HP-UX IPSec Configuration and Management Features

Easy-to-use configuration utilities

You configure HP-UX IPSec using ipsec_config, which allows batch mode operation. To configure security certificates, use ipsec_mgr, which has a graphical user interface (GUI) and online help.

Packet-based configuration

You control IPSec behavior by defining packet filters in IPSec policies. An IPSec policy contains a packet filter definition and list of actions or transforms (pass, discard, use ESP or AH) to apply to the packets. The packet filter definition contains the following fields:

You can also select a network service for the filter, such as telnet, instead of the upper-layer protocol and port numbers.

Bypass IPv4 address configuration

You can configure HP-UX IPSec to bypass, or ignore, local IPv4 interfaces that you do not need to secure. This feature is useful for internal networks where most traffic passes in clear text and only specific applications need to be secured.

Configuration test utility

The ipsec_policy utility takes a packet definition (local and remote IP addresses, upper-layer protocol, local and remote port numbers) as input and reports the IPSec policy that HP-UX IPSec would apply to packets matching the definition.

Audit logging

HP-UX IPSec maintains an audit log of events, including events that may indicate attempts to compromise network security.

Data reporting utility

The ipsec_report utility reports IPSec runtime data, including information about SAs and entries in the audit log.

Status reporting utility

The ipsec_admin utility reports the status of HP-UX IPSec components. The ipsec_admin utility also performs general administrative functions, such as starting and stopping HP-UX IPSec, setting the audit level, and deleting or resetting runtime data.