HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
addresses for that physical interface, you must enter all the IP addresses for the physical interface
in the bypass list.
Example
You have a critical application and must encrypt and authenticate its network packets. All other
IP traffic in the network can pass in clear text. You configure additional logical interfaces (lan0:1)
for the critical application (16.1.1.1 and 16.2.2.2), and configure the critical application to use
only the specific logical interfaces. You can then configure the remaining logical interfaces in the
bypass list (15.1.1.1 and 15.2.2.2).
Figure 13 Bypass List Example (figure): Node1 has 15.1.1.1 on lan0:0 (bypass) and 16.1.1.1 on lan0:1 (secure); Node2 has 15.2.2.2 on lan0:0 (bypass) and 16.2.2.2 on lan0:1 (secure).
Maximizing Security
An IP address in the bypass list has the same effect as an open IPsec policy, with the bypass
interface address as the local address, a wildcard (*) remote address, wildcard protocol and ports,
and a Pass transform.
If you configure entries in the bypass list, intruders may be able to access services or ports bound
to addresses in the bypass list from other interfaces on the system, even if the other interface IP
addresses are secured by IPsec policies. Intruders may access services or ports bound to addresses
in the bypass list even if the intruders are not directly connected to interfaces in the bypass list.
HP recommends that you do not use the bypass list on systems where you are using HP-UX IPSec
as a filter or firewall to protect your network.
See “Maximizing security” (page 57) for more information.
ipsec_config add bypass Syntax
You can use the following ipsec_config add bypass syntax to add a bypass list entry in
most installations:
ipsec_config add bypass ip_address
HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an
add bypass operation for an ipsec_config batch file, use the above syntax without the
ipsec_config command name:
add bypass ip_address
The complete ipsec_config add bypass syntax also allows you to specify the nocommit
argument (verify the syntax but do not commit the information to the database).
See the ipsec_config_add(1M) manpage for complete syntax information.
ip_address
The ip_address is the IP address to bypass. This can be a virtual IP address (a secondary IP
address configured for an interface, such as an address configured for lan0:1).
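As an added shell example that is not from the guide, the following builds an ipsec_config batch file for the scenario in the example above (15.1.1.1 and 15.2.2.2 bypassed, 16.1.1.1 and 16.2.2.2 secured), checking each address and refusing any address that appears on both lists. The function names and the output path are assumptions; ipsec_config itself is not invoked.

```shell
#!/bin/sh
# Constructed example: generates "add bypass" batch lines for ipsec_config.
# Function names and the output path are assumptions, not from the guide.

# Returns 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_bypass_batch FILE "SECURE_ADDRS" "BYPASS_ADDRS"
# Writes one "add bypass <ip>" line per bypass address to FILE (batch syntax,
# without the ipsec_config command name). Returns 1 and writes nothing if an
# address is malformed or is on both lists, because bypassing an address that
# carries the critical application would pass its traffic in clear text.
build_bypass_batch() {
    file=$1; secure=$2; bypass=$3
    for ip in $bypass; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
        for s in $secure; do
            if [ "$ip" = "$s" ]; then
                echo "$ip is both secured and bypassed" >&2
                return 1
            fi
        done
    done
    : > "$file"
    for ip in $bypass; do
        printf 'add bypass %s\n' "$ip" >> "$file"
    done
}

# Addresses from the example: lan0:1 carries the critical application, lan0:0 is bypassed.
SECURE_ADDRS="16.1.1.1 16.2.2.2"
BYPASS_ADDRS="15.1.1.1 15.2.2.2"
build_bypass_batch "${TMPDIR:-/tmp}/bypass.batch" "$SECURE_ADDRS" "$BYPASS_ADDRS" \
    && cat "${TMPDIR:-/tmp}/bypass.batch"
```

The resulting file can be reviewed before being fed to ipsec_config as a batch file, so the bypass addresses are visible in one place alongside the policies that secure the rest of the host.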
Step 6: Configuring the Bypass List (Local IP Addresses) 95