HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
If the system is an HP-UX Mobile IPv6 Home Agent, it can also act as a gateway, but only when
forwarding packets between a Mobile IPv6 client and its Correspondent Node. See “Using Manual
Keys” (page 190) if you are configuring HP-UX IPSec for Mobile IPv6.
Tunnel IPsec policies are referenced in host or gateway IPsec policies. HP-UX IPSec first selects a
host or gateway IPsec policy to use for a packet. If the host or gateway IPsec policy specifies a
tunnel policy name, HP-UX IPSec uses the information in the tunnel IPsec policy to establish an IPsec
tunnel with the tunnel destination.
If the local system is a tunnel endpoint, you must configure tunnel IPsec policies. HP recommends
that you use an ipsec_config batch file to configure tunnel IPsec policies.
ipsec_config add tunnel syntax
If you are not using manual keys, you can use the following ipsec_config add tunnel syntax
in most installations:
ipsec_config add tunnel tunnel_policy_name
[-tsource tunnel_address]
[-tdestination tunnel_address]
[-source ip_addr[/prefix]]
[-destination ip_addr[/prefix]]
[-protocol protocol_id] [-action transform_list]
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an
add tunnel operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add tunnel tunnel_policy_name
[-tsource tunnel_address]
[-tdestination tunnel_address]
[-source ip_addr[/prefix]]
[-destination ip_addr[/prefix]]
[-protocol protocol_id] [-action transform_list]
The complete ipsec_config add tunnel syntax specification also allows you to specify the
following arguments:
• nocommit (verify the syntax but do not commit the information to the database)
• profile (alternate profile file)
• in and out (inbound and outbound SA information for manual keys)
See the ipsec_config_add(1M) manpage for complete syntax information.
tunnel_policy_name
The tunnel_policy_name is the user-defined name for the tunnel IPsec policy. This name must
be unique for each tunnel IPsec policy and is case-sensitive.
Valid Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen
(-), or underscore (_).
-tsource and -tdestination tunnel_address
The tunnel_address is the IP address for the tunnel endpoint. The -tsource tunnel_address
is the local tunnel endpoint; the -tdestination tunnel_address is the remote tunnel
endpoint.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. The IP address type (IPv4 or IPv6) must be the same for all the addresses in the policy.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon
Step 2: Configuring tunnel IPsec policies 73