|
|
United States-English | |
|
|
 |
|
HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Chapter 7 HP-UX IPSec and HP-UX
Mobile IPv6
Configuration Overview |
|
|
This section contains general information about two HP-UX IPSec configuration objects used for HP-UX Mobile IPv6:
This section also provides an overview of the procedure for configuring HP-UX IPSec for HP-UX Mobile IPv6. Gateway IPSec policies specify forwarding behavior on gateways, or nodes that forward IP packets. HP-UX IPSec A.02.00 supports gateway IPSec policies only on HP-UX Mobile IPv6 Home Agents that use the policies to forward IP packets to and from Mobile IPv6 clients. You configure two gateway IPSec policies for each end-to-end address pair. Each gateway IPSec policy specifies the source and destination addresses for the end-to-end packets, and defines the HP-UX IPSec behavior for the data segments between the gateway and the destination endpoint. Figure 7-4 “Gateway IPSec Policies” shows the main ipsec_config parameters for configuring the two gateway IPSec policies on a gateway, G, for forwarding packets between the end systems A and B. The first gateway IPSec policy, G-A, is used for the data segments between G and A when G forwards packets between A and B (the data segments on the left side of the figure). The to_A policy specifies that G uses the tunnel tunnelG-A for the data segments between G and A. You configure the tunnelG-A parameters in a separate tunnel IPSec policy. The second gateway IPSec policy, G-B, is used for the data segments between G and B when G forwards packets between A and B (the data segments on the right side of the figure). The to_B policy specifies that G forwards the packets in clear text for the data segments between G and B. Mobile IPv6 uses manual key Security Associations (SAs). Manual key SAs do not use IKE to generate and distribute encryption keys. Instead, the administrator manually configures and distributes the encryption keys. You should configure strong, random, encryption keys for manual key SAs. If you are using DES or 3DES encryption, and the key is not sufficiently strong, ipsec_config reports an error messages similar to one of the following: Weak DES encryption key: 0xhhhh.... Weak 3DES encryption key: 0xhhhh.... One way to generate strong encryption keys is using the HP-UX Strong Random Number Generator product, available at no cost from the HP Software Depot (http://software.hp.com). After you have installed the HP-UX Strong Random Number Generator, you can generate a random number and use the od utility to display an ASCII string of the hexadecimal digits by executing the following command sequence: od -Ax -Nnn /dev/random nn is the number of bytes to extract from the random number generator. For example, the following command extracts and displays a 24-byte random number for a 3DES encryption key: od -Ax -N24 /dev/random Troubleshooting manual key problems can be difficult because there are no IKE negotiations and no IKE audit messages. See Chapter 5 “Troubleshooting HP-UX IPSec”, “Manual Keys Fail” for information on troubleshooting manual keys. Use the following procedure to configure HP-UX IPSec on a Mobile IPv6 Home Agent.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 Printable version |
|
|
|
|
|
|||||||||||||||
|
|||||||||||||||
