Continue to the IPSec Transform List in the Create IPSec Policy screen and click Edit to modify the list.

On the Transform List, choose the transport transform or transforms you want to use for this policy. HP-UX IPSec applies the transforms you configure to the packets that use this IPSec policy. Transforms perform actions such as encryption and authentication of packets. Authenticated ESP transforms are listed as ESP transforms with both an encryption algorithm and an authentication algorithm, such as ESP-AES-HMAC-MD5. At least one transform must match a transform configured on the remote system.

The transforms in this list are the transport transforms and are applicable to the end-to-end transport between the source and destination addresses. If you are using a tunnel, you also configure tunnel transforms that are applicable to the packets within the tunnel. You configure tunnel transforms in the Tunnel Transform List, described in “Step 4: Configuring a Tunnel”.

NOTE: If you are configuring an end-to-end tunnel, you must choose pass as the transform for the IPSec policy. See “Step 4: Configuring a Tunnel” for more information.

For more information about the function of a specific transform and how transforms are negotiated, see Appendix D “Configuration Reference” or the online help.

Click on a transform in the Transform box to select it.

Click Add to move the transform to the Transform List box.

If you want to create a nested AH and an ESP transform, hold down the CTRL key and click to select an AH transform and an ESP transform in the Transform box. Use this procedure to create a nested AH and ESP transform configuration.

Click Add to move the transforms to the Transform List box.

You can configure multiple AH transforms (up to 2), multiple ESP transforms (up to 8), or a single nested AH and ESP transform. Use the procedure in steps C and D to add multiple AH or ESP transforms to the Transform List box. The order in which you add transforms to the Transform List box is the order used for preference by the IPSec policy. The first selected transform will have the highest preference, the second selected transform will have the second highest preference, and so on.

AES is the most secure form of encryption. For added security, use AES in an authenticated ESP transform, such as ESP-AES-HMAC-SHA1.

If you add a transform to the Transform List box, you can choose Edit Lifetimes on the Edit Transform List window to modify the lifetimes of the transform. Otherwise, HP-UX IPSec will use the system’s default lifetimes (28,000 seconds). This value must fall within the following range: 300 second minimum to 28,800 second (8 hours) maximum. After modifying the lifetime(s), click OK to return to the Edit Transform List screen. Click OK again to return to the Create IPSec Policy screen.

System Default Transform Lifetimes. You can also configure the system-wide default lifetimes for the transforms. To do this, go to the Options menu. Select System, then Transform Lifetimes. Select lifetime values as described in step 3 above.

If the transform is Discard, or is Pass and you do not want to configure an IPSec tunnel, click OK to save the IPSec policy. Return to “Step 2A: Configuring the IPSec Policy Filter” to continue configuring IPSec policies, or go to “Step 7: Configuring Boot-up Options”, or click Exit to leave ipsec_mgr.

If the transform list contains an AH or ESP transform, go on to “Step 2C: Configuring the ISAKMP Policy Name”.

If the transform is Pass and you want to configure an IPSec tunnel, go on to “Step 4: Configuring a Tunnel”.
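
The limits and preference order described on this page can be checked against a planned Transform List before it is entered in ipsec_mgr. The following is an added example, not HP code: the `+` notation for a nested entry, the transform names other than the two this page names, and the first-match selection rule are assumptions.

```python
# Added example. The limits are the ones stated on this page; the "+" notation
# for a nested AH and ESP entry and the sample names are assumptions.
MAX_AH, MAX_ESP = 2, 8
LIFETIME_MIN, LIFETIME_MAX = 300, 28800  # seconds


def kind(entry):
    """Classify an entry as 'AH', 'ESP', 'NESTED' or 'OTHER' (Pass, Discard, unknown)."""
    parts = entry.upper().split("+")
    if len(parts) == 2 and sorted(p.split("-")[0] for p in parts) == ["AH", "ESP"]:
        return "NESTED"
    head = parts[0].split("-")[0]
    return head if len(parts) == 1 and head in ("AH", "ESP") else "OTHER"


def check_transform_list(entries, lifetime=None):
    """Return the problems found in a planned Transform List (empty list if none)."""
    problems = []
    kinds = [kind(e) for e in entries]
    if kinds.count("AH") > MAX_AH:
        problems.append("more than 2 AH transforms")
    if kinds.count("ESP") > MAX_ESP:
        problems.append("more than 8 ESP transforms")
    # Reading of the page assumed here: a nested entry cannot share the list.
    if "NESTED" in kinds and len(entries) > 1:
        problems.append("a nested AH and ESP transform must be the only entry")
    for e, k in zip(entries, kinds):
        # Authenticated ESP names carry an HMAC part, e.g. ESP-AES-HMAC-SHA1.
        if k == "ESP" and "-HMAC-" not in e.upper():
            problems.append(f"{e}: ESP without an authentication algorithm")
    if lifetime is not None and not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
        problems.append(f"lifetime {lifetime}s outside 300-28800s")
    return problems


def first_match(local, remote):
    """Assumed selection rule: the first local entry the remote system also lists."""
    offered = {r.upper() for r in remote}
    return next((e for e in local if e.upper() in offered), None)


if __name__ == "__main__":
    local = ["ESP-AES-HMAC-SHA1", "ESP-AES-HMAC-MD5", "ESP-AES"]  # constructed
    remote = ["ESP-AES-HMAC-MD5", "ESP-AES"]                      # constructed
    print(check_transform_list(local, lifetime=120))
    print(first_match(local, remote))
```

An empty result from `first_match` means no transform in the local list matches the remote system's list, the condition this page says must not occur.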