HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Appendix B HP-UX IPSec Configuration Examples

Example 1: telnet Between Two Systems


Scenario

You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2). You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. All other network traffic will pass in clear text. You do not have a Public Key Infrastructure, so you can use only preshared keys for ISAKMP primary authentication.

You will use the default values for most parameters, such as the Security Association Lifetimes.

Apple System Configuration

IPSec Policies

On Apple, you must configure two IPSec policies. The first IPSec policy (telnetAB) is for outbound telnet requests from Apple to Banana (users on Apple using the telnet service to Banana). Note that since the telnet clients on Apple may use any non-reserved TCP port number, ipsec_mgr will set the local port number to an asterisk (“*”) to indicate any port number. The remote port number will be 23, the well-known port for the telnet service.

Figure B-1 Example 1: telnet AB


The second IPSec policy (telnetBA) is for inbound telnet requests from Banana to Apple (users on Banana using the telnet service to Apple). Note that since the telnet clients on Banana may use any non-reserved TCP port number, ipsec_mgr will set the remote port number to an asterisk (“*”) to indicate any port number. The local port number will be 23, the well-known port for the telnet service.

Figure B-2 Example 1: telnet BA


Both IPSec policies telnetAB and telnetBA use the ISAKMP default policy.

In addition, you must modify the default IPSec policy to pass all other traffic in clear text.

telnetAB IPSec Policy on Apple System

telnetBA Policy on Apple System

default IPSec Policy on Apple System

default ISAKMP Policy on Apple System

Since you are using HP-UX IPSec between Apple and one other system (Banana), you can just modify the default ISAKMP policy for all requirements. The IKE authentication method must be set to preshared key since you do not have a Public Key Infrastructure.

Preshared Key on Apple System

You must configure the preshared key to use when authenticating system Banana’s identity and to authenticate your identity to Banana. Note that the remote address for the preshared key is 15.2.2.2 (Banana’s IP address).

Banana System Configuration

The configuration on Banana is the mirror-image of the configuration on Apple. Note that the remote address for the preshared key is 15.1.1.1 (Apple’s IP address) and the preshared key matches the key configured on Apple for Banana.

telnetAB IPSec Policy on Banana System

telnetBA IPSec Policy on Banana System

default IPSec Policy on Banana System

The default IPSec policy is the same as the Apple default IPSec policy.

default ISAKMP Policy on Banana System

The ISAKMP configuration matches the Apple ISAKMP configuration.

Preshared Key on Banana System

The preshared key matches the preshared key on Apple, except that the remote address for the preshared key is 15.1.1.1 (Apple’s IP address).
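The following is an added example, not part of the HP guide and not HP-UX IPSec or ipsec_mgr syntax: a small Python model of the selectors described above, showing which policy a TCP packet matches on each system and that the mirror-image configuration makes both ends choose the same action. The first-match lookup, the omission of the protocol field (only TCP packets are modelled), and all function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of the policy selectors on this page.
# It is not HP-UX IPSec code; first-match lookup and all names are assumptions.
from typing import NamedTuple

ANY = "*"  # wildcard, as ipsec_mgr shows for "any port number"
APPLE, BANANA, TELNET = "15.1.1.1", "15.2.2.2", 23
ESP = "ESP AES + SHA-1"

class Policy(NamedTuple):
    name: str
    local_addr: str
    local_port: object
    remote_addr: str
    remote_port: object
    action: str

apple = [
    Policy("telnetAB", APPLE, ANY, BANANA, TELNET, ESP),  # Apple client -> Banana:23
    Policy("telnetBA", APPLE, TELNET, BANANA, ANY, ESP),  # Banana client -> Apple:23
    Policy("default", ANY, ANY, ANY, ANY, "pass"),        # everything else in clear
]

def mirror(policies):
    """Swap local and remote selectors to get the peer's view of each policy."""
    return [Policy(p.name, p.remote_addr, p.remote_port,
                   p.local_addr, p.local_port, p.action) for p in policies]

banana = mirror(apple)  # "mirror-image of the configuration on Apple"

def _m(selector, value):
    return selector == ANY or selector == value

def lookup(policies, local, lport, remote, rport):
    """Return the first policy whose selectors match a TCP packet."""
    for p in policies:
        if (_m(p.local_addr, local) and _m(p.local_port, lport)
                and _m(p.remote_addr, remote) and _m(p.remote_port, rport)):
            return p
    return None

def agree(local, lport, remote, rport):
    """Check that Apple and Banana pick the same action for one connection."""
    a = lookup(apple, local, lport, remote, rport)
    b = lookup(banana, remote, rport, local, lport)
    return a.action == b.action, a.name, b.name
```

If one side's port selectors are entered the wrong way round, `agree` returns `False` for telnet traffic, which is the mismatch to look for when one end expects ESP and the other sends clear text.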

© 2003 Hewlett-Packard Development Company, L.P.