HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Table 6 Host Policy Flags (continued)
Flag: Description
FALLBACK_TO_CLEAR (continued): The FALLBACK_TO_CLEAR flag is not valid if the action is PASS or DISCARD, or if the policy specifies a tunnel.
WARNING! Using the FALLBACK_TO_CLEAR flag is a security risk. It can allow packets from non-secure nodes to communicate with the local system.
MIPV6: Specifies that this IPsec policy is used for Mobile IPv6 packets. HP-UX IPSec checks the Mobile IPv6 binding cache for routing information. (This flag does not specify or affect any protocol specification for the source or destination address filter used when selecting the IPsec policy for a packet.) You cannot specify the MIPV6 flag with IPv4 addresses in the source and destination arguments. See Appendix F: “Using Manual Keys” (page 190) for more information on configuring HP-UX IPSec with Mobile IPv6.
NONE: No flags.
Default: The value of the flags parameter in the HostPolicy-Defaults section of the profile file used. The default flags value is NONE in /var/adm/ipsec/.ipsec_profile.
Host IPsec policy configuration examples
The following batch file entry configures a host IPsec policy that requires all traffic between 10.1.1.1
(the local system) and 10.5.5.5 to use ESP with AES128 encryption and HMAC SHA-1
authentication:
add host apple_banana -source 10.1.1.1 \
-destination 10.5.5.5 -pri 20 \
-action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy that requires all outbound IPv4 rlogin
sessions (where the local system is an rlogin client) to use ESP with AES128 encryption and HMAC
SHA-1 authentication. The user does not specify the source argument, and the ipsec_config
program uses the default source argument value from the /var/adm/ipsec/.ipsec_profile
file (0.0.0.0/0/0 - the wildcard IPv4 address and any port). The destination argument specifies
the wildcard IPv4 address (0.0.0.0/0) and service name RLOGIN (port 513, protocol TCP).
add host rlogin_out -destination 0.0.0.0/0/RLOGIN \
-pri 100 -action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy that requires telnet requests (where the
local system is the telnet server) from subnet 10.0.0.0 to use ESP with AES128 encryption and
HMAC SHA-1 authentication.
add host telnet_in -source 0.0.0.0/0/TELNET \
-destination 10.0.0.0/8 -pri 120 \
-action ESP_AES128_HMAC_SHA1
The following batch file entry configures a host IPsec policy for an application that listens for
requests on local TCP port 50000. Clients have addresses in the range 10.1.1.0 to 10.1.1.25.
The policy requires all packets connecting to the application to use AH with HMAC SHA-1
authentication.
add host my_app -source 0.0.0.0/0/50000 -destination 10.1.1.0-10.1.1.25 \
-protocol TCP \
-pri 140 -action AH_SHA1
The local system (10.1.1.1) is using an end-to-end tunnel (host-to-host tunnel) with system 10.2.2.2.
The following batch file entry configures a host IPsec policy that references the tunnel policy
my_host_host_tunnel and specifies clear text (no transform) for the transport. See “Tunnel
IPsec policy configuration example” (page 76) for the batch file entry used to configure the tunnel
IPsec policy my_host_host_tunnel.
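The flag constraints in Table 6 are easy to violate in a large batch file. The following Python script, added here as an example and not part of the HP-UX guide or the ipsec_config program, joins the backslash-continued add host lines and reports entries that combine FALLBACK_TO_CLEAR with PASS, DISCARD or a tunnel, or MIPV6 with IPv4 addresses. It assumes that flags are given with a -flags argument as a comma-separated list and that a tunnel policy is referenced with -tunnel.

```python
# Added example, not from the HP-UX guide: lint ipsec_config "add host" entries against two
# Table 6 rules. The -flags/-tunnel argument names and comma-separated flags are assumptions.
import re
import shlex
# Constructed sample: entry 1 is from the guide; entry 2 wrongly pairs FALLBACK_TO_CLEAR with DISCARD.
SAMPLE_BATCH = """\
add host apple_banana -source 10.1.1.1 \\
-destination 10.5.5.5 -pri 20 \\
-action ESP_AES128_HMAC_SHA1
add host bad_fallback -source 10.1.1.1 -destination 10.5.5.5 \\
-pri 30 -action DISCARD -flags FALLBACK_TO_CLEAR
"""

def parse_entries(text):
    """Join backslash-continued lines and turn each 'add host' entry into a dict."""
    text = re.sub(r"\\\n", " ", text)
    entries = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[:2] != ["add", "host"]:
            continue
        entry = {"name": tokens[2]}
        args = tokens[3:]
        for i in range(0, len(args) - 1, 2):       # -option value pairs
            entry[args[i].lstrip("-").lower()] = args[i + 1]
        entries.append(entry)
    return entries

def is_ipv4_filter(value):
    """True for IPv4 filters such as 0.0.0.0/0/RLOGIN or 10.1.1.0-10.1.1.25."""
    return re.match(r"^\d{1,3}(\.\d{1,3}){3}", value) is not None

def check_entry(entry):
    """Return the Table 6 flag violations found in one entry (empty list = OK)."""
    problems = []
    flags = set(entry.get("flags", "NONE").upper().split(","))
    action = entry.get("action", "").upper()
    if "FALLBACK_TO_CLEAR" in flags:
        if action in ("PASS", "DISCARD"):
            problems.append(f"{entry['name']}: FALLBACK_TO_CLEAR with action {action}")
        if "tunnel" in entry:
            problems.append(f"{entry['name']}: FALLBACK_TO_CLEAR with a tunnel policy")
    if "MIPV6" in flags:
        for key in ("source", "destination"):
            if key in entry and is_ipv4_filter(entry[key]):
                problems.append(f"{entry['name']}: MIPV6 with IPv4 {key} {entry[key]}")
    return problems

def lint(text):
    """Check every 'add host' entry in a batch file and return all problems found."""
    return [p for e in parse_entries(text) for p in check_entry(e)]
```

Running lint(SAMPLE_BATCH) reports only the second entry; run it over a real batch file before passing the file to ipsec_config.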
Step 1: Configuring host IPsec policies 71