HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

algorithms by using the -hash option and encryption algorithms by using the -encryption option of
the ipsec_config add ikev2 command.
Examples
1. Adding an IKEv2 policy with HMAC-SHA2-256 as the authentication algorithm, AES256-CBC as the
encryption algorithm, and DH group 24:
# ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 24 -hash HMAC-SHA2-256 -encryption AES256-CBC -pfs OFF
2. Adding an IKEv2 policy with HMAC-SHA2-256 as the authentication algorithm, 3DES as the
encryption algorithm, and PFS ON:
# ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 24 -hash HMAC-SHA2-256 -encryption 3DES -pfs ON
3. Adding an IKEv2 policy with HMAC-SHA2-512 as the authentication algorithm, AES192-CBC as the
encryption algorithm, DH group 14, and HMAC-SHA2-256 as the PRF:
# ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 14 -hash HMAC-SHA2-512 -encryption AES192-CBC -prf HMAC-SHA2-256
CAUTION: The default PRF function is HMAC-SHA1. It can be changed to any of the newly
introduced HMAC-SHA2 series algorithms. The PRF function should be the same on the local and
remote peer nodes.
4. Adding an IKEv2 policy with HMAC-SHA2-384 as the authentication algorithm, AES128-CBC as the
encryption algorithm, and DH group 2:
# ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-group 2 -hash HMAC-SHA2-384 -encryption AES128-CBC -pfs OFF
5. Adding an IKEv2 policy with HMAC-SHA2-512 as the authentication algorithm and AES256-CBC as
the encryption algorithm, using the default DH group, PRF, and PFS setting:
# ipsec_config add ikev2 policy_name -remote 192.6.1.1/32 \
-hash HMAC-SHA2-512 -encryption AES256-CBC
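An added POSIX shell helper (not from the guide or from HP-UX) that assembles these ipsec_config add ikev2 command lines from named parameters and checks that two peers' IKE SA parameters agree, treating a missing -prf as the default HMAC-SHA1 that the CAUTION describes. The policy name ike_peer3 and the option spellings -remote, -group, -hash, -encryption, -prf and -pfs are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example, not from the HP-UX IPSec guide: assemble the
# "ipsec_config add ikev2" command lines shown above from named
# parameters, and check that two peers' IKE SA parameters agree
# (including the PRF, which defaults to HMAC-SHA1 when -prf is omitted).
# Assumed: the option names -remote -group -hash -encryption -prf -pfs.

IKEV2_DEFAULT_PRF=HMAC-SHA1

# Print the command for one peer. An empty field is left out so that the
# daemon's own default applies (as in example 5 above).
# Usage: ikev2_policy_cmd name remote group hash encryption prf pfs
ikev2_policy_cmd() {
    name=$1 remote=$2 group=$3 hash=$4 enc=$5 prf=$6 pfs=$7
    case "$pfs" in
        ON|OFF|"") ;;
        *) echo "pfs must be ON or OFF, not '$pfs'" >&2; return 2 ;;
    esac
    cmd="ipsec_config add ikev2 $name -remote $remote"
    [ -n "$group" ] && cmd="$cmd -group $group"
    [ -n "$hash" ]  && cmd="$cmd -hash $hash"
    [ -n "$enc" ]   && cmd="$cmd -encryption $enc"
    [ -n "$prf" ]   && cmd="$cmd -prf $prf"
    [ -n "$pfs" ]   && cmd="$cmd -pfs $pfs"
    printf '%s\n' "$cmd"
}

# Compare the IKE SA parameters of two peers: group hash encryption prf
# for the local side, then the same four for the remote side. An empty
# PRF means the default, so "" and HMAC-SHA1 agree. Prints every field
# that differs and returns 1 if any does, 0 otherwise.
# Usage: ikev2_check_peers g1 h1 e1 p1 g2 h2 e2 p2
ikev2_check_peers() {
    rc=0
    p1=${4:-$IKEV2_DEFAULT_PRF}
    p2=${8:-$IKEV2_DEFAULT_PRF}
    [ "$1" = "$5" ] || { echo "group mismatch: $1 vs $5"; rc=1; }
    [ "$2" = "$6" ] || { echo "hash mismatch: $2 vs $6"; rc=1; }
    [ "$3" = "$7" ] || { echo "encryption mismatch: $3 vs $7"; rc=1; }
    [ "$p1" = "$p2" ] || { echo "prf mismatch: $p1 vs $p2"; rc=1; }
    return $rc
}

# Demo: example 3 above on the local side; a remote peer left at the
# default PRF does not match it, which is the case the CAUTION warns about.
ikev2_policy_cmd ike_peer3 192.6.1.1/32 14 HMAC-SHA2-512 AES192-CBC HMAC-SHA2-256 ""
ikev2_check_peers 14 HMAC-SHA2-512 AES192-CBC HMAC-SHA2-256 \
    14 HMAC-SHA2-512 AES192-CBC "" || echo "set -prf on the remote peer before applying"
```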
Step 5: Configuring Certificates
See Chapter 5: “Using Certificates with HP-UX IPSec” (page 100) for information on configuring
certificate information if you are using RSA signatures for IKE authentication. After you have
configured certificate information, go to “Step 6: Configuring the Bypass List (Local IP Addresses)”
(page 94).
Step 6: Configuring the Bypass List (Local IP Addresses)
The bypass list specifies local IP addresses that IPsec bypasses or ignores. The system does not
attempt to find an IPsec policy for packets sent or received using an IP address in the bypass list,
and it processes these packets as if HP-UX IPSec were not enabled.
Bypassing IPsec processing improves transmission rates for the addresses in the bypass list. The
bypass list is useful in topologies where most of the network traffic passes in clear text and you
only need to secure selected traffic on specific interfaces.
If you do not need to configure bypass interfaces, go to “Step 7: Verifying the Batch File Syntax”
(page 96).
Logical Interfaces
An entry in the bypass interface list affects only the logical interface for the IP address, not the
physical interface (network card). If you have multiple IP interfaces configured for a physical
interface (for example, lan0:0, lan0:1, and lan0:2) and you want IPsec to bypass all IP
94 Configuring HP-UX IPSec