Installing and Administering IPSec/9000 > Chapter 1 Installing and Configuring IPSec/9000

Step 6: Configuring an IPSec/9000 Policy: Overview and Preliminary Steps

There are five main configuration areas: IPSec Policies, Transforms, ISAKMP Policies, (Security) Certificates, and Preshared Keys.

Although you can configure these components in any order, HP recommends that you start by configuring the IPSec policy. You can configure the ISAKMP policy from a subscreen of the IPSec policy screen. Once you have configured the IPSec policy and the ISAKMP policy, configure preshared keys and/or get a local certificate. You determine whether you use preshared keys or certificate authentication by choosing one of these as the primary authentication method in the ISAKMP policy.

The following are overviews of each of the components of a complete IPSec configuration:

IPSec Policies

An IPSec Policy specifies the actions or transformations performed on IP packets traveling between IPSec systems. The main components of an IPSec policy are the IP packet filter (IP address, protocol, and port information), the transform (action) list, and the ISAKMP policy name. When an IP packet is initially sent or received, IPSec/9000 uses the IP packet filters to select an IPSec Policy. It then takes an action according to the contents of the transform list. If the action is to authenticate or encrypt the packet, the ISAKMP policy is used to establish an ISAKMP Security Association (SA), so that in turn IPSec SAs can be established for authentication or encryption.

ISAKMP Policies

An ISAKMP Policy defines the parameters used when negotiating an ISAKMP SA. These include the authentication and encryption algorithms and the primary authentication method, which is either preshared keys or a certificate-based method such as RSA signatures.

Preshared Keys

A preshared key is one of the available methods ISAKMP can be configured to use for primary authentication.

Certificates

A certificate is one of the available methods ISAKMP can be configured to use for primary authentication.

As part of the configuration process, a certificate from the Certificate Authority (CA) is requested. The local system receives the certificate and loads the information for use by IPSec/9000.

Transforms

The Transforms area of the GUI lets you change the system-wide default lifetimes for the transforms. You can also change the lifetimes of the transforms for individual IPSec policies from the IPSec Policies screen.

NOTE: IPSec/9000 cannot be configured to selectively encrypt or authenticate services with dynamically assigned port numbers, such as the Network File Service (NFS) mountd, lockd and statd services.

IPSec/9000 also cannot be used to authenticate or encrypt IP packets with broadcast, subnet broadcast, multicast, or anycast IP addresses.
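The following is an added illustration of the selection logic described above (filter, then transform list, then ISAKMP policy name) and of the two limits in the note; it is not IPSec/9000 code, and the filter fields, the transform names such as ESP_3DES_HMAC_SHA1, the "no-policy" default, and the sample addresses are assumptions constructed for the example. It goes slightly beyond the text by showing a pre-negotiation validation pass that catches a protecting transform aimed at a multicast or broadcast destination.

```python
"""Toy model of IPSec policy selection (added example; not HP's implementation)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Assumed minimal view of a packet: the fields a filter inspects."""
    src: IPv4Address
    dst: IPv4Address
    protocol: str                   # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


def packet(src: str, dst: str, protocol: str, dst_port: Optional[int] = None) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(IPv4Address(src), IPv4Address(dst), protocol, dst_port)


@dataclass
class PacketFilter:
    """IP address / protocol / port selector; "any" or None matches everything."""
    src: str = "any"                # IPv4 network in CIDR notation, or "any"
    dst: str = "any"
    protocol: str = "any"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and pkt.src not in IPv4Network(self.src):
            return False
        if self.dst != "any" and pkt.dst not in IPv4Network(self.dst):
            return False
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


@dataclass
class IPSecPolicy:
    """Filter + transform (action) list + ISAKMP policy name, as in the overview."""
    name: str
    filter: PacketFilter
    transforms: List[str] = field(default_factory=list)  # assumed names: "pass", "discard", "ESP_...", "AH_..."
    isakmp_policy: Optional[str] = None


PROTECTING_PREFIXES = ("ESP", "AH")   # assumption: these transforms authenticate or encrypt


def protects(policy: IPSecPolicy) -> bool:
    return any(t.startswith(PROTECTING_PREFIXES) for t in policy.transforms)


def unprotectable(dst: IPv4Address) -> bool:
    """Multicast or limited-broadcast destination, which the note says cannot be protected.
    Subnet broadcast and anycast need interface knowledge and are not detectable here."""
    return dst.is_multicast or dst == IPv4Address("255.255.255.255")


def select_policy(policies: List[IPSecPolicy], pkt: Packet) -> Optional[IPSecPolicy]:
    """First matching filter wins, so order the list from specific to general."""
    for policy in policies:
        if policy.filter.matches(pkt):
            return policy
    return None


def decide(policies: List[IPSecPolicy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, isakmp_policy): the first transform of the selected policy and,
    when that transform protects traffic, the ISAKMP policy used to set up the SAs."""
    policy = select_policy(policies, pkt)
    if policy is None:
        return ("no-policy", None)      # assumed default; the manual does not state one here
    action = policy.transforms[0]
    if not action.startswith(PROTECTING_PREFIXES):
        return (action, None)
    if unprotectable(pkt.dst):
        raise ValueError(f"{policy.name}: cannot protect traffic to {pkt.dst}")
    return (action, policy.isakmp_policy)


def validate(policies: List[IPSecPolicy]) -> List[str]:
    """Configuration problems that can be caught before any ISAKMP negotiation."""
    problems = []
    for p in policies:
        if not p.transforms:
            problems.append(f"{p.name}: empty transform list")
            continue
        if protects(p) and not p.isakmp_policy:
            problems.append(f"{p.name}: protecting transform but no ISAKMP policy name")
        if protects(p) and p.filter.dst != "any":
            net = IPv4Network(p.filter.dst)
            if net.is_multicast or net.network_address == IPv4Address("255.255.255.255"):
                problems.append(f"{p.name}: protecting transform on a multicast/broadcast destination")
    return problems


# Constructed sample configuration (addresses and names are made up).
SAMPLE_POLICIES = [
    IPSecPolicy("nfs-clear", PacketFilter(dst="10.1.0.0/16", protocol="udp", dst_port=2049), ["pass"]),
    IPSecPolicy("to-dbserver", PacketFilter(dst="10.1.2.3/32", protocol="tcp"),
                ["ESP_3DES_HMAC_SHA1"], "dbserver-isakmp"),
    IPSecPolicy("protect-rest", PacketFilter(), ["AH_HMAC_MD5"], "default-isakmp"),
]

if __name__ == "__main__":
    print(decide(SAMPLE_POLICIES, packet("10.1.9.9", "10.1.2.3", "tcp", 1521)))
    print(validate(SAMPLE_POLICIES))
```

Because selection is first-match, the catch-all policy must come last; a packet to a multicast group that falls through to a protecting catch-all is the case the note warns about, and the model refuses it rather than silently sending it in the clear.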

  1. At the HP-UX prompt, enter: ipsec_mgr. This utility cannot be run as a background process because it prompts for the IPSec/9000 password.

    If no password has been set, you must create one using the ipsec_admin command. Refer to "Step 4: Setting the IPSec/9000 Password" for instructions.

    NOTE: The ipsec_mgr configuration GUI requires a graphical display device. If you are using a remote graphical display device, be sure that you:
    • Execute the ipsec_mgr program from the system console.

    • Set the DISPLAY environment variable to your display device. For example, if you are using the Korn shell, the command is:

             export DISPLAY=display_device:0.0

  2. Select the IPSec Policies tab to display existing IPSec/9000 Policies.

    NOTE: The configuration files for IPSec Manager are stored in /var/adm/ipsec. They include: policies.txt (default and not encrypted), pskeys.text (encrypted), certstatus.txt (not encrypted), cainfo.txt (not encrypted), certs.txt (not encrypted), and various control files (encrypted). Alternate (multiple) policy files may exist for the policies.txt file only. You can bring in a pre-created IPSec Policy file by selecting Open from the File menu.

  3. Go on to "Step 6A, Configuring an IPSec/9000 Policy: Filter."
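As an added pre-flight check for the three steps above (not an HP tool), the following script verifies that DISPLAY is set before ipsec_mgr is launched and that /var/adm/ipsec holds the default policies.txt. Because the note in step 2 says policies.txt, certstatus.txt, cainfo.txt and certs.txt are stored unencrypted, it also reports any of those files readable by group or others; that owner-only expectation is an assumption made here, not a rule stated in the manual. The sample directory it builds is constructed placeholder data.

```python
"""Pre-flight check before launching ipsec_mgr (added example, not HP's code)."""
import os
import stat
import tempfile

CONFIG_DIR = "/var/adm/ipsec"                       # location given in step 2
UNENCRYPTED = ("policies.txt", "certstatus.txt", "cainfo.txt", "certs.txt")


def preflight(config_dir=CONFIG_DIR, env=None):
    """Return a list of findings; an empty list means it is safe to start ipsec_mgr."""
    env = os.environ if env is None else env
    findings = []
    if not env.get("DISPLAY"):
        findings.append("DISPLAY is not set; ipsec_mgr needs a graphical display")
    if not os.path.isdir(config_dir):
        return findings + [f"{config_dir} does not exist"]
    if not os.path.isfile(os.path.join(config_dir, "policies.txt")):
        findings.append("policies.txt missing; no default policy file to load")
    for name in UNENCRYPTED:
        path = os.path.join(config_dir, name)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:   # assumption: unencrypted config should be owner-only
            findings.append(f"{name} is mode {mode:04o}; it is stored unencrypted, restrict to owner")
    return findings


def make_sample_dir():
    """Build a constructed config directory for demonstration; contents are placeholders."""
    d = tempfile.mkdtemp()
    for name, mode in (("policies.txt", 0o644), ("certs.txt", 0o600), ("pskeys.text", 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    # Run against the real directory on an HP-UX host by calling preflight() with no arguments.
    for finding in preflight(make_sample_dir(), {"DISPLAY": "display_device:0.0"}):
        print("WARNING:", finding)
```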

© 2001 Hewlett-Packard Development Company, L.P.