ipsec_config_add(1M) ipsec_config_add(1M)
NAME
ipsec_config_add - add HP-UX IPSec configuration objects to the HP-UX IPSec configuration database
SYNOPSIS
DESCRIPTION
The command configures objects in the database. The following commands are described in more detail in the section below.
Configure authentication records, which specify IKE identities and
preshared keys.
Configure entries in the HP-UX IPSec bypass list.
Add a certificate for a Certificate Authority (CA) to the HP-UX
IPSec storage scheme.
Add a Certificate Revocation List (CRL) to the HP-UX IPSec storage scheme.
Create a Certificate Signing Request (CSR) for the local system.
Configure host IPsec policies.
Configure Internet Key Exchange (IKE) version 1 policies.
Configure Internet Key Exchange (IKE) version 2 policies.
Add a certificate for the local system to the HP-UX
IPSec storage scheme.
Specify general operating parameters, including the option to
automatically start HP-UX IPSec at system boot-up time.
Configure tunnel IPsec policies.
Options and Operands
IPSEC_CONFIG ADD AUTH COMMAND
Name
- configure authentication records, which specify IKE authentication methods, IKE identity values, and preshared key values
Synopsis
auth_name
preshared_key]
local_id_type local_id]
remote_id_type remote_id]
priority_number]
profile_name]
Description
Authentication records specify the IKE version, IKE authentication method (preshared keys or certificates with RSA signatures), IKE ID values, and preshared key values.
Each peer must match at least one authentication record. If a remote system is multihomed, each address of the remote system must match at
least one authentication record.
You can configure one authentication record for multiple peers by specifying a subnet address for the argument and using subnet address or
subtree matching for the remote ID. However, HP does not recommend that you use this method with preshared keys.
Options and Operands
The command recognizes the following options and operands.
auth_name
Specifies the user-defined name for the authentication record. This name must be unique for each authentication record and is
case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen, or underscore.
Specifies the IP address and network prefix length that identify the
remote system or subnet for this authentication record. The values for ip_addr and prefix are defined as follows:
ip_addr
Specifies the IP address of the remote system.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
Default: None.
prefix
Specifies the prefix length, or the number of leading bits, that must match when comparing an IP address of the
remote system with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. Use a value
less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a
value less than 128 to specify a subnet address filter.
The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero
addresses.
Type   Range     Default
----   -------   ------------------------------
IPv4   0 - 32    32 (0 for all-zero addresses)
IPv6   0 - 128   128 (0 for all-zero addresses)
The default prefix is zero(0) if the address is all zeros.
Subnet Addresses: You can use a subnet address in an authentication record with a specific remote ID or with a subnet or subtree remote ID that matches multiple remote IDs.
Specifying a subnet address with a specific remote ID is useful when configuring an authentication record for a remote system that has a dynamically allocated IP address.
Specifying a subnet address with a subnet or subtree remote ID enables you to configure one authentication record for multiple remote systems. HP recommends that you use subnet and subtree remote IDs only when using certificate-based authentication. Although it is possible to use subnet or subtree remote IDs with preshared keys to configure one preshared key for multiple remote systems, HP strongly recommends that you do not do this.
Specifies the IKE Key Management Protocol (KMP) version.
Acceptable Values:
Use IKEv1.
Use IKEv2.
Use IKEv1 if the local system is the initiator in an IKE negotiation.
Accept IKEv1 or IKEv2 requests if the local system is the responder.
Use IKEv2 if the local system is the initiator in an IKE negotiation.
Accept IKEv2 or IKEv1 requests if the local system is the responder.
Default: IKEV1
Specifies the exchange type for the IKE Phase 1 negotiation.
This must match what is configured on the remote system.
This argument is valid only if the IKE version is IKEv1 (the argument value includes
Acceptable Values:
Aggressive Mode
Main Mode
Aggressive Mode is less secure than Main Mode because it does not provide identity protection for the IKE peers
(the IKE peers exchange identity information before establishing a secure channel), but it is more efficient.
The IKE protocol specification requires implementors to support Main Mode but does not require implementors to support Aggressive Mode.
Default: MM (Main Mode)
Specifies the preshared key used for IKE authentication.
This must match the preshared key configured on the remote system.
Acceptable values: A text string, containing 1 - 128 ASCII characters or a hexadecimal value prefixed with (Whitespace is not
allowed.) If it includes shell special characters, enclose the value in double quotes if you are running from the command
line. For example,
The argument specifies the IKE authentication method the local system uses to authenticate itself to the remote system. The argument specifies the IKE authentication method the local system uses to authenticate the remote system.
Valid Values:
Preshared key
Certificates with RSA signatures
The and arguments must have the same value.
Default: If you omit the and arguments but specify a preshared key (the argument), the and default to If you omit the and argument, the and values default to the and values in the AUTHPolicy-Defaults section of the profile file used. The default and parameter values are in
If you specify one method type but not the other, uses the specified method type for the unspecified method type. For example,
if you specify but do not specify uses for the value.
Specifies the local ID type and value the system sends to the remote system
when negotiating an IKE Security Association (IKE SA).
The valid local_id_type values and corresponding local_id values are as follows:
An IPv4 address in dotted-decimal notation.
If you are using RSA signatures (RSASIG) for IKE authentication, this must match the IPv4 address in the subjectAlternativeName of the certificate for the local system.
An IPv6 address in colon-hexadecimal notation.
If you are using RSA signatures (RSASIG) for IKE authentication, this must match the IPv6 address in the subjectAlternativeName of the certificate for the local system.
A Fully Qualified Domain Name, also known as Domain Name
Service or DNS name, such as If you are using RSA signatures (RSASIG) for IKE authentication, this must match the FQDN
in the subjectAlternativeName of the certificate for the local system.
A character string used by the peer to identify a preshared key.
This is valid only if the authentication method is preshared key. The maximum length for is 320 characters.
A User-Fully Qualified Domain Name in SMTP format (also
referred to as RFC 822 email address format), such as If you are using RSA signatures (RSASIG) for IKE authentication,
this must match the user FQDN in the subjectAlternativeName in the certificate.
An X.500 Distinguished Name (DN). This is valid only if the local authentication method is RSA signatures (RSASIG).
If the value is HP-UX IPSec uses the subjectName of the certificate for the local system for the local ID value and any
value specified for is ignored.
Default: If local_id_type and local_id are not specified, HP-UX uses the IPv4 or IPv6 address of the interface the IKE daemon
uses to communicate with the remote system.
Specifies the ID type and value used to verify the ID payload sent by the
remote system when negotiating an IKE Security Association (IKE SA). If you are using RSA signatures (RSASIG) for IKE authentication, the value is also used to verify contents of the remote security certificate.
The valid remote_id_type values and corresponding remote_id values are as follows:
An IPv4 address in dotted-decimal notation.
The value can be a subnet (address with prefix) or IP address range. For example, or If you are using RSA signatures
(RSASIG) for IKE authentication, this must match the IPv4 address in the subjectAlternativeName of the remote system's
certificate.
An IPv6 address in colon-hexadecimal notation.
The value can be a subnet (address with prefix) or IP address range. If you are using RSA signatures (RSASIG) for IKE
authentication, this must match the IPv6 address in the subjectAlternativeName of the remote system's certificate.
A Fully Qualified Domain Name, also known as Domain Name
Service or DNS name, such as
If you are using RSA signatures (RSASIG) for IKE authentication, the FQDN must match the subjectAlternativeName of the
remote system's certificate.
To specify a subtree FQDN that matches multiple values, prefix the FQDN with a dot For example, matches and It does not
match or
A character string used by the peer to identify a preshared key.
This is valid only if the authentication method is preshared key. The maximum length for is 320 characters.
A User-Fully Qualified Domain Name in SMTP format (also
referred to as RFC 822 email address format), such as
If you are using RSA signatures (RSASIG) for IKE authentication and the remote system is an HP-UX system, this must
match the user FQDN in the subjectAlternativeName of the certificate for the remote system.
To specify a subtree user FQDN that matches multiple values, specify only the FQDN, preceded by an at sign to match any
user at that domain, or specify the FQDN preceded by a dot to match any user in the subtree domain. For example,
matches the user FQDNs and The user FQDN matches the user FQDNs It does not match the user FQDNs or
An X.500 Distinguished Name (DN).
HP-UX IPSec supports the following attributes in the DN:
All attributes are optional, but you must specify at least one of the above attributes.
When HP-UX IPSec searches for an authentication record that matches a remote ID payload sent by a peer, every attribute specified in the authentication record must be present and matched in the peer's remote ID payload. When verifying the peer's certificate, HP-UX IPSec compares all attributes in the remote ID payload with the subjectName in the certificate and verifies that they match.
Separate multiple attributes using commas. The order of the attributes is ignored and the DN is not case sensitive.
To specify a subtree DN that matches multiple values, specify only the attributes that are the same for all the nodes you want to match, and omit the attribute or attributes that are unique. In most cases, you will omit the CN (commonName) attribute.
For example:
CN=host1,C=US,O=HP
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example:
The variables are defined as follows:
commonName
The commonName of the DN in printable string format. The maximum length is 64 characters.
country
The two-character ISO 3166-1 code for the country in the DN, for example for United States of America.
organization
The organization of the DN, for example The maximum length is 64 characters.
organizationalUnit
The organizationalUnit of the DN, for example The maximum length is 64 characters.
Default: If remote_id_type and remote_id are not specified, uses the value of the argument for the remote ID and the appropriate address type (IPv4 or IPv6) as the remote ID type.
The priority value HP-UX IPSec will use when selecting an authentication record (a lower priority value has a higher priority). The priority must be unique for each authentication record.
Range: 1 - 2147483647.
Default: If you do not specify a priority, assigns a priority value equal to the current highest priority value (lowest priority) for authentication records in the configuration database, incremented by the automatic priority increment value (priority) for authentication records specified in the section of the profile file used (this policy will be the last policy evaluated before the default policy). The default automatic priority increment value (priority) is 10 in
If this is the first authentication record created, uses the automatic priority increment value as the priority.
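As an added example (not part of this man page and not HP-UX IPSec code), the following Python models the authentication-record selection rules described above: address/prefix matching with the documented prefix defaults, the exact, subnet/range and subtree forms of the remote ID, and selection in ascending priority-value order. The names AuthRecord and select_auth_record, the sample records, and the reading of the dotted subtree forms as a strict suffix are assumptions.

```python
"""Added example (not HP-UX code): a model of authentication-record selection as
this page describes it. A peer matches a record when its address falls inside the
record's addr/prefix filter and its IKE ID payload matches the record's remote ID
(exact, subnet/range or subtree form); records are tried in ascending priority value."""
import ipaddress
from dataclasses import dataclass


def default_prefix(addr: str, prefix=None) -> int:
    """Prefix rule from the page: the full length for a non-zero address, 0 for an all-zero one."""
    ip = ipaddress.ip_address(addr)
    if prefix is not None:
        return prefix
    return 0 if int(ip) == 0 else ip.max_prefixlen


def address_matches(filter_spec: str, addr: str) -> bool:
    """filter_spec is 'addr/prefix', 'addr' (prefix defaulted) or 'lo-hi' (an address range)."""
    ip = ipaddress.ip_address(addr)
    if "-" in filter_spec:
        lo, hi = (ipaddress.ip_address(x) for x in filter_spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    base, _, plen = filter_spec.partition("/")
    plen = default_prefix(base, int(plen) if plen else None)
    net = ipaddress.ip_network(f"{base}/{plen}", strict=False)
    return net.version == ip.version and ip in net


def parse_dn(dn: str) -> dict:
    """'CN=host1, C=US, O=HP' -> {'cn': 'host1', 'c': 'us', 'o': 'hp'}: attribute order is
    ignored and the comparison is case-insensitive, as the page states for X500-DN IDs."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return attrs


def remote_id_matches(id_type: str, configured: str, peer_id: str) -> bool:
    """Apply the page's matching rule for each remote ID type."""
    id_type = id_type.upper()
    if id_type in ("IPV4", "IPV6"):          # single address, subnet or range
        return address_matches(configured, peer_id)
    if id_type == "KEYID":                   # opaque string, compared exactly
        return configured == peer_id
    c, p = configured.lower(), peer_id.lower()
    if id_type == "FQDN":
        if c.startswith("."):                # '.hp.com' matches hosts below hp.com, not hp.com itself
            return p.endswith(c)
        return c == p
    if id_type == "USER_FQDN":
        _, _, domain = p.partition("@")
        if c.startswith("@"):                # '@hp.com': any user at exactly hp.com
            return domain == c[1:]
        if c.startswith("."):                # '.hp.com': any user at a host in the subtree (assumed strict suffix)
            return domain.endswith(c)
        return c == p
    if id_type == "X500-DN":
        want, have = parse_dn(configured), parse_dn(peer_id)
        # every attribute configured in the record must be present and equal in the peer's DN;
        # attributes omitted from the record (typically CN) act as wildcards
        return all(have.get(k) == v for k, v in want.items())
    raise ValueError(f"unknown remote ID type {id_type}")


@dataclass
class AuthRecord:
    priority: int
    name: str
    remote: str             # addr[/prefix] of the remote system or subnet
    remote_id_type: str
    remote_id: str


def select_auth_record(records, peer_addr: str, peer_id_type: str, peer_id: str):
    """Return the name of the matching record with the lowest priority value, or None."""
    for rec in sorted(records, key=lambda r: r.priority):
        if (rec.remote_id_type.upper() == peer_id_type.upper()
                and address_matches(rec.remote, peer_addr)
                and remote_id_matches(rec.remote_id_type, rec.remote_id, peer_id)):
            return rec.name
    return None


# Constructed sample records (not from the page): a specific host, a /16 pool of RSASIG
# peers identified by a subtree FQDN, and a DN-subtree record with an all-zero address
# (whose prefix therefore defaults to 0 and matches any IPv4 peer).
SAMPLE_RECORDS = [
    AuthRecord(20, "pool_east", "10.1.0.0/16", "FQDN", ".east.example.com"),
    AuthRecord(10, "host1", "10.1.1.1", "FQDN", "host1.east.example.com"),
    AuthRecord(30, "dn_subtree", "0.0.0.0", "X500-DN", "C=US,O=Example"),
]
```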
Additional options for this policy.
Specifies that this IPsec policy is used for clients that use stateless or stateful address autoconfiguration. To use HP-UX IPSec with autoconfiguration clients, the configuration must meet the following requirements:
o The local system cannot be the initiator in IKE SA negotiations with autoconfiguration clients.
o If the IKE version is IKEv1 (the argument is or the default value), the exchange mode must be Aggressive Mode.
o The remote ID type cannot be IPV4 or IPV6.
o The argument must specify the address and prefix that matches the autoconfiguration address pool. The authentication method can be RSA signatures or preshared keys.
No additional options.
Default: The value of the flags parameter in the section of the profile file used. The default flags value is in
The utility verifies the authentication record, but does not add it to the configuration database. This option is not valid if you
are specifying an operation in a batch file.
The name of the profile file containing default argument values for this
policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from the profile file become part of the configuration record for the policy. This argument is not valid if you are specifying an operation in a batch file.
Maximum length: 1023 characters.
Default:
Examples
Configure an IKEv1 authentication record for preshared key authentication for remote system which is an HP-UX IPSec system with only one address (a non-multihomed system). Both systems use IPv4 addresses for IDs. The argument causes the local and remote authentication methods to default to
Configure a similar record for IKEv2:
Configure an IKEv1 authentication record for RSA signature (security certificate) authentication with remote system that uses X.500 Distinguished Names (X500-DN) for ID types. The absence of the argument causes the local and remote authentication methods to default to
Configure IKEv2 authentication records for preshared key authentication for a remote multihomed HP-UX IPSec system, with addresses and
IPSEC_CONFIG ADD BYPASS COMMAND
Name
- configures entries in the HP-UX IPSec bypass list
Synopsis
Description
Use the command to configure entries in the HP-UX IPSec bypass list. The bypass list specifies local addresses that IPSec will bypass or ignore. The system does not attempt to find an IPsec policy for packets sent or received using an IP address in the bypass list, and processes these packets as if HP-UX IPSec were not enabled.
Bypassing improves transmission rates for the listed addresses. The bypass list is useful in topologies where most of the network traffic passes in clear text and you only need to secure selected traffic on specific interfaces.
HP recommends that you do not configure entries in the bypass list on systems that have public interfaces (an interface connected to a public network), or on systems on which you are using HP-UX IPSec as a filter or firewall to protect your network.
Options and Operands
The command recognizes the following options and operands:
ip_address
The address to bypass. This can be a virtual IP address (a secondary IP address configured for an interface, such as an address
configured for
An entry in the bypass interface list affects only the logical interface for the IP address, not all logical interfaces on the
physical interface (network card). If you have secondary IP interfaces configured for a physical interface (for example, and and
you want IPSec to bypass all IP addresses for that physical interface, you must configure all the IP addresses for the physical
interface in the bypass list.
The utility verifies the policy, but does not add it to the configuration database. This argument is not valid if you specify an
operation in a batch file.
Examples
The system has two physical interfaces, both connected to secure, internal networks. You want to use HP-UX IPSec to encrypt traffic on one
interface, but disable HP-UX IPSec on the second interface,
IPSEC_CONFIG ADD CACERT COMMAND
Name
- add a certificate for a Certificate Authority (CA) to the HP-UX IPSec storage scheme.
Synopsis
port_number]
search_filter]
user_name password]]
Description
The command adds a certificate for a certificate authority (CA) to the HP-UX IPSec storage scheme. There are two syntax formats for the
command:
o
This syntax extracts the certificate from a file. The certificate must be encoded using Abstract Syntax Notation 1 (ASN.1)
Distinguished Encoding Rules (DER) or Privacy-Enhanced Mail base64 (PEM) format.
o
This syntax retrieves the certificate from an LDAP directory. The certificate must be encoded using DER or PEM.
The utility stores the certificates in the directory
The command is one of four commands for using certificates with HP-UX IPSec; the other commands are and
Options and Operands
The command recognizes the following options and operands:
Specifies the name of the DER or PEM file containing the certificate for the CA.
Specifies the hostname or IP address of the LDAP server where the certificate
for the CA is stored.
Default: None.
Specifies the TCP port number for the LDAP server.
Range: 1 - 65535.
Default: 389, the IANA registered port number for LDAP.
Search base for the certificate, in X.500 Distinguished Name (DN) format,
such as The search_base with the filter appended to it forms a search path to the location of the certificationAuthority
object in the LDAP directory.
The maximum length of the search_base is 272 characters. If there are spaces in the DN, you must enclose the DN in double
quotes (" "). For example,
Default: None.
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell
special characters, enclose the value in double quotes. For example,
The maximum length of the filter is 272 characters.
Default: (match all objectClass values).
User name and password needed to access the LDAP directory.
If the user name includes spaces, enclose the name in double quotes.
Default: None.
Multiple Level CA Requirements
If you are using multiple-level CAs, you must use the command to add a certificate for each CA in the authentication chain from the local
system to the peer (the root CA, all CAs from the local system to the root CA, and all CAs from the peer to the root CA). Each certificate
must be contained in a separate file or directory object. HP-UX IPSec cannot store multiple certificates from a single file or directory
object.
Examples
Load the certificate saved in the file
Load the certificate from the LDAP server 192.6.2.1, at path
IPSEC_CONFIG ADD CRL COMMAND
Name
- add a Certificate Revocation List (CRL) to the HP-UX IPSec storage scheme.
Synopsis
port_number]
search_filter] user_name password]]
Description
The command adds a certificate revocation list (CRL) to the HP-UX IPSec storage scheme. The CRL must be encoded using Abstract Syntax
Notation 1 (ASN.1) Distinguished Encoding Rules (DER) or Privacy Enhanced Mail (PEM) format. There are two syntax formats for the command:
o
This syntax extracts the CRL from a file.
o
This syntax retrieves the CRL from an LDAP directory.
The utility stores the retrieved CRL in the directory.
When used to retrieve the CRL from an LDAP directory, the command also saves the LDAP directory parameters in a file in the directory,
which is used by the CRL cron script file,
The command is one of four commands for using certificates with HP-UX IPSec; the other commands are and
Options and Operands
The command recognizes the following options and operands:
Specifies the local file from which
will retrieve the CRL. The file must contain a CRL in ASN.1 DER or PEM format.
Specifies the hostname or IP address of the LDAP server where the CRL is stored.
The CRL must be stored in ASN.1 DER or PEM format.
Default: None.
Specifies the TCP port number for the LDAP server.
Range: 1 - 65535.
Default: 389, the IANA registered port number for LDAP.
Search base for the CRL, in X.500 Distinguished Name (DN) format,
such as The search_base with the filter appended to it forms a search path to the location of the certificateRevocationList object in the LDAP directory.
The maximum length of the search_base is 272 characters. If there are spaces in the DN, you must enclose the DN in double
quotes (" "). For example,
Default: None.
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell
special characters, enclose the value in double quotes. For example,
The maximum length of the filter is 272 characters.
Default: (match all objectClass values).
User name and password needed to access the LDAP directory.
If the user name includes spaces, enclose the name in double quotes.
Default: None.
Multiple Level CA Requirements
If you are using multiple-level CAs, you must use the command to add a CRL for each CA in the authentication chain from the local system to the peer (the root CA, all CAs from the local system to the root CA, and all CAs from the peer to the root CA). Each CRL must be contained in a separate file or directory object.
Examples
Load the CRL saved in the file
Load the CRL from the LDAP server 192.6.2.1, at path
IPSEC_CONFIG ADD CSR COMMAND
Name
- create a Certificate Signing Request (CSR) for the local system
Synopsis
subject_name
ipv4_addr]
fqdn] user_fqdn]
number_days] number_bits]
Description
The command creates a PKCS#10 Certificate Signing Request (CSR) for the local system. The utility generates a public/private key pair and encodes an unsigned X.509 certificate containing the public key in a PKCS#10 CSR file, using Privacy-Enhanced Mail (PEM) base64 encoding. The utility saves the CSR in the file The administrator can then submit the file to the Certificate Authority (CA) and request a signed certificate.
The command is one of four commands for using certificates with HP-UX IPSec; the other commands are and
Options and Operands
The command recognizes the following options and operands:
Specifies the value you want in the
field for the certificate in X.500 Distinguished Name (DN) format. The DN consists of at least one of the following attributes:
The attributes are all optional, but you must specify at least one. Use commas to delimit multiple attributes. The order of the
attributes is ignored and the DN is not case sensitive. For example: CN=host1,C=US,O=HP
If there are spaces in the DN, you must enclose the DN in double quotes (" "). For example:
The variables are defined as follows:
commonName
The commonName of the DN in printable string format. The maximum length is 64 characters.
country
The two-character ISO 3166-1 code for the country in the DN, for example for United States of America.
organization
The organization of the DN, for example The maximum length is 64 characters.
organizationalUnit
The organizationalUnit of the DN, for example The maximum length is 64 characters.
Specifies the IPv4 address you want in the
subjectAlternativeName field of the certificate.
Specifies the Fully Qualified Domain Name (FQDN) you want in
the subjectAlternativeName field of the certificate, such as The FQDN is also referred to as the Domain Name Service or DNS name.
Specifies the User-Fully Qualified Domain Name in SMTP format that
you want in the subjectAlternativeName field of the certificate, such as
Specifies the number of days for which the certificate will be valid.
Verify that the number you specify is within the range allowed by the Certificate Authority (CA).
Range: 1 - 65535.
Default: 365.
Specifies the key length for the public/private keys, in bits.
Verify that the number you specify is allowed by your CA.
Valid values: 512, 1024, 2048, or 4096 bits.
Default: 1024.
Examples
Create a CSR for the system with the DN as the subject, and its IPv4 address, in the subjectAlternativeName field.
IPSEC_CONFIG ADD HOST COMMAND
Name
- configure host IPsec policies
Synopsis
host_policy_name
protocol_id]
priority_number]
tunnel_policy_name]
manual_key_sa_specification manual_key_sa_specification]
profile_name]
Description
Use the command to configure host IPsec policies. Host IPsec policies specify HP-UX IPSec behavior for IP packets sent or received by the
local system as an end host.
When an IPsec system sends a packet or receives a packet for an address on the local system, HP-UX IPSec searches the host IPsec policies
in priority order and selects the first policy with address, protocol, and port specifications that match the packet. HP-UX IPSec then
takes the action specified in the selected host IPsec policy.
The HP-UX IPSec configuration database includes a host IPsec policy named HP-UX IPSec uses the default host IPsec policy for a packet if no
other host IPsec policies match the packet. The default host IPsec policy shipped with HP-UX IPSec allows packets to pass in clear text.
(the argument value is You cannot delete the host IPsec policy, or modify any argument values except the argument for its behavior (the
value for the argument). You can use the following command to change the default host IPsec policy so it discards packets:
To change the default host IPsec policy back so it passes packets in clear text, use the following command:
Options and Operands
The command recognizes the following options and operands:
host_policy_name
The user-defined name for the host IPsec policy. This name must be unique for each host IPsec policy and is case-sensitive.
The name is reserved.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen, or underscore.
HP-UX IPSec uses the
ip_addr, prefix, and port_number or service_name with the argument to form an address filter. HP-UX IPSec uses the address
filter to select an IPsec policy for a packet. Specify a local IP address in the source address filter. For an outbound
packet, HP-UX IPSec compares the source address filter with the source address fields in the packet, and the destination
address filter with the destination address fields in the packet. For an inbound packet, HP-UX IPSec compares the source
address filter specification with the destination address fields in the packet, and the destination address filter with the
source address fields in the packet.
If you are not using manual keys, you can repeat the or arguments up to 20 times each to specify multiple filters. HP-UX
IPSec selects a policy for a packet if any of the filters matches a packet.
Default: If you do not specify ip_addr, prefix, port_number, or service_name, uses the value of the source or destination
parameter in the section of the profile file used. The default value for source and destination is (match any IPv4 address,
any port) in
The address filter is defined with the following values:
ip_addr
The source or destination IP address. If you are not using manual keys, you can also specify an address range with two addresses separated by a dash and no spaces. The second address in a range must be a higher number than the first. For example, 10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2, 10.1.1.3.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type or must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address. If you are using manual keys, ip_addr cannot be a wildcard address or
prefix
The prefix length, or the number of leading bits that must match when comparing the IP address in a packet with
ip_addr. If the ip_addr is an address range, the prefix applies to all addresses in the range.
You must specify prefix if you specify port_number or service_name.
For IPv4 addresses, a prefix length of 32 bits specifies that all the bits in the policy address must match the
packet address. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits specifies that all the bits in the policy address must match the
packet address. Use a value less than 128 to specify a subnet address filter.
The following table shows the range and default for IPv4 and IPv6 addresses. The defaults apply to non-zero
addresses.
Type   Range     Default
----   -------   ------------------------------
IPv4   0 - 32    32 (0 for all-zero addresses)
IPv6   0 - 128   128 (0 for all-zero addresses)
The default prefix is zero(0) if the address is all zeros.
If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
port_number
The upper-layer protocol (TCP or UDP) port number. You can specify a single port number, or a range of port numbers with two port numbers separated by a dash and no spaces. The second port number in a range must be higher than the first. For example, 22-24 matches any of the following port numbers: 22, 23, 24.
Specify the upper-layer protocol with the argument described below. The upper-layer protocol must be or if you specify a non-zero port number.
Acceptable values: 0 - 65535. 0 indicates all ports.
Default: 0 (all ports).
service_name
A character string that specifies a network service. The utility will add a policy to the configuration database
with the appropriate port number and protocol, as listed below. You cannot specify service_name and the argument in
the same policy.
service_name   Port   Protocol
------------   ----   --------
DNS-TCP        53     TCP
DNS-UDP        53     UDP
FTP-DATA       20     TCP
FTP-CONTROL    21     TCP
HTTP-TCP       80     TCP
HTTP-UDP       80     UDP
NTP            123    UDP
REXEC          512    TCP
RLOGIN         513    TCP
RWHO           513    UDP
REMSH          514    TCP
REMPRINT       515    TCP
SMTP           25     TCP
TELNET         23     TCP
TFTP           69     UDP
Upper-layer protocol. Value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPsec policy for a packet. You cannot specify the argument and a service_name in the same policy.
Acceptable values: integer value in the range 0 (any protocol) - 255, or one of the following protocol names: (any protocol).
protocol_id must be or if port_number is specified and is not zero.
Default: If you do not specify protocol_id, uses the value of the parameter in the section of the profile file used. The default value for is in
The priority value HP-UX IPSec will use when selecting a host IPsec policy (a lower priority value has a higher priority). The priority must be unique for each host IPsec policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, assigns a priority value equal to the current highest priority value (lowest priority) for host IPsec policies in the configuration database, incremented by the automatic priority increment value (priority) for host IPsec policies specified in the section of the profile file used (this policy will be the last policy evaluated before the default policy). The default automatic priority increment value (priority) is 10 in
If this is the first host IPsec policy created, uses the automatic priority increment value as the priority.
If packets using this host IPsec policy
will be tunneled and the local system is one of the tunnel endpoints, enter the name of the tunnel IPsec policy to use with
this host IPsec policy.
Specifies the action HP-UX IPSec will perform on packets using
this policy.
The action must be if this is an end system in a host-to-host tunnel topology.
Default: The action defined for the action parameter in the section of the profile file used. The default definition for
action is in
The values are defined as follows:
Defines the action.
Allow packets using this host IPsec policy to pass in clear text with no
alteration. The host IPsec policy shipped with the product specifies
Discard packets using this host IPsec policy.
transform_list
A transform specifies the IPsec authentication and encryption applied to packets using AH (Authentication Header) and ESP
(Encapsulation Security Payload) headers. A transform_list specifies the transforms acceptable for packets using the
policy. The HP-UX IPSec IKE daemon proposes the transform_list when negotiating the transform for IPsec Security
Associations (SAs) with a remote system.
The transforms in the transform_list of a host policy are transport transforms and apply to the host-to-host SA (transport SA)
between the source and destination addresses.
If you are using manual keys, the transform list can contain only one transform.
If you are using dynamic keys, the transform list can contain:
o up to 6 ESP transforms
o up to 2 AH transforms
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable and the last
transform is the least preferable. At least one transform must match a transform configured on the remote system.
The format for each transform is:
where the variables are defined as follows:
transform_name
One of the following AH (Authentication Header) or ESP (Encapsulation Security Payload) transform specifications.
(AH, with 128-bit key Hashed Message Authentication Code
using RSA Message Digest-5, HMAC-MD5.)
(AH, with 160-bit key HMAC
using Secure Hash Algorithm-1, HMAC-SHA1.)
(ESP with triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC, authenticated with HMAC-MD5.)
(ESP with triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC, authenticated with HMAC-SHA1.)
(ESP with 128-bit Advanced Encryption Standard CBC,
authenticated with HMAC-MD5.)
(ESP with 128-bit Advanced Encryption Standard CBC,
authenticated with HMAC-SHA1.)
(ESP, with null encryption and authenticated with HMAC-MD5.)
(ESP, with null encryption and authenticated with HMAC-SHA1.)
is the most secure form of encryption, with performance comparable to or better than
lifetime_seconds
The maximum lifetime for the IPsec SA, in seconds. A transform lifetime can be specified by time (seconds), and
by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is
exceeded. HP recommends that you do not specify an infinite lifetime_seconds (0) with a finite value for
lifetime_kbytes.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite) - 4294967295 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The maximum lifetime for the IPsec SA, measured by kilobytes transmitted or received. A transform lifetime can
be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to
be exceeded if either value is exceeded.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 5120 - 2147483647 kilobytes.
Default: 0 (infinite).
Note: HP recommends that you do not specify an infinite value for lifetime_seconds(0) with a finite value for
lifetime_kbytes.
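The transform_list rules above (one transform with manual keys, at most 6 ESP and 2 AH transforms with dynamic keys, lifetime ranges, the warning about an infinite lifetime_seconds with a finite lifetime_kbytes, and preference order when matching the peer) as a checker. This is an added illustration, not code from ipsec_config; the Transform record and the cipher and MAC names it uses are this example's own representation, not the command's argument syntax.

```python
"""Checks on a host IPsec policy transform_list (added example)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_ESP_DYNAMIC = 6               # up to 6 ESP transforms with dynamic keys
MAX_AH_DYNAMIC = 2                # up to 2 AH transforms with dynamic keys
MAX_LIFETIME_SECONDS = 4294967295
MIN_LIFETIME_KBYTES, MAX_LIFETIME_KBYTES = 5120, 2147483647
DEFAULT_LIFETIME_SECONDS = 28800  # 8 hours
DEFAULT_LIFETIME_KBYTES = 0       # infinite

ESP_CIPHERS = ("3DES", "AES128", "NULL")   # example's own names
MACS = ("HMAC-MD5", "HMAC-SHA1")


@dataclass(frozen=True)
class Transform:
    proto: str                              # "AH" or "ESP"
    auth: str                               # one of MACS
    enc: Optional[str] = None               # ESP only: one of ESP_CIPHERS
    lifetime_seconds: Optional[int] = None  # None: use the default
    lifetime_kbytes: Optional[int] = None   # None: use the default

    def algorithm(self):
        """The (protocol, cipher, MAC) triple that must match on the peer."""
        return (self.proto, self.enc, self.auth)


def validate_transform_list(transforms: List[Transform],
                            manual_keys: bool) -> List[str]:
    """Return the problems found; an empty list means the list is acceptable."""
    problems: List[str] = []
    if not transforms:
        return ["transform list is empty"]
    if manual_keys and len(transforms) != 1:
        problems.append("manual keys allow exactly one transform, "
                        f"got {len(transforms)}")
    if not manual_keys:
        n_esp = sum(t.proto == "ESP" for t in transforms)
        n_ah = sum(t.proto == "AH" for t in transforms)
        if n_esp > MAX_ESP_DYNAMIC:
            problems.append(f"{n_esp} ESP transforms exceeds {MAX_ESP_DYNAMIC}")
        if n_ah > MAX_AH_DYNAMIC:
            problems.append(f"{n_ah} AH transforms exceeds {MAX_AH_DYNAMIC}")
    for pos, t in enumerate(transforms, start=1):
        where = f"transform {pos} {t.algorithm()}"
        if t.proto not in ("AH", "ESP"):
            problems.append(f"{where}: protocol must be AH or ESP")
            continue
        if t.auth not in MACS:
            problems.append(f"{where}: authentication must be one of {MACS}")
        if t.proto == "AH" and t.enc is not None:
            problems.append(f"{where}: AH transforms carry no cipher")
        if t.proto == "ESP" and t.enc not in ESP_CIPHERS:
            problems.append(f"{where}: ESP cipher must be one of {ESP_CIPHERS}")
        if manual_keys:
            # lifetime_seconds and lifetime_kbytes are not valid with manual keys
            if t.lifetime_seconds is not None or t.lifetime_kbytes is not None:
                problems.append(f"{where}: lifetimes are not valid with manual keys")
            continue
        secs = (DEFAULT_LIFETIME_SECONDS if t.lifetime_seconds is None
                else t.lifetime_seconds)
        kbytes = (DEFAULT_LIFETIME_KBYTES if t.lifetime_kbytes is None
                  else t.lifetime_kbytes)
        if not 0 <= secs <= MAX_LIFETIME_SECONDS:
            problems.append(f"{where}: lifetime_seconds {secs} out of range")
        if kbytes != 0 and not MIN_LIFETIME_KBYTES <= kbytes <= MAX_LIFETIME_KBYTES:
            problems.append(f"{where}: lifetime_kbytes {kbytes} out of range")
        if secs == 0 and kbytes != 0:
            # either limit ends the SA, so this combination rekeys only by volume
            problems.append(f"{where}: infinite lifetime_seconds with a finite "
                            "lifetime_kbytes is not recommended")
    return problems


def select_transform(local: List[Transform],
                     remote: List[Transform]) -> Optional[Transform]:
    """The first transform in the local preference order that the peer also
    offers; None means no transform matches and negotiation cannot succeed."""
    remote_algs = {r.algorithm() for r in remote}
    for t in local:
        if t.algorithm() in remote_algs:
            return t
    return None


if __name__ == "__main__":
    # Constructed sample: the local side prefers AES128 and falls back to 3DES.
    local = [Transform("ESP", "HMAC-SHA1", "AES128"),
             Transform("ESP", "HMAC-SHA1", "3DES", lifetime_kbytes=100000)]
    remote = [Transform("ESP", "HMAC-SHA1", "3DES")]
    print(validate_transform_list(local, manual_keys=False))
    print(select_transform(local, remote))
```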
Additional options for this policy. Join multiple flags with a plus sign
Specifies session-based keying.
Session-based keying uses a different pair of IPsec SAs per connection or session. Only packets with the same source IP
address, destination IP address, network protocol, source port, and destination port will use the same IPsec SA.
Session-based keying incurs more overhead but provides more security and privacy. If you do not specify session-based
keying, all packets using the same IPsec policy to the same remote system will share the same IPsec SA pair and
cryptography keys.
You cannot specify the flag with manual keys, or if the action is or
Specifies that IPsec packets can pass
in clear text if the local system is the initiator in an IKE negotiation and the negotiation fails or if the system receives
a packet in clear text and there is no existing IPsec SA or kernel policy cache entry for an IPsec SA. In both cases, HP-UX
IPSec adds an entry to the kernel policy cache to allow subsequent inbound and outbound packets for the 5-tuple (defined by
source and destination IP addresses, protocol, and source and destination port numbers) to pass in clear text.
This feature weakens IPsec security but is useful when configuring host policies for remote subnets where not all nodes in
the subnet support IPsec. The flag is not valid if the action is or or if the policy specifies a tunnel.
No additional options.
Default: The value of the flags parameter in the section of the profile file used. The default flags value is in
Specifies destination or source ICMPv4 type values for the policy.
You must specify to use these arguments. If you specify or and do not specify or arguments, the policy applies to all ICMPv4
message types.
Acceptable values: An integer in the range 0 - 255 or
Specifies destination or source ICMPv6 type values for the policy.
You must specify to use these arguments. If you specify or and do not specify or arguments, the policy applies only to the
following ICMPv6 message types:
Echo Request
Echo Reply
Mobile Prefix Solicitation
Mobile Prefix Advertisement
To ensure proper operation of IPv6 networks, the default behavior of HP-UX IPSec always allows all ICMPv6 messages not listed above
to pass in clear text.
Acceptable values: An integer in the range 0 - 255 or
CAUTION: Discarding or requiring ICMP messages to be encrypted or authenticated can cause connectivity problems.
Specify the
manual_key_SA_specification and manual_key_SA_specification arguments to use static, manual keys for the IPsec SAs.
The format of the manual_key_SA_specification is:
where the values are defined as follows:
type Type of IPsec transform.
Acceptable values: (Authentication Header) or (Encapsulating Security Payload).
spi Security Parameters Index (SPI) number, used to identify the SA. You can specify the SPI in hexadecimal, prefixed by 0x, or
decimal. For an inbound SA, the SPI must be unique on the local system within the SPIs assigned for each SA type (AH or
ESP), must be outside the range for dynamic key SPI numbers, and must match the SPI configured on the remote system for the
outbound SA.
For an outbound SA, the SPI must match what is configured on the remote system for the inbound SA, and must be unique on the
remote system.
Range: Manual key SPI numbers must be outside the range for dynamic key SPI numbers. In installations using the default
range for dynamic key SPI numbers (300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299 and 2500001 -
4294967295.
Refer to the spi_min and spi_max parameters for the command for more information on the range for dynamic key SPI numbers.
auth_key
The hexadecimal authentication key (prefixed by The auth_key value must match what is configured on the remote system.
Acceptable values: Hexadecimal digits, prefixed by
Type Default
-----------------------------------------
MD5 32 hexadecimal digits (128 bits)
SHA-1 40 hexadecimal digits (160 bits)
enc_key
The hexadecimal encryption key (prefixed by This is required only for ESP. The enc_key value must match what is configured
on the remote system.
Acceptable values: Hexadecimal digits, prefixed by
Type Default
------------------------------------------
3DES 48 hexadecimal digits (192 bits)
AES128 32 hexadecimal digits (128 bits)
For 3DES, HP-UX IPSec replaces the eighth bit of each byte with an odd parity bit. The 3DES algorithm uses only the first
seven bits of each byte for encryption.
iv Initialization Vector (IV) definition. Required only for SAs using or Hexadecimal (prefixed by 64-bit initial block used
for cipher block chaining encryption. This must match what is configured on the remote system.
Range: 64 bits (16 hexadecimal digits),
Default:
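The manual_key_SA_specification rules above (SPI in hexadecimal or decimal and outside the dynamic key SPI range, key lengths per algorithm, the 64-bit IV, and the odd parity bit HP-UX IPSec writes into each 3DES key byte) as a parser and checker. This is an added illustration, not code from ipsec_config; the keyword names are this example's own, the default spi_min/spi_max values are the ones stated in this page, and the IV is assumed to be required for the two CBC ciphers, 3DES and AES128.

```python
"""Parse and check one manual key SA specification (added example)."""
import re
from typing import Dict, Optional

DEFAULT_DYNAMIC_SPI = (300, 2500000)             # default spi_min / spi_max
SPI_MAX = 4294967295
AUTH_KEY_HEX_DIGITS = {"MD5": 32, "SHA-1": 40}   # 128 / 160 bits
ENC_KEY_HEX_DIGITS = {"3DES": 48, "AES128": 32}  # 192 / 128 bits
IV_HEX_DIGITS = 16                               # 64 bits
CBC_CIPHERS = ("3DES", "AES128")                 # assumption: these need an IV


def parse_spi(text: str) -> int:
    """SPI given in hexadecimal (prefixed by 0x) or in decimal."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 1 <= value <= SPI_MAX:
        raise ValueError(f"SPI {text} outside 1 - {SPI_MAX}")
    return value


def spi_outside_dynamic_range(spi: int, dynamic=DEFAULT_DYNAMIC_SPI) -> bool:
    """Manual key SPIs must not collide with the range IKE hands out."""
    lo, hi = dynamic
    return spi < lo or spi > hi


def parse_hex_key(text: str, digits: int, what: str) -> bytes:
    """A 0x-prefixed hex string with exactly the expected number of digits."""
    if not text.lower().startswith("0x"):
        raise ValueError(f"{what} must be prefixed by 0x")
    body = text[2:]
    if len(body) != digits or not re.fullmatch(r"[0-9a-fA-F]*", body):
        raise ValueError(f"{what} must be {digits} hexadecimal digits")
    return bytes.fromhex(body)


def des_odd_parity(key: bytes) -> bytes:
    """Replace the eighth (least significant) bit of each byte with an odd
    parity bit; only the top seven bits of each byte are key material."""
    out = bytearray()
    for b in key:
        top7 = b & 0xFE
        ones = bin(top7).count("1")
        out.append(top7 | (0 if ones % 2 else 1))
    return bytes(out)


def check_manual_sa(sa_type: str, spi: str, auth_alg: str, auth_key: str,
                    enc_alg: Optional[str] = None,
                    enc_key: Optional[str] = None,
                    iv: Optional[str] = None,
                    dynamic_spi=DEFAULT_DYNAMIC_SPI) -> Dict[str, object]:
    """Validate one SA specification and return its parsed fields.
    Raises ValueError describing the first problem found."""
    if sa_type not in ("AH", "ESP"):
        raise ValueError("type must be AH or ESP")
    spi_value = parse_spi(spi)
    if not spi_outside_dynamic_range(spi_value, dynamic_spi):
        raise ValueError(f"SPI {spi_value} lies in the dynamic key range "
                         f"{dynamic_spi[0]} - {dynamic_spi[1]}")
    if auth_alg not in AUTH_KEY_HEX_DIGITS:
        raise ValueError("authentication algorithm must be MD5 or SHA-1")
    parsed: Dict[str, object] = {
        "type": sa_type,
        "spi": spi_value,
        "auth_key": parse_hex_key(auth_key, AUTH_KEY_HEX_DIGITS[auth_alg],
                                  "auth_key"),
    }
    if sa_type == "AH":
        if enc_key is not None or iv is not None:
            raise ValueError("AH takes no enc_key or iv")
        return parsed
    if enc_alg not in ENC_KEY_HEX_DIGITS or enc_key is None:
        raise ValueError("ESP requires enc_alg (3DES or AES128) and enc_key")
    key = parse_hex_key(enc_key, ENC_KEY_HEX_DIGITS[enc_alg], "enc_key")
    if enc_alg == "3DES":
        key = des_odd_parity(key)   # the key bytes the kernel actually uses
    parsed["enc_key"] = key
    if enc_alg in CBC_CIPHERS:
        if iv is None:
            raise ValueError(f"{enc_alg} requires an iv")
        parsed["iv"] = parse_hex_key(iv, IV_HEX_DIGITS, "iv")
    return parsed


if __name__ == "__main__":
    # Constructed sample values, not real keys: an inbound ESP SA below spi_min.
    sa = check_manual_sa("ESP", "0x100", "SHA-1", "0x" + "ab" * 20,
                         "AES128", "0x" + "01" * 16, "0x" + "00" * 8)
    print(sa["spi"], len(sa["enc_key"]), len(sa["iv"]))
```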
The utility verifies the host IPsec policy, but does not add it to the configuration database. This argument is not valid if
you are specifying an operation in a batch file.
The name of the profile file containing default argument values for this
policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from
the profile file become part of the configuration record for the policy. This argument is not valid if you are specifying
an operation in a batch file.
Maximum length: 1023 characters.
Default:
Examples
Configure a host IPsec policy that requires all outbound rlogin sessions (where the local system is an rlogin client) to use ESP, with
AES128 encryption and HMAC SHA-1 authentication.
Configure a host IPsec policy that requires all telnet requests (where the local system is the telnet server) from subnet to use ESP, with
AES128 encryption and HMAC SHA-1 authentication.
Configure a host IPsec policy for an application that listens for requests on local TCP port
The policy requires all packets connecting to the application to use AH with HMAC SHA-1 authentication.
The local system is using a host-to-host tunnel with system Configure a host IPsec policy that references the tunnel policy and specifies
clear text (no transform) for the transport (end-to-end) transform. The command used to configure the tunnel is listed in the examples for
the command.
Configure a host IPsec policy that uses manual keys for ESP, with AES128 encryption and HMAC SHA-1 authentication for all packets between
local address and remote address
IPSEC_CONFIG ADD IKEV1 COMMAND
Name
- configure an Internet Key Exchange version 1 (IKEv1) policy
Synopsis
ikev1_policy_name
priority_number]
group_number]
hash_algorithm
encryption_algorithm]
profile_name]
Description
Use the command to configure an Internet Key Exchange version 1 (IKEv1) policy. HP-UX IPSec uses the parameters in an IKEv1 policy when
establishing IKEv1 Security Associations (SAs) with remote systems. IPsec uses IKE SAs to negotiate IPsec SAs; an IKE SA must exist with a
remote system before IPsec can negotiate IPsec SAs.
When initiating IKE negotiations, the IKE version used is determined by the key management protocol field in the authentication record, as
configured using the argument in the command. When responding to IKE negotiation requests, the IKE version used is determined by
information in the header of the IKE message, and verified against the key management protocol field in the authentication record.
You can also use the command to modify the preloaded IKEv1 policy. HP-UX IPSec uses the IKEv1 policy for IKEv1 negotiations when no other
IKEv1 policy matches the peer's IP address. The IKEv1 policy has the following parameter values:
Address: None. This argument is not supported for the default policy and the default policy matches all
remote IP addresses.
Diffie-Hellman Group: 2
IKEv1 hash algorithm: MD5
IKEv1 encryption algorithm: 3DES
IKEv1 SA lifetime: 28,800 seconds (8 hours)
PFS: OFF
You cannot delete the default IKEv1 policy. You do not need to configure IKEv1 policies if the default parameters meet your requirements,
if you are using only manual keys for IPsec, or if you are only using HP-UX IPSec to discard packets.
Options and Operands
ikev1_policy_name
The user-defined name for the IKEv1 policy. This name must be unique for each IKEv1 policy and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen or underscore
The name is reserved. The configuration database contains a preloaded IKEv1 policy. The policy is the last policy in the
search order. You cannot delete the policy, but you can modify it using the command.
The IP address and network prefix length that specifies the remote system or
subnet for this policy.
This argument is not valid for the IKEv1 policy. The IKEv1 policy matches all addresses.
ip_addr
The remote IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a
specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet
broadcast, multicast, or anycast address.
Default: None.
prefix
The prefix length, or the number of leading bits that must match when comparing an IP address of the remote system
with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. Use a value
less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a
value less than 128 to specify a subnet address filter.
The default is 0 (match any address) if ip_addr is an all-zeros address ( or
Specifies the priority value HP-UX IPSec will use when selecting an
IKE policy (a lower priority value has a higher priority). The priority must be unique for each IKE policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, assigns a priority value that is set to the current highest priority value (lowest
priority) in the configuration database, incremented by the automatic priority increment value (priority) for IKEv1 policies
specified in the section of the profile file (this policy will be the last policy). The default automatic priority increment
value (priority) is 10.
If this is the first IKEv1 policy created, uses the automatic priority increment value as the priority.
The Diffie-Hellman group used to
select initial Diffie-Hellman values. You can specify multiple group_number values, delimited by commas and no spaces, in
descending order of preference. At least one group number must match a Diffie-Hellman group number configured on the remote
system.
HP recommends that you do not use group 1 unless you are required to for compatibility reasons. For efficiency when
negotiating IKE SAs, HP recommends that you specify the group that is most commonly used in your network first, other than group 1.
Acceptable values:
(MODP, 768-bit exponent)
(MODP, 1024-bit exponent)
(MODP, 1536-bit exponent)
(MODP, 2048-bit exponent)
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the hash algorithm for authenticating IKE messages.
You can specify multiple hash_algorithm values, delimited by commas and no spaces, in descending order of preference. At
least one hash algorithm must match a hash algorithm configured on the remote system.
Acceptable values:
128-bit key using Message Digest 5, MD5.
160-bit key using Secure Hash Algorithm-1, SHA1.
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the encryption algorithm for encrypting IKE messages.
You can specify multiple encryption_algorithm values, delimited by commas and no spaces, in descending order of preference.
At least one encryption algorithm must match an encryption algorithm configured on the remote system.
Acceptable values:
128-bit Advanced Encryption Standard, AES128-CBC
triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC
Null encryption
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the maximum lifetime for the IKE SA, in seconds.
Range: 0 (infinite) or 600 - 4294967295 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
Specifies if Perfect Forward Secrecy is enabled
or disabled. With PFS, the exposure of one key permits access only to data protected by that key. When PFS is enabled, the IKE
daemon performs a Diffie-Hellman exchange for each IPsec SA negotiation.
This must match what is configured on the remote system. Do not enable key for negotiations with systems using an HP-UX
IPSec release prior to A.03.00.
Acceptable values:
Enable PFS
Disable PFS
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
The utility verifies the policy, but does not add it to the configuration database. This argument is not valid if you specify an
operation in a batch file.
The name of the profile file containing default argument values for this
policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from
the profile file become part of the configuration record for the policy. This argument is not valid if you specify an
operation in a batch file.
Maximum length: 1023 characters.
Default:
Example
Modify the IKEv1 default policy to use Diffie-Hellman group 5 or 2, with a higher preference for group 5:
IPSEC_CONFIG ADD IKEV2 COMMAND
Name
- configure an Internet Key Exchange version 2 (IKEv2) policy
Synopsis
ikev2_policy_name
priority_number]
group_number]
hash_algorithm
encryption_algorithm]
pseudo-random_function]
profile_name]
Description
Use the command to configure an Internet Key Exchange version 2 (IKEv2) policy. HP-UX IPSec uses the parameters in an IKEv2 policy when
establishing IKEv2 Security Associations (SAs) with remote systems. IPsec uses IKE SAs to negotiate IPsec SAs; an IKE SA must exist with a
remote system before IPsec can negotiate IPsec SAs.
When initiating IKE negotiations, the IKE version used is determined by the key management protocol field in the authentication record, as
configured using the argument in the command. When responding to IKE negotiation requests, the IKE version used is determined by
information in the header of the IKE message, and verified against the key management protocol field in the authentication record.
You can also use the command to modify the preloaded IKEv2 policy. HP-UX IPSec uses the IKEv2 policy for IKEv2 negotiations when no other
IKEv2 policy matches the peer's IP address. The IKEv2 policy has the following parameter values:
Address: None. This argument is not supported for the default policy and the default policy matches all
remote IP addresses.
Diffie-Hellman Group: 2
IKEv2 hash algorithm: HMAC-SHA1
IKEv2 encryption algorithm: 3DES
Pseudo-random function (PRF): HMAC-SHA1
IKEv2 SA lifetime: 28,800 seconds (8 hours)
PFS: OFF
You cannot delete the default IKEv2 policy. You do not need to configure IKEv2 policies if the default parameters meet your requirements,
if you are using only manual keys for IPsec, or if you are only using HP-UX IPSec to discard packets.
Options and Operands
ikev2_policy_name
The user-defined name for the IKEv2 policy. This name must be unique for each IKEv2 policy and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen or underscore
The name is reserved. The configuration database contains a preloaded IKEv2 policy. The policy is the last policy in the
search order. You cannot delete the policy, but you can modify it using the command.
The IP address and network prefix length that specifies the remote system or
subnet for this policy.
This argument is not valid for the IKEv2 policy. The IKEv2 policy matches all addresses.
ip_addr
The remote IP address.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation.
HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a
specified IPv6 address to denote a number of zeros (0) within an address. The address cannot be a broadcast, subnet
broadcast, multicast, or anycast address.
Default: None.
prefix
The prefix length, or the number of leading bits that must match when comparing an IP address of the remote system
with ip_addr.
For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. Use a value
less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a
value less than 128 to specify a subnet address filter.
The default is 0 (match any address) if ip_addr is an all-zeros address ( or
Specifies the priority value HP-UX IPSec will use when selecting an
IKE policy (a lower priority value has a higher priority). The priority must be unique for each IKE policy.
Range: 1 - 2147483647.
Default: If you do not specify a priority, assigns a priority value that is set to the current highest priority value (lowest
priority) in the configuration database, incremented by the automatic priority increment value (priority) for IKEv2 policies
specified in the section of the profile file (this policy will be the last policy). The default automatic priority increment
value (priority) is 10.
If this is the first IKEv2 policy created, uses the automatic priority increment value as the priority.
The Diffie-Hellman group used to
select initial Diffie-Hellman values. You can specify multiple group_number values, delimited by commas and no spaces, in
descending order of preference. At least one group number must match a Diffie-Hellman group number configured on the remote
system.
HP recommends that you do not use group 1 unless you are required to for compatibility reasons. For efficiency when
negotiating IKE SAs, HP recommends that you specify the group that is most commonly used in your network first, other than group 1.
Acceptable values:
(MODP, 768-bit exponent)
(MODP, 1024-bit exponent)
(MODP, 1536-bit exponent)
(MODP, 2048-bit exponent)
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the hash algorithm for authenticating IKE messages.
You can specify multiple hash_algorithm values, delimited by commas and no spaces, in descending order of preference. At
least one hash algorithm must match a hash algorithm configured on the remote system.
Acceptable values:
96-bit key using Advanced Encryption Standard Extended Cipher Block Chaining mode Message Authentication Code, AES96-XCBC-MAC.
128-bit key HMAC using Message Digest 5, MD5.
160-bit key HMAC using Secure Hash Algorithm-1, HMAC-SHA1.
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the encryption algorithm for encrypting IKE messages.
You can specify multiple encryption_algorithm values, delimited by commas and no spaces, in descending order of preference.
At least one encryption algorithm must match an encryption algorithm configured on the remote system.
Acceptable values:
128-bit Advanced Encryption Standard, AES128-CBC
triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC
Null encryption
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the pseudo-random function (PRF) algorithm for generating keying
material. You can specify multiple pseudo-random_function values, delimited by commas and no spaces, in descending order of
preference. At least one PRF algorithm must match a PRF algorithm configured on the remote system.
Acceptable values:
128-bit Advanced Encryption Standard, AES128-XCBC
96-bit HMAC value using Secure Hash Algorithm-1, HMAC-SHA1
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
Specifies the maximum lifetime for the IKE SA, in seconds.
Range: 0 (infinite) or 600 - 4294967295 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
Specifies if Perfect Forward Secrecy is enabled
or disabled. With PFS, the exposure of one key permits access only to data protected by that key. When PFS is enabled, the IKE
daemon performs a Diffie-Hellman exchange for all IKE and IPsec SA negotiations after the initial IPsec SA pair is created,
and a new Diffie-Hellman exchange for any SA re-keying.
This must match what is configured on the remote system.
Acceptable values:
Enable PFS
Disable PFS
Default: The value of the parameter in the section of the profile file used. The default parameter value is in
The utility verifies the policy, but does not add it to the configuration database. This argument is not valid if you specify an
operation in a batch file.
The name of the profile file containing default argument values for this
policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from
the profile file become part of the configuration record for the policy. This argument is not valid if you specify an
operation in a batch file.
Maximum length: 1023 characters.
Default:
Example
Modify the IKEv2 default policy to use AES-XCBC and HMAC-SHA1 for the IKEv2 hash algorithm, with a higher preference for AES-XCBC.
IPSEC_CONFIG ADD MYCERT COMMAND
Name
- add a certificate for the local system to the HP-UX IPSec storage scheme.
Synopsis
port_number]
search_filter] user_name password]]
Description
The command adds a certificate for the local system to the HP-UX IPSec storage scheme. There are two syntax formats for the command:
o
This syntax extracts the certificate from a file. The certificate must be encoded using Privacy-Enhanced Mail base64 (PEM),
Abstract Syntax Notation 1 (ASN.1) Distinguished Encoding Rules (DER) or Public Key Cryptography Standards #12 (PKCS#12)
format. If the file is encoded using PKCS#12 format and includes the corresponding private key, also extracts the private key.
o
This syntax retrieves the certificate from an LDAP directory. The certificate must be encoded using DER.
The utility stores the certificate in the file and the private key in the file The command is one of four commands for using certificates
with HP-UX IPSec; the other commands are and
Options and Operands
The command recognizes the following options and operands:
Specifies the name of the DER, PEM, or PKCS#12 file containing the certificate for the local system. If this is a PKCS#12 file,
prompts for the password and extracts the private key.
Specifies the hostname or IP address of the LDAP server where the certificate
for the local system is stored.
Default: None.
Specifies the TCP port number for the LDAP server.
Range: 1 - 65535.
Default: 389, the IANA registered port number for LDAP.
Search base for the certificate, in X.500 Distinguished Name (DN) format,
such as The search_base with the filter appended to it forms a search path to the location of the userCertificate object
in the LDAP directory.
The maximum length of the search_base is 272 characters. If there are spaces in the DN, you must enclose the DN in double
quotes (" "). For example,
Default: None.
An RFC 2254-compliant LDAP search filter. If it includes spaces or shell
special characters, enclose the value in double quotes. For example,
The maximum length of the filter is 272 characters.
Default: (match all objectClass values).
User name and password needed to access the LDAP directory.
If the user name includes spaces, enclose the name in double quotes.
Default: None.
Examples
Load the certificate saved in the file
Load the certificate from the LDAP server 192.6.2.1, at path
IPSEC_CONFIG ADD STARTUP COMMAND
Name
- specify general operating parameters and configure HP-UX IPSec to automatically start at system boot-up
Synopsis
audit_level]
audit_directory]
max_size]
spi_min_value]
spi_max_value]
spd_soft_limit]
spd_hard_limit]
profile_name]
Description
Use the command to specify general operating parameters and to configure HP-UX IPSec to automatically start at system boot-up time. The
general operating parameters will be used when HP-UX IPSec is started at boot-up time or when the command is entered. (If you change the
general operating parameters, the changes do not take effect until the next time HP-UX IPSec starts.) Administrators can override the con-
figured general operating parameters using arguments in the command line.
Options and Operands
The command recognizes the following options and operands:
Configure HP-UX IPSec to automatically start at system boot-up time.
Acceptable values: (HP-UX IPSec does not automatically start at boot-up time) or (HP-UX IPSec automatically starts at boot-up
time).
Default: The value of the parameter in the section of the profile file used. The default value is OFF in
Specifies the audit level for the HP-UX IPSec subsystem.
Valid audit levels are listed below, in ascending order:
Higher audit levels include all lower levels.
Default: If you do not specify audit_level, the default is the level specified for the audit parameter in the section of the
profile file used. The default audit level is which includes in
Refer to ipsec_admin(1M) for descriptions of the audit levels.
Specifies the directory in which HP-UX IPSec creates audit files.
Allowable values: Full file path name, up to 1023 characters long.
Default: If you do not specify audit_directory, the default is the directory specified for the directory parameter in the section
of the profile file used. The default directory value is in
Specifies the maximum size of an audit file (in kilobytes) that HP-UX
IPSec allows before it creates a new audit file.
Range: 1 - 4294967295.
Default: If you do not specify max_size, the default is the value specified for the maxsize parameter in the section of the
profile file used. The default maxsize value is 100 (kilobytes) in
Specifies the lower bound for inbound, dynamic key
Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal.
Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).
Default: If you do not specify spi_min_value, the default is the value specified for the spi_min parameter in the section of the
profile file used. The default spi_min value is 300 in
Specifies the upper bound for inbound, dynamic key
Security Parameters Index (SPI) numbers in hexadecimal, prefixed by 0x, or decimal.
Range: 1 - 4294967295 (0x1 - 0xFFFFFFFF hexadecimal).
Default: If you do not specify spi_max_value, the default is the value specified for the spi_max parameter in the section of the
profile file used. The default spi_max value is 2500000 in
Specifies the "soft" limit for the size of the Security Policy Database (SPD).
The SPD is the HP-UX IPSec runtime policy database, with cached policy decisions for packet descriptors (five-tuples consisting
of exact, non-wildcard source IP address, destination IP address, protocol, source port, and destination port).
When the size of the SPD exceeds the soft limit, HP-UX IPSec logs a warning message to the system console, and logs an additional
warning message to the system console for each 1000 SPD entries added.
The spd_soft_limit is measured in units of 1000 entries.
Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).
Default: If you do not specify spd_soft_limit, the default is the value specified for the spd_soft parameter in the section of
the profile file used. The default spd_soft value is 25 (25000 entries; approximately 58000 Kbytes of memory) in
Specifies the "hard" limit for the size of the Security Policy Database (SPD).
When the size of the SPD exceeds the hard limit, HP-UX IPSec stops adding new cache entries, and discards any packets that do not
match existing entries.
The spd_hard_limit is measured in units of 1000 entries.
Range: 1 - 1000000 units of 1000 entries (1000 - 1000000000 entries).
Default: If you do not specify spd_hard_limit, the default is the value specified for the spd_hard parameter in the section of
the profile file. The default spd_hard value is 50 (50000 entries; approximately 116000 Kbytes of memory) in
Enable or disable RFC 4301 security processing for ICMP error messages.
When enabled, an IPsec SA used to secure a normal network session is also used to secure any ICMP or ICMPv6 error messages
generated by that session.
Default: If you do not configure the ICMP error processing parameter, the default is the value specified for the parameter in the
section of the profile file. The default value for is in This matches HP-UX IPSec behavior in releases prior to HP-UX IPSec
A.03.00.
The utility verifies the policy, but does not add it to the configuration database. This argument is not valid if you specify an
operation in a batch file.
The name of the profile file containing default argument values for this
policy. The argument values are evaluated once, when the policy is added to the configuration database. Values used from the
profile file become part of the configuration record for the policy. This argument is not valid if you specify an operation in a
batch file.
Maximum length: 1023 characters.
Default:
Examples
Configure HP-UX IPSec to automatically start at system boot-up time, and to create audit files in the directory. All other startup
parameters will be set to the default values.
Configure HP-UX IPSec to create audit files in the directory. All other startup parameters will be set to the default values; autoboot
will be set to OFF.
IPSEC_CONFIG ADD TUNNEL COMMAND
Name
- configure tunnel IPsec policies.
Synopsis
tunnel_policy_name
tunnel_address]
tunnel_address]
protocol_id]
transform_list]
manual_key_sa_specification manual_key_sa_specification]
profile_name]
DESCRIPTION
Use the command to configure tunnel IPsec policies. Tunnel IPsec policies specify HP-UX IPSec behavior for IP packets tunneled by the
local system. In an IPsec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPsec packet with an AH or ESP
header. The other tunnel endpoint system processes the AH or ESP header, decapsulates the packet, and sends the packet to the destination
address in the original packet header.
Tunnel IPsec policies are referenced in host IPsec policies. HP-UX IPSec first selects a host IPsec policy to use for a packet. If the
IPsec policy specifies a tunnel policy, HP-UX IPSec uses the information in the tunnel IPsec policy to establish an IPsec tunnel with the
tunnel_destination.
Options and Operands
The command recognizes the following options and operands:
tunnel_policy_name
The user-defined name for the tunnel IPsec policy. This name must be unique for each tunnel IPsec policy and is case-sensitive.
Acceptable values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen or underscore
The IP address for the tunnel endpoint.
The tunnel_address is the local tunnel endpoint; the tunnel_address is the remote tunnel endpoint.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address
type (IPv4 or IPv6) must be the same for the tunnel source and destination address. HP-UX IPSec does not support unspecified
IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros(0) within an address. The address must be a unicast address.
Default: If you are using manual keys, the and arguments are required. If you are not using manual keys and you omit the option,
uses the IP address and prefix from the option for the address; if you omit the option, uses the IP address and prefix from the
option for the address.
You can repeat the
or arguments up to 20 times each. HP-UX IPSec uses the and arguments with the argument to form IKEv2 traffic selectors or IKEv1
proxy IDs.
Default: If you do not specify or arguments, uses the value of the source or destination parameter in the section of the profile
file used. The default value for source and destination is 0.0.0.0 (match any IPv4 address) in
Where the values are defined as follows:
ip_addr
The source or destination IP address of the end system. You can specify a single IP address, or an address range with
two addresses separated by a dash and no spaces. The second address in a range must be a higher number than the first.
For example, 10.1.1.1-10.1.1.3 matches any of the following addresses: 10.1.1.1, 10.1.1.2, 10.1.1.3.
Acceptable values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP
address type or must be the same for all addresses in the policy. HP-UX IPSec does not support unspecified IPv6
addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of
zeros(0) within an address. The address cannot be a broadcast, subnet broadcast, multicast, or anycast address.
prefix
Specifies the prefix length, or the number of leading bits that must match when comparing the IP address of a packet
with ip_addr. If the ip_addr is an address range, the prefix applies to all addresses in the range.
For IPv4 addresses, a prefix length of 32 bits specifies that all the bits in the policy address must match the packet
address. Use a value less than 32 to specify a subnet address filter.
For IPv6 addresses, a prefix length of 128 bits specifies that all the bits in the policy address must match the packet
address. Use a value less than 128 to specify a subnet address filter.
Type Range Default
-------------------------------------------------
IPv4 0 - 32 32 (0 if address is all-zeros)
IPv6 0 - 128 128 (0 if address is all-zeros)
The default is 0 (match any address) if ip_addr is an all-zeros address ( or
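The following Python example, added here and not part of HP-UX IPSec, emulates the ip_addr/prefix address filter described above: a single address or a dash-separated range, the default prefix (full length, or 0 for an all-zeros address), and the rule that the prefix applies to every address in a range. The "addr[-addr][/prefix]" spelling used to join ip_addr and prefix is an assumption, since the format line is not reproduced on this page.

```python
import ipaddress

# Added example, not HP-UX IPSec code: emulate the ip_addr/prefix address
# filter described above. The "addr[-addr][/prefix]" spelling is an assumption.

def parse_filter(spec):
    """Return (lo, hi, prefix) for 'addr[/prefix]' or 'addr1-addr2[/prefix]'."""
    addr_part, _, prefix_part = spec.partition("/")
    if "-" in addr_part:
        lo, hi = (ipaddress.ip_address(s) for s in addr_part.split("-", 1))
        if lo.version != hi.version:
            raise ValueError("both range endpoints must be the same IP version")
        if hi <= lo:
            raise ValueError("second address in a range must be higher than the first")
    else:
        lo = hi = ipaddress.ip_address(addr_part)
    for a in (lo, hi):
        if a.is_multicast:
            raise ValueError("multicast addresses are not allowed in a policy")
    maxlen = lo.max_prefixlen                # 32 for IPv4, 128 for IPv6
    if prefix_part:
        prefix = int(prefix_part)
        if not 0 <= prefix <= maxlen:
            raise ValueError(f"prefix must be 0 - {maxlen} for IPv{lo.version}")
    else:
        # Default: full length, or 0 (match any) when the address is all zeros.
        prefix = 0 if int(lo) == 0 and int(hi) == 0 else maxlen
    return lo, hi, prefix

def matches(spec, packet_addr):
    """True if packet_addr is selected by the filter (leading prefix bits match)."""
    lo, hi, prefix = parse_filter(spec)
    pkt = ipaddress.ip_address(packet_addr)
    if pkt.version != lo.version:            # an IPv4 filter never matches IPv6
        return False
    maxlen = pkt.max_prefixlen
    mask = ((1 << maxlen) - 1) ^ ((1 << (maxlen - prefix)) - 1)
    # With a range the prefix applies to every address in it, so the masked
    # packet address must fall between the masked range endpoints.
    return (int(lo) & mask) <= (int(pkt) & mask) <= (int(hi) & mask)

if __name__ == "__main__":
    print(matches("10.1.1.1-10.1.1.3", "10.1.1.2"))   # True
    print(matches("10.1.0.0/16", "10.2.0.1"))          # False
```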
Upper-layer protocol. Value or name of the upper-layer protocol
that HP-UX IPSec uses in the address filter to select an IPsec policy for a packet. You cannot specify the argument and a
service_name in the address filter in the same policy.
Acceptable values: integer value in the range 0 (any protocol) - 255, or one of the following protocol names: (any protocol).
and are valid only with IPv4 addresses. is valid only with IPv6 addresses.
protocol_id must be or if port_number is specified and is not zero. The protocol_id must be or if the corresponding host policy
the host policy that references this tunnel policy (uses a transform (the corresponding host policy action is not
Default: If you do not specify protocol_id, uses the value of the parameter in the section of the profile file used. The default
value for is in
A transform specifies the IPsec authentication and encryption
applied to packets using AH (Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform_list specifies
the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the transform_list when negotiating
the transform for IPsec Security Associations (SAs) with a remote system.
The transforms in a tunnel policy transform_list are tunnel transforms, applied to packets encapsulated between the tunnel endpoints.
If you are using manual keys, the transform list can contain only one transform.
If you are using dynamic keys, the transform_list can contain:
o up to 6 ESP transforms
o up to 2 AH transforms
Use a comma to separate multiple transform specifications.
The order of transforms in the transform list is significant. The first transform is the most preferable and the last transform
is the least preferable. At least one transform must match a transform configured on the remote system.
Default: The transform defined for the action parameter in the section of the profile file used. The default action is in
The format for each transform is:
where the following values are defined:
transform_name
One of the following AH (Authentication Header) or ESP (Encapsulation Security Payload) transform specifications.
(AH, with 128-bit key Hashed Message Authentication Code
using RSA Message Digest-5, HMAC-MD5.)
(AH, with 160-bit key HMAC
using Secure Hash Algorithm-1, HMAC-SHA1.)
(ESP with triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC, authenticated with HMAC-MD5.)
(ESP with triple-DES CBC, three encryption iterations, each with a
different 56-bit key, 3DES-CBC, authenticated with HMAC-SHA1.)
(ESP with 128-bit Advanced Encryption Standard CBC,
authenticated with HMAC-MD5.)
(ESP with 128-bit Advanced Encryption Standard CBC,
authenticated with HMAC-SHA1.)
(ESP, with null encryption and authenticated with HMAC-MD5.)
(ESP, with null encryption and authenticated with HMAC-SHA1.)
is the most secure form of encryption, with performance comparable to or better than
lifetime_seconds
The maximum lifetime for the IPsec SA, in seconds. A transform lifetime can be specified by time (seconds), and by
kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded. HP
recommends that you do not specify an infinite lifetime_seconds(0) with a finite value for lifetime_kbytes.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite) - 4294967295 seconds (approximately 497102 days).
Default: 28,800 (8 hours).
lifetime_kbytes
The maximum lifetime for the IPsec SA, measured by kilobytes transmitted or received. A transform lifetime can be
specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be
exceeded if either value is exceeded.
This parameter is not valid for manual keys.
Acceptable values: 0 (infinite), or 5120 - 2147483647 kilobytes.
Default: 0 (infinite).
Note: HP recommends that you do not specify an infinite value for lifetime_seconds(0) with a finite value for
lifetime_kbytes.
Specify the
manual_key_SA_specification and manual_key_SA_specification arguments to use static, manual keys for the IPsec SAs.
The format of the manual_key_SA_specification is:
where the values are defined as follows:
type Type of IPsec transform.
Acceptable values: (Authentication Header) or (Encapsulating Security Payload).
spi Security Parameters Index (SPI) number, used to identify the SA. You can specify the SPI in hexadecimal or decimal.
For an inbound SA, the SPI must be unique on the local system within the SPIs assigned for each SA type (AH or ESP),
must be outside the range for dynamic key SPI numbers, and must match the SPI configured on the remote system for the
outbound SA.
For an outbound SA, the SPI must match what is configured on the remote system for the inbound SA, and must be unique
on the remote system.
Range: Manual key SPI numbers must be outside the range for dynamic key SPI numbers. In installations using the
default range for dynamic key SPI numbers (300 - 2500000), the ranges for inbound manual key SPI numbers are 1 - 299
and 2500001 - 4294967295.
Refer to the spi_min and spi_max parameters for the command for more information on the range for dynamic key SPI
numbers.
auth_key
The hexadecimal authentication key (prefixed by 0x). The auth_key value must match what is configured on the remote
system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type Default
-----------------------------------------
MD5 32 hexadecimal digits (128 bits)
SHA-1 40 hexadecimal digits (160 bits)
enc_key
The hexadecimal encryption key (prefixed by 0x). This is required only for ESP. The enc_key value must match what is
configured on the remote system.
Acceptable values: Hexadecimal digits, prefixed by 0x.
Type Default
------------------------------------------
3DES 48 hexadecimal digits (192 bits)
AES128 32 hexadecimal digits (128 bits)
For 3DES, HP-UX IPSec replaces the eighth bit of each byte with an odd parity bit. The 3DES algorithm uses only the
first seven bits of each byte for encryption.
iv Initialization Vector (IV) definition. Required only for SAs using or Hexadecimal (prefixed by 0x), 64-bit initial
block used for cipher block chaining encryption. This must match what is configured on the remote system.
Range: 64 bits (16 hexadecimal digits), 0x0000000000000000 - 0xFFFFFFFFFFFFFFFF.
Default: 0x0000000000000000.
The utility verifies the tunnel IPsec policy, but does not add it to the configuration database. This argument is not valid if you
are specifying an operation in a batch file.
Specifies the name of the profile file containing default argument
values for this policy. The argument values are evaluated once, when the policy is added to the configuration database. Values
used from the profile file become part of the configuration record for the policy. This argument is not valid if you are
specifying an operation in a batch file.
Maximum length: 1023 characters.
Default:
Examples
The local system is using a host-to-host tunnel with system Configure the tunnel to use ESP, with AES128 encryption and HMAC SHA-1
authentication.
AUTHOR
was developed by HP.
FILES
configuration database.
default profile file.
directory for certificates and certificate revocation lists.
directory for CRL LDAP retrieval data.
certificate signing request file.
cron script for retrieving CRLs.
SEE ALSO
ipsec_admin(1M), ipsec_config(1M), ipsec_config_batch(1M), ipsec_config_delete(1M), ipsec_config_export(1M), ipsec_config_show(1M),
ipsec_migrate(1M), ipsec_policy(1M), ipsec_report(1M).
HP-UX IPSec Software Required ipsec_config_add(1M)