HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

The priority is 30 to ensure that HP-UX IPSec selects this policy instead of the policies for telnet and
the TCP port 50000 application when the local system is communicating with 10.2.2.2.
add host to_orange -source 10.1.1.1 \
-destination 10.2.2.2 -pri 30 -tunnel my_host_host_tunnel \
-action PASS
You can configure the newly introduced ESP transforms using the -action option of the ipsec_config add host command.
Examples
1. Adding a host policy with ESP transforms with an encryption algorithm 3DES and Authentication
algorithm of HMAC-SHA2-256 for all traffic between 192.6.1.2 and 192.6.1.1.
# ipsec_config add host policy_name -src 192.6.1.2/32/0 \
-dst 192.6.1.1/32/0 -action ESP_3DES_HMAC_SHA2_256
2. Adding a host policy with ESP transforms with an encryption algorithm of AES256 and an
authentication algorithm of HMAC-SHA2-256 for telnet traffic in both directions. Run the following
commands:
On host 192.6.1.2 for incoming telnet requests:
# ipsec_config add host policy_nameAB -src 192.6.1.2/32/TELNET \
-dst 192.6.1.1/32 -action ESP_AES256_HMAC_SHA2_256
On host 192.6.1.2 for outgoing telnet requests:
# ipsec_config add host policy_nameBA -src 192.6.1.2/32 \
-dst 192.6.1.1/32/TELNET -action ESP_AES256_HMAC_SHA2_256
Add similar policies on host 192.6.1.1 by exchanging src and dst.
3. Adding a host policy with ESP transforms with an encryption algorithm of AES256 and an
authentication algorithm of HMAC-SHA1 for all TCP traffic between 192.6.1.2 and
192.6.1.1, using the -protocol option.
On host 192.6.1.2:
# ipsec_config add host policy_name -src 192.6.1.2/32 \
-dst 192.6.1.1/32 -protocol tcp -action ESP_AES256_HMAC_SHA1
Add similar policy on host 192.6.1.1 by exchanging src and dst.
4. Adding a host policy with ESP transforms with an encryption algorithm of AES128 and an
authentication algorithm of HMAC-SHA2-512 for all traffic between 192.6.1.2 and
192.6.1.1, using the -priority option.
# ipsec_config add host policy_name -src 192.6.1.2/32/0 \
-dst 192.6.1.1/32/0 -priority 20 -action ESP_AES128_HMAC_SHA2_512
NOTE: If multiple host policies to the same host exist, the host policy with the lower priority value
takes effect; the smallest number is the highest priority.
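The priority rule above (and the to_orange example earlier, where priority 30 wins over the telnet and port 50000 policies for traffic to 10.2.2.2) can be modelled to check that a set of host policies selects what you expect. This is an added illustration, not HP-UX IPSec code: the selector format addr/prefix/port follows the page (port 0 means any), while the policy names, the packet dictionary and the mapping of TELNET to port 23 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed service-name table for the port field of a selector.
SERVICES = {"TELNET": 23}


def parse_selector(sel):
    """Parse 'addr[/prefix][/port]' into (network, port); port 0 or omitted means any."""
    parts = sel.split("/")
    prefix = int(parts[1]) if len(parts) > 1 else 32
    port_str = parts[2] if len(parts) > 2 else "0"
    port = SERVICES.get(port_str.upper())
    if port is None:
        port = int(port_str)
    return ipaddress.ip_network(f"{parts[0]}/{prefix}", strict=False), port


@dataclass
class HostPolicy:
    name: str
    src: str
    dst: str
    action: str
    priority: int
    protocol: str = "any"


def matches(policy, pkt):
    """pkt is a dict with src, dst, sport, dport and protocol (constructed packet model)."""
    snet, sport = parse_selector(policy.src)
    dnet, dport = parse_selector(policy.dst)
    if ipaddress.ip_address(pkt["src"]) not in snet or ipaddress.ip_address(pkt["dst"]) not in dnet:
        return False
    if (sport and sport != pkt["sport"]) or (dport and dport != pkt["dport"]):
        return False
    return policy.protocol in ("any", pkt["protocol"])


def select_policy(policies, pkt):
    """Return the matching policy with the lowest priority number, i.e. the highest priority."""
    candidates = [p for p in policies if matches(p, pkt)]
    return min(candidates, key=lambda p: p.priority) if candidates else None


# Constructed policy set mirroring the page: to_orange at priority 30 must beat the
# telnet and port 50000 policies (given a larger number here) for traffic to 10.2.2.2.
POLICIES = [
    HostPolicy("to_orange", "10.1.1.1", "10.2.2.2", "PASS", 30),
    HostPolicy("telnet_esp", "10.1.1.1", "10.2.2.0/24/TELNET", "ESP_AES256_HMAC_SHA2_256", 100),
    HostPolicy("app50000_esp", "10.1.1.1", "10.2.2.0/24/50000", "ESP_AES128_HMAC_SHA1", 100, "tcp"),
]
```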
Step 2: Configuring tunnel IPsec policies
Complete this step only if you are using IPsec tunnels. If you are not using IPsec tunnels, skip this
step.
Tunnel IPsec policies specify HP-UX IPSec behavior for IP packets tunneled by the local system. In
an IPsec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPsec packet
with an AH or ESP header. The other tunnel endpoint system processes the AH or ESP header,
decapsulates the packet, and sends the packet to the destination address in the original packet
header.
An HP-UX system can be the end host in an end-to-end tunnel (host-to-host tunnel) topology, or the
end host in a host-to-gateway tunnel topology.