HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Step 4: Configuring IKEv1 and IKEv2 Policies
The IKEv1 and IKEv2 policies specify parameters for negotiating IKEv1 and IKEv2 SAs. An IKE SA
is required to negotiate an IPsec SA pair with dynamic keys. You do not need to configure or
modify IKE policies if you are using manual keys or are using HP-UX IPSec only to discard packets.
Default IKE Policies
The configuration database contains a preloaded default IKEv1 policy and a preloaded default
IKEv2 policy. Each default policy is the last policy in the search order for the IKE policy type.
You cannot delete the default IKE policies, but you can modify the parameters using the
ipsec_config add ikev1 default or ipsec_config add ikev2 default command.
The default IKEv1 policy has the following parameters:
Remote address: None. This argument is not supported for the default policy and the default
policy matches all remote IP addresses.
Diffie-Hellman Group: 2.
IKEv1 hash algorithm: MD5.
IKEv1 encryption algorithm: 3DES.
IKEv1 SA lifetime: 28,800 seconds (8 hours).
PFS: OFF.
The default IKEv2 policy has the following parameters:
Remote address: None. This argument is not supported for the default policy and the default
policy matches all remote IP addresses.
Diffie-Hellman Group: 2.
IKEv2 hash algorithm: HMAC-SHA1.
IKEv2 encryption algorithm: 3DES.
Pseudo-random function (PRF): HMAC-SHA1.
IKEv2 SA lifetime: 28,800 seconds (8 hours).
PFS: OFF.
You do not need to modify the default IKE policies if these parameters meet your requirements.
Note that the default algorithms are weak by current standards: Diffie-Hellman group 2 is
1024-bit MODP, MD5 is no longer considered a secure hash, and 3DES is a 64-bit-block cipher.
Before relying on the defaults, check which stronger algorithms and groups this HP-UX IPSec
release and your peers support, and consider enabling PFS for the IPsec SA keys.
IKE Policy Order and Selection
Before searching for an IKE policy, HP-UX IPSec determines the authentication record for the peer
node. HP-UX IPSec uses the kmp (key management protocol) value in the authentication record to
determine if it will search the IKEv2 or IKEv1 policies. If the local system is the responder in an IKE
negotiation, HP-UX IPSec also checks if the IKE version for the IKE request matches a version
specified in the kmp value.
HP-UX IPSec searches the IKEv2 or IKEv1 policies according to the value of the priority parameter
for each policy and selects the first policy with the IP address and prefix specifications that match
the remote system’s address. If no match is found, HP-UX IPSec uses the default IKEv2 or IKEv1
policy.
Automatic Priority Increment
There are two ways to set the priority of an IKE policy:
Specify the priority argument to explicitly set the priority.
Omit the priority argument and have ipsec_config assign a priority using the automatic
priority increment value so that the new policy is the last policy evaluated before the default
policy.
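The following is an added illustrative model of the policy selection and automatic priority increment described above. It is example code written for this page, not HP-UX IPSec's own implementation: the policy field names, the sample policies, the assumption that a lower priority number is searched first, the modelling of the kmp value as the set of permitted IKE versions, and the increment value of 10 are all assumptions made for the example.

```python
# Added illustrative model of HP-UX IPSec IKE policy selection, written for this
# page; it is not HP-UX IPSec code. The field names, the sample policies, the
# "lower priority number is searched first" rule, the kmp modelling and the
# automatic priority increment value are assumptions made for the example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTO_PRIORITY_INCREMENT = 10  # assumed value; the text gives no number


@dataclass
class IkePolicy:
    name: str
    version: int                  # 1 (IKEv1) or 2 (IKEv2)
    priority: Optional[int]       # lower number searched first; None = assign automatically
    remote: Optional[str]         # "addr/prefix"; None only for the default policy
    group: int = 2
    hash_alg: str = "MD5"
    encryption: str = "3DES"
    lifetime: int = 28800
    pfs: bool = False

    def matches(self, addr: str) -> bool:
        """The default policy matches every address; others match by address/prefix."""
        if self.remote is None:
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.remote, strict=False)


class IkePolicyDb:
    """Holds the IKEv1 and IKEv2 policy lists plus the preloaded, undeletable defaults."""

    def __init__(self) -> None:
        self.policies: Dict[int, List[IkePolicy]] = {1: [], 2: []}
        self.defaults: Dict[int, IkePolicy] = {
            1: IkePolicy("default", 1, None, None),
            2: IkePolicy("default", 2, None, None, hash_alg="HMAC-SHA1"),
        }

    def add(self, policy: IkePolicy) -> IkePolicy:
        if policy.remote is None:
            raise ValueError("remote address is required for a non-default policy")
        if policy.priority is None:
            # automatic increment: the new policy becomes the last one searched before the default
            highest = max((p.priority for p in self.policies[policy.version]), default=0)
            policy.priority = highest + AUTO_PRIORITY_INCREMENT
        self.policies[policy.version].append(policy)
        return policy

    def select(self, version: int, remote_addr: str) -> IkePolicy:
        """First policy, in priority order, whose address/prefix matches; else the default."""
        for policy in sorted(self.policies[version], key=lambda p: p.priority):
            if policy.matches(remote_addr):
                return policy
        return self.defaults[version]


def select_for_peer(db: IkePolicyDb, kmp: Tuple[int, ...], remote_addr: str,
                    requested_version: Optional[int] = None) -> Optional[IkePolicy]:
    """Pick the IKE policy for a peer.

    kmp is the key management protocol value from the peer's authentication record,
    modelled here as the IKE versions it permits (assumption: the first entry is used
    when the local system initiates). requested_version is set when the local system
    is the responder; a request for a version the record does not permit is rejected.
    """
    if requested_version is None:
        version = kmp[0]
    elif requested_version in kmp:
        version = requested_version
    else:
        return None
    return db.select(version, remote_addr)


def demo() -> dict:
    """Constructed scenario: three IKEv2 policies plus the preloaded defaults."""
    db = IkePolicyDb()
    db.add(IkePolicy("subnet", 2, 200, "10.1.0.0/16", group=14, encryption="AES128"))
    # explicit lower priority number: searched before "subnet" although added later
    db.add(IkePolicy("gateway", 2, 100, "10.1.1.1/32", group=14, encryption="AES256", pfs=True))
    auto = db.add(IkePolicy("branch", 2, None, "192.168.5.0/24"))   # priority assigned automatically
    return {
        "auto_priority": auto.priority,
        "gateway": select_for_peer(db, (2,), "10.1.1.1").name,
        "subnet": select_for_peer(db, (2,), "10.1.7.9").name,
        "default": select_for_peer(db, (2,), "172.16.0.5").name,
        "wrong_version": select_for_peer(db, (2,), "10.1.1.1", requested_version=1),
        "v1_default_hash": select_for_peer(db, (1, 2), "10.1.1.1", requested_version=1).hash_alg,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the more specific host policy winning over the subnet policy because of its lower priority number, an unmatched address falling through to the default policy, and a responder-side request for a version the authentication record does not permit being rejected.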
86 Configuring HP-UX IPSec