HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

If you omit the priority argument, ipsec_config assigns a priority value equal to the
current highest priority value (lowest priority) for the appropriate IKE policies (IKEv1 or IKEv2) in
the configuration database, incremented by the automatic priority increment value for the
appropriate IKE policies. The result is that the new policy will be the last IKEv1 or IKEv2 policy
evaluated before the default policy. The automatic priority increment values are specified by
the priority parameter values in the IKEV1Policy-Defaults and IKEV2Policy-Defaults
sections of the profile file. The default is 10 for both values.
If you are configuring the first IKEv1 or IKEv2 policy and do not specify a priority argument,
ipsec_config assigns the automatic priority increment value as the priority.
Syntax
To configure IKEv1 policies, use the ipsec_config add ikev1 command, as described in
“ipsec_config add ikev1 Syntax” (page 87).
To configure IKEv2 policies, use the ipsec_config add ikev2 command, as described in
“ipsec_config add ikev2 Syntax” (page 90).
ipsec_config add ikev1 Syntax
You can use the following ipsec_config add ikev1 syntax in most installations:
ipsec_config add ikev1 ikev1_policy_name
    -remote ip_addr[/prefix]
    [-group group_number]
    [-hash hash_algorithm]
    [-encryption encryption_algorithm]
    [-life lifetime_seconds]
    [-pfs ON|OFF]
    [-priority priority_number]
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify
an add ikev1 operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add ikev1 ikev1_policy_name -remote ip_addr[/prefix]
    [-group group_number]
    [-hash hash_algorithm]
    [-encryption encryption_algorithm]
    [-life lifetime_seconds]
    [-pfs ON|OFF]
    [-priority priority_number]
The complete ipsec_config add ikev1 syntax specification also allows you to specify the
following arguments:
nocommit (verify the syntax but do not commit the information to the database)
profile (alternate profile file)
See the ipsec_config_add(1M) manpage for complete syntax information.
ikev1_policy_name
The ikev1_policy_name is the user-defined name for the IKEv1 policy. This name must be
unique for each IKEv1 policy and is case-sensitive.
Valid Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen
(-), or underscore (_).
The name default is reserved. See “default IKE Policies” (page 86) for more information.
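The following pre-flight check is an added example, not part of the HP guide or of HP-UX IPSec. It applies the policy name rules above and the automatic priority rule described earlier to add ikev1 batch lines, so you can see each policy's evaluation priority before committing. It assumes one operation per line, options given as "-option value" pairs, and lines processed in order; lint_ikev1, BATCH and the existing parameter are hypothetical names.

```python
import re
import shlex

# Page rule: 1-63 ASCII alphanumerics, hyphen or underscore.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,63}")
DEFAULT_INCREMENT = 10  # page: default automatic priority increment

def lint_ikev1(lines, existing=(), increment=DEFAULT_INCREMENT):
    """Return ({policy name: effective priority}, [(line number, finding)]).

    existing: priority values of IKEv1 policies already in the database
    (hypothetical input; this sketch does not query ipsec_config).
    """
    priorities, findings, in_use = {}, [], list(existing)
    for n, line in enumerate(lines, 1):
        tok = shlex.split(line)
        if tok[:2] != ["add", "ikev1"]:
            continue  # other batch operations are out of scope here
        name = tok[2] if len(tok) > 2 else ""
        args = dict(zip(tok[3::2], tok[4::2]))  # assumes "-option value" pairs
        raw = args.get("-priority")
        if not NAME_RE.fullmatch(name):
            findings.append((n, f"invalid policy name {name!r}"))
        elif name == "default":
            findings.append((n, "policy name 'default' is reserved"))
        elif name in priorities:  # names are case-sensitive: exact match only
            findings.append((n, f"duplicate policy name {name!r}"))
        elif "-remote" not in args:
            findings.append((n, f"{name}: -remote is required"))
        elif raw is not None and not raw.isdecimal():
            findings.append((n, f"{name}: -priority must be a number"))
        else:
            if raw is not None:
                prio = int(raw)
            else:
                # Omitted: highest existing value plus the increment, or
                # the increment alone when this is the first policy.
                prio = max(in_use) + increment if in_use else increment
            priorities[name] = prio
            in_use.append(prio)
    return priorities, findings

# Constructed sample batch lines (documentation address ranges).
BATCH = [
    "add ikev1 hq-gw -remote 192.0.2.10 -priority 30",
    "add ikev1 branch_net -remote 198.51.100.0/24 -pfs ON",
    "add ikev1 default -remote 203.0.113.5",
    "add ikev1 bad.name -remote 203.0.113.6",
    "add ikev1 lab -remote 203.0.113.7",
]
```

Because a policy added without -priority is evaluated last before the default policy, reviewing the returned priorities shows whether a broader -remote entry would be evaluated ahead of a more specific one.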
-remote ip_addr[/prefix]
The ip_addr and prefix are the IP address and network prefix length that specify the remote
system or subnet for this policy.
Step 4: Configuring IKEv1 and IKEv2 Policies 87