HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2

Chapter 3 Configuring HP-UX IPSec

Step 3: Configuring IKE Policies
Complete this step only if you are using dynamic keys for IPSec. You do not need to configure IKE policies if you are using only manual keys for IPSec, or if you are only using HP-UX IPSec to discard packets. If you are not using dynamic keys, go to “Step 6: Configuring the Bypass List (Local IPv4 Addresses)”.

HP-UX IPSec uses the parameters in an IKE policy when it runs the IKE protocol to establish ISAKMP/Main Mode (MM) Security Associations (SAs) with remote systems. IPSec uses ISAKMP/MM SAs to negotiate IPSec SAs; an ISAKMP/MM SA must exist with a remote system before IPSec can negotiate IPSec SAs with it. You must have at least one IKE policy if you are using dynamic keys for IPSec. If HP-UX IPSec cannot find an IKE policy whose remote address specification matches the remote system, the ISAKMP/MM SA negotiation fails.

HP recommends that you use an ipsec_config batch file to configure IKE policies.

When HP-UX IPSec needs to establish an ISAKMP/MM SA, it searches the IKE policies in order of the priority parameter value of each policy (lowest value first) and selects the first policy whose IP address and prefix specification matches the remote system's address. Because the search stops at the first match, a policy for a specific host must have a lower priority value than any broader subnet policy that also covers that host.

You can explicitly set the priority of an IKE policy with the priority argument, or you can rely on the automatic priority increment value for IKE policies in the profile file (the priority parameter value in the IKEPolicy-Defaults section of the profile file). If you do not specify a priority argument, ipsec_config assigns a priority value equal to the current highest priority value (lowest priority) in the configuration database, incremented by the automatic priority increment value for IKE policies. The result is that the new policy is the last policy evaluated before the default policy. The default automatic priority increment value (priority) is 10.
If you are configuring the first IKE policy and do not specify a priority argument, ipsec_config assigns the automatic priority increment value as the priority.

You can use the following ipsec_config add ike syntax in most installations:

    ipsec_config add ike ike_policy_name

HP recommends that you use an ipsec_config batch file to configure HP-UX IPSec. To specify an add ike operation in an ipsec_config batch file, use the above syntax without the ipsec_config command name:

    add ike ike_policy_name

The full ipsec_config add ike syntax specification also allows you to specify the arguments described below.
Refer to the ipsec_config(1M) manpage for full syntax information.

ike_policy_name
    The user-defined name for the IKE policy. This name must be unique for each IKE policy and is case-sensitive.
    Acceptable Values: 1 - 63 characters. Each character must be an ASCII alphanumeric character, hyphen (-), or underscore (_).

ip_addr/prefix
    The IP address and network prefix length that specify the remote system or subnet for this policy. HP recommends that you do not specify a wildcard address (0.0.0.0/0 or 0::0/0). A wildcard address allows any system, including unauthorized ones, to engage the local system in IKE negotiations.
    Where:
    ip_addr is the remote IP address.
        Acceptable Values: An IPv4 address in dotted-decimal notation or an IPv6 address in colon-hexadecimal notation. The IP address type (IPv4 or IPv6) must be the same for the source and destination address. HP-UX IPSec does not support unspecified IPv6 addresses; however, you can use the double-colon (::) notation within a specified IPv6 address to denote a run of zeros (0) within the address. The address must be a unicast address.
        Default: None.
    prefix is the prefix length, or the number of leading bits that must match when comparing the remote IP address with ip_addr. For IPv4 addresses, a prefix length of 32 bits indicates that all the bits in both addresses must match; this is equivalent to an address mask of 255.255.255.255. Use a value less than 32 to specify a subnet address filter. For IPv6 addresses, a prefix length of 128 bits indicates that all the bits in both addresses must match. Use a value less than 128 to specify a subnet address filter.
        Range: 0 - 32 for an IPv4 address; 0 - 128 for an IPv6 address. If you are using manual keys, prefix must be 32 if ip_addr is an IPv4 address or 128 if ip_addr is an IPv6 address.
        Default: 32 if ip_addr is a non-zero IPv4 address, 128 if ip_addr is a non-zero IPv6 address, or 0 (match any address) if ip_addr is an all-zeros address (0.0.0.0 or 0::0).

priority_number
    The priority value HP-UX IPSec uses when selecting an IKE policy (a lower priority value has a higher priority). The priority must be unique for each IKE policy.
    Range: 1 - 2147483647.
    Default: If you do not specify a priority, ipsec_config assigns a priority value equal to the current highest priority value (lowest priority) for IKE policies in the configuration database, incremented by the automatic priority increment value (priority) for IKE policies specified in the IKEPolicy-Defaults section of the profile file, so the new policy is the last policy evaluated before the default policy. The default automatic priority increment value (priority) is 10. If this is the first IKE policy created, ipsec_config uses the automatic priority increment value as the priority.

authentication_type
    The primary authentication method HP-UX IPSec uses when establishing the ISAKMP/MM SA. This must match the method configured on the remote system.
    Acceptable Values: PSK or RSASIG.
    If you specify PSK, you must configure a preshared key using the ipsec_config add auth command. If you specify RSASIG, you must use security certificates. See Chapter 4 “Using Certificates with HP-UX IPSec” for information on using security certificates with HP-UX IPSec.
    Default: The value of the authentication parameter in the IKE-Defaults section of the profile file used. The default authentication parameter value is PSK.

group
    The Oakley Group (sometimes referred to as the Diffie-Hellman group) used to select the initial Diffie-Hellman values. This must match the Oakley Group configured on the remote system.
    Acceptable Values:
    Default: The value of the group parameter in the IKE-Defaults section of the profile file used. The default group parameter value is 2.

hash
    The hash algorithm for authenticating IKE messages. This must match the hash algorithm configured on the remote system.
    Acceptable Values:
    Default: The value of the hash parameter in the IKE-Defaults section of the profile file used. The default hash parameter value is MD5.

encryption_algorithm
    The encryption algorithm for encrypting IKE messages. This must match the encryption algorithm configured on the remote system.
    Acceptable Values:
    Default: The value of the encryption parameter in the IKE-Defaults section of the profile file used. The default encryption parameter value is 3DES.

lifetime_seconds
    The maximum lifetime for the ISAKMP/MM SA, in seconds.
    Range: 0 (infinite), or 600 - 4294967294 seconds (approximately 49,710 days, about 136 years).
    Default: 28,800 (8 hours).

max_quick_modes
    The maximum number of IPSec or Quick Mode (QM) SA negotiations that IKE can perform using one ISAKMP/MM SA. Each IPSec/QM SA negotiation establishes two IPSec SAs (one in each direction). If the value of max_quick_modes is 1, IKE provides Perfect Forward Secrecy (PFS) for the IPSec SA keys and for the identities of the ISAKMP negotiating parties (and the identities of any parties for which the ISAKMP parties are acting as proxies). With PFS, the exposure of one key permits access only to data protected by that key. When PFS is configured, the IKE daemon creates a new ISAKMP SA for each IPSec SA negotiation and performs a Diffie-Hellman exchange for each IPSec SA negotiation, so each IPSec SA costs a full ISAKMP/MM negotiation in addition to the Quick Mode exchange.
    Range: 1 - 255.
    Default: 100.

The following batch file entries configure two IKE policies. The first policy (apple) is for a remote system (10.1.1.1) that uses RSA signatures (security certificates) for IKE authentication. The second policy (all_others) is for all other systems in the local network (10.*.*.*), which use preshared keys for IKE authentication. The priority argument is omitted, so the automatic priority increment assigns the first policy (apple) a lower priority value (higher priority) than the second policy (all_others). Keep this order: if the all_others entry came first, it would receive the lower priority value, and its 10.0.0.0/8 specification also matches 10.1.1.1, so HP-UX IPSec would select the PSK policy for the apple system and never evaluate the RSASIG policy.

    add ike apple -remote 10.1.1.1 -auth RSASIG
    add ike all_others -remote 10.0.0.0/8 -auth PSK
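As an added example (not from the HP-UX guide and not HP's ipsec_config code), the following POSIX shell script models the two rules this step describes: automatic priority assignment for add ike entries that omit a priority, and first-match selection by ascending priority over the remote address/prefix specifications. It parses a constructed batch-file fragment in the add ike syntax shown above, handles IPv4 remotes only, and assumes -priority is the spelling of the priority argument; check ipsec_config(1M) for the real argument names. It also flags the wildcard remote address the guide warns against.

```shell
#!/bin/sh
# Added example (not HP-UX code): models IKE-policy ordering and selection
# for IPv4 policies as described in "Step 3: Configuring IKE Policies".

IKE_PRIORITY_INCREMENT=10   # the guide's default automatic increment for IKE policies

# Constructed batch-file fragment in the guide's "add ike" syntax.
# Assumption: -priority is the spelling of the priority argument.
BATCH='add ike apple -remote 10.1.1.1 -auth RSASIG
add ike all_others -remote 10.0.0.0/8 -auth PSK
add ike mgmt -remote 10.1.2.0/24 -priority 5 -auth PSK'

# Convert a dotted-decimal IPv4 address to an integer.
ip4_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
}

# True when the remote specification is the wildcard the guide warns against.
is_wildcard_remote() {
    case $1 in 0.0.0.0|0.0.0.0/0|0::0|0::0/0|::/0) return 0 ;; esac
    return 1
}

# ip4_match ADDR IP[/PREFIX]: apply the guide's prefix defaults (32 for a
# non-zero address, 0 for 0.0.0.0) and compare the leading PREFIX bits.
ip4_match() {
    case $2 in
        */*)     net=${2%/*}; prefix=${2#*/} ;;
        0.0.0.0) net=$2; prefix=0 ;;
        *)       net=$2; prefix=32 ;;
    esac
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Emit "priority name remote" per policy in the order HP-UX IPSec evaluates
# them. An omitted priority becomes (current highest + increment); the first
# such policy receives the increment itself.
list_ike_policies() {
    max=0
    printf '%s\n' "$BATCH" | while read -r cmd obj name rest; do
        [ "$cmd $obj" = "add ike" ] || continue
        remote=; pri=
        set -- $rest
        while [ $# -gt 0 ]; do
            case $1 in
                -remote)   remote=$2; shift 2 ;;
                -priority) pri=$2; shift 2 ;;
                *)         shift ;;
            esac
        done
        is_wildcard_remote "$remote" &&
            echo "warning: policy $name uses wildcard remote $remote" >&2
        [ -n "$pri" ] || pri=$(( max + IKE_PRIORITY_INCREMENT ))
        [ "$pri" -gt "$max" ] && max=$pri
        echo "$pri $name $remote"
    done | sort -n
}

# Print the first policy (lowest priority number) whose remote specification
# covers ADDR; fail when none does, which the guide says makes the
# ISAKMP/MM SA negotiation fail.
select_ike_policy() {
    chosen=$(list_ike_policies 2>/dev/null | while read -r pri name remote; do
        if ip4_match "$1" "$remote"; then echo "$name"; break; fi
    done)
    [ -n "$chosen" ] && echo "$chosen"
}
```

list_ike_policies prints mgmt first (explicit priority 5), then apple (10, the increment itself) and all_others (20). select_ike_policy 10.1.1.1 returns apple even though 10.0.0.0/8 also covers that address, because apple's priority value is lower; select_ike_policy 192.168.1.1 fails, which on a real system corresponds to a failed ISAKMP/MM SA negotiation.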