HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ipsec_config add ikev1 Command Examples
The following batch file entries configure two IKEv1 policies. The first policy (apple) is for a remote
system (10.1.1.1) that uses 3DES for IKE encryption. The second policy (all_others) is for all
other systems in the local network (10.*.*.*), which use AES128-CBC for IKE encryption.
The priority argument is omitted, and the automatic priority increment assigns the second policy
(all_others) a lower priority (higher priority value) than the first policy (apple).
add ikev1 apple -remote 10.1.1.1 -encryption 3DES
add ikev1 all_others -remote 10.0.0.0/8 -encryption AES128-CBC
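The following Python example is added here and is not part of the HP guide. It parses the two batch entries above, assigns priorities in file order, and reports which policy a peer address would select and whether a policy is shadowed by a broader one placed before it. The priority step of 10, selection of the first matching policy in priority order, and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the two batch-file entries from the text above.
BATCH = """\
add ikev1 apple -remote 10.1.1.1 -encryption 3DES
add ikev1 all_others -remote 10.0.0.0/8 -encryption AES128-CBC
"""

def parse_batch(text, step=10):
    """Parse 'add ikev1' entries. Entries without -priority get the next
    value in file order (the step of 10 is an assumption; only order matters)."""
    policies, next_prio = [], step
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", " ").splitlines():
        tok = line.split()
        if tok[:2] != ["add", "ikev1"] or len(tok) < 3:
            continue
        opts = dict(zip(tok[3::2], tok[4::2]))  # "-option value" pairs
        prio = int(opts.get("-priority", next_prio))
        next_prio = prio + step
        policies.append({
            "name": tok[2],
            "remote": ipaddress.ip_network(opts["-remote"], strict=False),
            "encryption": opts.get("-encryption"),
            "priority": prio,
        })
    return sorted(policies, key=lambda p: p["priority"])

def select_policy(policies, peer):
    """Return the first policy, in priority order, whose -remote covers peer."""
    addr = ipaddress.ip_address(peer)
    return next((p for p in policies if addr in p["remote"]), None)

def shadowed(policies):
    """Names of policies that can never be selected because an earlier
    (higher-priority) policy already covers their whole -remote range."""
    out = []
    for i, p in enumerate(policies):
        if any(q["remote"].version == p["remote"].version
               and p["remote"].subnet_of(q["remote"]) for q in policies[:i]):
            out.append(p["name"])
    return out

if __name__ == "__main__":
    pols = parse_batch(BATCH)
    print(select_policy(pols, "10.1.1.1")["name"], shadowed(pols))
```

Reversing the two entries makes all_others the higher-priority policy, so shadowed() reports apple and 10.1.1.1 would negotiate with AES128-CBC instead of 3DES.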
The ipsec_config command is enhanced to support the algorithms newly introduced in HP-UX IPSec
A.03.02.02. You can configure the new authentication algorithms with the -hash option and the
new encryption algorithms with the -encryption option of the
ipsec_config add ikev1 command.
Examples
1. Adding an IKEv1 policy with SHA2-256 as the authentication algorithm and AES256-CBC as the
encryption algorithm, with DH group 24.
# ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-group 24 -hash SHA2-256 -encryption AES256-CBC -pfs OFF
2. Adding an IKEv1 policy with SHA2-256 as the authentication algorithm and 3DES as the
encryption algorithm, with pfs ON.
# ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-group 24 -hash SHA2-256 -encryption 3DES -pfs ON
3. Adding an IKEv1 policy with SHA2-512 as the authentication algorithm and AES192-CBC as the
encryption algorithm, with DH group 14.
# ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-group 14 -hash SHA2-512 -encryption AES192-CBC -pfs OFF
4. Adding an IKEv1 policy with SHA2-384 as the authentication algorithm and AES128-CBC as the
encryption algorithm, with DH group 2.
# ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-group 2 -hash SHA2-384 -encryption AES128-CBC -pfs OFF
5. Adding an IKEv1 policy with SHA2-512 as the authentication algorithm and AES256-CBC as the
encryption algorithm, with the default group and pfs.
# ipsec_config add ikev1 policy_name -remote 192.6.1.1/32 \
-hash HMAC-SHA2-512 -encryption AES256-CBC
ipsec_config add ikev2 Syntax
You can use the following ipsec_config add ikev2 syntax in most installations:
ipsec_config add ikev2 ikev2_policy_name
-remote ip_addr[/prefix]
[-group group_number]
[-hash hash_algorithm]
[-encryption encryption_algorithm]
[-prf pseudo-random_function]
[-life lifetime_seconds]
[-pfs ON|OFF]
[-priority priority_number]
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an
add ikev2 operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add ikev2 default ikev2_policy_name
-remote ip_addr[/prefix]
[-group group_number]