HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Appendix C HP-UX IPSec Configuration Examples

Example 1: telnet Between Two Systems


You have two systems, Apple (15.1.1.1) and Banana (15.2.2.2), on a private, isolated LAN. You want to use authenticated ESP with AES encryption and SHA-1 authentication for all telnet traffic from Apple to Banana, and for all telnet traffic from Banana to Apple. By default, all other network traffic will pass in clear text. You do not have a Public Key Infrastructure, so you can use only preshared keys for ISAKMP primary authentication.

CAUTION: If you do not have a private network, do not configure HP-UX IPSec to pass packets in clear text by default. Do not configure HP-UX IPSec to pass packets in clear text by default on systems where you are using HP-UX IPSec as a filter or firewall to protect your network.

For more information, see “Maximizing Security”.

You will use the default values for most parameters, such as the Security Association Lifetimes.

Apple Configuration

Host IPSec Policies

On Apple, you configure two host IPSec policies. The first host IPSec policy (telnetAB) is for outbound telnet requests from Apple to Banana (users on Apple using the telnet service to Banana). Note that since the telnet clients on Apple may use any non-reserved TCP port number, you do not specify a port number in the source address.

Figure C-1 Example 1: telnet AB

The second host IPSec policy (telnetBA) is for inbound telnet requests from Banana to Apple (users on Banana using the telnet service to Apple). Since the telnet clients on Banana may use any non-reserved TCP port number, do not specify a port number in the destination address.

Figure C-2 Example 1: telnet BA

The default host IPSec policy allows all other traffic to pass in clear text. Apple and Banana are on an isolated LAN, so this “open” policy is not a security risk. The ipsec_config batch file entries are listed below:

add host telnetAB \
-source 15.1.1.1 \
-destination 15.2.2.2/32/TELNET \
-priority 20 -action ESP_AES128_HMAC_SHA1

add host telnetBA \
-source 15.1.1.1/32/TELNET \
-destination 15.2.2.2 \
-priority 30 -action ESP_AES128_HMAC_SHA1

IKE Policy

You configure an IKE policy, banana, to use when Apple negotiates ISAKMP/MM Security Associations (SAs) with Banana. The ipsec_config batch file entry is listed below:

add ike banana -remote 15.2.2.2 -authentication psk

Authentication Record with Preshared Key

You must configure the preshared key to use when Apple authenticates system Banana’s identity and to authenticate Apple’s identity to Banana. The ipsec_config batch file entry is listed below:

add auth banana -remote 15.2.2.2 -preshared apple_banana_key

Banana Configuration

The configuration on Banana is the mirror-image of the configuration on Apple. The administrator created the host IPSec policies by copying the host policies from Apple, changing the name and swapping the -source and -destination option names. The remote address for the IKE policy and authentication record is 15.1.1.1 (Apple’s IP address) and the preshared key matches the key configured on Apple for Banana. The ipsec_config batch file is listed below:

# Host Policies
add host telnetAB -destination 15.1.1.1 \
-source 15.2.2.2/32/TELNET \
-priority 20 -action ESP_AES128_HMAC_SHA1

add host telnetBA -destination 15.1.1.1/32/TELNET \
-source 15.2.2.2 \
-priority 30 -action ESP_AES128_HMAC_SHA1

# IKE Policy
add ike apple -remote 15.1.1.1 -authentication psk

# Auth record with preshared key
add auth apple -remote 15.1.1.1 -preshared apple_banana_key
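The following added example (not part of HP's documentation or of ipsec_config) models how the two host policies above select traffic and how Banana's entries are derived by swapping the -source and -destination option names. It assumes that lower -priority values are evaluated first, that a host policy covers both directions of a flow, and that unmatched traffic passes in clear text, as the default policy in this example does.

```python
"""Toy model of the host IPSec policy matching and the mirror-image configuration in
this example (added illustration, not HP's implementation). Assumptions: lower -priority
values are evaluated first, a policy covers both directions of a flow, unmatched traffic passes in clear."""
import re
from ipaddress import ip_address, ip_network

SERVICES = {"TELNET": 23}  # symbolic service names allowed in address specs
APPLE = r"""
add host telnetAB \
-source 15.1.1.1 \
-destination 15.2.2.2/32/TELNET \
-priority 20 -action ESP_AES128_HMAC_SHA1
add host telnetBA \
-source 15.1.1.1/32/TELNET \
-destination 15.2.2.2 \
-priority 30 -action ESP_AES128_HMAC_SHA1
"""  # Apple's host policies, copied from the batch file entries in this example

def parse_spec(spec):
    """'ip[/prefix[/port-or-service]]' -> (network, TCP port or None for any port)."""
    parts = spec.split("/")
    net = ip_network(parts[0] + "/" + (parts[1] if len(parts) > 1 else "32"))
    return net, None if len(parts) < 3 else SERVICES.get(parts[2]) or int(parts[2])
def parse_batch(text):
    """Extract the 'add host' entries from an ipsec_config batch file, ordered by priority."""
    policies = []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join continuation lines
        m = re.match(r"\s*add host (\S+)\s+(.*)", line)
        if not m:
            continue  # blank lines, comments, ike and auth records
        opts = dict(re.findall(r"-(\w+)\s+(\S+)", m.group(2)))
        policies.append({"name": m.group(1), "priority": int(opts["priority"]),
                         "source": parse_spec(opts["source"]), "action": opts["action"],
                         "destination": parse_spec(opts["destination"])})
    return sorted(policies, key=lambda p: p["priority"])
def _matches(spec, ip, port):
    return ip in spec[0] and spec[1] in (None, port)
def lookup(policies, src_ip, src_port, dst_ip, dst_port):
    """(policy name, action) for a TCP packet; unmatched packets pass in clear text."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:  # a policy matches the packet in either direction (assumption)
        fwd = _matches(p["source"], s, src_port) and _matches(p["destination"], d, dst_port)
        rev = _matches(p["source"], d, dst_port) and _matches(p["destination"], s, src_port)
        if fwd or rev:
            return p["name"], p["action"]
    return "default", "PASS"

def mirror(text):
    """Banana's entries: Apple's with the -source and -destination option names swapped."""
    return text.replace("-source", "-tmp").replace("-destination", "-source").replace("-tmp", "-destination")
```

Running lookup() over the same flows against parse_batch(APPLE) and parse_batch(mirror(APPLE)) shows that both hosts protect exactly the telnet flows and let everything else pass in clear text.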

© 2004 Hewlett-Packard Development Company, L.P.