HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

(::) notation within a specified IPv6 address to denote a number of zeros (0) within an address.
The address must be a unicast address.
Default: If you do not specify a tsource or tdestination option, the field is left empty and
HP-UX IPSec uses the end source or end destination address of the packet as the tunnel endpoint
when it creates the tunnel.
You must specify the tsource and tdestination options if you are using manual keying.
-source and -destination ip_addr [/prefix]
You can repeat the -source and -destination arguments up to 20 times each if you are not
using manual keys. HP-UX IPSec combines the -source and -destination arguments with the
-protocol argument to form traffic selectors for IKEv2, or proxy IDs for IKEv1. For more
information about how HP-UX IPSec uses the address and port specifications when negotiating
IPsec SAs, see “IPsec SA Packet Descriptors” (page 161).
Default: If you do not specify -source or -destination arguments, ipsec_config uses the
value of the source or destination parameter in the TunnelPolicy-Defaults section of the profile
file used. The default value for source and destination is 0.0.0.0/0 (match any IPv4 address)
in /var/adm/ipsec/.ipsec_profile.
Where:
ip_addr
The ip_addr is the source or destination IP address. If you are not using manual keys, you can
also specify an address range with two addresses separated by a dash and no spaces
(ip_addr-ip_addr). The second address in a range must be a higher number than the first. For
example, 10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2,
10.1.1.3.
Valid Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal
notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon
(::) notation within a specified IPv6 address to denote a number of zeros (0) within an address.
The address must be a unicast address.
prefix
The prefix is the prefix length, or the number of leading bits that must match when comparing
the IP address in a packet with the source or destination IP address (ip_addr) in the policy. If the
ip_addr is an address range, the prefix applies to all addresses in the range.
For IPv4 addresses, a prefix length of 32 bits specifies that all bits in the policy address must
match the packet address.
For IPv6 addresses, a prefix length of 128 bits specifies that all bits in the policy address must
match the packet address.
A prefix length of 0 bits matches all addresses.
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys,
prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify
a prefix value if you specify a port or service name as part of the address filter.
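The following Python model of the ip_addr[-ip_addr][/prefix] filter syntax is an added example and is not part of the HP-UX IPSec product or this guide. It applies the rules stated above (address ranges only without manual keys, second address higher than the first, prefix applied to every address in a range, default prefix of 32/128 for a non-zero address and 0 for an all-zeros address, full-length prefix required with manual keys, same IP version for source and destination) so that you can check which packet addresses a given -source or -destination filter would select before loading a policy. The function and class names are the example's own; the port/service rule is not modelled.

```python
"""Model of the ipsec_config address-filter syntax ip_addr[-ip_addr][/prefix].

Added example, not HP-UX code: it reproduces the matching rules the guide
describes (prefix length, address ranges, defaults, manual-key limits) so a
filter can be checked against a packet address offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class AddressFilter:
    lo: Address   # first (or only) address of the filter
    hi: Address   # last address of the range (equal to lo if there is no range)
    prefix: int   # number of leading bits that must match

    @property
    def version(self) -> int:
        return self.lo.version

    def _leading_bits(self, addr: Address) -> int:
        # Keep only the leading `prefix` bits. A prefix of 0 reduces every
        # address to 0, which is the "match any address" case.
        return int(addr) >> (addr.max_prefixlen - self.prefix)

    def matches(self, packet_addr: str) -> bool:
        """True if the packet address matches this filter under the prefix rule."""
        pkt = ipaddress.ip_address(packet_addr)
        if pkt.version != self.version:
            return False
        # The prefix applies to every address in the range, and the range is
        # contiguous, so the matching prefixes are exactly those between the
        # prefix of lo and the prefix of hi (inclusive).
        return self._leading_bits(self.lo) <= self._leading_bits(pkt) <= self._leading_bits(self.hi)


def parse_filter(spec: str, manual_keys: bool = False) -> AddressFilter:
    """Parse 'ip_addr[-ip_addr][/prefix]' and apply the guide's defaults and limits."""
    addr_part, _, prefix_part = spec.partition("/")
    if "-" in addr_part:
        if manual_keys:
            raise ValueError("address ranges are not allowed with manual keys: %s" % spec)
        lo_s, hi_s = addr_part.split("-", 1)      # no spaces are allowed around the dash
        lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        if lo.version != hi.version:
            raise ValueError("both addresses in a range must be the same IP version: %s" % spec)
        if hi <= lo:
            raise ValueError("second address in a range must be higher than the first: %s" % spec)
    else:
        lo = hi = ipaddress.ip_address(addr_part)

    max_len = lo.max_prefixlen                    # 32 for IPv4, 128 for IPv6
    if prefix_part == "":
        # Default: full-length prefix for a non-zero address, 0 (match any) for all-zeros.
        prefix = 0 if int(lo) == 0 and int(hi) == 0 else max_len
    else:
        prefix = int(prefix_part)
        if not 0 <= prefix <= max_len:
            raise ValueError("prefix must be 0-%d: %s" % (max_len, spec))
    if manual_keys and prefix != max_len:
        raise ValueError("manual keys require a prefix of %d: %s" % (max_len, spec))
    return AddressFilter(lo, hi, prefix)


def check_pair(source: str, destination: str, manual_keys: bool = False):
    """Parse a -source/-destination pair; both must be IPv4 or both IPv6."""
    src = parse_filter(source, manual_keys)
    dst = parse_filter(destination, manual_keys)
    if src.version != dst.version:
        raise ValueError("source and destination must both be IPv4 or both be IPv6")
    return src, dst


def is_valid_filter(spec: str, manual_keys: bool = False) -> bool:
    """Convenience wrapper: does the filter parse under the given keying mode?"""
    try:
        parse_filter(spec, manual_keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample filters and packet addresses (not from a real policy file).
    for spec, pkt in [("10.1.1.1-10.1.1.3", "10.1.1.2"), ("10.1.1.1-10.1.1.3/24", "10.1.1.200"),
                      ("0.0.0.0", "192.0.2.7"), ("2001:db8::/32", "2001:db8:1::5")]:
        print("%-22s prefix=%-3d matches %-15s -> %s" % (spec, parse_filter(spec).prefix, pkt, parse_filter(spec).matches(pkt)))
```

Note the range-plus-prefix case: because the /24 prefix is applied to every address in 10.1.1.1-10.1.1.3, the filter selects the whole 10.1.1.0/24 block, not just the three listed hosts. The same prefix-based comparison is what makes 0.0.0.0 (default prefix 0) match every IPv4 address.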
-protocol protocol_id
The protocol_id is the number or name of the upper-layer protocol that HP-UX IPSec uses, together with the
address filter, to select an IPsec policy for a packet.
74 Configuring HP-UX IPSec