HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Valid actions are:
PASS
Allow packets using this host IPsec policy to pass in clear text with no alteration. The default
host IPsec policy shipped with the product specifies -action PASS.
DISCARD
Discard packets using this host IPsec policy.
transform_list
A list of IPsec AH (Authentication Header) or ESP (Encapsulation Security Payload) transforms.
See “transform_list”.
Default: The value of the action parameter in the HostPolicy-Defaults section of the profile
file used. The default action is DISCARD in /var/adm/ipsec/.ipsec_profile.
transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH
(Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform list specifies
the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the
transform list when negotiating the transform for IPsec Security Associations (SAs) with a remote
system.
The transforms in a host policy transform list are transport transforms. They apply to the
host-to-host SA (end-to-end or transport SA) between the source and destination addresses.
If you are using dynamic keys, the transform list can contain:
A list that contains up to 2 AH transforms
A list that contains up to 25 ESP transforms
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable
and the last transform is the least preferable. At least one transform must match a transform
configured on the remote system.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes]]
Where:
transform_name
The transform_name is one of the following AH (Authentication Header) or ESP (Encapsulation
Security Payload) transform specifications.
TIP: AES256 is the most secure form of encryption, with performance comparable to or better
than 3DES.
Table 5 ipsec_config transforms
Transform Name        Description
AH_MD5                AH, with 128-bit key Hashed Message Authentication Code using RSA Message Digest-5, HMAC-MD5.
AH_SHA1               AH, with 160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1.
ESP_AES128_HMAC_MD5   ESP with 128-bit Advanced Encryption Standard (AES128) CBC, authenticated with HMAC-MD5.
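
Added example (not HP code and not part of this guide): a pre-flight check for a dynamic-key transform list string that applies the format, preference order and count limits described above. It assumes that names beginning with AH_ or ESP_ identify the transform type, that one list does not mix the two types, and that a match with the remote system is decided by transform name alone; the function names, lifetime values and sample lists are constructed for illustration.

```python
import re

# Limits the guide states for dynamic keys.
MAX_TRANSFORMS = {"AH": 2, "ESP": 25}
# transform_name[/lifetime_seconds[/lifetime_kbytes]]
# Assumption: the AH_/ESP_ prefix identifies the transform type.
TRANSFORM_RE = re.compile(
    r"^(?P<name>(?P<proto>AH|ESP)_[A-Z0-9_]+)"
    r"(?:/(?P<secs>\d+)(?:/(?P<kb>\d+))?)?$")


def parse_transform_list(text):
    """Return [(name, lifetime_seconds, lifetime_kbytes)] in preference order.

    Raises ValueError on a malformed entry, on a list that mixes AH and ESP
    (assumed invalid), or on a list longer than the stated limit.
    """
    entries, protos = [], set()
    for raw in text.split(","):
        m = TRANSFORM_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed transform: {raw.strip()!r}")
        secs = int(m["secs"]) if m["secs"] else None
        kb = int(m["kb"]) if m["kb"] else None
        entries.append((m["name"], secs, kb))
        protos.add(m["proto"])
    if len(protos) != 1:
        raise ValueError("list mixes AH and ESP transforms")
    proto = protos.pop()
    if len(entries) > MAX_TRANSFORMS[proto]:
        raise ValueError(f"more than {MAX_TRANSFORMS[proto]} {proto} transforms")
    return entries


def first_common_transform(local, remote):
    """First (most preferred) local transform the remote list also names."""
    # Assumption: lifetimes are ignored when comparing the two lists.
    remote_names = {name for name, _, _ in parse_transform_list(remote)}
    for name, _, _ in parse_transform_list(local):
        if name in remote_names:
            return name
    return None  # no overlap: the two lists share no transform


if __name__ == "__main__":
    # Constructed lists using only transform names from Table 5.
    print(parse_transform_list("AH_SHA1/28800,AH_MD5"))
    print(first_common_transform("AH_SHA1/28800,AH_MD5", "AH_MD5"))
```

A result of None from first_common_transform means the two lists have no transform in common, which is the condition the guide says must not occur.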