HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Appendix B HP-UX IPSec Configuration Examples

Example 2: Authenticated ESP with Exceptions

You have a system, Carrot, on a LAN with the network address 192.1.1.*. You want to limit access to this LAN from outside nodes.

There is one system outside the LAN with IPSec, Potato, that you will allow to communicate with the nodes in your network using ESP with AES encryption and HMAC-SHA1 authentication. All other packets from external nodes will be discarded.

All nodes within the LAN have HP-UX IPSec installed, except for internal routers. You want encrypted and authenticated ESP (AES with HMAC-SHA1) for all IP packets between the nodes on this LAN, except ICMP packets to and from the routers, which you will allow to pass in clear text because the routers cannot negotiate IPSec Security Associations.

Except for the above specifications, you will use the default values for most parameters (such as Security Association Lifetimes).

Figure B-3 Example 2: Network IPSec Policy with Exceptions

Carrot IPSec Policies

You configure four IPSec policies on Carrot.

  1. potato: accepts all packets to and from system Potato using ESP-AES-HMAC-SHA1.

  2. pass_icmp: allows all ICMP packets within the 192.1.1.* network to pass in clear text. Notice how the 192.1.1.* network is specified in the filter: the remote IP address is 192.1.1.0 and the prefix length is 24. The prefix length specifies the number of bits in the packet address that must match the configured remote IP address, beginning with the most significant bit, so a prefix length of 24 matches any address whose first three octets are 192.1.1.

  3. aes_lan: applies ESP-AES-HMAC-SHA1 authenticated ESP to all packets in the 192.1.1.* network.

  4. default: discards all other packets.

Policy Order

Note the order of the pass_icmp and aes_lan policies. The pass_icmp policy MUST have a lower order number (higher priority) than the aes_lan policy. Internal ICMP packets match both the pass_icmp and aes_lan filters, and IPSec applies the matching policy with the lowest order number. Giving pass_icmp the lower order number causes IPSec to select it for the ICMP packets instead of aes_lan. If the order were reversed, ICMP packets to and from the routers would fall under aes_lan and require ESP, and since the routers do not run IPSec, no Security Association could be established with them.
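The following is an added illustration, not HP-UX IPSec code and not configured through ipsec_mgr: a small Python model of the four-policy list above and of the first-match selection rule this section describes. The LAN prefix 192.1.1.0/24, the policy names and the actions come from the page; Potato's address (10.5.5.5), a router address (192.1.1.1) and the other sample addresses are assumptions chosen for the walk-through. It also shows what happens when pass_icmp and aes_lan are mis-ordered.

```python
"""Toy model of Carrot's ordered IPSec policies (constructed example).

Not HP-UX IPSec code.  Addresses other than the 192.1.1.0/24 LAN prefix
are assumptions: POTATO and ROUTER below do not appear on the page.
"""
from dataclasses import dataclass
from typing import Optional

POTATO = "10.5.5.5"   # assumed address of the external IPSec system Potato
ROUTER = "192.1.1.1"  # assumed address of an internal router (no IPSec)
ANY = None            # wildcard protocol in a filter


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    a, b, c, d = (int(octet) for octet in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_match(packet_ip: str, configured_ip: str, prefix_len: int) -> bool:
    """True when the most-significant prefix_len bits of packet_ip equal
    those of configured_ip.  A prefix length of 0 matches every address,
    32 requires an exact match."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (ip_to_int(packet_ip) & mask) == (ip_to_int(configured_ip) & mask)


@dataclass(frozen=True)
class Policy:
    order: int               # lower order number = higher priority
    name: str
    remote_ip: str           # remote address in the filter
    prefix_len: int          # leading bits of remote_ip that must match
    protocol: Optional[str]  # e.g. "ICMP"; ANY matches every protocol
    action: str              # "ESP-AES-HMAC-SHA1", "PASS" or "DISCARD"

    def matches(self, remote_ip: str, protocol: str) -> bool:
        return prefix_match(remote_ip, self.remote_ip, self.prefix_len) and (
            self.protocol is ANY or self.protocol == protocol)


# The four policies from this example, in the order the text requires.
CARROT_POLICIES = [
    Policy(1, "potato",    POTATO,      32, ANY,    "ESP-AES-HMAC-SHA1"),
    Policy(2, "pass_icmp", "192.1.1.0", 24, "ICMP", "PASS"),
    Policy(3, "aes_lan",   "192.1.1.0", 24, ANY,    "ESP-AES-HMAC-SHA1"),
    Policy(4, "default",   "0.0.0.0",   0,  ANY,    "DISCARD"),
]


def select_policy(policies, remote_ip: str, protocol: str) -> Policy:
    """First match wins: the matching policy with the lowest order number."""
    for policy in sorted(policies, key=lambda p: p.order):
        if policy.matches(remote_ip, protocol):
            return policy
    raise LookupError(f"no policy matches {protocol} to/from {remote_ip}")


def swap_order(policies, name_a: str, name_b: str):
    """Copy of the policy list with the order numbers of two policies exchanged."""
    by_name = {p.name: p for p in policies}
    a, b = by_name[name_a], by_name[name_b]
    return [Policy(b.order if p is a else a.order if p is b else p.order,
                   p.name, p.remote_ip, p.prefix_len, p.protocol, p.action)
            for p in policies]


def walk_through():
    """Sample packets Carrot sees (constructed) and the policy each selects."""
    samples = [
        (ROUTER,        "ICMP"),  # ping to/from an internal router
        ("192.1.1.20",  "TCP"),   # another LAN host running IPSec
        (POTATO,        "TCP"),   # the one permitted external host
        ("203.0.113.7", "TCP"),   # any other external host
    ]
    return {(ip, proto): select_policy(CARROT_POLICIES, ip, proto).name
            for ip, proto in samples}


if __name__ == "__main__":
    for (ip, proto), name in walk_through().items():
        print(f"{proto:4} {ip:14} -> {name}")
    misordered = swap_order(CARROT_POLICIES, "pass_icmp", "aes_lan")
    print("with pass_icmp after aes_lan, router ICMP gets:",
          select_policy(misordered, ROUTER, "ICMP").action)
```

Running the block shows router ICMP selecting pass_icmp, other LAN traffic selecting aes_lan, Potato selecting potato and everything else falling to default; with the two order numbers swapped, the same router ICMP packet selects aes_lan and would require ESP.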

pass_icmp IPSec Policy

aes_lan IPSec Policy

potato IPSec Policy

default IPSec Policy

You modify the default IPSec policy to discard all packets. The default policy is the lowest-priority, catch-all policy, so it is only selected for packets that none of the other three policies match: traffic to and from external nodes other than Potato.

ISAKMP Policy

Since there are several remote nodes that you will need to authenticate for IKE, you may want to use certificate-based authentication (RSA signatures) instead of preshared keys for IKE. This requires you to install a Public Key Infrastructure (PKI) product from a third-party vendor, but eliminates the need to configure a preshared key for each remote IPSec node in the network. It may be difficult to use a PKI with the external system, Potato, so you could configure IPSec to use preshared keys for Potato and RSA signatures for all other IPSec nodes. To do this, you would configure two ISAKMP policies: one using preshared keys (isakmp_preshared_keys, for example) and one using RSA signatures (isakmp_rsa, for example). You would specify the name of the ISAKMP preshared keys policy (isakmp_preshared_keys) in the potato IPSec policy, and the name of the ISAKMP RSA signatures policy (isakmp_rsa) in the aes_lan policy.

Preshared Keys

If you are not using RSA signatures for IKE authentication, you must configure a preshared key for each remote IPSec system. Each remote system must configure a preshared key for the system Carrot, and the key that remote system configures for Carrot must be identical to the key Carrot configures for it, or IKE authentication will fail.

© 2003 Hewlett-Packard Development Company, L.P.