HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
The transform_list in a tunnel policy is the list of tunnel transforms applied to packets encapsulated
between the tunnel endpoints.
If you are using dynamic keys, the transform list can contain:
• A list that contains up to 2 AH transforms.
• A list that contains up to 25 ESP transforms.
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable
and the last transform is the least preferable. At least one transform must match a transform
configured on the remote system.
The format for each transform is:
transform_name[/lifetime_seconds[/lifetime_kbytes ]]
Where:
transform_name
A transform_name is a valid AH (Authentication Header) or ESP (Encapsulation Security Payload)
transform name, as specified in Table 5: “ipsec_config transforms” (page 68).
Default: The transform defined for the action parameter in the TunnelPolicy-Defaults section of the
profile file used. The default action is ESP_AES128_HMAC_SHA1 in /var/adm/ipsec/.ipsec_profile.
TIP: AES256 is the most secure form of encryption, with performance comparable to or better
than 3DES.
lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IPsec SA, in seconds. A transform lifetime
can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers
the lifetime to be exceeded if either value is exceeded.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The lifetime_kbytes is the maximum lifetime for the IPsec SA, measured by kilobytes transmitted
or received. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted
or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded.
Range: 0 (infinite), or 5120 - 4294967294 kilobytes.
Default: 0 (infinite).
CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds
(0) with a finite value for lifetime_kbytes.
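As an added illustration (not part of the guide or of the ipsec_config tool), the following Python validator applies the transform_list rules above: the transform_name[/lifetime_seconds[/lifetime_kbytes]] format, the limits of 2 AH and 25 ESP transforms, the lifetime ranges and defaults, the rule that an SA lifetime is exceeded when either finite limit is exceeded, and the CAUTION about an infinite lifetime_seconds combined with a finite lifetime_kbytes. It assumes AH transform names begin with AH_ and ESP names with ESP_ (Table 5 is not reproduced here); any transform name other than ESP_AES128_HMAC_SHA1 used with it is a constructed placeholder.

```python
import re

# Limits and defaults taken from the transform_list description in the guide.
MAX_AH, MAX_ESP = 2, 25
SEC_MIN, KB_MIN, LIFETIME_MAX = 600, 5120, 4294967294
DEFAULT_SECONDS, DEFAULT_KBYTES = 28800, 0     # 8 hours; 0 = infinite

# Assumption: AH names start with "AH_" and ESP names with "ESP_".
# The real list of valid names lives in Table 5 of the guide.
NAME_RE = re.compile(r"(AH|ESP)_[A-Z0-9_]+")


def parse_transform(spec):
    """Parse one transform_name[/lifetime_seconds[/lifetime_kbytes]] entry."""
    parts = spec.strip().split("/")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"malformed transform: {spec!r}")
    name = parts[0]
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"not an AH/ESP transform name: {name!r}")
    seconds = int(parts[1]) if len(parts) > 1 else DEFAULT_SECONDS
    kbytes = int(parts[2]) if len(parts) > 2 else DEFAULT_KBYTES
    # 0 means infinite for both values; otherwise each has its own lower bound.
    if seconds != 0 and not SEC_MIN <= seconds <= LIFETIME_MAX:
        raise ValueError(f"lifetime_seconds out of range: {seconds}")
    if kbytes != 0 and not KB_MIN <= kbytes <= LIFETIME_MAX:
        raise ValueError(f"lifetime_kbytes out of range: {kbytes}")
    return {"name": name, "proto": name.split("_", 1)[0],
            "seconds": seconds, "kbytes": kbytes}


def validate_transform_list(text):
    """Validate a comma-separated list; return (transforms in preference order, warnings)."""
    transforms = [parse_transform(s) for s in text.split(",")]
    n_ah = sum(t["proto"] == "AH" for t in transforms)
    n_esp = len(transforms) - n_ah
    if n_ah > MAX_AH or n_esp > MAX_ESP:
        raise ValueError(f"too many transforms: {n_ah} AH, {n_esp} ESP")
    # The guide's CAUTION: infinite time lifetime with a finite byte lifetime.
    warnings = [f"{t['name']}: infinite lifetime_seconds with finite lifetime_kbytes"
                for t in transforms if t["seconds"] == 0 and t["kbytes"] != 0]
    return transforms, warnings


def lifetime_exceeded(t, elapsed_seconds, kbytes_transferred):
    """The SA lifetime is exceeded if either finite limit is exceeded (0 = infinite)."""
    by_time = t["seconds"] != 0 and elapsed_seconds > t["seconds"]
    by_bytes = t["kbytes"] != 0 and kbytes_transferred > t["kbytes"]
    return by_time or by_bytes
```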
Tunnel IPsec policy configuration example
This example corresponds to the example host policy that specifies a tunnel policy in “Host IPsec
policy configuration examples” (page 71). The local system (10.1.1.1) is using an end-to-end tunnel
(host-to-host tunnel) with system 10.2.2.2. The following batch file entry configures the tunnel to
use ESP with AES128 encryption and HMAC SHA-1 authentication.
ipsec_config add tunnel my_host_host_tunnel \
-tsource 10.1.1.1 -tdestination 10.2.2.2 \
-source 10.1.1.1 -destination 10.2.2.2 \
-action ESP_AES128_HMAC_SHA1
76 Configuring HP-UX IPSec