ipsec_config - add, delete, export, and show HP-UX IPSec configuration objects in the HP-UX IPSec configuration database
The ipsec_config command adds, deletes, exports, and shows HP-UX IPSec configuration objects in the HP-UX IPSec configuration database. If HP-UX IPSec is active and running, ipsec_config also updates the HP-UX runtime IPSec policy database and runtime IKE information (IKE policies and authentication
You must be superuser to run ipsec_config.
The ipsec_config utility can operate in command-line mode or batch mode. In command-line mode, ipsec_config reads all input from the command line. In batch mode, ipsec_config reads add and delete operations from a file. Batch mode allows administrators to add and delete multiple configuration objects in one operation. HP-UX IPSec processes the operations in a batch file as a group. Batch mode is useful if you are adding or deleting configuration records that may affect other records.
HP recommends that you use a batch file to add configuration information. A batch file provides a permanent record of the configuration data and can be used to re-create the configuration database.
Separate command arguments using whitespace (blanks, tabs or newlines).
Use a backslash line continuation character to continue command input
on subsequent lines.
Operations and Object Types
The ipsec_config command supports the following operations:
add     See ipsec_config_add(1M) for more information.
batch   See ipsec_config_batch(1M) for more information.
delete  See ipsec_config_delete(1M) for more information.
export  See ipsec_config_export(1M) for more information.
show    See ipsec_config_show(1M) for more information.
object_type can be one of the following:
Authentication records, which specify Internet Key Exchange (IKE) versions, authentication methods, identity information, and preshared keys.
security certificate for a Certificate Authority (used for IKE authentication with RSA signatures).
Certificate Revocation List (CRL). A CRL contains a list of revoked X.509 security certificates. If you have a CRL, HP-UX IPSec checks it during the IKE authentication process to verify that the remote system's security certificate is valid (not revoked).
Certificate Signing Request (CSR), which the HP-UX administrator can submit to a Certificate Authority (CA) to request a signed X.509 security certificate.
Host IPsec policies, which specify HP-UX IPSec behavior for processing IP packets when the local system is an end host.
IKE version 1 (IKEv1) policies.
IKE version 2 (IKEv2) policies.
security certificate for the local system (used for IKE authentication with RSA signatures).
Tunnel IPsec policies, which specify IPsec tunnel
In most HP-UX IPSec topologies, you must configure the following:
o Host IPsec policies
o Authentication records (IKE ID information and
To establish IPsec security, you must also have an IKE version 1 (IKEv1) or IKE version 2 (IKEv2) policy. The HP-UX IPSec product installs a default IKEv1 policy and a default IKEv2 policy. You can use these default policies without modifications in many topologies.
HP recommends that you use the following procedure to configure HP-UX IPSec:
1. Create a batch file to configure IPsec policies and authentication records. An IKEv1 or IKEv2 policy is also required, but in most cases you can use the default IKEv1 or IKEv2 policy installed with the product. If you want to configure host-to-host IPsec policies and use IKE with preshared keys for IKE authentication, create a batch file to contain the following statements:
See the command subsection in ipsec_config_add(1M) for syntax and usage information.
If you are using HP-UX IPSec with certificates (RSA signatures) for IKE authentication, you must also use the following commands to configure
You must enter the above commands at the command-line prompt. (You cannot specify them in a batch file.)
The command creates a certificate signing
request (CSR). As an alternative, you can use a
utility provided by the certificate vendor to
create the CSR.
2. Test the syntax of your batch file by entering
the following command:
The option verifies the syntax without adding
objects to the database.
3. If the syntax is correct, add the configuration
information to the configuration database by
entering the following command:
4. Start and verify HP-UX IPSec. Use the following command to start HP-UX IPSec:
Generate network traffic that uses IPsec. Use
the following command to verify operation:
Verify that HP-UX IPSec has created Security Associations (SAs) with the appropriate systems.
5. Use the command to configure HP-UX IPSec to
automatically start at system boot-up time.
Help and usage information for the HP-UX IPSec operations is also available. Use the following syntax to access help:
You have two systems, Apple and Banana. Apple and Banana are not multihomed. You want to secure all telnet packets between the two systems using IPsec ESP with AES, authenticated with SHA-1. The IKE version is IKEv1. This is a private network, and you will allow all other packets to pass in clear text. You use the default IKEv1 policy.
On Apple, you configure:
o Two host IPsec policies
o One authentication record
The first host IPsec policy, telnetAB, secures outbound
telnet connections (Apple is the telnet client). You do
not need to specify the source argument, since it will
default to any IP address and any port, and the telnet
client port number is dynamically allocated. The second
policy, telnetBA, secures inbound telnet connections (Apple
is the telnet server).
The authentication record specifies the preshared key value
used with (Banana):
The configuration on Banana is the mirror image of the configuration on Apple:
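As an added example (not HP's code and not part of the ipsec_config man page), the following Python script applies the two batch-file rules stated earlier, whitespace-separated arguments and backslash line continuation, to parse two batch files and check that the configuration on Banana is the mirror image of the configuration on Apple: every host policy on one side must appear on the other with source and destination swapped, and the authentication records must share the preshared key. The argument names -source, -destination, -action, -remote and -preshared, the action name, the addresses and the key are constructed placeholders, not the real ipsec_config syntax; see ipsec_config_add(1M) for the actual statements.

```python
"""Check that two ipsec_config batch files mirror each other.

Added example, not HP's code. It relies only on what ipsec_config(1M)
states about batch input: arguments are separated by whitespace (blanks,
tabs or newlines), a trailing backslash continues a command on the next
line, and a batch file holds add and delete operations. The argument
names (-source, -destination, -action, -remote, -preshared), the action
name and all values below are constructed placeholders, NOT the real
ipsec_config syntax.
"""
from typing import Dict, List, Tuple

OPERATIONS = ("add", "delete")   # the operations batch mode reads


def tokenize(text: str) -> List[str]:
    """Split batch input into arguments.

    A backslash directly before a newline continues the command, so the pair
    is replaced by a blank; any remaining run of blanks, tabs or newlines
    then separates arguments.
    """
    return text.replace("\\\n", " ").split()


def parse_batch(text: str) -> List[Dict]:
    """Group tokens into operations.

    Assumed layout: operation keyword, object type, object name, then
    -flag value pairs up to the next operation keyword.
    """
    tokens = tokenize(text)
    ops: List[Dict] = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in OPERATIONS:
            raise ValueError(f"expected add/delete at token {i}, got {tokens[i]!r}")
        if i + 2 >= len(tokens):
            raise ValueError("operation is missing its object type or name")
        op = {"op": tokens[i], "type": tokens[i + 1], "name": tokens[i + 2], "args": {}}
        i += 3
        while i < len(tokens) and tokens[i] not in OPERATIONS:
            flag = tokens[i]
            if not flag.startswith("-") or i + 1 >= len(tokens):
                raise ValueError(f"bad argument {flag!r} in object {op['name']!r}")
            op["args"][flag] = tokens[i + 1]
            i += 2
        ops.append(op)
    return ops


def added(ops: List[Dict], kind: str) -> List[Dict]:
    """The add operations for one object type."""
    return [o for o in ops if o["op"] == "add" and o["type"] == kind]


def policy_key(op: Dict) -> Tuple[str, str, str, str]:
    """Identity of a host policy; an omitted source or destination means any."""
    a = op["args"]
    return (op["name"], a.get("-source", "any"), a.get("-destination", "any"), a.get("-action", ""))


def mirrored(key: Tuple[str, str, str, str]) -> Tuple[str, str, str, str]:
    """The same policy as seen from the peer: source and destination swap."""
    name, src, dst, action = key
    return (name, dst, src, action)


def check_mirror(local_text: str, peer_text: str) -> List[str]:
    """Return the problems found when peer_text should mirror local_text."""
    local, peer = parse_batch(local_text), parse_batch(peer_text)
    problems: List[str] = []
    peer_hosts = {policy_key(o) for o in added(peer, "host")}
    for o in added(local, "host"):
        if mirrored(policy_key(o)) not in peer_hosts:
            problems.append(f"host policy {o['name']} has no mirror image on the peer")
    peer_keys = {o["args"].get("-preshared") for o in added(peer, "auth")}
    for o in added(local, "auth"):
        if o["args"].get("-preshared") not in peer_keys:
            problems.append(f"auth record {o['name']}: peer has no record with the same preshared key")
    return problems


# Constructed batch files for Apple (10.1.1.1) and Banana (10.1.1.2).
# telnetAB on Apple omits -source, which the page says defaults to any.
APPLE_BATCH = """\
add host telnetAB -destination 10.1.1.2/23 \\
    -action ESP_AES128_HMAC_SHA1
add host telnetBA -source 10.1.1.1/23 -destination 10.1.1.2 \\
    -action ESP_AES128_HMAC_SHA1
add auth banana -remote 10.1.1.2 -preshared EXAMPLE_KEY
"""
BANANA_BATCH = """\
add host telnetAB -source 10.1.1.2/23 -action ESP_AES128_HMAC_SHA1
add host telnetBA -source 10.1.1.2 -destination 10.1.1.1/23 \\
    -action ESP_AES128_HMAC_SHA1
add auth apple -remote 10.1.1.1 -preshared EXAMPLE_KEY
"""

if __name__ == "__main__":
    for label, problems in (("Apple -> Banana", check_mirror(APPLE_BATCH, BANANA_BATCH)),
                            ("Banana -> Apple", check_mirror(BANANA_BATCH, APPLE_BATCH))):
        print(label, "ok" if not problems else problems)
```

Run the check in both directions before loading either file, since a policy present on one host and missing on the other leaves traffic that one side expects to protect passing in clear text or failing to negotiate.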
ipsec_config was developed by HP.
default profile file.
ipsec_admin(1M), ipsec_config_add(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M), ipsec_migrate(1M),
HP-UX IPSec Software Required ipsec_config(1M)