HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 3 Configuring HP-UX IPSec

Step 2: Configuring Tunnel IPSec Policies


Complete this step only if you are using IPSec tunnels. If you are not using IPSec tunnels, continue to “Step 3: Configuring IKE Policies”.

Tunnel IPSec policies specify HP-UX IPSec behavior for IP packets tunneled by the local system. In an IPSec tunnel, a tunnel endpoint system encapsulates the original packet in a new IPSec packet with an AH or ESP header. The other tunnel endpoint system processes the AH or ESP header, decapsulates the packet, and sends the packet to the destination address in the original packet header.

An HP-UX system can be the end host in a host-to-host tunnel topology, or the end host in a host-to-gateway tunnel topology.

If the system is an HP-UX Mobile IPv6 Home Agent, it can also act as a gateway, but only when forwarding packets between a Mobile IPv6 client and its Correspondent Node. See Chapter 7 “HP-UX IPSec and HP-UX Mobile IPv6” if you are configuring HP-UX IPSec for Mobile IPv6.

Tunnel IPSec policies are referenced in host or gateway IPSec policies. HP-UX IPSec first selects a host or gateway IPSec policy to use for a packet. If the IPSec policy specifies a tunnel policy, HP-UX IPSec uses the information in the tunnel IPSec policy to establish an IPSec tunnel with the tunnel destination.

If the local system is a tunnel endpoint, you must configure tunnel IPSec policies. HP recommends that you use an ipsec_config batch file to configure tunnel IPSec policies.

ipsec_config add tunnel Syntax

If you are not using manual keys, you can use the following ipsec_config add tunnel syntax in most installations:

ipsec_config add tunnel tunnel_policy_name
-tsource tunnel_address -tdestination tunnel_address
[-source ip_addr[/prefix[/port_number|service_name]]]
[-destination ip_addr[/prefix[/port_number|service_name]]]
[-protocol protocol_id] [-action transform_list]

HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an add tunnel operation for an ipsec_config batch file, use the above syntax without the ipsec_config command name:

add tunnel tunnel_policy_name -tsource tunnel_address
-tdestination tunnel_address
[-source ip_addr[/prefix[/port_number|service_name]]]
[-destination ip_addr[/prefix[/port_number|service_name]]]
[-protocol protocol_id] [-action transform_list]

The full ipsec_config add tunnel syntax specification also allows you to specify the following arguments:

  • nocommit (verify the syntax but do not commit the information to the database)

  • profile (alternate profile file)

  • in and out (inbound and outbound SA information for manual keys)

Refer to the ipsec_config(1M) manpage for full syntax information.

tunnel_policy_name

The tunnel_policy_name is the user-defined name for the tunnel IPSec policy. This name must be unique for each tunnel IPSec policy and is case-sensitive.

Acceptable Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).

-tsource and -tdestination tunnel_address

The tunnel_address is the IP address for the tunnel endpoint. The -tsource tunnel_address is the local tunnel endpoint; the -tdestination tunnel_address is the remote tunnel endpoint.

Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the tunnel source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address must be a unicast address.

Default: None.

-source and -destination ip_addr[/prefix[/port_number|service_name]]

HP-UX IPSec combines the ip_addr, prefix, and port_number or service_name with the protocol argument to form an address identifier. When negotiating an outbound IPSec tunnel SA, HP-UX IPSec uses the source address identifier as the proxy source ID and the destination address identifier as the proxy destination ID. When negotiating an inbound IPSec tunnel SA, HP-UX IPSec uses the destination address identifier as the proxy source ID and the source address identifier as the proxy destination ID. The proxy ID values must exactly match the proxy ID values configured on the remote system.

If you are using manual keys with an IPv6 ESP, HP-UX IPSec also uses the address identifier to verify the address fields in the original (end-to-end) packet. For an outbound tunneled packet (the local address is the source address in the tunnel packet header), HP-UX IPSec verifies the source address identifier with the source address fields in the original packet, and the destination address identifier with the destination address fields in the original packet. For an inbound tunneled packet (the local address is the destination address in the tunnel packet header), HP-UX IPSec verifies the source address identifier with the destination address fields in the original packet, and the destination address identifier with the source address fields in the original packet.

Default: If you do not specify ip_addr, prefix, and port_number or service_name, ipsec_config uses the value of the source or destination parameter in the TunnelPolicy-Defaults section of the profile file used. The default value for source and destination is 0.0.0.0/0/0 (match any IPv4 address, any port).

Where:

ip_addr

The ip_addr is the proxy (end system) source or destination IP address.

Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses. However, you can use the double-colon (::) notation within a specified IPv6 address to denote a number of zeros (0) within an address. The address must be a unicast address.

prefix

The prefix is the prefix length, or the number of leading bits that must match when comparing the IP address in a packet with ip_addr.

For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match. This prefix length is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter.

For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.

Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.

Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0). You must specify a prefix value if you specify a port or service name as part of the address filter.

port

The port is the upper-layer protocol (TCP or UDP) port number. Specify the upper-layer protocol with the protocol argument described below. The upper-layer protocol must be TCP or UDP if you specify a non-zero port number.

Acceptable Values: 0 - 65535. 0 indicates all ports.

NOTE: The port value must be 0 if the corresponding host policy (the host policy that references this tunnel policy) uses a transform (the corresponding host policy action is not PASS).

Default: 0 (all ports).

service_name

The service_name is a character string that specifies a network service. The ipsec_config utility will add a policy to the configuration database with the appropriate port number and protocol, as listed below. You cannot specify service_name and protocol in the same policy.

See Table 3-1 “ipsec_config Service Names” for a list of valid service names.

-protocol protocol_id

The protocol is the value or name of the upper-layer protocol that HP-UX IPSec uses in the address filter to select an IPSec policy for a packet. You cannot specify protocol and service_name in the same policy.

Specifying ICMPV6 affects only the following ICMPv6 messages: Echo Request, Echo Reply, Mobile Prefix Solicitation, Mobile Prefix Advertisement.

To ensure proper operation of IPv6 networks, HP-UX IPSec always allows all ICMPv6 messages not listed above to pass in clear text.

Acceptable Values: Integer value 0 (any protocol) - 255, or one of the following protocol names:

  • TCP

  • UDP

  • ICMP

  • ICMPV6

  • IGMP

  • MH (Mobile IPv6 Mobility Headers)

  • ALL (any protocol)

The protocols ICMP and IGMP are valid with IPv4 addresses only. The protocols ICMPV6 and MH are valid with IPv6 addresses only.

NOTE: The protocol value must be ALL or 0 if the corresponding host policy (the host policy that references this tunnel policy) uses a transform (the host policy action is not PASS).

Default: ALL.

CAUTION: Discarding or requiring ICMP messages (Internet Control Message Protocol messages for IPv4; protocol value 1) to be encrypted or authenticated may cause connectivity problems. See Appendix A “Product Specifications”, “IPv4 ICMP Messages” for more information.
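The address-identifier rules above (matching IP versions, prefix and port ranges, protocol restrictions, and the constraints that apply when the referencing host policy uses a transform or when manual keys are used) can be checked before an add tunnel entry is committed. The following validator is an added example, not part of the HP-UX documentation or of the ipsec_config utility; it handles the ip_addr[/prefix[/port_number]] form only and does not resolve service names.

```python
"""Check the -source/-destination address identifiers and -protocol of an
ipsec_config add tunnel entry against the rules in this section.

Added example, not part of the HP-UX documentation or of ipsec_config. The
filter form handled is ip_addr[/prefix[/port_number]]; service names are not
handled (they map to a port and protocol through Table 3-1).
"""
import ipaddress

NAMES = {"TCP", "UDP", "ICMP", "ICMPV6", "IGMP", "MH", "ALL"}
V4_ONLY, V6_ONLY = {"ICMP", "IGMP"}, {"ICMPV6", "MH"}


def parse_filter(spec):
    """Return (ip, prefix, port) with the manual's defaults filled in."""
    fields = spec.split("/")
    ip = ipaddress.ip_address(fields[0])
    full = ip.max_prefixlen                    # 32 for IPv4, 128 for IPv6
    if len(fields) > 1:
        prefix = int(fields[1])
    else:                                      # all-zeros address defaults to /0 (match any)
        prefix = 0 if int(ip) == 0 else full
    port = int(fields[2]) if len(fields) > 2 else 0
    if not 0 <= prefix <= full:
        raise ValueError(f"{spec}: prefix must be 0-{full}")
    if not 0 <= port <= 65535:
        raise ValueError(f"{spec}: port must be 0-65535")
    return ip, prefix, port


def check_filters(source, destination, protocol="ALL",
                  host_uses_transform=True, manual_keys=False):
    """Return the rule violations found (an empty list means acceptable)."""
    problems = []
    src, dst = parse_filter(source), parse_filter(destination)
    version = src[0].version
    if version != dst[0].version:
        problems.append("source and destination must both be IPv4 or both be IPv6")
    proto = protocol.upper()
    if proto not in NAMES and not (proto.isdigit() and int(proto) <= 255):
        problems.append(f"unknown protocol {protocol!r}")
    if (proto in V4_ONLY and version != 4) or (proto in V6_ONLY and version != 6):
        problems.append(f"{proto} is not valid with IPv{version} addresses")
    for label, (ip, prefix, port) in (("source", src), ("destination", dst)):
        if port and proto not in ("TCP", "UDP"):
            problems.append(f"{label}: a non-zero port requires protocol TCP or UDP")
        if port and host_uses_transform:       # NOTE under 'port' in the manual
            problems.append(f"{label}: port must be 0 when the host policy applies a transform")
        if manual_keys and prefix != ip.max_prefixlen:
            problems.append(f"{label}: manual keys require prefix {ip.max_prefixlen}")
    if host_uses_transform and proto not in ("ALL", "0"):
        problems.append("protocol must be ALL or 0 when the host policy applies a transform")
    return problems
```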

-action transform_list

A transform specifies the IPSec authentication and encryption applied to packets using AH (Authentication Header) and ESP (Encapsulation Security Payload) headers. A transform list specifies the transforms acceptable for packets using the policy. The HP-UX IPSec IKE daemon proposes the transform list when negotiating the transform for IPSec Security Associations (SAs) with a remote system.

The transforms in the transform_list of a tunnel policy are tunnel transforms applied to the packets encapsulated between the tunnel endpoints.

If you are using dynamic keys, the transform list can contain:

  • A list that contains up to 2 AH transforms

  • A list that contains up to 8 ESP transforms, including Authenticated ESP transforms

  • A list that contains one nested transform (an ESP transform nested inside an AH transform)

Use a comma to separate multiple transform specifications.

The order of transforms in the transform list is significant. The first transform is the most preferable and the last transform is the least preferable. At least one transform must match a transform configured on the remote system.

The format for each transform is:

transform_name[/lifetime_seconds[/lifetime_kbytes]]

Where:

transform_name

A transform_name is a valid AH (Authentication Header) or ESP (Encapsulation Security Payload) transform name, as specified in Table 3-2 “ipsec_config Transforms”, or a nested AH and ESP transform formed by joining an AH transform and an ESP transform with a plus sign (+). For example, AH_MD5+ESP_3DES.

TIP: AES128 is the most secure of the supported encryption algorithms, with performance comparable to or better than DES and 3DES. For added security, use AES in an authenticated ESP transform, such as ESP_AES128_HMAC_SHA1.

ESP transforms without authentication (such as ESP_AES128) do not provide data integrity and should not be used.

Default: The transform defined for the action parameter in the TunnelPolicy-Defaults section of the profile file used. The default action is ESP_AES128_HMAC_SHA1.

lifetime_seconds

The lifetime_seconds is the maximum lifetime for the IPSec SA, in seconds. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded.

Range: 0 (infinite), or 600 - 4294967294 seconds (approximately 49,710 days).

Default: 28,800 (8 hours).

lifetime_kbytes

The lifetime_kbytes is the maximum lifetime for the IPSec SA, measured by kilobytes transmitted or received. A transform lifetime can be specified by time (seconds), and by kilobytes transmitted or received. HP-UX IPSec considers the lifetime to be exceeded if either value is exceeded.

Range: 0 (infinite), or 5120 - 4294967294 kilobytes.

Default: 0 (infinite).

CAUTION: HP recommends that you do not specify an infinite value for lifetime_seconds (0) with a finite value for lifetime_kbytes.
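The transform_list format and its rules (comma-separated transform_name[/lifetime_seconds[/lifetime_kbytes]] entries, the AH/ESP/nested limits, the lifetime ranges, and the caution against an infinite time lifetime combined with a finite byte lifetime) can be checked mechanically. The following validator is an added example, not part of the HP-UX documentation or of ipsec_config; it recognises transforms by their AH_ and ESP_ prefixes and assumes that authenticated ESP transform names contain "_HMAC_".

```python
"""Validate an ipsec_config -action transform_list for a tunnel policy.

Added example, not part of the HP-UX documentation or of ipsec_config.
It applies the rules in the -action section: comma-separated entries of the
form transform_name[/lifetime_seconds[/lifetime_kbytes]], at most 2 AH, 8 ESP
and 1 nested AH+ESP transform, and the documented lifetime ranges. Treating
names that contain "_HMAC_" as authenticated ESP is an assumption.
"""
SEC_MIN, KB_MIN, LIFE_MAX = 600, 5120, 4294967294   # 0 means infinite
LIMITS = {"AH": 2, "ESP": 8, "nested": 1}


def parse_transform(spec):
    """Split 'NAME[/secs[/kbytes]]' into (name, secs, kbytes); None = default."""
    parts = spec.strip().split("/")
    if not parts[0] or len(parts) > 3:
        raise ValueError(f"malformed transform {spec!r}")
    secs = int(parts[1]) if len(parts) > 1 else None
    kbytes = int(parts[2]) if len(parts) > 2 else None
    return parts[0], secs, kbytes


def check_transform_list(transform_list):
    """Return the rule violations found (an empty list means acceptable)."""
    problems, counts = [], {"AH": 0, "ESP": 0, "nested": 0}
    for spec in transform_list.split(","):
        name, secs, kbytes = parse_transform(spec)
        if "+" in name:                          # nested: AH transform + ESP transform
            ah, _, esp = name.partition("+")
            if not (ah.startswith("AH_") and esp.startswith("ESP_")):
                problems.append(f"{name}: nested form is AH_x+ESP_y")
            counts["nested"] += 1
        elif name.startswith("AH_"):
            counts["AH"] += 1
        elif name.startswith("ESP_"):
            counts["ESP"] += 1
            if "_HMAC_" not in name:             # ESP alone gives no data integrity
                problems.append(f"{name}: ESP without authentication; use an authenticated ESP")
        else:
            problems.append(f"{name}: not an AH or ESP transform name")
        if secs is not None and not (secs == 0 or SEC_MIN <= secs <= LIFE_MAX):
            problems.append(f"{name}: lifetime_seconds must be 0 or {SEC_MIN}-{LIFE_MAX}")
        if kbytes is not None and not (kbytes == 0 or KB_MIN <= kbytes <= LIFE_MAX):
            problems.append(f"{name}: lifetime_kbytes must be 0 or {KB_MIN}-{LIFE_MAX}")
        if secs == 0 and kbytes:                 # CAUTION in the manual: infinite time, finite bytes
            problems.append(f"{name}: infinite lifetime_seconds with finite lifetime_kbytes")
    for kind, limit in LIMITS.items():
        if counts[kind] > limit:
            problems.append(f"too many {kind} transforms: {counts[kind]} (limit {limit})")
    return problems
```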

Tunnel IPSec Policy Configuration Example

The local system (10.1.1.1) is using a host-to-host tunnel with system 10.2.2.2. The following command (entered directly, or placed in an ipsec_config batch file without the ipsec_config command name) configures the tunnel to use authenticated ESP, with AES128 encryption and HMAC SHA-1 authentication.

ipsec_config add tunnel my_host_host_tunnel \
-tsource 10.1.1.1 -tdestination 10.2.2.2 \
-source 10.1.1.1 -destination 10.2.2.2 \
-action ESP_AES128_HMAC_SHA1

© 2004 Hewlett-Packard Development Company, L.P.