HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Table 5 ipsec_config transforms (continued)
Transform Name             Description
ESP_3DES_HMAC_SHA2_512     ESP with triple-DES CBC, three encryption iterations, each with a
                           different 56-bit key (3DES), authenticated with a 512-bit HMAC using
                           Secure Hash Algorithm-2 (HMAC-SHA2)
ESP_NULL_HMAC_SHA2_256     ESP with null encryption, authenticated with a 256-bit HMAC using
                           Secure Hash Algorithm-2 (HMAC-SHA2)
ESP_NULL_HMAC_SHA2_384     ESP with null encryption, authenticated with a 384-bit HMAC using
                           Secure Hash Algorithm-2 (HMAC-SHA2)
ESP_NULL_HMAC_SHA2_512     ESP with null encryption, authenticated with a 512-bit HMAC using
                           Secure Hash Algorithm-2 (HMAC-SHA2)
lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IPsec SA, in seconds. A transform lifetime
can be specified by time (seconds) and by kilobytes transmitted or received. HP-UX IPSec considers
the lifetime to be exceeded if either value is exceeded.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 49,710 days, or about 136 years).
Default: 28,800 (8 hours).
lifetime_kbytes
The lifetime_kbytes is the maximum lifetime for the IPsec SA, measured by kilobytes transmitted
or received. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted
or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded.
Range: 0 (infinite), or 5120 - 4294967294 kilobytes.
Default: 0 (infinite).
CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds
(0) with a finite value for lifetime_kbytes.
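The two lifetime parameters interact in a way that is easy to get wrong, so the following added example (not HP-UX IPSec code, and it does not invoke ipsec_config) models the rules stated above: the documented ranges and defaults, the "exceeded if either value is exceeded" rule, and the cautioned-against combination. The `first_limit` projection assumes a steady traffic rate, which is an illustration device and not something HP-UX IPSec measures.

```python
"""Model of the lifetime_seconds / lifetime_kbytes rules from the guide.

Added example, not HP-UX IPSec code. Ranges, defaults and the "either
limit exceeded" rule come from the text; the steady-rate projection in
first_limit() is an assumption used only to show which limit hits first.
"""

INFINITE = 0                                   # 0 means "no limit" for both parameters
SECONDS_MIN, SECONDS_MAX = 600, 4294967294
KBYTES_MIN, KBYTES_MAX = 5120, 4294967294
DEFAULT_SECONDS, DEFAULT_KBYTES = 28800, 0     # 8 hours, unlimited volume


def validate_lifetimes(lifetime_seconds=DEFAULT_SECONDS, lifetime_kbytes=DEFAULT_KBYTES):
    """Check a transform's lifetime pair against the documented ranges.

    Returns (errors, warnings): errors are values outside the documented
    ranges, warnings are combinations the guide cautions against or that
    leave the SA keys unrotated.
    """
    errors, warnings = [], []
    if lifetime_seconds != INFINITE and not SECONDS_MIN <= lifetime_seconds <= SECONDS_MAX:
        errors.append(f"lifetime_seconds {lifetime_seconds}: must be 0 or {SECONDS_MIN}-{SECONDS_MAX}")
    if lifetime_kbytes != INFINITE and not KBYTES_MIN <= lifetime_kbytes <= KBYTES_MAX:
        errors.append(f"lifetime_kbytes {lifetime_kbytes}: must be 0 or {KBYTES_MIN}-{KBYTES_MAX}")
    if lifetime_seconds == INFINITE and lifetime_kbytes != INFINITE:
        warnings.append("infinite lifetime_seconds with finite lifetime_kbytes (HP cautions against this)")
    if lifetime_seconds == INFINITE and lifetime_kbytes == INFINITE:
        warnings.append("both lifetimes infinite: the SA keys are never rotated")
    return errors, warnings


def sa_expired(age_seconds, kbytes_seen, lifetime_seconds, lifetime_kbytes):
    """The SA lifetime is exceeded when EITHER limit is exceeded; 0 disables a limit."""
    by_time = lifetime_seconds != INFINITE and age_seconds > lifetime_seconds
    by_volume = lifetime_kbytes != INFINITE and kbytes_seen > lifetime_kbytes
    return by_time or by_volume


def first_limit(lifetime_seconds, lifetime_kbytes, rate_kbytes_per_sec):
    """Project which limit an SA reaches first at a steady traffic rate (assumed).

    Returns ("seconds" | "kbytes" | "never", seconds_until_that_limit).
    """
    candidates = []
    if lifetime_seconds != INFINITE:
        candidates.append(("seconds", float(lifetime_seconds)))
    if lifetime_kbytes != INFINITE and rate_kbytes_per_sec > 0:
        candidates.append(("kbytes", lifetime_kbytes / rate_kbytes_per_sec))
    if not candidates:
        return ("never", None)
    return min(candidates, key=lambda c: c[1])


if __name__ == "__main__":
    print(validate_lifetimes())                        # defaults: no errors, no warnings
    print(validate_lifetimes(0, 1_000_000))            # the cautioned-against combination
    print(sa_expired(100, 6000, 28800, 5120))          # volume limit exceeded before time limit
    print(first_limit(28800, KBYTES_MAX, 125_000))     # ~1 Gbit/s: the 8-hour limit hits first
    print(first_limit(28800, KBYTES_MAX, 1_250_000))   # ~10 Gbit/s: the byte limit hits first
```

The projection is the useful part in practice: with the default lifetime_kbytes of 0 only the clock ever rekeys an SA, and even the maximum finite lifetime_kbytes expires before the default 8 hours once sustained throughput is in the 10 Gbit/s range. A finite lifetime_kbytes matters most for the 64-bit-block 3DES transforms in Table 5, where the volume protected by one key, not its age, is the limiting security factor.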
-flags flags
The flags are additional options for this policy. Join multiple flags with a plus sign (+).
Table 6 Host Policy Flags
Flag                  Description
EXCLUSIVE             Specifies session-based keying. Session-based keying uses a different pair
                      of IPsec SAs per connection or session. Only packets with the same source
                      IP address, destination IP address, network protocol, source port, and
                      destination port will use the same IPsec SA. Session-based keying incurs
                      more overhead but provides more security and privacy. If you do not
                      specify session-based keying, all packets using the same IPsec policy to
                      the same remote node will share the same IPsec SA pair and cryptographic
                      keys.
                      You cannot specify the EXCLUSIVE flag if you are using manual keys, or if
                      the action is PASS or DISCARD.
FALLBACK_TO_CLEAR     Specifies that packets selected by this policy can pass in clear text if:
                      • the local system is the initiator in an IKE negotiation and the
                        negotiation fails
                      • the system receives a packet in clear text and there is no existing
                        IPsec SA or kernel policy cache entry for an IPsec SA
                      In both cases, HP-UX IPSec adds an entry to the kernel policy cache to
                      allow subsequent inbound and outbound packets for the five-tuple (defined
                      by source and destination IP addresses, protocol, and source and
                      destination port numbers) to pass in clear text.
                      This feature is useful when configuring host policies for remote subnets
                      where not all nodes in the subnet support IPsec.
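The two flags in Table 6 both hinge on the five-tuple, and the security consequences are easier to see when the selection rules are written out. The following is an added example, not HP-UX IPSec kernel code: it models only what the table states, namely which packets share an SA pair with and without EXCLUSIVE, and when FALLBACK_TO_CLEAR caches a five-tuple for clear-text passage. Addresses, ports and labels are constructed sample data; the direction-independent flow key and the treatment of "an existing IPsec SA" as any SA reachable through the same selector are modelling assumptions.

```python
"""Model of the EXCLUSIVE and FALLBACK_TO_CLEAR host-policy flags (Table 6).

Added example, not HP-UX IPSec code. Addresses and ports are constructed.
Assumptions: a five-tuple is keyed direction-independently so that inbound
and outbound packets of one flow match; "existing SA" means any SA under
the policy's selector (per five-tuple with EXCLUSIVE, per remote node otherwise).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp", ...
    sport: int
    dport: int
    clear: bool = False       # True if the packet arrived without ESP/AH

    def flow_key(self):
        # Direction-independent five-tuple (assumption): sort the two endpoints.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)])) + (self.proto,)


@dataclass
class HostPolicy:
    name: str
    remote: str                                     # remote node this policy covers
    exclusive: bool = False
    fallback_to_clear: bool = False
    sas: dict = field(default_factory=dict)         # selector -> SA pair label
    clear_cache: set = field(default_factory=set)   # flow keys allowed in clear text
    negotiations: int = 0

    def sa_selector(self, pkt):
        # EXCLUSIVE: one SA pair per session (five-tuple).
        # Default: one SA pair per policy and remote node, shared by every session.
        return pkt.flow_key() if self.exclusive else (self.name, self.remote)

    def outbound(self, pkt):
        """Label of the SA pair an outbound packet uses, negotiating one if needed."""
        if pkt.flow_key() in self.clear_cache:
            return "CLEAR"                          # cached fallback entry covers outbound too
        key = self.sa_selector(pkt)
        if key not in self.sas:
            self.negotiations += 1                  # stands in for an IKE negotiation
            self.sas[key] = f"SA-pair-{self.negotiations}"
        return self.sas[key]

    def ike_failed(self, pkt):
        """Local system initiated IKE for this flow and the negotiation failed."""
        if self.fallback_to_clear:
            self.clear_cache.add(pkt.flow_key())
            return "CLEAR"
        return "DISCARD"

    def inbound(self, pkt):
        """Disposition of an inbound packet under this policy."""
        if not pkt.clear:
            return "IPSEC"                          # protected traffic is handled by its SA
        if pkt.flow_key() in self.clear_cache:
            return "CLEAR"
        if self.sa_selector(pkt) in self.sas:
            return "DISCARD"                        # an SA exists: clear text is not accepted
        if self.fallback_to_clear:
            self.clear_cache.add(pkt.flow_key())    # no SA yet: cache the flow as clear
            return "CLEAR"
        return "DISCARD"


def demo():
    local, remote = "10.1.1.1", "10.1.1.2"          # constructed sample addresses
    ssh1 = Packet(local, remote, "tcp", 40001, 22)
    ssh2 = Packet(local, remote, "tcp", 40002, 22)
    https = Packet(local, remote, "tcp", 40003, 443)

    shared = HostPolicy("p1", remote)
    excl = HostPolicy("p1", remote, exclusive=True)
    shared_sas = {shared.outbound(p) for p in (ssh1, ssh2, https)}
    excl_sas = {excl.outbound(p) for p in (ssh1, ssh2, https)}

    # FALLBACK_TO_CLEAR: a clear-text packet arriving before any SA exists is
    # enough to cache its five-tuple, after which replies also go out in clear.
    strict = HostPolicy("p2", remote)
    fb = HostPolicy("p3", remote, fallback_to_clear=True)
    probe = Packet(remote, local, "tcp", 5555, 22, clear=True)
    reply = Packet(local, remote, "tcp", 22, 5555)

    # With an SA already up to that node, the same clear-text packet is discarded.
    fb_with_sa = HostPolicy("p4", remote, fallback_to_clear=True)
    fb_with_sa.outbound(ssh1)

    return {
        "shared_sa_count": len(shared_sas),
        "exclusive_sa_count": len(excl_sas),
        "strict_inbound_clear": strict.inbound(probe),
        "fallback_inbound_clear": fb.inbound(probe),
        "fallback_reply_after": fb.outbound(reply),
        "fallback_with_sa_present": fb_with_sa.inbound(probe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the model makes concrete. EXCLUSIVE turns three sessions to one node into three SA pairs, so the extra overhead is one negotiation per session rather than per node. FALLBACK_TO_CLEAR, as the table states, caches the five-tuple after a single unauthenticated clear-text packet that arrives before an SA exists, and that entry then covers outbound packets as well; this is why the guide scopes the flag to remote subnets where some nodes genuinely cannot run IPsec.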