HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Chapter 3 Configuring HP-UX IPSec

Step 4: Configuring a Tunnel

If your IPSec traffic needs to go through a specific gateway, you must configure a tunnel. HP-UX IPSec supports both end-to-gateway and end-to-end tunnels.

End-to-Gateway Tunnel. In an end-to-gateway tunnel, the outer IP packet header contains the addresses of the local end host and the gateway. The inner IP packet header contains the addresses of the local end host and the remote end host. Using ipsec_mgr, you can configure a transport transform in the IPSec Transform List to be used between the local and remote end hosts, and a tunnel transform in the Tunnel Transform List to be used between the local end host and the gateway (tunnel endpoint).

End-to-End Tunnel. In an end-to-end tunnel, the tunnel endpoint is the same as the remote end host IP. Therefore, the outer IP addresses and the inner IP addresses are the same. You must configure Pass in the IPSec Transform List. You must also configure a transform that is not Pass or Discard in the Tunnel Transform List.

IPv4 and IPv6 Restrictions. HP-UX IPSec tunnel mode supports only IPv4-to-IPv4 tunnels through an IPv4 secure router and IPv6-to-IPv6 tunnels through an IPv6 secure router. Using an IPv6 router with IPv4 start and end points, or an IPv4 router with IPv6 start and end points, is not supported.

NOTE: The Tunnel checkbox is disabled if the Transform List is set to Discard.

    1. To configure a tunnel, click the Tunnel checkbox.

    2. Enter a Tunnel Endpoint. This is the IP address of the gateway for an end-to-gateway tunnel, or the IP address of the end host (the same as the remote IP address) for an end-to-end tunnel. This address can be in IPv4 or IPv6 format, but must be in the same format (IPv4 or IPv6) as the local and remote IP addresses. You can configure another HP-UX IPSec system as the Tunnel Endpoint only if you are configuring an end-to-end tunnel. (An IPSec tunnel can have HP-UX systems at both endpoints only if it is an end-to-end tunnel.)

    3. Select the tunnel transform that will be used between the local host and the tunnel node. This transform cannot be Pass or Discard.

       If you are configuring an end-to-gateway tunnel (the tunnel endpoint IP address is different from the remote IP address for the IPSec policy), you can configure a different transform for the tunnel than the transport transform you configured between the local and remote systems.

       If you are configuring an end-to-end tunnel (the tunnel endpoint IP address is the same as the remote IP address for the IPSec policy), you must choose Pass for the IPSec policy transform. The tunnel transform can be anything other than Pass or Discard.

    NOTE: The tunnel endpoint cannot be an IP address assigned to the local host.

    4. To configure a tunnel transform, click the Edit box in the HP-UX IPSec Tunnel Transform List area. The Tunnel Transform List area is disabled if the Tunnel checkbox is not selected.

       a. Select a transform in the Transform box.

       b. Click Add to move the transform to the Transform List box.

       c. If you want to select both an AH and an ESP transform, hold down the CTRL key and click to select both transforms in the Transform box. Click Add to move the transforms to the Transform List box. Only one AH and ESP combination is allowed.

       d. You can choose multiple AH transforms (up to 2) or multiple ESP transforms (up to 8). Repeat steps a and b to add each additional AH or ESP transform to the Transform List box.

          The order in which you add transforms to the Transform List is the order of preference used by the IPSec policy. The first selected transform has the highest preference, the second has the second highest preference, and so on.

    5. If you added an item to the Transform List, you can click Edit Lifetimes to modify the lifetimes of the transform. After modifying the lifetime(s), click OK to return to the Edit Transform List screen. Click OK again to return to the Create IPSec Policy screen.

    6. Configure a tunnel ISAKMP policy, following the steps described previously in “Step 3: Configuring the ISAKMP Policy”. This policy is used to establish an SA between the local system and the tunnel endpoint.

    7. Click OK to save the IPSec policy.

Go on to “Step 5: Configuring a Preshared Key” or Chapter 4 “Using Certificates with HP-UX IPSec”. If you do not need to configure a preshared key or a certificate, return to “Step 2A: Configuring the IPSec Policy Filter” to continue configuring IPSec policies, go to “Step 7: Configuring Boot-up Options”, or click Exit to leave ipsec_mgr. You do not have to go to the ISAKMP policy tab if you have already defined the ISAKMP policy in “Step 3: Configuring the ISAKMP Policy”.
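The tunnel rules stated above (end-to-gateway versus end-to-end, the single address family for local, remote and tunnel endpoint, the tunnel endpoint never being a local address, Pass in the IPSec Transform List for an end-to-end tunnel, the tunnel transform never being Pass or Discard, and the AH/ESP count limits) can be checked before they are typed into ipsec_mgr. The following pre-flight checker is an added example written for this page; it is not part of HP-UX IPSec or ipsec_mgr. The `TunnelPolicy` class, the function names and the transform names such as `ESP_AES_SHA1` are constructed for the example; the checker classifies transforms only by their AH/ESP prefix, not by the exact labels ipsec_mgr displays.

```python
"""Pre-flight checker for a planned HP-UX IPSec tunnel policy.

Illustrative code written for this page, not ipsec_mgr or HP-UX IPSec code.
It encodes the tunnel rules the guide states and also shows which addresses
end up in the outer and inner IP headers of a tunnelled packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

PASS, DISCARD = "Pass", "Discard"


def transform_kind(name: str) -> str:
    """Classify a transform-list entry as Pass, Discard, AH or ESP (by prefix)."""
    if name in (PASS, DISCARD):
        return name
    upper = name.upper()
    if upper.startswith("AH"):
        return "AH"
    if upper.startswith("ESP"):
        return "ESP"
    raise ValueError(f"unrecognised transform name: {name!r}")


@dataclass
class TunnelPolicy:                    # hypothetical container for the ipsec_mgr fields
    local_ip: str
    remote_ip: str
    tunnel_endpoint: str
    ipsec_transforms: List[str]        # IPSec Transform List (local <-> remote host)
    tunnel_transforms: List[str]       # Tunnel Transform List (local <-> tunnel endpoint)
    local_host_addresses: Tuple[str, ...] = ()   # every address assigned to the local host


def tunnel_type(policy: TunnelPolicy) -> str:
    """End-to-end when the tunnel endpoint is the remote end host itself."""
    if ipaddress.ip_address(policy.tunnel_endpoint) == ipaddress.ip_address(policy.remote_ip):
        return "end-to-end"
    return "end-to-gateway"


def packet_headers(policy: TunnelPolicy) -> dict:
    """Addresses carried in the outer (local<->endpoint) and inner (local<->remote) headers."""
    return {
        "outer": (policy.local_ip, policy.tunnel_endpoint),
        "inner": (policy.local_ip, policy.remote_ip),
    }


def check_tunnel_policy(policy: TunnelPolicy) -> List[str]:
    """Return the list of rule violations; an empty list means the policy is acceptable."""
    errors = []
    local = ipaddress.ip_address(policy.local_ip)
    remote = ipaddress.ip_address(policy.remote_ip)
    endpoint = ipaddress.ip_address(policy.tunnel_endpoint)

    # IPv4 only with IPv4, IPv6 only with IPv6.
    if not (local.version == remote.version == endpoint.version):
        errors.append("local, remote and tunnel endpoint must all be IPv4 or all be IPv6")

    # The tunnel endpoint may not be any address assigned to the local host.
    local_addrs = {ipaddress.ip_address(a) for a in policy.local_host_addresses} | {local}
    if endpoint in local_addrs:
        errors.append("tunnel endpoint cannot be an IP address assigned to the local host")

    # The Tunnel checkbox is disabled when the IPSec Transform List is Discard.
    if DISCARD in policy.ipsec_transforms:
        errors.append("Tunnel cannot be enabled when the IPSec Transform List is Discard")

    # Tunnel Transform List: no Pass/Discard, at most 2 AH or 8 ESP transforms.
    kinds = [transform_kind(t) for t in policy.tunnel_transforms]
    if not kinds:
        errors.append("Tunnel Transform List must contain at least one transform")
    if PASS in kinds or DISCARD in kinds:
        errors.append("tunnel transform cannot be Pass or Discard")
    if kinds.count("AH") > 2:
        errors.append("at most 2 AH transforms are allowed in the Tunnel Transform List")
    if kinds.count("ESP") > 8:
        errors.append("at most 8 ESP transforms are allowed in the Tunnel Transform List")

    # An end-to-end tunnel requires Pass as the IPSec policy transform.
    if tunnel_type(policy) == "end-to-end" and policy.ipsec_transforms != [PASS]:
        errors.append("an end-to-end tunnel requires Pass in the IPSec Transform List")

    return errors


# Constructed sample policies: documentation addresses and made-up transform names.
GATEWAY_POLICY = TunnelPolicy(
    local_ip="192.0.2.10", remote_ip="198.51.100.20", tunnel_endpoint="203.0.113.1",
    ipsec_transforms=["ESP_AES_SHA1"], tunnel_transforms=["ESP_AES_SHA1", "AH_SHA1"],
)
END_TO_END_POLICY = TunnelPolicy(
    local_ip="2001:db8::10", remote_ip="2001:db8::20", tunnel_endpoint="2001:db8::20",
    ipsec_transforms=[PASS], tunnel_transforms=["ESP_AES_SHA1"],
)
MIXED_FAMILY_POLICY = TunnelPolicy(
    local_ip="192.0.2.10", remote_ip="198.51.100.20", tunnel_endpoint="2001:db8::1",
    ipsec_transforms=["ESP_AES_SHA1"], tunnel_transforms=["ESP_AES_SHA1"],
)

if __name__ == "__main__":
    for name, pol in [("gateway", GATEWAY_POLICY), ("end-to-end", END_TO_END_POLICY),
                      ("mixed", MIXED_FAMILY_POLICY)]:
        print(name, tunnel_type(pol), packet_headers(pol), check_tunnel_policy(pol) or "OK")
```

For the end-to-end sample the outer and inner header addresses come out identical, which is exactly the property the guide uses to distinguish it from an end-to-gateway tunnel; the mixed-family sample is rejected because the tunnel endpoint is IPv6 while the end hosts are IPv4.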

© 2003 Hewlett-Packard Development Company, L.P.