HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
descending order of preference. At least one group number must match a Diffie-Hellman group
number configured on the remote system.
HP recommends that you do not use group 1 unless you are required to for compatibility reasons.
For efficiency when negotiating IKE SAs, HP recommends that you specify the group that is most
commonly used in your network first, other than group 1.
Valid Values:
1 (MODP, 768-bit exponent)
2 (MODP, 1024-bit exponent)
5 (MODP, 1536-bit exponent)
14 (MODP, 2048-bit exponent)
24 (MODP, 2048-bit exponent and 256-bit prime order subgroup)
Default: The value of the group parameter in the IKEV2Policy-Defaults section of the profile file
used. The default group parameter value is 2 in /var/adm/ipsec/.ipsec_profile.
-hash hash_algorithm
The hash argument specifies the hash algorithm for authenticating IKEv2 messages. You can
specify multiple hash_algorithm values, delimited by commas and no spaces, and specified
in descending order of preference. At least one hash algorithm must match a hash algorithm
configured on the remote system.
Valid Values:
AES-XCBC (96-bit key using Advanced Encryption Standard Extended Cipher Block Chaining
mode Message Authentication Code, AES96-XCBC-MAC)
HMAC-MD5 (128-bit key HMAC using Message Digest 5, HMAC-MD-5)
HMAC-SHA1 (160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1)
HMAC-SHA2-256 (256-bit key HMAC using Secure Hash Algorithm-2, HMAC-SHA2)
HMAC-SHA2-384 (384-bit key HMAC using Secure Hash Algorithm-2, HMAC-SHA2)
HMAC-SHA2-512 (512-bit key HMAC using Secure Hash Algorithm-2, HMAC-SHA2)
Default: The value of the hash parameter in the IKEV2Policy-Defaults section of the profile file
used. The default hash parameter value is HMAC-SHA1 in /var/adm/ipsec/.ipsec_profile.
-encryption encryption_algorithm
The encryption_algorithm is the encryption algorithm for encrypting IKEv2 messages. You
can specify multiple encryption_algorithm values, delimited by commas and no spaces,
in descending order of preference. At least one encryption algorithm must match an encryption
algorithm configured on the remote system.
Valid Values:
AES128-CBC (128-bit Advanced Encryption Standard CBC)
AES192-CBC (192-bit Advanced Encryption Standard CBC)
AES256-CBC (256-bit Advanced Encryption Standard CBC)
3DES (triple-DES CBC, three encryption iterations, each with a different 56-bit key, 3DES-CBC)
NULL (null encryption)
Default: The value of the encryption parameter in the IKEV2Policy-Defaults section of the profile
file used. The default encryption parameter value is 3DES in /var/adm/ipsec/.ipsec_profile.
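The following pre-flight check is an added example, not part of the HP guide or of HP-UX IPSec itself. It validates -group, -hash and -encryption values against the valid values listed above and reports which values a local list and a remote list have in common. The function names, the sample lists and the exact-case matching are assumptions.

```python
# Added example: pre-flight check of IKEv2 proposal lists before configuring a policy.
# Valid values are copied from this page; exact-case matching is an assumption.
VALID = {
    "group": ["1", "2", "5", "14", "24"],
    "hash": ["AES-XCBC", "HMAC-MD5", "HMAC-SHA1",
             "HMAC-SHA2-256", "HMAC-SHA2-384", "HMAC-SHA2-512"],
    "encryption": ["AES128-CBC", "AES192-CBC", "AES256-CBC", "3DES", "NULL"],
}


def parse_list(param, value):
    """Split one argument value; return (items, errors)."""
    errors = []
    if any(ch.isspace() for ch in value):
        errors.append(f"-{param}: delimit values with commas and no spaces")
    items = [v.strip() for v in value.split(",")]
    for v in items:
        if v not in VALID[param]:
            errors.append(f"-{param}: {v!r} is not a valid value")
    return items, errors


def check_policy(local, remote):
    """Compare local and remote proposal lists (dicts of param -> string)."""
    report = {"errors": [], "warnings": [], "common": {}}
    for param in VALID:
        mine, errs = parse_list(param, local[param])
        theirs, _ = parse_list(param, remote[param])
        report["errors"] += errs
        # Valid values that both systems list, kept in local preference order.
        common = [v for v in mine if v in theirs and v in VALID[param]]
        report["common"][param] = common
        if not common:
            report["errors"].append(f"-{param}: no value matches the remote system")
        if param == "group" and "1" in mine:
            report["warnings"].append("-group: group 1 listed; use only for compatibility")
        if param == "encryption" and "NULL" in mine:
            report["warnings"].append("-encryption: NULL does not encrypt IKEv2 messages")
    return report


# Constructed sample values, not taken from a real configuration.
LOCAL = {"group": "14,2,1", "hash": "HMAC-SHA2-256,HMAC-SHA1", "encryption": "AES256-CBC, 3DES"}
REMOTE = {"group": "2,5", "hash": "HMAC-SHA1", "encryption": "AES128-CBC"}

if __name__ == "__main__":
    result = check_policy(LOCAL, REMOTE)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1]}: {msg}")
    print("common:", result["common"])
```

With the constructed sample lists, the check reports the stray space in the -encryption value, the absence of any shared encryption algorithm, and the presence of group 1 in the local group list.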
-prf pseudo-random_function
The pseudo-random_function is the pseudo-random function (PRF) algorithm IKEv2 uses when
generating keying material. You can specify multiple pseudo-random_function values, delimited
by commas and no spaces, in descending order of preference. At least one PRF algorithm must
match a PRF algorithm configured on the remote system.