HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Valid Values:
HMAC-SHA1 (96-bit HMAC value using Secure Hash Algorithm-1, HMAC-SHA1)
AES-XCBC (128-bit value using Advanced Encryption Standard Extended Cipher Block Chaining mode Message Authentication Code, AES128-XCBC)
HMAC-SHA2-256 (256-bit HMAC value using Secure Hash Algorithm-2)
HMAC-SHA2-384 (384-bit HMAC value using Secure Hash Algorithm-2)
HMAC-SHA2-512 (512-bit HMAC value using Secure Hash Algorithm-2)
Default: The value of the prf parameter in the IKEV2Policy-Defaults section of the profile file used.
The default prf parameter value is HMAC-SHA1 in /var/adm/ipsec/.ipsec_profile.
-life lifetime_seconds
The lifetime_seconds is the maximum lifetime for the IKEv2 SA, in seconds.
Range: 0 (infinite) or 600 - 4294967294 seconds (approximately 497102 days).
Default: The value of the life parameter in the IKEV2Policy-Defaults section of the profile file used. The default life parameter value is 28,800 (8 hours) in /var/adm/ipsec/.ipsec_profile.
-pfs ON|OFF
The -pfs argument specifies if Perfect Forward Secrecy (PFS) is enabled (ON) or disabled (OFF).
With PFS, the exposure of one key permits access only to data protected by that key. When PFS
is enabled, the IKE daemon performs a Diffie-Hellman exchange for all IKE and IPsec SA negotiations
after the initial IPsec SA pair is created, and a new Diffie-Hellman exchange for any SA re-keying.
Default: The value of the pfs parameter in the IKEV2Policy-Defaults section of the profile file used.
The default pfs parameter value is OFF in /var/adm/ipsec/.ipsec_profile.
-priority priority_number
The priority_number is the priority value HP-UX IPSec uses when selecting an IKEv2 policy (a
lower priority value has a higher priority). The priority must be unique for each IKEv2 policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, ipsec_config assigns a priority value equal to the current highest priority value (lowest priority) among the IKEv2 policies in the configuration database, incremented by the automatic priority increment value (priority) for IKEv2 policies specified in the IKEV2Policy-Defaults section of the profile file, so this policy is the last policy evaluated before the default policy. The default automatic priority increment value (priority) is 10.
If this is the first IKEv2 policy created, ipsec_config uses the automatic priority increment value as the priority.
ipsec_config add ikev2 Command Example
The following command modifies the default IKEv2 policy to use Diffie-Hellman group 5 or group
2, with a higher preference for group 5:
ipsec_config add ikev2 default -group 5,2
The following command configures D-H group 24 for an IKEv2 policy:
%ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 24 -hash MD5 -encryption 3DES -pfs OFF
The following command changes the default IKEv2 policy to include D-H group 24:
%ipsec_config add ikev2 default -group 24 \
-hash MD5 -encryption 3DES -pfs OFF
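As an added example that is not part of HP's documentation or of the ipsec_config tool itself, the following Python script models the rules this section documents: it parses an ipsec_config add ikev2 command line, fills in the profile defaults given above, range-checks the prf, life, pfs and priority parameters, and computes the priority ipsec_config would auto-assign. It assumes the profile's priority increment of 10 and takes the list of priorities already in use as an argument; it is an offline checker, not a call into ipsec_config.

```python
import shlex

# Valid values, ranges and profile defaults as documented in this section.
PRF_VALUES = {"HMAC-SHA1", "AES-XCBC", "HMAC-SHA2-256", "HMAC-SHA2-384", "HMAC-SHA2-512"}
PROFILE_DEFAULTS = {"prf": "HMAC-SHA1", "life": 28800, "pfs": "OFF", "priority_increment": 10}
LIFE_MAX, PRIORITY_MAX = 4294967294, 2147483647


def parse_ikev2_add(cmdline):
    """Turn 'ipsec_config add ikev2 NAME -opt value ...' into a dict of options.
    A leading '%' shell prompt, as printed in the guide, is tolerated."""
    argv = shlex.split(cmdline.lstrip("%").strip())
    if argv[:3] != ["ipsec_config", "add", "ikev2"] or len(argv) < 4:
        raise ValueError("not an 'ipsec_config add ikev2' command")
    if (len(argv) - 4) % 2:
        raise ValueError("an option is missing its value")
    opts = {"name": argv[3]}
    for flag, value in zip(argv[4::2], argv[5::2]):
        if not flag.startswith("-"):
            raise ValueError(f"expected an option flag, got {flag!r}")
        opts[flag[1:]] = value
    return opts


def check_policy(opts, existing_priorities, defaults=PROFILE_DEFAULTS):
    """Apply profile defaults, range-check the documented parameters and
    compute the priority ipsec_config would assign. Returns (effective, problems)."""
    problems, eff = [], dict(opts)
    eff.setdefault("prf", defaults["prf"])
    if eff["prf"] not in PRF_VALUES:
        problems.append(f"prf {eff['prf']!r} is not a valid value")
    life = int(eff.get("life", defaults["life"]))
    if life != 0 and not 600 <= life <= LIFE_MAX:  # 0 means infinite
        problems.append(f"life {life} is outside 0 or 600-{LIFE_MAX}")
    eff["life"] = life
    eff.setdefault("pfs", defaults["pfs"])
    if eff["pfs"] not in ("ON", "OFF"):
        problems.append(f"pfs must be ON or OFF, got {eff['pfs']!r}")
    if "priority" in eff:
        prio = int(eff["priority"])
        if not 1 <= prio <= PRIORITY_MAX:
            problems.append(f"priority {prio} is outside 1-{PRIORITY_MAX}")
        if prio in existing_priorities:
            problems.append(f"priority {prio} is already used by another IKEv2 policy")
    else:
        # Auto-assignment rule from the guide: highest existing value plus the
        # increment, or just the increment when this is the first policy.
        inc = defaults["priority_increment"]
        prio = (max(existing_priorities) + inc) if existing_priorities else inc
    eff["priority"] = prio
    return eff, problems


if __name__ == "__main__":
    cmd = "%ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 -group 24 -hash MD5 -encryption 3DES -pfs OFF"
    print(check_policy(parse_ikev2_add(cmd), existing_priorities=[10, 20]))
```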
The ipsec_config command has been enhanced to support the algorithms newly introduced in HP-UX IPSec A.03.02.02. The user should be able to configure the newly introduced Authentication
Step 4: Configuring IKEv1 and IKEv2 Policies 93