HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys,
prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address,
or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).
Subnet Addresses
You can use a subnet address in an authentication record with a specific remote ID or with a
subtree or address range remote ID. A subtree or address range remote ID matches multiple remote
IDs.
Specifying a subnet address with a specific remote ID is useful when configuring an authentication
record for a remote system that has a dynamically allocated IP address.
Specifying a subnet address with a subtree or address range remote ID enables you to configure
one authentication record for multiple remote systems. The remote systems may or may not use
dynamically allocated IP addresses.
HP recommends that you use subtree and address range remote IDs only when using certificate-based
authentication. Although it is possible to specify a subtree remote ID with a preshared key to
configure one preshared key for multiple remote systems, HP strongly recommends that you do not
do this.
For more information, see “Subtree and Address Range Remote ID Matching” (page 83).
-kmp ike_version
The -kmp argument specifies the IKE key management protocol (KMP) versions used by the IKE
daemon for negotiations.
Valid Values:
IKEV1 Use IKEv1.
IKEV2 Use IKEv2.
IKEV1,IKEV2 Use IKEv1 if the local system is the initiator in an IKE negotiation. Accept IKEv1
or IKEv2 requests if the local system is the responder.
IKEV2,IKEV1 Use IKEv2 if the local system is the initiator in an IKE negotiation. Accept IKEv2
or IKEv1 requests if the local system is the responder.
Default: The value for the kmp parameter in the AUTHPolicy-Defaults section of the profile file used.
The default kmp parameter value is IKEV1 in /var/adm/ipsec/.ipsec_profile.
-exchange AM|MM
Specifies the exchange mode for the IKEv1 Phase 1 negotiation. This must match what is configured
on the remote system.
This argument is valid only if the IKE version is IKEv1 (the -kmp argument value includes IKEV1).
Valid Values: AM (Aggressive Mode) or MM (Main Mode). Aggressive Mode does not provide
identity protection (the IKE peers exchange identity information before establishing a secure channel),
but it is more efficient.
If the remote system is an autoconfiguration client (the AUTOCONF flag is set in the host IPsec policy)
or Mobile IPv6 client (the MIPV6 flag is set in the host IPsec policy), the exchange type must be
AM.
If the remote system is an autoconfiguration client (the AUTOCONF flag is set) and the IKE version
is IKEv1, the exchange type must be AM.
Default: MM (Main Mode).
TIP: Most IKEv1 implementations use Main Mode by default. The IKE protocol specification
requires implementations to support Main Mode; support for Aggressive Mode is optional.
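To make the prefix, -kmp and -exchange rules in this section concrete, the following Python helper is an added example (not part of the HP-UX IPSec product or this guide) that checks an authentication record's values against those rules before it is configured; the addresses used are constructed documentation addresses.

```python
import ipaddress

def default_prefix(ip_addr):
    """Default prefix as documented: the full address length for a non-zero
    address, 0 (match any address) for the all-zeros address 0.0.0.0 / 0::0."""
    addr = ipaddress.ip_address(ip_addr)
    return 0 if int(addr) == 0 else addr.max_prefixlen  # 32 or 128

def check_auth_record(ip_addr, prefix=None, manual_keys=False, kmp="IKEV1",
                      exchange=None, autoconf=False, mipv6=False):
    """Return a list of rule violations for one authentication record.
    An empty list means the record satisfies the constraints above.
    kmp is the -kmp string (e.g. "IKEV2,IKEV1"); exchange is the -exchange
    value or None when it is not given (the guide's default is MM)."""
    problems = []
    addr = ipaddress.ip_address(ip_addr)
    full = addr.max_prefixlen
    if prefix is None:
        prefix = default_prefix(ip_addr)
    if not 0 <= prefix <= full:
        problems.append(f"prefix {prefix} is outside 0-{full} for {ip_addr}")
    elif manual_keys and prefix != full:
        # Manual keys cannot cover a subnet: the prefix must be 32 or 128.
        problems.append(f"manual keys require prefix {full} for {ip_addr}")

    versions = [v.strip().upper() for v in kmp.split(",")]
    if any(v not in ("IKEV1", "IKEV2") for v in versions):
        problems.append(f"unknown -kmp value {kmp!r}")
    uses_ikev1 = "IKEV1" in versions

    if exchange is not None:
        if exchange not in ("AM", "MM"):
            problems.append(f"unknown -exchange value {exchange!r}")
        if not uses_ikev1:
            # -exchange only configures the IKEv1 Phase 1 negotiation.
            problems.append("-exchange is valid only when -kmp includes IKEV1")
    effective_exchange = exchange if exchange is not None else "MM"
    if uses_ikev1 and (autoconf or mipv6) and effective_exchange != "AM":
        problems.append("AUTOCONF and MIPV6 clients require -exchange AM")
    return problems

def initiator_version(kmp):
    """First listed version: the one used when the local system initiates."""
    return kmp.split(",")[0].strip().upper()

if __name__ == "__main__":
    # Constructed sample records (documentation addresses, not real hosts).
    print(check_auth_record("192.0.2.10"))                     # []
    print(check_auth_record("192.0.2.0", prefix=24, manual_keys=True))
```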
Step 3: Configuring authentication records and preshared keys 79