HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 3 Configuring HP-UX IPSec

Step 2A: Configuring the IPSec Policy Filter

  1. Click Create on the ipsec_mgr screen to create a new IPSec policy.

    The Create IPSec Policy screen appears.

    For detailed information about the fields on this screen, see Appendix D “Configuration Reference” or click Help at the bottom of the screen.

  2. In the Name field, enter a name that uniquely identifies this IPSec policy. The name is not case-sensitive.

  3. Click the Exclusive checkbox if you want to specify session-based keying. Leave the Exclusive checkbox unchecked if you want to specify host-based keying.

    You can select session-based keying (check the Exclusive checkbox) only if the transform list does not contain Discard or Pass as the transform policy.

    You must use session-based keying if the transform for the policy is not Pass or Discard, and the remote prefix length indicates a subnet (value of less than 32 for IPv4 or value of less than 128 for IPv6) or if the remote IP address is a wildcard (*). In this case, the Exclusive checkbox is selected and unmodifiable (grayed out).

  4. Select the Policy Type (hashed or ordered) for this HP-UX IPSec policy. For more information, refer to “Policy Type”.

  5. Enter the IP Address and Prefix Length of your local system. You can use an IPv4 address or an IPv6 address. The local IP address must be in the same format (IPv4 or IPv6) as the remote IP address.

    The local IP address cannot be a broadcast, subnet broadcast, multicast, or anycast address.

    NOTE: Unspecified IPv6 addresses are not supported by IPSec. However, the :: notation can be used within a specified IPv6 address to denote a number of zeros (0) within the address. For example, fe80::2222:3333:4444:5555 is understood by IPSec to be the same as fe80:0:0:0:2222:3333:4444:5555.

    The Prefix Length field is disabled if the IP address is a wildcard *. Otherwise, it becomes enabled and is preset to the default of 32 bits if the local address is in IPv4 format or 128 bits if the local address is in IPv6 format.

    The Prefix Length indicates the number of bits that must match when comparing an IP address of a packet to the IP address in the policy.

    For IPv4 addresses, a Prefix Length of 32 bits indicates that all the bits in both addresses must match. This Prefix Length value is equivalent to an address mask of 255.255.255.255.

    For IPv6 addresses, a Prefix Length of 128 bits indicates that all the bits in both addresses must match.

  6. Enter the IP Address and Prefix Length of your remote system. You can use an IPv4 address or an IPv6 address. The remote IP address must be in the same format (IPv4 or IPv6) as the local IP address.

    The remote IP address cannot be a broadcast, subnet broadcast, multicast, or anycast address.

    Unspecified IPv6 addresses are not supported by IPSec. However, the :: notation can be used within a specified IPv6 address to denote a number of zeros (0) within the address.

    The Prefix Length field is disabled if the IP address is a wildcard *. Otherwise, it becomes enabled and is preset to the default of 32 if the remote address is in IPv4 format or 128 if the remote address is in IPv6 format.

    NOTE: The remote IP address cannot be an IP address assigned to the local host.

  7. Check the Configure Policy Based on Service checkbox to configure the service and ports automatically. Choose the service you want to configure from the Service list. Specify whether the direction is inbound or outbound in the Direction list.

    If you do not select Configure Policy Based on Service, you must select a protocol and enter the local and remote port numbers. In addition, the Apply to IP Datagrams subarea becomes configurable. By default, the Local to Remote box is checked (the policy applies to packets that originate from the local system) and the Remote to Local box is checked (the policy also applies to packets that originate from the remote system).

    NOTE: If you are using IPv6 addresses, you cannot choose the IGMP protocol. Additionally, you cannot choose the ICMP protocol except in specific, limited circumstances. See Appendix D “Configuration Reference” or the online help for more information.

  8. Go on to “Step 2B: Configuring the IPSec Policy Transform List”.
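The following added example (not HP's code and not part of ipsec_mgr) models the filter rules described in steps 3, 5 and 6 above: prefix-length matching of a packet address against the policy address (including the * wildcard and :: shorthand), the conditions under which the Exclusive checkbox is required or disallowed, and the address types the screen rejects. The transform name passed to exclusive_state is a placeholder; only whether it is Pass or Discard matters here.

```python
import ipaddress

# Transform policies that carry no keys; session-based keying is never allowed for them.
NO_KEYING = {"Pass", "Discard"}


def max_prefix(addr):
    """Full-match prefix length for the address family: 32 (IPv4) or 128 (IPv6)."""
    return ipaddress.ip_address(addr).max_prefixlen


def address_matches(policy_addr, prefix_len, packet_addr):
    """True if packet_addr matches policy_addr under prefix_len.

    "*" is the wildcard (the Prefix Length field is disabled). Otherwise the
    first prefix_len bits must agree and both addresses must be the same
    family. ipaddress expands the :: shorthand, so fe80::2222:3333:4444:5555
    compares equal to fe80:0:0:0:2222:3333:4444:5555.
    """
    if policy_addr == "*":
        return True
    pkt = ipaddress.ip_address(packet_addr)
    net = ipaddress.ip_network(f"{policy_addr}/{prefix_len}", strict=False)
    return pkt.version == net.version and pkt in net


def exclusive_state(transform, remote_addr, remote_prefix):
    """Return (required, allowed) for the Exclusive (session-based keying) box.

    Pass/Discard policies cannot use session-based keying. For any other
    transform, a remote subnet (prefix shorter than 32/128) or a wildcard
    remote address forces session-based keying (box checked and greyed out).
    """
    if transform in NO_KEYING:
        return (False, False)
    subnet = remote_addr == "*" or remote_prefix < max_prefix(remote_addr)
    return (subnet, True)


def valid_endpoint(addr):
    """Reject address types the policy screen does not accept.

    Limited broadcast, multicast and unspecified (::) addresses are rejected.
    Subnet broadcast and anycast cannot be recognised from the address alone,
    so this hypothetical check does not cover them.
    """
    if addr == "*":
        return True
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast or ip.is_unspecified:
        return False
    return not (ip.version == 4 and ip == ipaddress.IPv4Address("255.255.255.255"))
```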

© 2003 Hewlett-Packard Development Company, L.P.