HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile
Prefix Solicitation, and Mobile Prefix Advertisement.
To ensure proper operation of IPv6 networks, HP-UX IPSec always allows all ICMPv6 messages
not listed above to pass in clear text.
Valid Values: An integer from 0 (any protocol) to 255, or one of the following protocol names:
TCP
UDP
ICMP
ICMPV6
IGMP
MH (Mobile IPv6 Mobility Headers)
ALL (any protocol)
The protocols ICMP and IGMP are valid with IPv4 addresses only. The protocols ICMPV6 and MH
are valid with IPv6 addresses only.
Default: ALL.
NOTE: The protocol value must be ALL or 0 if the corresponding host policy (the host policy that
references this tunnel policy) uses a transform (that is, the host policy action is not PASS).
ICMPv4 messages
If protocol_id is ICMP or ALL, the policy applies to all ICMPv4 message types by default. You
can specify ICMPv4 message type values for end-to-end packets using the -dst_icmp_type and
-src_icmp_type arguments.
CAUTION: Discarding or requiring ICMP messages for IPv4 (protocol value 1) to be encrypted
or authenticated may cause connectivity problems.
For more information, see “ICMPv4 Message Processing” (page 163).
ICMPv6 messages
If protocol_id is ICMPV6 or ALL, the policy applies to only the following ICMPv6 message
types:
• Echo Request
• Echo Reply
• Mobile Prefix Solicitation
• Mobile Prefix Advertisement
To ensure proper operation of IPv6 networks, the default HP-UX IPSec behavior allows all other
ICMPv6 message types to pass in clear text. To discard or secure other ICMPv6 message types in
end-to-end packets, you must explicitly specify the message type value using the
-dst_icmpv6_type and -src_icmpv6_type arguments.
For more information, see “ICMPv6 Message Processing” (page 163).
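As an added example that is not part of this guide and not HP-UX code, the following POSIX shell functions check a planned tunnel policy's protocol value against the rules stated above (the valid names and the 0 to 255 range, the IPv4-only and IPv6-only protocol names, and the ALL or 0 requirement when the referencing host policy uses a transform), and report whether an ICMPv6 message type is already covered by an ICMPV6 policy or must be named explicitly with -src_icmpv6_type or -dst_icmpv6_type. The address family and host policy action are assumed inputs supplied by the caller, the transform name ESP_AES128_HMAC_SHA1 in the usage lines is an assumed placeholder, and the ICMPv6 type numbers (128, 129, 146, 147) come from RFC 4443 and RFC 6275, not from this page.

```shell
#!/bin/sh
# Added example (not HP-UX code): pre-flight check of a tunnel IPsec policy's
# protocol value against the rules in this section, run before ipsec_config.
# Assumed inputs: FAMILY is 4 or 6 (address family of the policy's -src/-dst),
# HOST_ACTION is the -action of the host policy that references this tunnel policy.

upper() { printf '%s' "$1" | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; }

# check_tunnel_protocol PROTO FAMILY HOST_ACTION
# Returns 0 if the combination is allowed, 1 with a reason on stderr otherwise.
check_tunnel_protocol() {
  proto=$(upper "$1"); family=$2; host_action=$(upper "$3")

  case $proto in
    ALL|TCP|UDP|ICMP|ICMPV6|IGMP|MH) ;;           # protocol names from the table
    ''|*[!0-9]*)                                   # neither a name nor a number
      echo "protocol '$1' is not a listed name or a number" >&2; return 1 ;;
    *)                                             # numeric form: 0 (any) to 255
      [ "$proto" -le 255 ] || { echo "protocol number $proto exceeds 255" >&2; return 1; } ;;
  esac

  case $family in
    4|6) ;;
    *) echo "address family must be 4 or 6, got '$family'" >&2; return 1 ;;
  esac

  # ICMP and IGMP are IPv4-only; ICMPV6 and MH are IPv6-only
  case $proto in
    ICMP|IGMP) [ "$family" = 4 ] || { echo "$proto is valid with IPv4 addresses only" >&2; return 1; } ;;
    ICMPV6|MH) [ "$family" = 6 ] || { echo "$proto is valid with IPv6 addresses only" >&2; return 1; } ;;
  esac

  # A transform in the referencing host policy (action other than PASS)
  # requires the tunnel policy protocol to be ALL or 0.
  if [ "$host_action" != PASS ]; then
    case $proto in
      ALL|0) ;;
      *) echo "host policy action '$3' is a transform: protocol must be ALL or 0, got '$1'" >&2; return 1 ;;
    esac
  fi
  return 0
}

# icmpv6_secured_by_default TYPE_NUMBER
# Returns 0 if a policy with protocol ICMPV6 (or ALL) and no explicit
# -src_icmpv6_type/-dst_icmpv6_type already applies to this type: Echo Request
# (128), Echo Reply (129), Mobile Prefix Solicitation (146), Mobile Prefix
# Advertisement (147). Returns 1 for every other type, which passes in clear
# text unless listed explicitly. Numbers are from RFC 4443 / RFC 6275 (assumed).
icmpv6_secured_by_default() {
  case $1 in
    128|129|146|147) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: a TCP-only tunnel policy under a host policy that applies a transform
# is rejected; Neighbor Solicitation (135) is not covered by an ICMPV6 policy.
check_tunnel_protocol TCP 4 ESP_AES128_HMAC_SHA1 || echo "rejected: fix the policy before running ipsec_config"
check_tunnel_protocol ALL 4 ESP_AES128_HMAC_SHA1 && echo "accepted: ALL with a transform in the host policy"
icmpv6_secured_by_default 135 || echo "type 135 needs an explicit -src_icmpv6_type/-dst_icmpv6_type"
```

Run the checker over each tunnel policy you intend to add; a non-zero exit with the printed reason tells you which of the three rules the policy breaks before ipsec_config rejects it or, worse, accepts a policy whose ICMPv6 coverage is narrower than you expected.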
-action transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH
(Authentication Header) and ESP (Encapsulating Security Payload) headers. A transform list specifies
the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the
transform list when negotiating the transform for IPsec Security Associations (SAs) with a remote
system.
Step 2: Configuring tunnel IPsec policies 75