-protocol protocol_id] [-priority priority_number]
[-action PASS|DISCARD|transform_list] [-flags flags]
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an
add host operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add host host_policy_name
[-source ip_addr[/prefix[/port_number|service_name]]]
[-destination ip_addr[/[prefix[/port_number|service_name]]]
[-protocol protocol_id] [-priority priority_number]
[-action PASS|DISCARD|transform_list] [-flags flags]
The complete ipsec_config add host syntax specification also allows you to specify the
following arguments:
nocommit (verify the syntax but do not commit the information to the database)
profile (alternate profile file)
in and out (inbound and outbound SA information for manual keys)
dst_icmp_type and src_icmp_type (destination and source ICMPv4 type values)
dst_icmpv6_type and src_icmpv6_type (destination and source ICMPv6 type values)
dst_mh_type and src_mh_type (destination and source IPv6 Mobility Header type values)
See the ipsec_config_add(1M) manpage for complete syntax information.
host_policy_name
The host_policy_name is the user-defined name for the host IPsec policy. This name must be
unique for each host IPsec policy and is case-sensitive.
Valid Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen
(-), or underscore (_).
The name default is reserved. See default Host IPsec policy (page 63) for more information.
-source and -destination addresses and ports
HP-UX IPSec uses the ip_addr, prefix, and port_number or service_name together with the
protocol argument to form address filters. HP-UX IPSec uses the address filters to select an IPsec
policy for a packet.
TIP: For host policies, the source address is the local address and the destination address is the
remote address.
Specify a local IP address for the source ip_addr. For an outbound packet, HP-UX IPSec compares
the source address filters with the source address fields in the packet, and the destination address
filters with the destination address fields in the packet. For an inbound packet, HP-UX IPSec compares
the source address filter with the destination address fields in the packet, and the destination
address filter with the source address fields in the packet.
You can repeat the -source and -destination arguments up to 20 times each to specify
multiple filters. HP-UX IPSec will select a policy for a packet if any of the filters matches the packet.
For more information about how HP-UX IPSec uses the address and port specifications when
negotiating IPsec SAs, see “IPsec SA Packet Descriptors” (page 161).
Default: If you do not specify ip_addr, prefix, and port_number or service_name,
ipsec_config uses the value of the source or destination parameter in the
HostPolicy-Defaults section of the profile file used. The default value for source and destination
is 0.0.0.0/0/0 (match any IPv4 address, any port) in /var/adm/ipsec/.ipsec_profile.
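To make the direction rule concrete, the following Python model (an added example, not HP-UX IPSec code) parses -source/-destination filter specifications and applies the outbound/inbound comparison described above. The policy names, addresses and packets are constructed; the protocol value is assumed to be a numeric protocol_id, and service names are not resolved.

```python
import ipaddress
import re

# host_policy_name: 1-63 ASCII alphanumerics, '-' or '_'; "default" is reserved (case-sensitive).
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

def valid_policy_name(name):
    return bool(_NAME_RE.match(name)) and name != "default"

def parse_filter(spec="0.0.0.0/0/0"):
    """Parse ip_addr[/prefix[/port_number]]. A missing prefix means a host address;
    port 0 means any port. Service names are not resolved in this model."""
    parts = spec.split("/")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad filter: {spec}")
    addr = ipaddress.ip_address(parts[0])
    prefix = int(parts[1]) if len(parts) > 1 else addr.max_prefixlen
    port = int(parts[2]) if len(parts) > 2 else 0
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), port

def _addr_match(filt, ip, port):
    net, fport = filt
    ip = ipaddress.ip_address(ip)
    return ip.version == net.version and ip in net and fport in (0, port)

def make_policy(name, source=("0.0.0.0/0/0",), destination=("0.0.0.0/0/0",), protocol=None):
    """Build a host policy, enforcing the name rules and the 20-filter limit per argument."""
    if not valid_policy_name(name):
        raise ValueError(f"invalid host_policy_name: {name!r}")
    if len(source) > 20 or len(destination) > 20:
        raise ValueError("at most 20 -source and 20 -destination filters")
    return {"name": name, "source": [parse_filter(s) for s in source],
            "destination": [parse_filter(d) for d in destination], "protocol": protocol}

def policy_selects(policy, pkt, direction):
    """Outbound: -source filters vs packet source, -destination filters vs packet destination.
    Inbound: the comparison is swapped, because -source always names the local host."""
    if direction == "out":
        local, remote = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    elif direction == "in":
        local, remote = (pkt["dst"], pkt["dport"]), (pkt["src"], pkt["sport"])
    else:
        raise ValueError(f"direction must be 'in' or 'out': {direction!r}")
    proto_ok = policy["protocol"] in (None, pkt["proto"])
    return (proto_ok
            and any(_addr_match(f, *local) for f in policy["source"])
            and any(_addr_match(f, *remote) for f in policy["destination"]))

# Constructed example: local host 10.1.1.5 allowed to talk TCP/443 to the remote 10.2.0.0/16 subnet.
WEB = make_policy("web-to-dc_1", source=("10.1.1.5",), destination=("10.2.0.0/16/443",), protocol=6)
```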
64 Configuring HP-UX IPSec